Ethereal-users: Re: [Ethereal-users] ethereal version 0.8.18 problem with AIX 5.2

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 14 Apr 2005 12:29:52 -0700
Llorente, Begoña wrote:

> We are attempting to capture on a network interface with ethereal version
> 0.8.18 on an AIX system version 5.2 maintenance level 4. The devices are
> part of IBM 10/100 Mbps Ethernet PCI Adapters. We have installed the
> ethereal version that comes with "AIX Toolbox for Linux Applications".
> When we run ethereal from the root account, the interfaces don't show up in
> the list of interfaces in the "Interface:" field. If we try to run ethereal
> entering the name in the "Interface:" field and capturing on that device, we
> get the following error message:
>
> 	The capture session could not be initiated (/dev/bpf0: there is a
> 	request to a device or address that does not exist.) Please check to
> 	make sure you have sufficient permissions, and that you have the
> 	proper interface or pipe specified.
>
> If we run tcpdump on the same interface, the capture begins. The strange
> thing is that, if after capturing with tcpdump we run again ethereal, the
> interfaces show up in the list of interfaces and everything works ok. If we
> reboot the system, the problem arises again until we run tcpdump.

AIX doesn't create the /dev/bpf* devices, or load the BPF driver, at boot time. The devices don't remain in the file system across a reboot.

This means that they have to be created, and the driver has to be loaded, by some program before the first capture is done.

I don't think AIX's libpcap includes any code to create the devices or load the driver; if that's the libpcap that Ethereal is using, that means that Ethereal won't create them before the first capture is done, so Ethereal won't be able to capture any traffic as the packet capture mechanism libpcap uses won't be available.

I think AIX's tcpdump is an old one, and might, in fact, be one from before the time when the tcpdump developers took the low-level capture mechanisms and created libpcap from it. If so, AIX's tcpdump wouldn't use AIX's libpcap (AIX 4.x didn't have libpcap, but it did have tcpdump, which suggests that AIX's tcpdump might indeed not use libpcap).

AIX's tcpdump *does* create the /dev/bpf* devices and load the BPF driver if they haven't already been created and loaded, so it will be able to capture even if the devices don't exist when it's started. That also means that Ethereal will be able to capture traffic after it's run.

The current libpcap from tcpdump.org *does* include code to create the /dev/bpf* devices and load the driver, so if Ethereal were built with that, it would - if run as root - be able to capture immediately after a reboot, without requiring that tcpdump be run first.

It appears that the default build procedure for libpcap causes problems on AIX 5.2, because of issues linking libpcap with -lodm and -lcfg, which it needs to support creating the /dev/bpf* devices and loading the driver - I'll look into fixing that for libpcap 0.9 (I don't have AIX, so I'll have to do it from the manuals).