Ask Your Question
0

couldn't attach dumpcap to my own defined device

asked 2023-06-06 15:18:01 +0000

da5id gravatar image

updated 2023-06-06 16:01:37 +0000

grahamb gravatar image

Hello out there, a while ago I defined my own device with a kernel module. Within libpcap I defined my own set of functions, for interrogation of data over mmap or read function. It works and already tested with tcpdump. But failed when I try to bind it with dumpcap. I downloaded the wireshark sources and build it with my version of libpcap (at least I hope I did it so). Then I enoked dumpcap from the build directory of wireshark run/dumpcap -i kpmode0. When I start it with just "run/dumpcap -D" it lists among other interfaces, also my own creation. So it recognizes it. But cannot handle it. My Dumpcap version does not know my pcap functions since I cannot set breakpoints on them with gdb. On the other side if I list up the libraries which are used by this dumcap version of mine (by ldd), it lists my very own libpcap library:

chris@rockpro64:~/wireshark_build$ ldd run/dumpcap 
    linux-vdso.so.1 (0x0000ffffaae4d000)
    libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x0000ffffaad82000)
    libz.so.1 => /lib/aarch64-linux-gnu/libz.so.1 (0x0000ffffaad58000)
    libglib-2.0.so.0 => /lib/aarch64-linux-gnu/libglib-2.0.so.0 (0x0000ffffaac15000)
    libgmodule-2.0.so.0 => /lib/aarch64-linux-gnu/libgmodule-2.0.so.0 (0x0000ffffaac01000)
    libpcre2-8.so.0 => /lib/aarch64-linux-gnu/libpcre2-8.so.0 (0x0000ffffaab6f000)
    libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffffaa9fb000)
    libnl-genl-3.so.200 => /lib/aarch64-linux-gnu/libnl-genl-3.so.200 (0x0000ffffaa9e4000)
    libnl-3.so.200 => /lib/aarch64-linux-gnu/libnl-3.so.200 (0x0000ffffaa9b2000)
    /lib/ld-linux-aarch64.so.1 (0x0000ffffaae1d000)
    libpcre.so.3 => /lib/aarch64-linux-gnu/libpcre.so.3 (0x0000ffffaa940000)
    libpthread.so.0 => /lib/aarch64-linux-gnu/libpthread.so.0 (0x0000ffffaa90f000)
    libdl.so.2 => /lib/aarch64-linux-gnu/libdl.so.2 (0x0000ffffaa8fb000)

And within this /usr/local/lib/libpcap.so.1 I can see my kpmode functions:

chris@rockpro64:~/wireshark_build$ nm -a /usr/local/lib/libpcap.so.1 | grep kpmode
0000000000000000 a pcap-kpmode.c
000000000000a8f0 t kpmode_activate
000000000000ac40 t kpmode_create
000000000000aba0 t kpmode_findalldevs
000000000000a8b0 t kpmode_inject_linux
000000000000aa80 t kpmode_read_linux_bin
000000000000a8a0 t kpmode_setdirection_linux

So why I cannot bring them together?

Thank you in advance

BR /chris

edit retag flag offensive close merge delete

Comments

Did you have a look at the libpcap functions used by dumpcap vs those used by tcpdump?

Jaap gravatar imageJaap ( 2023-06-06 17:42:25 +0000 )edit

But cannot handle it.

What are the details of what happens if you try to tell dumpcap to capture on your interface?

Guy Harris gravatar imageGuy Harris ( 2023-06-06 23:02:25 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-06-19 12:50:18 +0000

da5id gravatar image

It was my fault, to expact that the libpcap symbols are already known right from the start of dumpcap with gdb. But these symbols are getting only imported after loading the library. I was confused by Tcpdump, because Tcpdump loads libpcap statically, and has all my self defined symbols and functions at dispose right after the start of gdb. So my expectation was wrong here. With Dumpcap I can define the breakpoints at my functions and after loading the library the debugger stops there. Thank you for your help anyway

BR /chris

edit flag offensive delete link more

Comments

Tcpdump loads libpcap statically

What do you mean by "loads libpcap statically"? From "/usr/local/lib/libpcap.so.1", I infer that this is neither Windows nor macOS nor AIX, so I'll take a look at, for example, Ubuntu 22.04:

ubu22-04$ ldd /bin/tcpdump
    linux-vdso.so.1 (0x00007fff6db7f000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007fc176800000)
    libpcap.so.0.8 => /lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007fc1771ac000)

...

It's linked dynamically, although it's not "loaded dynamically" in the sense of calling dlopen() to load it at runtime.

Guy Harris gravatar imageGuy Harris ( 2023-06-19 18:38:40 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2023-06-06 15:18:01 +0000

Seen: 357 times

Last updated: Jun 19 '23

Related questions

Does Wireshark for non-Windows platforms have a build with local libpcap source option?

Getting error MSB4018 when trying to build wireshark sources

Not able to build the wireshark

Error while building wireshark source code using MSbuild

Reason for different update paths?

Capturing USB with libpcap on Linux

build errors. First time cmake user

How to kill dumpcap.exe - not able to kill it with taskkill running as admin

MSBuild build error MSB6006 on latest version

build wireshark on linux can't find Qt includes