Error Pcap.h Not Found

[Dmv Kolias]

checkingfor gcc... gccchecking whether the C compiler works... yeschecking for C compiler default output file name... a.outchecking for suffix of executables... checking whether we are cross compiling... nochecking for suffix of object files... ochecking whether we are using the GNU C compiler... yeschecking whether gcc accepts -g... yeschecking for gcc option to accept ISO C89... none neededchecking for pcap_open_live in -lpcap... noerror: pcap library not found!

You can also open the configure script to see what exactly went wrong. The script will contain a test program which uses pcap and a command line used to compile it. You can copy the test program from there and try to compile manually using the same command line.

configure: error: Header file pcap.h not found; if you installed libpcap from source, did you also do "make install-incl", and if you installed a binary package of libpcap, is there also a developer's package of libpcap, and did you also install that package?

A: Are you sure pcap.h and bpf.h are installed? The official distribution of libpcap only installs the libpcap.a library file when "make install" is run. To install pcap.h and bpf.h, you must run "make install-incl". If you're running Debian or Redhat, make sure you have the "libpcap-dev" or "libpcap-devel" packages installed. It's also possible that pcap.h and bpf.h have been installed in a strange location. If this is the case, you may have to tweak aclocal.m4.

I have downloaded libpcap-1.1.1 but the Makefile does not seem to have a "install-incl" target. Also, libpcap.x86_64 is installed from the fedora repository. There is no package named "libpcap-dev in the Fedora repository. What should I do next?

Argh, that's annoying. It looks like they forgot libpcap-devel. The package is in updates/testing, though, so I guess they realized their mistake(?). Fedora 15 appears to have the same problem, but libpcap-devel has not yet made even to updates/testing.

For now, it looks like you can pick up the not-done-testing-yet update. Or find the right target to install the header files from the libpcap source. It might be worth opening a bug with Redhat too (I can't find one about it).

The Redhat bug is closed--looks like the problem I found was a bad mirror which was missing the libpcap-devel package. I don't know if your system is being unfortunate and picking the same mirror or if multiple mirrors have the problem or what, but libpcap-devel is part of the base OS for both Fedora 14 and 15 (see the URL to the master mirror in the bug report).

Thanks Jeff. I'm actually working on an isolated network, and I was using the packages on the Fedora 14 DVD (which does not contain libpcap-devel). Also I realized that I needed to select the "Everything" directory instead of the "Fedora" directory to find this package (from ).

I'm trying to install Net::Pcap on a Windows XP system using Strawberry Perl.I have installed the win pcap developer library, I have directed the command line to the include and library files. the Makefile.pl command executes just fine. But when I try to dmake, dmake test, and dmake install - I get errors and it fails. I've tried using versions 0.04, 0.05, and 0.16. All with the same results.I've used dmake realclean in between trials, still doesn't help.One error is: "C:\WpdPack\Include\remote.txt.h:39:2: error: #error Please do not include this file directly. Just define HAVE_REMOTE and then include pcap.h"Another error is: "dmake: Error code 129, while making Pcap.o"Two other warnings are also present.What can I do? Trying to code a network sniffing program to monitor data transmission.Any help is GREATLY appreciated - this is my third day of trying to find a work around.Comment on Net::Pcap installation help (and not with the library)

There are bugs in the Net::Pcap code that have not been patched that affect Windows installations. You can see this by looking at the bug report here =53292. Our own Corion fixed it and provided patches.

Hi, I am working on a custom analyzer, and I am able to use it in offline mode, however, I would like to know how to configure Zeek to use it for live traffic analysis, i.e., how to make Zeek recognize the new analyzer.

SUITABLE_UNIT was not substituted by the unit I chose, causing an error on the creation of a binary file related to the protocol. I simply wrote the chosen unit, just reporting this to let you know, in case this bug was not solved in newer versions of Zeek.

Uncomment this @load statement like the comment says. To use your local settings you need to load local.zeek, by passing it to your zeek invocation (zeek ... local means "load a script local.zeek); the docs explain this

This error message comes out of a zkg before zkg-3.0.0 (you can query the version with zkg --version). Something might be wrong with the zkg you are using. The simplest fix would be to use the zkg which comes with the installation of Zeek you are trying to run.

