Change libpcap Version on macOS (Apple removed a feature)

主宰稳场 submitted on 2021-01-29 09:24:25

Question


I just want to use tcpdump with the same -Qout functionality that is available on Ubuntu.

On macOS, tcpdump and libpcap have been stripped of the functionality to filter with -Qout.

tcpdump -Qout -nnSX -c 10 -w packet.pcap port XXXX
tcpdump: cannot parse term at: 
tcpdump: invalid expression "out"

I have built tcpdump (./configure, make, make install) and set PATH=/usr/local/sbin:$PATH. When I check with

tcpdump --version
tcpdump version 4.9.3
libpcap version 1.8.1 -- Apple version 79.250.1

Now if I try the same dump I get another message:

tcpdump --direction=out -nnSX -c 10 -w packet.pcap port XXXX
tcpdump: en0: pcap_setdirection() failed: Setting direction to PCAP_D_OUT is not supported on BPF

I have also downloaded the source for libpcap-1.9.0 and tried to build it the same way (./configure, make, make install).

clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [libpcap.dylib] Error 1

I need to somehow build and link libpcap-1.9.0 to tcpdump 4.9.3 so when I use tcpdump it will use libpcap 1.9.0.

EDIT: I have installed libpcap 1.9.1 with brew and exported the path with

  echo 'export PATH="/usr/local/opt/libpcap/bin:$PATH"' >> ~/.bash_profile

but it still shows me that it's linked to the system default 1.8.1

tcpdump --version
tcpdump version 4.9.3
libpcap version 1.8.1 -- Apple version 79.250.1

Answer 1:


This is more accurately described as "Apple never implemented a feature".

The underlying capture mechanism on macOS is called "BPF", for "Berkeley Packet Filter"; it was originally developed by one of the people at Lawrence Berkeley Laboratories who created libpcap and tcpdump (Van Jacobson). It's provided by various BSD-flavored OSes, including FreeBSD, NetBSD, OpenBSD, and DragonFly BSD - and macOS.

FreeBSD and NetBSD's BPFs had a feature added to let a program configure it to capture only incoming packets, only outgoing packets, or both incoming and outgoing packets; OpenBSD has a similar feature (with some differences in the details, so I need to go back and add support for that to the tcpdump.org libpcap).

macOS, however, never implemented that feature. (That's essentially what "PCAP_D_OUT is not supported on BPF" means, although that error message should probably be changed to something that doesn't use names from the libpcap API, as users might not know what "PCAP_D_OUT" is.)

(Oh, and Apple's tcpdump uses -Q for its own purposes, so they'd have to do some hack to allow it to be used for direction and for metadata filtering. Fortunately, tcpdump also supports --direction=, so Apple could, at least, use that if they ever implement the direction feature in BPF.)
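Since Apple's BPF cannot set PCAP_D_OUT, a defender who needs outbound-only captures on macOS has to approximate it with a filter. The wrapper below is an added example (not from the question, the answer, or the tcpdump/libpcap projects): it tries --direction=out first and, if tcpdump fails with the exact message quoted in the question, falls back to an `ether src` filter on the interface's own MAC address, which approximates "outgoing only" on Ethernet and Wi-Fi interfaces (not on loopback or tunnels). The interface name and MAC used in the test are constructed.

```shell
#!/bin/sh
# Added example: approximate "tcpdump -Q out" where libpcap lacks BPF direction support.

# Exact text tcpdump prints when libpcap cannot set PCAP_D_OUT on macOS BPF (from the question).
DIRECTION_ERR='pcap_setdirection() failed: Setting direction to PCAP_D_OUT is not supported on BPF'

# direction_unsupported STDERR_TEXT -> 0 if the text contains the BPF direction failure
direction_unsupported() {
    case "$1" in
        *"$DIRECTION_ERR"*) return 0 ;;
        *) return 1 ;;
    esac
}

# outbound_filter MAC [EXTRA_FILTER] -> BPF expression matching frames this interface sent.
# "ether src <mac>" stands in for PCAP_D_OUT; an extra filter is AND-ed in parentheses.
outbound_filter() {
    mac=$1
    extra=$2
    if [ -n "$extra" ]; then
        printf 'ether src %s and (%s)\n' "$mac" "$extra"
    else
        printf 'ether src %s\n' "$mac"
    fi
}

# iface_mac IFACE -> hardware address as printed by macOS ifconfig ("ether xx:xx:xx:xx:xx:xx")
iface_mac() {
    ifconfig "$1" 2>/dev/null | awk '/^[[:space:]]*ether /{print $2; exit}'
}

# capture_out IFACE PCAP_FILE [FILTER...] : prefer --direction=out, fall back to ether-src filter
capture_out() {
    iface=$1; out=$2; shift 2
    errfile=$(mktemp)
    if tcpdump -i "$iface" --direction=out -nnSX -c 10 -w "$out" "$@" 2>"$errfile"; then
        rm -f "$errfile"; return 0
    fi
    err=$(cat "$errfile"); rm -f "$errfile"
    if direction_unsupported "$err"; then
        mac=$(iface_mac "$iface")
        [ -n "$mac" ] || { echo "cannot determine MAC of $iface" >&2; return 1; }
        filter=$(outbound_filter "$mac" "$*")
        echo "libpcap lacks direction support; falling back to filter: $filter" >&2
        tcpdump -i "$iface" -nnSX -c 10 -w "$out" "$filter"
    else
        printf '%s\n' "$err" >&2; return 1   # some other failure, e.g. insufficient privileges
    fi
}
```

Run it as `capture_out en0 packet.pcap port 443`; the fallback only triggers on the specific direction error, so permission or interface errors are still reported as-is.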



Source: https://stackoverflow.com/questions/58641670/change-libpcap-version-on-macos-apple-removed-a-feature
