OpenBSD Anomalies

From WTFwiki

OpenBSD PCAP + VLAN tags

  • The libpcap bundled with OpenBSD's default install does not support VLAN tags in BPF filters. This affects tcpdump as well as every program that you compile on that system and link against the bundled libpcap.
  • To resolve this, you must download and manually compile your own libpcap/tcpdump before compiling tools such as Snort.
  • I recommend the argument '--prefix=/usr' to the 'configure' script for both libpcap and tcpdump to replace the bundled copies.
  • This particular issue is confirmed with OpenBSD versions 3.9 and 4.0 on both the sparc and i386 architectures; it probably exists in earlier versions, and potentially in later ones, when they exist. It may be worse on platforms where the NIC does not support hardware tag interpretation.
  • When installing libpcap by hand, be sure to do it like this:
 /path/to/pcap/source# ./configure --prefix=/usr
 /path/to/pcap/source# make
 /path/to/pcap/source# make install-shared-so
 /path/to/pcap/source# ln -s /usr/lib/ /usr/lib/
 /path/to/pcap/source# ln -s /usr/lib/ /usr/lib/
 /path/to/pcap/source# ldconfig -R
  • Once those steps are finished, proceed to installing tcpdump (./configure --prefix=/usr ; make ; make install) and then Snort, etc.
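
A post-install check for the procedure above, added here as an example and not part of the original page: it asks a tcpdump binary (and therefore the libpcap it is linked against) to compile VLAN filter expressions with `-d`, which dumps the compiled BPF program and exits without capturing. The function name and the filter strings are assumptions chosen for illustration; run it as root, like the steps above, so tcpdump can open its default interface.

```sh
#!/bin/sh
# Added example (not from the original page).
# check_vlan_support [TCPDUMP]
#   0 = every VLAN filter compiled
#   1 = at least one VLAN filter was rejected (libpcap lacks VLAN support)
#   2 = inconclusive: binary not found, or even a plain filter fails
check_vlan_support() {
    tcpdump_bin=${1:-tcpdump}

    if ! command -v "$tcpdump_bin" >/dev/null 2>&1; then
        echo "not found or not executable: $tcpdump_bin" >&2
        return 2
    fi

    # Control filter: if 'ip' does not compile either, the failure is
    # unrelated to VLAN support (permissions, no usable interface, ...).
    if ! "$tcpdump_bin" -d 'ip' >/dev/null 2>&1; then
        echo "control filter 'ip' failed; cannot judge VLAN support" >&2
        return 2
    fi

    vlan_rc=0
    # Illustrative expressions: bare keyword, keyword plus protocol,
    # and a specific VLAN ID combined with a port match.
    for expr in 'vlan' 'vlan and ip' 'vlan 100 and tcp port 80'; do
        if "$tcpdump_bin" -d "$expr" >/dev/null 2>&1; then
            echo "ok:       $expr"
        else
            echo "rejected: $expr"
            vlan_rc=1
        fi
    done
    return $vlan_rc
}

# Usage (compare the bundled binary with the rebuilt one):
#   check_vlan_support /path/to/tcpdump
```

A return value of 1 after the rebuild usually means tcpdump is still picking up the bundled libpcap rather than the newly installed one.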