Hi All,
We are getting below error with Nmap 7.91 while doing port scanning.
Issue :
Nmap port scan fails with Error compiling our pcap filter: expression rejects all packets
Description :
When we are running Nmap port scanning from Windows we get below error with details
nmap.exe -oX - --privileged --min-rtt-timeout 500ms -sS -sU -T4 -PE -p T:513,5985,5986,3940,5988,902,135,5989,80,21,22,23,443,U:161 10.77.160.110 10.66.0.112 10.97.128.111 172.29.0.113 107.0.0.112 10.4.0.114 10.4.0.112 10.72.0.112 172.25.0.113 169.254.0.58 169.254.0.113 172.19.0.110
Error compiling our pcap filter: expression rejects all packets
We then ran same command for only two problematic IPs:
nmap.exe -oX - --privileged --min-rtt-timeout 500ms -sS -sU -T4 -PE -p T:513,5985,5986,3940,5988,902,135,5989,80,21,22,23,443,U:161 169.254.0.58 169.254.0.113
Error compiling our pcap filter: expression rejects all packets
We again ran same command, excluding two problematic IPs: This time it works
nmap.exe -oX - --privileged --min-rtt-timeout 500ms -sS -sU -T4 -PE -p T:513,5985,5986,3940,5988,902,135,5989,80,21,22,23,443,U:161 10.77.160.110 10.66.0.112 10.97.128.111 172.29.0.113 107.0.0.112 10.4.0.114 10.4.0.112 10.72.0.112 172.25.0.113 172.19.0.110
We then ran same commands by connecting to our corporate network (VPN) and all commands pass just fine. Please refer attached output.
So we want to know why we get error for 169.x series of IPs? Is this known issue?
nmap_queries.txt
Linux/BSD: sharing experiences
Notes, tips, tutorials, how-tos, etc. All related to Unix-like OS namely FreeBSD and Linux. My way of giving a bit back to the community. 😉
Wednesday, May 2, 2012
Tip: Fix nmap «Error compiling our pcap filter: icmp7 not supported» on FreeBSD
Nmap issue : Error compiling our pcap filter: expression rejects all packets (npcap issue, open)
Ahhh guys I fixed it, you guys didn’t explain it well enough. Npcap doesn’t create a separate network adapter it just links onto a current one’s properties. So what I did was I went to my NordLynx (nordvpn network adapter) and right-clicked properties and on the top of the list, it should say a NpCap in the «This connection uses the following items» then just uninstall the NPCap one. That’s all I did and it fixed the issue.
dmiller-nmap commented on January 15, 2023
This is being handled as nmap/nmap#2381, since the code changes need to be handled there. Npcap is behaving correctly, though there is a leftover Npcap Loopback Adapter causing problems (#55). We’ll keep this issue open for now until the Nmap issue is resolved.
LimesKey commented on January 15, 2023
Hi I’m still getting this error, I believe I downloaded the latest stable version from nmap.org and I only get this error when connected to a VPN (NordVPN). Is this something to do with my VPN or a bug/issue with Nmap? «Error compiling our pcap filter: expression rejects all packets» I was running a «Intense Scan».
dmiller-nmap commented on January 15, 2023
@LimesKey The issue has not been resolved. To work around, ensure all legacy and leftover Npcap Loopback Adapters have been removed (follow instructions at #55: uninstall Npcap, uninstall «Npcap Loopback Adapter» via devmgmt.msc , install the latest Npcap).
LimesKey commented on January 15, 2023
> @LimesKey The issue has not been resolved. To work around, ensure all legacy and leftover Npcap Loopback Adapters have been removed (follow instructions at #55: uninstall Npcap, uninstall «Npcap Loopback Adapter» via devmgmt.msc , install the latest Npcap).
Hi this is my first time installing NMAP on my PC so I shouldn’t have any old NpCap loopback adapters but I did check device manager and there were no network adapters created by NMAP in my network adapters. I just deleted Zenmap and reinstalled Npcap 1.70 and in the Zenmap installer it told me «npcap 1.70 exists replace with npcap 1.50 instead?» I selected no. Again there is still no network adapters created by Nmap or Zenmap or Npcap.
guyharris commented on January 15, 2023
Nothing on the nmap command line is a pcap filter expression; @dmiller-nmap, @fyodor — any idea what the pcap filter generated by that command line is? If it tests only IP addresses, it should work on all «normal» devices capable of doing IPv4/IPv6, but if it tests something at the link layer such as a MAC address, that won’t work on the loopback device — on what devices would it try to capture traffic?
guyharris commented on January 15, 2023
@dmiller-nmap if NordLynx uses a TAP adapter, could it be providing the wrong link-layer type or something such as that? It looks as if the OpenVPN driver uses NdisMedium802_3, but I don’t know what the driver used for NordVPN does.
LimesKey commented on January 15, 2023
@guyharris On my PC NordVPN installed both a «Tap-NordVPN Windows Adapter - Ethernet 2» and a «NordLynx 2 - NordLynx Tunnel». You're free to also install NordVPN without having an account with them and it'll also install the NordLynx adapter and TAP to your PC if you want to go looking around.
ebeng commented on January 15, 2023
> Ahhh guys I fixed it, you guys didn’t explain it well enough. Npcap doesn’t create a separate network adapter it just links onto a current one’s properties. So what I did was I went to my NordLynx (nordvpn network adapter) and right-clicked properties and on the top of the list, it should say a NpCap in the «This connection uses the following items» then just uninstall the NPCap one. That’s all I did and it fixed the issue.
You bypassed the problem, by disabling npcap on the NordLynx adapter -> this means, you don't NMAP through the VPN anymore.
I have the same issue, can't do NMAP with NORDVPN enabled.
SuLLLivaN commented on January 15, 2023
I installed npcap-0.992, and it fix the problem
NMAP 7.92 with npcap-1.50 installation (instead of 1.60) (nmap issue, closed)
Hi. We will include the then-latest version of Npcap with the next version of Nmap. But you are welcome and encouraged to upgrade to Npcap 1.60 along with Nmap. The most efficient method is to install Npcap 1.60 first so Nmap 1.50 is never installed in the first place. But you can install Npcap later too.
luistorres21es commented on January 15, 2023
Thanks for your reply
As stated before, I installed npcap 1.60 and nmap 7.92. When trying to perform a scan, the following issue appears:
Error compiling our pcap filter: expression rejects all packets
What should I do to fix this error?
Thanks in advance
Scanning network from Wireguard tunnel results in «expression rejects all packets» yet local network scan works without issue (npcap issue, open)
> Is this the same issue as #578? If a Wireguard tunnel reports an NdisMedium type that libpcap's pcap-npf maps to a DLT_ type that the libpcap pcap compiler doesn't fully support, that's an error message that you might get from the pcap compiler.
> I have no idea how I could check the if this is the same value that is in the oem23.inf that is linked in properties of network controller, then it's: *MediaType = 19 ; NdisMediumIP
Yup, that means «packets that begin with an IP header», so it's mapped to DLT_RAW, and the ONLY valid packet types are currently IPv4 packets and IPv6 packets, distinguished by the upper 4 bits of the first octet of the packet. ARP packets are not supported.
> And what was the filter expression?
That's the argument to nmap, not a filter expression generated by nmap. That's a question that would have to be answered by an nmap developer, perhaps by an nmap developer changing nmap to report the generated filter when pcap_compile() fails (hint hint).
> And what is the tool you're using for «scanning»?
> I was referring to nmap which I would like to use to scan the other side of tunnel. I found out that using Wireshark which sadly don't give me the functionality of nmap but use same npcap? (from what I understand) works correct (maybe some kind of workaround?).
The «workaround» is
- in the few cases where Wireshark generates any part of a capture filter, what it generates tests only at the IP layer or above, which isn't by deliberate design, it's by «the stuff it generates is trying to avoid traffic generated by Wireshark itself, which is typically SSH or X11 traffic, so it just filters by host name»;
- you didn't type anything that involves filtering at a layer below the IP layer into any window field that contains capture filter text.
If you were to try to capture on the Wireguard interface with a filter expression such as «arp», or «ether host XXX», or «ether proto 0x0806», or ... you'd get an error.
> Do I understand correctly that for now I cannot use nmap for wireguard tunnels ?
> Or is there a way to scan hosts without using ARP ?
... there's a way to get nmap not to try to use any filter of the aforementioned sort on that interface.
Note that this is neither WinPcap/Npcap-specific nor Windows-specific:
This is on macOS, but you'll get the same results (modulo the particular error message) on any other 4.4-Lite-derived OS, as the loopback interface on those OSes does not have a link-layer type that provides an Ethernet header. On Linux, it does, but unless your software is never ever ever going to run on anything other than Linux, you should not rely on the loopback interface providing an Ethernet header when you capture on it.
guyharris commented on January 15, 2023
> So If I understand correctly the current situation is to wait for/write code that would disable any ARP related actions in nmap.
Or whatever it is that's causing nmap to generate a filter of some sort that isn't supported for packets that begin with an IP header; from a quick look at the code it appears that nmap may do IPv6 Neighbor Discovery and have a capture filter that checks for some multicast MAC address, but there isn't any MAC address in DLT_RAW packets.
guyharris commented on January 15, 2023
Is this the same issue as #578? If a Wireguard tunnel reports an NdisMedium type that libpcap’s pcap-npf maps to a DLT_ type that the libpcap pcap compiler doesn’t fully support, that’s an error message that you might get from the pcap compiler.
guyharris commented on January 15, 2023
And what was the filter expression?
If, as per my guess in #578, a Wireguard interface has NDIS type NdisMediumIP , which maps to libpcap type DLT_RAW , while filter expressions that test the IP layer and above should work, expressions that test stuff below the IP layer, such as anything that tests the link layer, including tests of the packet type that test for anything other than IPv4 or IPv6 packets, will not work.
If, for example, I run the command
where raw-ip-capture.pcap is a file with a link-layer type of LINKTYPE_RAW , which maps to DLT_RAW :
That happens to be on macOS, with a capture made on an unknown system, but the same behavior will occur with a capture on a DLT_RAW interface on any operating system.
guyharris commented on January 15, 2023
And what is the tool you’re using for «scanning»? In Nmap issue #nmap/nmap#2381, it says nmap should «verify that the pcap_datalink() type supports ARP before using ARP scan for host discovery on that link»; if the link-layer type of a Wireguard tunnel is NdisMediumIP , which means «raw IP with no link-layer header», and which thus MUST map to DLT_RAW , that link-layer type does not and cannot support ARP packets — it can’t support filtering for them, and it can’t even support supplying them to programs doing capturing.
bigretromike commented on January 15, 2023
> Is this the same issue as #578? If a Wireguard tunnel reports an NdisMedium type that libpcap's pcap-npf maps to a DLT_ type that the libpcap pcap compiler doesn't fully support, that's an error message that you might get from the pcap compiler.
I have no idea how I could check the if this is the same value that is in the oem23.inf that is linked in properties of network controller, then it's: *MediaType = 19 ; NdisMediumIP
> And what was the filter expression?
nmap 10.255.100.1 the 10.255.100.1 is the wireguard endpoint ip on the other side, and its results in error.
nmap 10.255.100.3 is working fine but that is the ip of wireguard interface itself on my side (local)
nmap 192.168.20.1 is also not working, this is the network on the other side of tunnel which traffic is routed thru wireguard tunnel.
> And what is the tool you're using for «scanning»?
I was referring to nmap which I would like to use to scan the other side of tunnel.
I found out that using Wireshark which sadly don't give me the functionality of nmap but use same npcap? (from what I understand) works correct (maybe some kind of workaround?).
> DLT_RAW , that link-layer type does not and cannot support ARP packets — it can’t support filtering for them, and it can’t even support supplying them to programs doing capturing.
Do I understand correctly that for now I cannot use nmap for wireguard tunnels ?
Or is there a way to scan hosts without using ARP ?
edit: I tried with nmap --disable-arp-ping 10.255.100.1 still Error compiling our pcap filter: expression rejects all packets
guyharris commented on January 15, 2023
It would be best if nmap would avoid doing anything involving MAC addresses — including assuming that a network has MAC addresses and that «ether host»/«ether src»/«ether dst» will work — or packet types other than IPv4 and IPv6, on any link-layer header types other than:
- DLT_EN10MB ;
- DLT_FDDI ;
- DLT_IEEE802 (which, in practice, really means DLT_IEEE802_5 , i.e. 802.5 Token Ring);
- DLT_IEEE802_11 ;
- DLT_PRISM_HEADER ;
- DLT_IEEE802_11_RADIO_AVS ;
- DLT_IEEE802_11_RADIO ;
- DLT_PPI ;
- DLT_IP_OVER_FC .
bigretromike commented on January 15, 2023
@guyharris that is a lot of wisdom you put on me, thank you very much.
So If I understand correctly the current situation is to wait for/write code that would disable any ARP related actions in nmap. ( I was hoping that -disable-arp-ping was that thing).
Until then one could use tools like wireshark and restrain himself from using any filter that use ARP.
Maybe a bad assumption about higher layer is using valid lower layer or maybe technology and non-standard solution (or future standard) went to much ahead of nmap development 👍
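The check that nmap/nmap#2381 asks for, applied to the list of link-layer types given above and to a savefile header like the LINKTYPE_RAW capture mentioned in the thread, as an added example in C (not code from Nmap, Npcap or libpcap). The function names, the constructed sample headers and the rough lexical scan of the filter text are assumptions made for illustration; with libpcap the DLT_ value would come from pcap_datalink().

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DLT_ values as in libpcap's pcap/dlt.h (DLT_RAW is 12 on most platforms,
 * 14 on OpenBSD). Remove this enum when building against <pcap.h>. */
enum {
    DLT_EN10MB = 1, DLT_IEEE802 = 6, DLT_FDDI = 10, DLT_RAW = 12,
    DLT_IEEE802_11 = 105, DLT_PRISM_HEADER = 119, DLT_IP_OVER_FC = 122,
    DLT_IEEE802_11_RADIO = 127, DLT_IEEE802_11_RADIO_AVS = 163, DLT_PPI = 192
};
#define LINKTYPE_RAW 101 /* savefile value that maps to DLT_RAW */

/* Constructed samples: 24-byte classic pcap file headers, not real captures. */
static const unsigned char SAMPLE_RAW_LE[24] = { /* little-endian, linktype 101 */
    0xd4, 0xc3, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00, 0, 0, 0, 0, 0, 0, 0, 0,
    0xff, 0xff, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00 };
static const unsigned char SAMPLE_ETH_BE[24] = { /* big-endian, linktype 1 */
    0xa1, 0xb2, 0xc3, 0xd4, 0x00, 0x02, 0x00, 0x04, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01 };

static uint32_t rd32(const unsigned char *p, int big_endian)
{
    return big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Read the linktype member of struct pcap_file_header (offset 20) in the
 * file's own byte order; -1 for a short buffer or an unknown magic number. */
int savefile_linktype(const unsigned char *hdr, size_t len)
{
    if (hdr == NULL || len < 24)
        return -1;
    switch (rd32(hdr, 0)) {                 /* magic, read as little-endian */
    case 0xa1b2c3d4u: case 0xa1b23c4du: return (int)rd32(hdr + 20, 0);
    case 0xd4c3b2a1u: case 0x4d3cb2a1u: return (int)rd32(hdr + 20, 1);
    default: return -1;
    }
}

/* Of the types used here only LINKTYPE_RAW differs between file and DLT_ form. */
int dlt_from_linktype(int linktype)
{
    return linktype == LINKTYPE_RAW ? DLT_RAW : linktype;
}

/* Link types the thread lists as having MAC addresses and non-IP packets. */
int dlt_has_link_layer(int dlt)
{
    switch (dlt) {
    case DLT_EN10MB: case DLT_FDDI: case DLT_IEEE802: case DLT_IEEE802_11:
    case DLT_PRISM_HEADER: case DLT_IEEE802_11_RADIO_AVS:
    case DLT_IEEE802_11_RADIO: case DLT_PPI: case DLT_IP_OVER_FC:
        return 1;
    }
    return 0;
}

/* Rough lexical scan, not libpcap's grammar: "arp" and "ether ..." are named in
 * the thread, "rarp" is added here. '.', '-', ':' keep host names as one token. */
int filter_needs_link_layer(const char *expr)
{
    char tok[64];
    size_t n = 0;
    for (const char *p = expr; ; p++) {
        unsigned char c = (unsigned char)*p;
        if (c && (isalnum(c) || c == '_' || c == '.' || c == '-' || c == ':')) {
            if (n < sizeof tok - 1) tok[n++] = (char)tolower(c);
            continue;
        }
        tok[n] = '\0';
        if (!strcmp(tok, "arp") || !strcmp(tok, "rarp") || !strcmp(tok, "ether"))
            return 1;
        if (c == '\0')
            return 0;
        n = 0;
    }
}

/* 0 only when the filter tests below the IP layer on a link type without one. */
int filter_usable_on(int dlt, const char *expr)
{
    return !filter_needs_link_layer(expr) || dlt_has_link_layer(dlt);
}

int main(void)
{
    const char *f[] = { "arp", "ether proto 0x0806", "icmp6 or tcp port 80" };
    int dlts[] = { dlt_from_linktype(savefile_linktype(SAMPLE_RAW_LE, 24)),
                   dlt_from_linktype(savefile_linktype(SAMPLE_ETH_BE, 24)) };
    for (int d = 0; d < 2; d++)
        for (int i = 0; i < 3; i++)
            printf("DLT %-3d %-22s %s\n", dlts[d], f[i],
                   filter_usable_on(dlts[d], f[i]) ? "ok" : "needs a link layer");
    return 0;
}
```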
I was going to start Nmap 5.61TEST5 on FreeBSD when it bricked with the following error:
Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-05-02 15:17 WEST
Error compiling our pcap filter: icmp6 not supported
Found that weird because last time I used security/nmap it worked fine, but then again that was something like 3 years ago and the port and the application have been updated since. This led me to think that most likely an OPTION had been introduced to the port:
# cd /usr/ports/security/nmap
# make config
===> No options to configure
While investigating the issue I came across problem report ports/159376: security/nmap 5.59BETA1 not working, which described the cause of the problem: since NMAP 5.59BETA1 there was no option to build the port without IPv6 support.
I was pretty sure I’ve disabled IPv6 and I confirmed that:
# grep INET6 /etc/src.conf
WITHOUT_INET6=YES
Fortunately, since NMAP 5.61TEST2 a patch was added that introduced a workaround for systems built with WITHOUT_INET6 by using net/libpcap.
This is also documented under /usr/ports/security/nmap/Makefile:
# XXX: Workaround if OS is build with WITHOUT_INET6
# PR: ports/159376
#
# Note: If this option is specified in src.conf it has to
# be defined as param -DWITHOUT_INET6 during build time
# since the port system has no access to src.conf
.if defined(WITHOUT_INET6)
LIB_DEPENDS+= pcap.1:${PORTSDIR}/net/libpcap
CONFIGURE_ARGS+= --with-libpcap=${LOCALBASE}
.endif
The -DWITHOUT_INET6 option needs to be passed to make while building the port, like so:
# make deinstall clean
# make -DWITHOUT_INET6 install clean
Nothing like well documented problem reports and Makefiles
{edit: I am cross posting this from my primary thread outside…can some one tell me which is the correct place to post queries like this? Here, or my original thread outside? }
Hello everyone,
I am new to the world of Linux Programming.
As part of learning to use the pcap library, I downloaded a basic libpcap program.
The program is a very basic one, just looks at the available network devices and prints some info on them. The error that gcc gives me says «undefined reference». The details are below.
The program goes like this.
/* ldev.c
   Martin Casado
   Looks for an interface, and lists the network ip
   and mask associated with that interface.
*/
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h> /* GIMME a libpcap plz! */
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(int argc, char **argv)
{
    char *dev;  /* name of the device to use */
    char *net;  /* dot notation of the network address */
    char *mask; /* dot notation of the network mask */
    int ret;    /* return code */
    char errbuf[PCAP_ERRBUF_SIZE];
    bpf_u_int32 netp;  /* ip */
    bpf_u_int32 maskp; /* subnet mask */
    struct in_addr addr;
    /* ask pcap to find a valid device for use to sniff on */
    dev = pcap_lookupdev(errbuf);
    /* error checking */
    if(dev == NULL)
    {
        printf("%s\n",errbuf);
        exit(1);
    }
    /* print out device name */
    printf("DEV: %s\n",dev);
    /* ask pcap for the network address and mask of the device */
    ret = pcap_lookupnet(dev,&netp,&maskp,errbuf);
    if(ret == -1)
    {
        printf("%s\n",errbuf);
        exit(1);
    }
    /* get the network address in a human readable form */
    addr.s_addr = netp;
    net = inet_ntoa(addr);
    if(net == NULL)/* thanks Scott */
    {
        perror("inet_ntoa");
        exit(1);
    }
    printf("NET: %s\n",net);
    /* do the same as above for the device's mask */
    addr.s_addr = maskp;
    mask = inet_ntoa(addr);
    if(mask == NULL)
    {
        perror("inet_ntoa");
        exit(1);
    }
    printf("MASK: %s\n",mask);
    return 0;
}
I saved the file as lcap.c, rather than ldev.c as mentioned by the original author.
On trying to compile with gcc , I get this:
suneil@Family:~/Desktop/code$ gcc -o lcap lcap.c
/tmp/ccGCEcAx.o: In function `main':
lcap.c:(.text+0x2a): undefined reference to `pcap_lookupdev'
lcap.c:(.text+0x82): undefined reference to `pcap_lookupnet'
collect2: ld returned 1 exit status
suneil@Family:~/Desktop/code$
but that error doesn’t make sense, because in the pcap.h header file, the two functions are defined: (scroll down a bit, the defn’s are highlighted)
#ifndef lib_pcap_h
#define lib_pcap_h
#include <sys/types.h>
#include <sys/time.h>
#include <net/bpf.h>
#include <stdio.h>
#ifdef __cplusplus
extern "C" {
#endif
#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4
#define PCAP_ERRBUF_SIZE 256
/*
* Compatibility for systems that have a bpf.h that
* predates the bpf typedefs for 64-bit support.
*/
#if BPF_RELEASE - 0 < 199406
typedef int bpf_int32;
typedef u_int bpf_u_int32;
#endif
typedef struct pcap pcap_t;
typedef struct pcap_dumper pcap_dumper_t;
typedef struct pcap_if pcap_if_t;
typedef struct pcap_addr pcap_addr_t;
/*
* The first record in the file contains saved values for some
* of the flags used in the printout phases of tcpdump.
* Many fields here are 32 bit ints so compilers won’t insert unwanted
* padding; these files need to be interchangeable across architectures.
*
* Do not change the layout of this structure, in any way (this includes
* changes that only affect the length of fields in this structure).
*
* Also, do not change the interpretation of any of the members of this
* structure, in any way (this includes using values other than
* LINKTYPE_ values, as defined in "savefile.c", in the "linktype"
* field).
*
*
*/
struct pcap_file_header {
bpf_u_int32 magic;
u_short version_major;
u_short version_minor;
bpf_int32 thiszone; /* gmt to local correction */
bpf_u_int32 sigfigs; /* accuracy of timestamps */
bpf_u_int32 snaplen; /* max length saved portion of each pkt */
bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */
};
/*
* Each packet in the dump file is prepended with this generic header.
* This gets around the problem of different headers for different
* packet interfaces.
*/
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire) */
};
/*
* As returned by the pcap_stats()
*/
struct pcap_stat {
u_int ps_recv; /* number of packets received */
u_int ps_drop; /* number of packets dropped */
u_int ps_ifdrop; /* drops by interface XXX not yet supported */
};
/*
* Item in a list of interfaces.
*/
struct pcap_if {
struct pcap_if *next;
char *name; /* name to hand to "pcap_open_live()" */
char *description; /* textual description of interface, or NULL */
struct pcap_addr *addresses;
u_int flags; /* PCAP_IF_ interface flags */
};
#define PCAP_IF_LOOPBACK 0x00000001 /* interface is loopback */
/*
* Representation of an interface address.
*/
struct pcap_addr {
struct pcap_addr *next;
struct sockaddr *addr; /* address */
struct sockaddr *netmask; /* netmask for that address */
struct sockaddr *broadaddr; /* broadcast address for that address */
struct sockaddr *dstaddr; /* P2P destination address for that address */
};
typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
const u_char *);
char *pcap_lookupdev(char *);
int pcap_lookupnet(char *, bpf_u_int32 *, bpf_u_int32 *, char *);
pcap_t *pcap_open_live(char *, int, int, int, char *);
pcap_t *pcap_open_dead(int, int);
pcap_t *pcap_open_offline(const char *, char *);
void pcap_close(pcap_t *);
int pcap_loop(pcap_t *, int, pcap_handler, u_char *);
int pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
const u_char*
pcap_next(pcap_t *, struct pcap_pkthdr *);
int pcap_stats(pcap_t *, struct pcap_stat *);
int pcap_setfilter(pcap_t *, struct bpf_program *);
int pcap_getnonblock(pcap_t *, char *);
int pcap_setnonblock(pcap_t *, int, char *);
void pcap_perror(pcap_t *, char *);
char *pcap_strerror(int);
char *pcap_geterr(pcap_t *);
int pcap_compile(pcap_t *, struct bpf_program *, char *, int,
bpf_u_int32);
int pcap_compile_nopcap(int, int, struct bpf_program *,
char *, int, bpf_u_int32);
void pcap_freecode(struct bpf_program *);
int pcap_datalink(pcap_t *);
int pcap_snapshot(pcap_t *);
int pcap_is_swapped(pcap_t *);
int pcap_major_version(pcap_t *);
int pcap_minor_version(pcap_t *);
/* XXX */
FILE *pcap_file(pcap_t *);
int pcap_fileno(pcap_t *);
pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
void pcap_dump_close(pcap_dumper_t *);
void pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);
int pcap_findalldevs(pcap_if_t **, char *);
void pcap_freealldevs(pcap_if_t *);
/* XXX this guy lives in the bpf tree */
u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
int bpf_validate(struct bpf_insn *f, int len);
char *bpf_image(struct bpf_insn *, int);
void bpf_dump(struct bpf_program *, int);
#ifdef __cplusplus
}
#endif
#endif
Am i doing something wrong in my compile process? Help/Suggestions please on how to get this working.
Thanks,
Nuttycat
EDIT:
Just for info:
About 10 mins before I ran the compile process, I got the libpcap devl lib using apt-get
suneil@Family:/$ sudo apt-get install libpcap-dev
This installed without any errors.
I am writing a packet sniffer program using libpcap library on the «wlan» interface. I wanted to filter captured packets so that only Beacon frames would be processed. So, I wrote the following code for that:
const char *str = "wlan subtype beacon";
printf("debug stmt1\n");
struct bpf_program *fp;
printf("debug stmt2\n");
if(pcap_compile(pkt_handle, fp, str, 1, PCAP_NETMASK_UNKNOWN)==-1)
{
    pcap_perror(pkt_handle, "Compile");
}
printf("debug stmt3\n");
But on compiling, I get a segmentation fault on the pcap_compile() statement:
debug stmt1
debug stmt2
Segmentation fault
So, what could be the problem?
Operating System: Ubuntu 10.10
Update:
I moved pcap_compile() statement before pcap_activate() statement. The program works fine and captures only Beacon frames. But, still pcap_compile() seems to be returning -1 and I get the following statement in the output:
Compile: 802.11 link-layer types supported only on 802.11
What could be the problem? I am using Netgear USB wireless card.
Update2:
As suggested by nos, I made the following change:
struct bpf_program *fp = (struct bpf_program *)malloc(sizeof(struct bpf_program));
But, still I am getting the same message:
Compile: 802.11 link-layer types supported only on 802.11
Any idea what does that message mean?
Update 3:
I also included the following code to make sure that my pcap handle is pointing to the correct interface:
int *dlt_buf;
int n;
n = pcap_list_datalinks(pkt_handle, &dlt_buf);
printf("n = %d\n",n);
if(n == -1)
{
    pcap_perror(pkt_handle, "Datalink_list");
}
else
{
    printf("The list of datalinks supported are\n");
    int i;
    for(i=0; i<n; i++)
        printf("%d\n",dlt_buf[i]);
    const char *str1 = pcap_datalink_val_to_name(dlt_buf[0]);
    const char *str2 = pcap_datalink_val_to_description(dlt_buf[0]);
    printf("str1 = %s\n",str1);
    printf("str2 = %s\n",str2);
    pcap_free_datalinks(dlt_buf);
}
This is the output I got:
n = 1
The list of datalinks supported are
127
str1 = IEEE802_11_RADIO
str2 = 802.11 plus radiotap header
So, my pcap handle is pointing to the correct interface. But still I am getting that error message.