[Snort-users] Phil Wood Libpcap Installation Problems

Gentoo-Wally gentoowally at ...11827...
Wed Jan 31 15:12:01 EST 2007


I'm coming a little late to the party, but I just had a similar
problem. I was trying to compile snort with a libpcap that uses pfring
as the ring buffer (similar to Phil Wood's stuff) and I am also using
CentOS 4 with a slightly modified 2.6.9-42.0.3.EL kernel (same as
Jesse). This is what I found...

libpcap stuff from /usr/local/src/libpcap-0.9.4...

[root at ...274... libpcap-0.9.4]# ./configure --enable-ipv6
[root at ...274... libpcap-0.9.4]# make
[root at ...274... libpcap-0.9.4]# gcc -shared -Wl,-soname -Wl,libpcap.so.`cat VERSION` -o libpcap.so.`cat VERSION` *.o -lc
[root at ...274... libpcap-0.9.4]# make install && cp libpcap.so.0.9.4 /usr/local/lib
[root at ...274... libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so
[root at ...274... libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so.0
[root at ...274... libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so.0.9

Giving me the following setup...

[root at ...274... libpcap-0.9.4]# ls -l /usr/local/lib/
total 372
-rw-r--r--  1 root root 186300 Jan 31 14:21 libpcap.a
lrwxrwxrwx  1 root root     31 Jan 31 14:24 libpcap.so -> /usr/local/lib/libpcap.so.0.9.4
lrwxrwxrwx  1 root root     31 Jan 31 14:24 libpcap.so.0 -> /usr/local/lib/libpcap.so.0.9.4
lrwxrwxrwx  1 root root     31 Jan 31 14:24 libpcap.so.0.9 -> /usr/local/lib/libpcap.so.0.9.4
-rwxr-xr-x  1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4

[root at ...274... libpcap-0.9.4]# echo "/usr/local/lib" >> /etc/ld.so.conf
[root at ...274... libpcap-0.9.4]# ldconfig -v |grep pcap
        libpcap.so.0.9.4 -> libpcap.so.0.9.4
        libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5

Just for reference...

[root at ...274... libpcap-0.9.4]# ls -l /usr/lib/libpcap*
lrwxrwxrwx  1 root root     23 Jan 29 16:34 /usr/lib/libpcap-nessus.so -> libpcap-nessus.so.2.2.5
lrwxrwxrwx  1 root root     23 Jan 29 16:34 /usr/lib/libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5
-rwxr-xr-x  1 root root 175953 Jan  4 11:34 /usr/lib/libpcap-nessus.so.2.2.5

Now when I try to compile snort from /usr/local/src/snort-2.6.0...

[root at ...274... snort-2.6.0]# ./configure --enable-dynamicplugin --enable-timestats --enable-perfprofiling --enable-linux-smp-stats --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib

Like Jesse's case, it complains...

[...]
checking for strerror... yes
checking for __FUNCTION__... yes
checking for floor in -lm... yes
checking for pcap_datalink in -lpcap... no

   ERROR!  Libpcap library/headers not found, go get it from
   http://www.tcpdump.org
   or use the --with-libpcap-* options, if you have it installed
   in unusual place

What makes this really weird is that if I delete just the symlinks for
the shared libs...

[root at ...274... snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so
[root at ...274... snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0
[root at ...274... snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0.9
[root at ...274... snort-2.6.0]# ls -l /usr/local/lib/
total 372
-rw-r--r--  1 root root 186300 Jan 31 14:21 libpcap.a
-rwxr-xr-x  1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4
[root at ...274... snort-2.6.0]# ldconfig -v |grep pcap
        libpcap.so.0.9.4 -> libpcap.so.0.9.4
        libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5

And then rerun the exact same ./configure for snort that I ran before,
it configures and compiles without complaint.

I thought I'd take this a step further. I ran the _exact_ same test
with a stock libpcap-0.9.4 downloaded from www.tcpdump.org _without_
any pfring stuff and even with the symlinks it configures and compiles
without complaint. Then I removed that and ran the _exact_ same test
with the version of libpcap I pulled with 'yum install libpcap' which
also sets up the symlinks. Only difference is it uses /usr/lib instead
of /usr/local/lib. It also configures and compiles without complaint.

Sounds like there might be a problem with the function in configure
that checks for pcap_datalink in the pcap library when dealing with
nonstandard/patched libpcaps that use shared libraries and symlinks.
Or maybe the culprit is CentOS 4 since we are both using that.

I have no idea how AC_CHECK_LIB in configure actually performs the
check, but I do know that pcap_datalink does exist in a pfring enabled
libpcap...

[root at ...274... snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.a
Binary file /usr/local/lib/libpcap.a matches
[root at ...274... snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.so.0.9.4
Binary file /usr/local/lib/libpcap.so.0.9.4 matches

Hope this helps,
Wally




On 1/24/07, Darryl Taylor <darryl.taylor at ...1935...> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I just did a complete install as follows on my Dual Opteron running
> Gentoo 2.6.17-r8:
>
> libpcap (Phil Woods)
> ./configure --enable-shared
> make
> sudo make install
>
> (ensure /usr/local/lib is in ld.so.conf)
> sudo ldconfig
>
>
>
> snort (with the options I use)
> ./configure --with-libpcap-library=/usr/local/lib --enable-debug \
> --enable-perfprofiling --enable-dynamicplugin
> make
> sudo make install
>
> ldd /usr/local/bin/snort
>         libpcre.so.0 => /usr/lib/libpcre.so.0 (0x00002b3e9220e000)
>         libpcap-0.9.3.so => /usr/local/lib/libpcap-0.9.3.so (0x00002b3e9232a000)
>         libm.so.6 => /lib/libm.so.6 (0x00002b3e92459000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x00002b3e925af000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00002b3e926c5000)
>         libc.so.6 => /lib/libc.so.6 (0x00002b3e927c9000)
>         /lib64/ld-linux-x86-64.so.2 (0x00002b3e920f2000)
>
> After this I had a working snort-2.6.1.2.
>
>
> Darryl Taylor
>
>
> IT Security wrote:
> > I recompiled libpcap to use shared libraries and now have the following
> > in /usr/lib:
> >
> > lrwxrwxrwx  1 root root     16 Jan 23 08:56 /usr/lib/libpcap-0.8.3.so -> libpcap-0.9.3.so
> > -rwxr-xr-x  1 root root 375850 Jan 23 09:00 /usr/lib/libpcap-0.9.3.so
> > -rw-r--r--  1 root root 483168 Jan 23 09:00 /usr/lib/libpcap.a
> > -rwxr-xr-x  1 root root    792 Jan 23 09:00 /usr/lib/libpcap.la
> > lrwxrwxrwx  1 root root     16 Jan 23 09:00 /usr/lib/libpcap.so -> libpcap-0.9.3.so
> > lrwxrwxrwx  1 root root     16 Jan 23 09:02 /usr/lib/libpcap.so.0 -> libpcap-0.9.3.so
> > lrwxrwxrwx  1 root root     16 Jan 23 09:03 /usr/lib/libpcap.so.0.8 -> libpcap-0.9.3.so
> > lrwxrwxrwx  1 root root     16 Jan 23 09:03 /usr/lib/libpcap.so.0.8.3 -> libpcap-0.9.3.so
> >
> > I added the symlinks for libpcap 0.8.3 with hopes that it would help,
> > but it didn't.
> >
> > I have run ldconfig since reinstalling libpcap.
> >
> > Attempting to recompile snort and tcpdump both end with the result of:
> >
> > checking for strerror... yes
> > checking for __FUNCTION__... yes
> > checking for floor in -lm... yes
> > checking for pcap_datalink in -lpcap... no
> >
> >    ERROR!  Libpcap library/headers not found, go get it from
> >    http://www.tcpdump.org
> >    or use the --with-libpcap-* options, if you have it installed
> >    in unusual place
> >
> > This makes me think that I'm missing something associated with libpcap.
> >
> > Any more ideas?
> >
> > Thanks in advance.
> >
> > - Jesse
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: snort-users-bounces at lists.sourceforge.net
> > [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of IT
> > Security
> > Sent: Tuesday, January 23, 2007 8:11 AM
> > To: Darryl Taylor
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems
> >
> > Darryl -
> >
> > Tried with no luck.  Still get the same error.
> >
> > ./configure --with-libpcap-library=/usr/local/lib
> >
> > Thanks for the assistance.
> >
> > - Jesse
> >
> >
> >
> > -----Original Message-----
> > From: Darryl Taylor [mailto:darryl.taylor at ...1935...]
> > Sent: Tuesday, January 23, 2007 8:00 AM
> > To: darryl.taylor at ...1935...
> > Cc: IT Security; snort-users-bounces at lists.sourceforge.net;
> > snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems
> >
> > Sorry bout that. Needed a little more sleep. It should be
> > --with-libpcap-library=[your path]
> >
> >
> >
> > Darryl Taylor
> > Security Engineer
> > SOURCEfire
> > Office: 404-474-8454
> > Cell:   404-783-2064
> > eFax:   404-521-4309
> >
> > Fingerprint: AEA7 16DB 2DC3 0C3E 43A9 F1B6 E25A 6A7C 16F2 68B6
> > Key: http://demo.sourcefire.com/dtaylor.pgp.key
> >
> >
> >
> >
> > darryl.taylor at ...1935... wrote:
> >> Try ./configure --with-libpcap=/usr/local when compiling snort. If it
> >> still fails then the library was probably compiled statically. If that
> >> is the case, post back and I will tell you how to make it a shared
> >> object. I think I had this problem a few years ago.
> >> Sent from my Verizon Wireless BlackBerry
> >
> >> -----Original Message-----
> >> From: "IT Security" <ITSEC at ...14044...>
> >> Date: Mon, 22 Jan 2007 17:46:59
> >> To:<snort-users at lists.sourceforge.net>
> >> Subject: [Snort-users] Phil Wood Libpcap Installation Problems
> >
> >> I'm trying to get Phil Wood's modified libpcap working on my Snort
> >> 2.6.1 sensor, but have run into some difficulties and hoping that
> >> someone out there can help.
> >
> >> I've downloaded and extracted libpcap-0.9.20060417.tar.gz.  I then
> >> run:
> >>    ./configure
> >>    make
> >>    make install
> >
> >> I then downloaded and extracted snort-2.6.1.1.tar.gz.  I then run:
> >
> >>    ./configure
> >>    make
> >
> >> That's where it blows up.  Here is the error:
> >
> >> <snip>
> >
> >> checking for pcap_datalink in -lpcap... no
> >
> >>    ERROR!  Libpcap library/headers not found, go get it from
> >>    http://www.tcpdump.org
> >>    or use the --with-libpcap-* options, if you have it installed
> >>    in unusual place
> >
> >> </snip>
> >
> >> Any ideas why the headers would be missing?  Header files are
> >> identified with the .h extension correct?  Where are these supposed to
> >> reside on the system?
> >
> >> I'm running CentOS 4 with 2.6.9-42.0.3.EL kernel.
> >
> >> Thanks in advance.
> >
> >> - Jesse
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFt7ZE4lpqfBbyaLYRAjmNAJ94Zrrh+Fy01mK5j5+S9f8apPrRJgCeOBFt
> Gf7swfkS4Wv92y0VldKsslw=
> =HRZ4
> -----END PGP SIGNATURE-----
>
>
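
Added example, not part of the original thread and not autoconf's or Snort's own code: the post above leaves open how AC_CHECK_LIB performs its check, so this sketch repeats that link test by hand and shows which file -lLIB resolves to in one directory (GNU ld tries libLIB.so first, then libLIB.a, which is why removing the libpcap.so symlink changes what gets linked). The function names resolve_l and check_lib are made up for this sketch; the pcap paths are the ones from the thread.

```shell
#!/bin/sh
# Added example: repeat by hand what configure's
# "checking for FUNC in -lLIB" does, so the linker's real error is visible.

# resolve_l DIR LIB: print the file GNU ld picks for -lLIB inside DIR.
# It tries libLIB.so first, then libLIB.a; versioned names such as
# libLIB.so.0.9.4 are never considered at link time.
resolve_l() {
    dir=$1; lib=$2
    for ext in so a; do
        if [ -e "$dir/lib$lib.$ext" ]; then
            echo "$dir/lib$lib.$ext"
            return 0
        fi
    done
    return 1
}

# check_lib FUNC LIB [LIBDIR]: the same kind of link test AC_CHECK_LIB
# generates. Returns the compiler/linker exit status; messages go to stderr.
check_lib() {
    func=$1; lib=$2; libdir=${3:-}
    tmp=$(mktemp -d) || return 2
    # The test declares the symbol itself, so header files play no part.
    cat > "$tmp/conftest.c" <<EOF
char $func ();
int main (void) { return $func (); }
EOF
    ${CC:-cc} -o "$tmp/conftest" "$tmp/conftest.c" \
        ${libdir:+-L"$libdir"} -l"$lib"
    status=$?
    rm -rf "$tmp"
    return $status
}

# Usage with the paths from this thread: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    resolve_l /usr/local/lib pcap
    if check_lib pcap_datalink pcap /usr/local/lib; then echo yes; else echo no; fi
fi
```

When configure itself prints "no", the compiler command it ran and the resulting error output are recorded in config.log in the build directory.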



