Albert Chin wrote:
1. Running 0.10.12 with libpcap-0.8.3, Capture->Interfaces then
click on "Capture", I get the recv_ack error above.
The Capture->Interfaces window opens all the interfaces.
On systems using BPF, that could run out of BPF devices on systems that
have a fixed number of them, if there are more interfaces than BPF
devices - my system currently has 4 interface entries: one for the
Ethernet interface, one for the AirPort 802.11 interface, one for the
PPP interface created for the VPN into work, and one for the loopback
interfaces - and, for systems such as OS X that create BPF devices on
the fly, the newly-created devices might not be accessible to the user
running Ethereal.
If you click on the "Capture" button for one of those interfaces, the
Capture->Interfaces window stays open - and so do all the interfaces
it's monitoring.
On HP-UX, it turns out that you can't open a given interface more than
once. To quote the mail I sent to tcpdump-workers about this:
Having just checked the HP-UX documentation, the idea I have is "HP-UX
DLPI isn't as friendly as we'd like":
http://docs.hp.com/en/B2355-90139/ch01s03.html
"Note: Each LAN interface currently allows only one stream to enable
the promiscuous mode service. This restriction will be removed with a
future release of the DLPI provider."
That's the edition for HP-UX 10.x, 11.0, and 11i v1.6.
http://docs.hp.com/en/B2355-90871/ch01s03.html
"Note: Each LAN interface currently allows only one unbound stream to
enable the promiscuous mode service."
That's the edition for 11i v2 and 11i v2 September 2004; I guess that
release isn't the "future release" to which the older manual referred,
and the lack of the "future release" item in the newer manual appears to
suggest that they don't want to make any such promises.
If we're not in DL_PROMISC_PHYS mode, I think we want to be in
DL_PROMISC_SAP, so we at least see all traffic being sent to or from
the machine running the libpcap application, not just traffic for some
particular SAP.
I guess that means that, even though the changes not to use a
hardwired SAP mean that we can now run when other software is using the
SAP to which we used to be hardwired, we can't run if some other
software using libpcap (or otherwise enabling DL_PROMISC_PHYS or
DL_PROMISC_SAP) is running.
I.e., the "Capture" buttons in the Capture->Interfaces buttons won't
work on HP-UX if the Capture->Interfaces dialog isn't closed once you
start the capture (or if you don't close the interface you're capturing on).
The above comments apply to libpcap 0.9.3; 0.8.3 uses the same SAP for
all opens, so it only supports opening one interface at a time, period.
Note also that opening the interface for the capture would, on a system
using BPF, require one more BPF device, so the BPF problems described
above might show up in that case on those systems.
2. Running 0.10.12 with libpcap-0.8.3, Capture->Options then
click on "Start", everything works.
You don't have the extra opens from the Capture->Interfaces dialog in
that case.
3. Running 0.10.12 with libpcap-0.8.3, Capture->Interfaces then
click on "Capture", I get the recv_ack error above. Then,
Capture->Options and click on "Start. I get the error above.
If the Capture->Interfaces window is open when you click "Start" in the
Capture->Options window, that's the same as clicking the "Capture"
button in the Capture->Interfaces window, in that you're trying to open
the same interface twice, which has the same problem on HP-UX as was
described above.
Running 0.10.12 with libpcap-0.9.3 is totaly useless as it lists *NO*
interfaces.
That was a bug in libpcap on HP-UX, for which I've checked in a fix.
However, that fix merely means that Capture->Interfaces will be able to
open more interfaces; it doesn't mean that a live capture will be able
to open one of those interfaces for a second time as long as it's
already open for Capture->Interfaces.