This should not be the same error, but instead a different one (e.g., zeek-config not found) coming not out of zkg, but instead the scripts generated for the plugin. This indicates that zeek-config was not found which could be for a number of reasons, the simplest being that you did not export your modifications to PATH; this might also cause above error from zkg. Try

In relation to the tests executed with sudo btest -c btest.cfg, I made some changes on the get-zeek-env file, due to the fact that there were some commands trying to access a file structure that was different from what was really installed in my computer. zeek-path-dev file was located in Downloads/zeek-6.0.3 and zeek-config path is /usr/local/zeek/bin. These changes solved the zeek-config not found error.

You should not need to touch this generated code at all. What you changed here is a code path which is taken for packages which want access to non-public APIs in Zeek and build against a Zeek source tree. AFAIK this is mostly to support legacy plugins and certainly not needed for Spicy analyzers.

I would suggest you revert all the build system changes (they could make your package not installable on other systems). To get you back on track, you should not need to modify anything but Spicy grammars (*.spicy files in analyzer/), Zeek glue code (*.evt files in analyzer/), Zeek scripts (files in scripts/), and possibly tests in testing/tests/ and their traces in testing/Traces/); the generated zkg.meta should work and you only might need to adjust the description field and possibly add dependencies. It might be easiest for you to regenerate a clean setup and copy your above changes over; validate that this works in a properly set up Docker container.

Hello, in the last few days I made some changes in the custom analyzer, specifically in the .spicy file, adding 2 units, in order to promote further analysis over the packets and now, when I install the analyzer in a Docker container skipping the tests, I get errors related to tests.standalone and tests.trace errors.

I have doubts about how should I change these test files according to the features of my analyzer, and I would really appreciate some orientation in this sense, or, if possible, to see some examples that could help me understand about the changes I should make.

This section shows how to use the features of the Npcap API. It is organized as a tutorial, subdivided into a set of lessons that will introduce the reader, in a step-by-step fashion, to program development using Npcap, from the basic functions (obtaining the adapter list, starting a capture, etc.) to the most advanced ones (handling send queues and gathering statistics about network traffic).

The samples are written in plain C, so a basic knowledge of C programming is required. Also, since this is a tutorial about a library dealing with "raw" networking packets, good knowledge of networks and network protocols is assumed.

Typically, the first thing that a Npcap-based application does is get a list of attached network adapters. Both libpcap and Npcap provide the pcap_findalldevs_ex() function for this purpose: this function returns a linked list of pcap_if structures, each of which contains comprehensive information about an attached adapter. In particular, the fields name and description contain the name and a human readable description, respectively, of the corresponding device.

First of all, pcap_findalldevs_ex(), like other libpcap functions, has an errbuf parameter. This parameter points to a string filled by libpcap with a description of the error if something goes wrong.

Second, remember that not all the OSes supported by libpcap provide a description of the network interfaces, therefore if we want to write a portable application, we must consider the case in which description is null: we print the string "No description available" in that situation.

Now that we've seen how to obtain an adapter to play with, let's start the real job, opening an adapter and capturing some traffic. In this lesson we'll write a program that prints some information about each packet flowing through the adapter.

snaplen specifies the portion of the packet to capture. On some OSes (like xBSD and Win32), the packet driver can be configured to capture only the initial part of any packet: this decreases the amount of data to copy to the application and therefore improves the efficiency of the capture. In this case we use the value 65536 which is higher than the greatest MTU that we could encounter. In this manner we ensure that the application will always receive the whole packet.

flags: the most important flag is the one that indicates if the adapter will be put in promiscuous mode. In normal operation, an adapter only captures packets from the network that are destined to it; the packets exchanged by other hosts are therefore ignored. Instead, when the adapter is in promiscuous mode it captures all packets whether they are destined to it or not. This means that on shared media (like non-switched Ethernet), Npcap will be able to capture the packets of other hosts. Promiscuous mode is the default for most capture applications, so we enable it in the following example.

3a8082e126