The following instructions apply if you have a Linux platform and want
libpcap to support the 'ACN' WAN/LAN router product from SITA
(http://www.sita.aero)

This might also work on non-Linux Unix-compatible platforms, but that
has not been tested.

See also the libpcap INSTALL.txt file for further libpcap configuration
options.

These additions/extensions have been made to PCAP to allow it to
capture packets from a SITA ACN device (and potentially others).

To enable its support you need to ensure that the distribution has
a correct configure.ac file; that can be created if necessary by
using the normal autoconf procedure of:

    aclocal
    autoconf
    autoheader
    automake

Then run configure with the 'sita' option:

    ./configure --with-sita

Applications built with libpcap configured in this way will only detect SITA
ACN interfaces and will not capture from the native OS packet stream.

The SITA extension provides a remote datascope operation for capturing
both WAN and LAN protocols. It effectively splits the operation of
PCAP into two halves. The top layer performs the majority of the
work, but interfaces via a TCP session to remote agents that
provide the lower layer functionality of actual sniffing and
filtering. More detailed information regarding the functions, the
inter-device protocol and the naming conventions is given in
'pcap-sita.html'.

pcap_findalldevs() reads the local system's /etc/hosts file looking
for host names that match the format of IOP type devices, i.e. aaa_I_x_y,
and then queries each associated IP address for a list of its WAN and
LAN devices. The local system then aggregates the lists obtained from
each IOP, sorts them, and provides the result (to Wireshark et al.) as
the list of monitorable interfaces.

Once a valid interface has been selected, pcap_open() is called
which opens a TCP session (to a well-known port) on the target IOP
and tells it to start monitoring.

All captured packets are then forwarded across that TCP session
back to the local 'top layer' for forwarding to the actual
sniffing program (Wireshark...)

Note that the DLT_SITA link-layer type includes a proprietary header
that is documented as part of the SITA dissector of Wireshark and is
also described in 'pcap-sita.html' for posterity's sake.

That header provides:
- Packet direction (in/out) (1 octet)
- Link layer hardware signal status (1 octet)
- Transmit/Receive error status (2 octets)
- Encapsulated WAN protocol ID (1 octet)