All,
Is this functionality still supported?
I believe I’ve been able to get bro to use libpcap compiled with dag libraries, but is there native support?
I remember reading somewhere that I could run “./configure --with-dag” to compile bro with dag support.
If not I’ll just recompile libpcap with the dag libraries, and then recompile bro with the new libpcap.
Thanks,
Ben Wood
Can’t speak for what’s actually supported, but I’ve not been disappointed with using libpcap with DAG, bro vs that libpcap.
That said, use pcap 1.3.0. 1.4.0 had some issues, can’t recall their precise nature but “they don’t work at all” sticks in the mind. 
Mike
The native DAG support was removed a while ago but I believe the pcap
wrapper should work fine.
Robin
Thanks, I eventually got it to compile and run correctly.
Turns out ./configure was targeting the system libpcap that was installed before the dag drivers.
– Found PCAP: /usr/lib64/libpcap.so
instead of the “post-dag” compiled one in /usr/local/lib
Even when I tried “./configure --with-pcap=/usr/local/lib” it still favored the system libpcap. I don’t know if this is by design.
My eventual solution was to remove the system libpcap. Once it was gone, ./configure for bro found the one in /usr/local/lib.
– Found PCAP: /usr/local/lib/libpcap.so
Cheers,
Benjamin Wood
Even when I tried "./configure --with-pcap=/usr/local/lib" it still favored the system libpcap. I don't know if this is by design.
You should use --with-pcap=/usr/local
The configure script needs to find the header and the library so you give the installation prefix.
My eventual solution was to remove the system libpcap. Once it was gone, ./configure for bro found the one in /usr/local/lib.
-- Found PCAP: /usr/local/lib/libpcap.so
This worked because /usr/local/ is a secondary search path.
.Setb