1 2The following instructions apply if you have a Linux or FreeBSD platform and 3want libpcap to support the DAG range of passive network monitoring cards from 4Endace (https://www.endace.com, see below for further contact details). 5 61) Install and build the DAG software distribution by following the 7instructions supplied with that package. Current Endace customers can download 8the DAG software distribution from https://www.endace.com 9 102) Configure libcap. To allow the 'configure' script to locate the DAG 11software distribution use the '--with-dag' option: 12 13 ./configure --with-dag=DIR 14 15Where DIR is the root of the DAG software distribution, for example 16/var/src/dag. If the DAG software is correctly detected 'configure' will 17report: 18 19 checking whether we have DAG API... yes 20 21If 'configure' reports that there is no DAG API, the directory may have been 22incorrectly specified or the DAG software was not built before configuring 23libpcap. 24 25See also the libpcap INSTALL.md file for further libpcap configuration 26options. 27 28Building libpcap at this stage will include support for both the native packet 29capture stream (linux or bpf) and for capturing from DAG cards. To build 30libpcap with only DAG support specify the capture type as 'dag' when 31configuring libpcap: 32 33 ./configure --with-dag=DIR --with-pcap=dag 34 35Applications built with libpcap configured in this way will only detect DAG 36cards and will not capture from the native OS packet stream. 37 38---------------------------------------------------------------------- 39 40Libpcap when built for DAG cards against dag-2.5.1 or later releases: 41 42Timeouts are supported. pcap_dispatch() will return after to_ms milliseconds 43regardless of how many packets are received. If to_ms is zero pcap_dispatch() 44will block waiting for data indefinitely. 45 46pcap_dispatch() will block on and process a minimum of 64kB of data (before 47filtering) for efficiency. This can introduce high latencies on quiet 48interfaces unless a timeout value is set. The timeout expiring will override 49the 64kB minimum causing pcap_dispatch() to process any available data and 50return. 51 52pcap_setnonblock is supported. When nonblock is set, pcap_dispatch() will 53check once for available data, process any data available up to count, then 54return immediately. 55 56pcap_findalldevs() is supported, e.g. dag0, dag1... 57 58Some DAG cards can provide more than one 'stream' of received data. 59This can be data from different physical ports, or separated by filtering 60or load balancing mechanisms. Receive streams have even numbers, e.g. 61dag0:0, dag0:2 etc. Specifying transmit streams for capture is not supported. 62 63pcap_setfilter() is supported, BPF programs run in userspace. 64 65pcap_setdirection() is not supported. Only received traffic is captured. 66DAG cards normally do not have IP or link layer addresses assigned as 67they are used to passively monitor links. 68 69pcap_breakloop() is supported. 70 71pcap_datalink() and pcap_list_datalinks() are supported. The DAG card does 72not attempt to set the correct datalink type automatically where more than 73one type is possible. 74 75pcap_stats() is supported. ps_drop is the number of packets dropped due to 76RX stream buffer overflow, this count is before filters are applied (it will 77include packets that would have been dropped by the filter). The RX stream 78buffer size is user configurable outside libpcap, typically 16-512MB. 79 80pcap_get_selectable_fd() is not supported, as DAG cards do not support 81poll/select methods. 82 83pcap_inject() and pcap_sendpacket() are not supported. 84 85Some DAG cards now support capturing to multiple virtual interfaces, called 86streams. Capture streams have even numbers. These are available via libpcap 87as separate interfaces, e.g. dag0:0, dag0:2, dag0:4 etc. dag0:0 is the same 88as dag0. These are visible via pcap_findalldevs(). 89 90libpcap now does NOT set the card's hardware snaplen (slen). This must now be 91set using the appropriate DAG configuration program, e.g. dagthree, dagfour, 92dagsix, dagconfig. This is because the snaplen is currently shared between 93all of the streams. In future this may change if per-stream slen is 94implemented. 95 96DAG cards by default capture entire packets including the L2 97CRC/FCS. If the card is not configured to discard the CRC/FCS, this 98can confuse applications that use libpcap if they're not prepared for 99packets to have an FCS. 100 101Libpcap now reads the environment variable ERF_FCS_BITS to determine 102how many bits of CRC/FCS to strip from the end of the captured 103frame. This defaults to 32 for use with Ethernet. If the card is 104configured to strip the CRC/FCS, then set ERF_FCS_BITS=0. If used with 105a HDLC/PoS/PPP/Frame Relay link with 16 bit CRC/FCS, then set 106ERF_FCS_BITS=16. 107 108If you wish to create a pcap file that DOES contain the Ethernet FCS, 109specify the environment variable ERF_DONT_STRIP_FCS. This will cause 110the existing FCS to be captured into the pcap file. Note some 111applications may incorrectly report capture errors or oversize packets 112when reading these files. 113 114---------------------------------------------------------------------- 115 116Please submit bug reports via <support@endace.com>. 117 118Please also visit our Web site at: 119 120 https://www.endace.com/ 121 122For more information about Endace DAG cards contact <sales@endace.com>. 123