Question
I just want to use tcpdump with the same -Qout functionality that is available on Ubuntu.
On macOS tcpdump and libpcap have been stripped off the functionality to filter with -Qout.
tcpdump -Qout -nnSX -c 10 -w packet.pcap port XXXX
tcpdump: cannot parse term at:
tcpdump: invalid expression "out"
I have built tcpdump (./configure, make, make install) and PATH=/usr/local/sbin:$PATH. When I check with
tcpdump --version
tcpdump version 4.9.3
libpcap version 1.8.1 -- Apple version 79.250.1
Now, if I try the same dump I get another message:
tcpdump --direction=out -nnSX -c 10 -w packet.pcap port XXXX
tcpdump: en0: pcap_setdirection() failed: Setting direction to PCAP_D_OUT is not supported on BPF
I have also downloaded the source for libpcap-1.9.0 and tried to build it the same way (./configure, make, make install).
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [libpcap.dylib] Error 1
I need to somehow build and link libpcap-1.9.0 to tcpdump 4.9.3 so when I use tcpdump it will use libpcap 1.9.0.
I have installed libpcap 1.9.1 with brew and exported the path with
echo 'export PATH="/usr/local/opt/libpcap/bin:$PATH"' >> ~/.bash_profile
but it still shows me that it's linked to the system default 1.8.1
tcpdump --version
tcpdump version 4.9.3
libpcap version 1.8.1 -- Apple version 79.250.1
Answer
This is more accurately described as "Apple never implemented a feature".
The underlying capture mechanism on macOS is called "BPF", for "Berkeley Packet Filter"; it was originally developed by one of the people at Lawrence Berkeley Laboratories who created libpcap and tcpdump (Van Jacobson). It's provided by various BSD-flavored OSes, including FreeBSD, NetBSD, OpenBSD, and DragonFly BSD - and macOS.
FreeBSD and NetBSD's BPFs had a feature added to let a program configure it to capture only incoming packets, only outgoing packets, or both incoming and outgoing packets; OpenBSD has a similar feature (with some differences in the details, so I need to go back and add support for that to the tcpdump.org libpcap).
macOS, however, never implemented that feature. (That's essentially what "PCAP_D_OUT is not supported on BPF" means, although that error message should probably be changed to something that doesn't use names from the libpcap API, as users might not know what "PCAP_D_OUT" is.)
(Oh, and Apple's tcpdump uses -Q for its own purposes, so they'd have to do some hack to allow it to be used for direction and for metadata filtering. Fortunately, tcpdump also supports --direction=, so Apple could, at least, use that if they ever implement the direction feature in BPF.)
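The practical consequence of the answer above is that a capture script cannot rely on --direction=out (pcap_setdirection() with PCAP_D_OUT) being available everywhere. The following shell function is an added example, not code from the question, the answer, or the tcpdump project: it builds the tcpdump command line for "outgoing packets only", using --direction=out where the platform's BPF/libpcap supports it and, on macOS (uname reports "Darwin"), falling back to a BPF filter on the host's own source address. The interface name, address and port filter used below are constructed sample values; the source-address fallback is an approximation, since it only matches packets sent from that one address and does not distinguish direction for traffic the host forwards.

```shell
#!/bin/sh
# Added example: choose an "outgoing only" capture strategy per platform.
# Nothing here is executed; the function prints the command to run so that
# the caller can review it or pass it to sh -c.

# build_capture_cmd OS IFACE LOCAL_IP [BPF_FILTER]
#   OS         - output of `uname -s` (e.g. Darwin, Linux, FreeBSD)
#   IFACE      - capture interface (constructed sample: en0 / eth0)
#   LOCAL_IP   - this host's address on IFACE (constructed sample: 192.0.2.10)
#   BPF_FILTER - optional extra filter expression, e.g. 'port 443'
build_capture_cmd() {
    os="$1"; iface="$2"; local_ip="$3"; filter="${4:-}"
    case "$os" in
        Darwin)
            # macOS BPF has no PCAP_D_OUT, so tcpdump --direction=out fails
            # with "Setting direction to PCAP_D_OUT is not supported on BPF".
            # Approximate "outgoing" by matching our own source address.
            if [ -n "$filter" ]; then
                bpf_expr="src host $local_ip and ($filter)"
            else
                bpf_expr="src host $local_ip"
            fi
            printf "tcpdump -i %s -nn '%s'\n" "$iface" "$bpf_expr"
            ;;
        *)
            # Linux, FreeBSD and NetBSD libpcap honour pcap_setdirection(),
            # so the kernel-level direction flag can be used directly.
            if [ -n "$filter" ]; then
                printf "tcpdump --direction=out -i %s -nn '%s'\n" "$iface" "$filter"
            else
                printf "tcpdump --direction=out -i %s -nn\n" "$iface"
            fi
            ;;
    esac
}

# Typical use on the current machine (constructed interface and address):
#   build_capture_cmd "$(uname -s)" en0 192.0.2.10 'port 443'
```

On macOS the printed command is `tcpdump -i en0 -nn 'src host 192.0.2.10 and (port 443)'`; on Linux it is `tcpdump --direction=out -i eth0 -nn 'port 443'`. If the host has several addresses on the interface, extend the Darwin branch to join them with `or` before wrapping the extra filter in parentheses.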