libpcap compatibility problem (Re: new bro "CURRENT" release - 0.8a57)

Argh - the 0.8a57 release uses some new libpcap functionality
(pcap_compile_nocap(), and calling pcap_freecode() with a bpf_program*)
that isn't supported in older libpcap releases. If someone could please
contribute autoconf tweaks to deal with this incompatibility, I'd much
appreciate it.

    Vern

Hi all,

Argh - the 0.8a57 release uses some new libpcap functionality
(pcap_compile_nocap(), and calling pcap_freecode() with a bpf_program*)
that isn't supported in older libpcap releases. If someone could please
contribute autoconf tweaks to deal with this incompatibility, I'd much
appreciate it.

mhmm ... it seems that pcap_compile_nopcap() was added in 0.5, and
pcap_freecode() without the pcap_t in 0.6.1, so I guess there should be
a check for versions >= 0.6.1.

I'm attaching a patch that seems to work -- it checks whether the
pcap_compile_nocap symbol exists, and whether a program passing only one
argument to pcap_freecode() can build.

I haven't checked if the autoconf macros are available in older versions
as well (at that point I'm usually losing my patience :slight_smile: Apply with -p0
in the toplevel directory of the source tree.

Hth,
Christian.

bro-0.8.a57-pcapfix.diff (811 Bytes)

^^^^^
Heh. I duplicated the typo :slight_smile: The patch *does* check for
pcap_compile_nopcap() though ...

Cheers,
Christian.

All,

I just build and deployed bro-0.8a57 and the thing segfaults after about
5-100 minutes of running. I tried '-t file', but then it segfaults
immediately.

Platform is RedHat 9; default build of bro with ssl. Deployed on a fairly
loaded 10MB/s link.

Anybody else seeing this?

Best,

Hi,