
| Subject: | Re: [Snort-users] Phil Wood Libpcap Installation Problems |
|---|---|
| Date: | Wed, 31 Jan 2007 15:12:01 -0500 |

I'm coming a little late to the party, but I just had a similar
problem. I was trying to compile snort with a libpcap that uses pfring
as the ring buffer (similar to Phil Wood's stuff) and I am also using
CentOS 4 with a slightly modified 2.6.9-42.0.3.EL kernel (same as
Jesse). This is what I found...

libpcap stuff from /usr/local/src/libpcap-0.9.4...

[root@localhost libpcap-0.9.4]# ./configure --enable-ipv6
[root@localhost libpcap-0.9.4]# make
[root@localhost libpcap-0.9.4]# gcc -shared -Wl,-soname -Wl,libpcap.so.`cat VERSION` -o libpcap.so.`cat VERSION` *.o -lc
[root@localhost libpcap-0.9.4]# make install && cp libpcap.so.0.9.4 /usr/local/lib
[root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so
[root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so.0
[root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so.0.9

Giving me the following setup...

[root@localhost libpcap-0.9.4]# ls -l /usr/local/lib/
total 372
-rw-r--r-- 1 root root 186300 Jan 31 14:21 libpcap.a
lrwxrwxrwx 1 root root 31 Jan 31 14:24 libpcap.so -> /usr/local/lib/libpcap.so.0.9.4
lrwxrwxrwx 1 root root 31 Jan 31 14:24 libpcap.so.0 -> /usr/local/lib/libpcap.so.0.9.4
lrwxrwxrwx 1 root root 31 Jan 31 14:24 libpcap.so.0.9 -> /usr/local/lib/libpcap.so.0.9.4
-rwxr-xr-x 1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4
[root@localhost libpcap-0.9.4]# echo "/usr/local/lib" >> /etc/ld.so.conf
[root@localhost libpcap-0.9.4]# ldconfig -v |grep pcap
libpcap.so.0.9.4 -> libpcap.so.0.9.4
libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5

Just for reference...

[root@localhost libpcap-0.9.4]# ls -l /usr/lib/libpcap*
lrwxrwxrwx 1 root root 23 Jan 29 16:34 /usr/lib/libpcap-nessus.so -> libpcap-nessus.so.2.2.5
lrwxrwxrwx 1 root root 23 Jan 29 16:34 /usr/lib/libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5
-rwxr-xr-x 1 root root 175953 Jan 4 11:34 /usr/lib/libpcap-nessus.so.2.2.5

Now when I try to compile snort from /usr/local/src/snort-2.6.0...

[root@localhost snort-2.6.0]# ./configure --enable-dynamicplugin --enable-timestats --enable-perfprofiling --enable-linux-smp-stats --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib

Like Jesse's case, it complains...

[...]
checking for strerror... yes
checking for __FUNCTION__... yes
checking for floor in -lm... yes
checking for pcap_datalink in -lpcap... no
ERROR! Libpcap library/headers not found, go get it from
http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed
in unusual place

What makes this really weird is that if I delete just the symlinks for
the shared libs...

[root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so
[root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0
[root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0.9
[root@localhost snort-2.6.0]# ls -l /usr/local/lib/
total 372
-rw-r--r-- 1 root root 186300 Jan 31 14:21 libpcap.a
-rwxr-xr-x 1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4
[root@localhost snort-2.6.0]# ldconfig -v |grep pcap
libpcap.so.0.9.4 -> libpcap.so.0.9.4
libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5

And then rerun the exact same ./configure for snort that I ran before
it configures and compiles without complaint.

I thought I'd take this a step further. I ran the _exact_ same test
with a stock libpcap-0.9.4 downloaded from www.tcpdump.org _without_
any pfring stuff and even with the symlinks it configures and compiles
without complaint. Then I removed that and ran the _exact_ same test
with the version of libpcap I pulled with 'yum install libpcap' which
also sets up the symlinks. Only difference is it uses /usr/lib instead
of /usr/local/lib. It also configures and compiles without complaint.

Sounds like there might be a problem with the function in configure
that checks for pcap_datalink in the pcap library when dealing with
nonstandard/patched libpcaps that use shared libraries and symlinks.
Or maybe the culprit is CentOS 4 since we are both using that.

I have no idea how AC_CHECK_LIB in configure actually performs the
check, but I do know that pcap_datalink does exist in a pfring enabled
libpcap...

[root@localhost snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.a
Binary file /usr/local/lib/libpcap.a matches
[root@localhost snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.so.0.9.4
Binary file /usr/local/lib/libpcap.so.0.9.4 matches

Hope this helps,
Wally

On 1/24/07, Darryl Taylor <darryl.taylor@sourcefire.com> wrote:
> I just did a complete install as follows on my Dual Opteron running
> Gentoo 2.6.17-r8:
>
> libpcap (Phil Woods)
> ./configure --enable-shared
> make
> sudo make install
> (ensure /usr/local/lib is in ld.so.conf)
> sudo ldconfig
>
> snort (with the options I use)
> ./configure --with-libpcap-library=/usr/local/lib --enable-debug \
> --enable-perfprofiling --enable-dynamicplugin
> make
> sudo make install
>
> ldd /usr/local/bin/snort
> libpcre.so.0 => /usr/lib/libpcre.so.0 (0x00002b3e9220e000)
> libpcap-0.9.3.so => /usr/local/lib/libpcap-0.9.3.so (0x00002b3e9232a000)
> libm.so.6 => /lib/libm.so.6 (0x00002b3e92459000)
> libnsl.so.1 => /lib/libnsl.so.1 (0x00002b3e925af000)
> libdl.so.2 => /lib/libdl.so.2 (0x00002b3e926c5000)
> libc.so.6 => /lib/libc.so.6 (0x00002b3e927c9000)
> /lib64/ld-linux-x86-64.so.2 (0x00002b3e920f2000)
>
> After this I had a working snort-2.6.1.2.
>
> Darryl Taylor
>
> IT Security wrote:
> I recompiled libpcap to use shared libraries and now have the
> following in /usr/lib:
>
> lrwxrwxrwx 1 root root 16 Jan 23 08:56 /usr/lib/libpcap-0.8.3.so -> libpcap-0.9.3.so
> -rwxr-xr-x 1 root root 375850 Jan 23 09:00 /usr/lib/libpcap-0.9.3.so
> -rw-r--r-- 1 root root 483168 Jan 23 09:00 /usr/lib/libpcap.a
> -rwxr-xr-x 1 root root 792 Jan 23 09:00 /usr/lib/libpcap.la
> lrwxrwxrwx 1 root root 16 Jan 23 09:00 /usr/lib/libpcap.so -> libpcap-0.9.3.so
> lrwxrwxrwx 1 root root 16 Jan 23 09:02 /usr/lib/libpcap.so.0 -> libpcap-0.9.3.so
> lrwxrwxrwx 1 root root 16 Jan 23 09:03 /usr/lib/libpcap.so.0.8 -> libpcap-0.9.3.so
> lrwxrwxrwx 1 root root 16 Jan 23 09:03 /usr/lib/libpcap.so.0.8.3 -> libpcap-0.9.3.so
>
> I added the symlinks for libpcap 0.8.3 with hopes that it would help,
> but it didn't. I have run ldconfig since reinstalling libpcap.
>
> Attempting to recompile snort and tcpdump both end with the result of:
>
> checking for strerror... yes
> checking for __FUNCTION__... yes
> checking for floor in -lm... yes
> checking for pcap_datalink in -lpcap... no
> ERROR! Libpcap library/headers not found, go get it from
> http://www.tcpdump.org
> or use the --with-libpcap-* options, if you have it installed
> in unusual place
>
> This makes me think that I'm missing something associated with
> libpcap. Any more ideas?
>
> Thanks in advance.
>
> - Jesse
>
> -----Original Message-----
> From: snort-users-bounces@lists.sourceforge.net
> [mailto:snort-users-bounces@lists.sourceforge.net] On Behalf Of IT Security
> Sent: Tuesday, January 23, 2007 8:11 AM
> To: Darryl Taylor
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems
>
> Darryl -
>
> Tried with no luck. Still get the same error.
>
> ./configure --with-libpcap-library=/usr/local/lib
>
> Thanks for the assistance.
>
> - Jesse
>
> -----Original Message-----
> From: Darryl Taylor [mailto:darryl.taylor@sourcefire.com]
> Sent: Tuesday, January 23, 2007 8:00 AM
> To: darryl.taylor@sourcefire.com
> Cc: IT Security; snort-users-bounces@lists.sourceforge.net;
> snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems
>
> Sorry bout that. Needed a little more sleep. It should be
> --with-libpcap-library=[your path]
>
> Darryl Taylor
> Security Engineer
> SOURCEfire
> Office: 404-474-8454
> Cell: 404-783-2064
> eFax: 404-521-4309
> Fingerprint: AEA7 16DB 2DC3 0C3E 43A9 F1B6 E25A 6A7C 16F2 68B6
> Key: http://demo.sourcefire.com/dtaylor.pgp.key
>
> darryl.taylor@sourcefire.com wrote:
> Try ./configure --with-libpcap=/usr/local when compiling snort. If it
> still fails then the library was probably compiled statically. If that
> is the case, post back and I will tell you how to make it a shared
> object. I think I had this problem a few years ago.
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: "IT Security" <ITSEC@24hourfit.com>
> Date: Mon, 22 Jan 2007 17:46:59
> To: <snort-users@lists.sourceforge.net>
> Subject: [Snort-users] Phil Wood Libpcap Installation Problems
>
> I'm trying to get Phil Wood's modified libpcap working on my Snort
> 2.6.1 sensor, but have run into some difficulties and hoping that
> someone out there can help.
>
> I've downloaded and extracted libpcap-0.9.20060417.tar.gz. I then run:
>
> ./configure
> make
> make install
>
> I then downloaded and extracted snort-2.6.1.1.tar.gz. I then run:
>
> ./configure
> make
>
> That's where it blows up. Here is the error:
>
> <snip>
> checking for pcap_datalink in -lpcap... no
> ERROR! Libpcap library/headers not found, go get it from
> http://www.tcpdump.org
> or use the --with-libpcap-* options, if you have it installed
> in unusual place
> </snip>
>
> Any ideas why the headers would be missing? Header files are
> identified with the .h extension correct? Where are these supposed to
> reside on the system?
>
> I'm running CentOS 4 with 2.6.9-42.0.3.EL kernel.
>
> Thanks in advance.
>
> - Jesse

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
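
The message above asks how AC_CHECK_LIB performs its check. As an added example (not code from the thread, from snort, or from autoconf itself), the shell function below repeats that check by hand: it links a tiny program that calls the function through a dummy prototype, so the result is "no" on any link failure and not only when the symbol is missing. The name `check_lib` and the demo arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: the link test that "checking for FUNC in -lLIB" stands for.
# check_lib is a hypothetical helper name, not part of autoconf or snort.

# usage: check_lib FUNCTION LIBRARY [LIBDIR]
# Prints "yes" or "no" like configure. On "no", the linker's own message is
# written to stderr; configure records that message only in config.log.
check_lib() {
    func=$1 lib=$2 dir=${3:-}
    tmp=$(mktemp -d) || return 2
    # Same shape as autoconf's conftest.c: a dummy prototype instead of the
    # real header, so only the link step can decide the outcome.
    cat > "$tmp/conftest.c" <<EOF
char $func ();
int main (void) { return $func (); }
EOF
    if ${CC:-cc} -o "$tmp/conftest" ${dir:+-L"$dir"} "$tmp/conftest.c" \
        -l"$lib" 2> "$tmp/err"
    then
        rc=0
        echo yes
    else
        rc=1
        echo no
        cat "$tmp/err" >&2
    fi
    rm -rf "$tmp"
    return $rc
}

# Constructed demo: the libm check that also appears in the configure output
# quoted in the thread, then a function name that does not exist in libm.
check_lib floor m || :
check_lib no_such_function_xyz m 2>/dev/null || :
```

For the case in the thread, `check_lib pcap_datalink pcap /usr/local/lib` can be run with and without the `libpcap.so` symlinks in place; the stderr output of the failing run is the same linker message that configure writes to config.log.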