the-tcpdump-group / libpcap

the LIBpcap interface to various kernel packet capture mechanism
https://www.tcpdump.org/

Enumeration of "any" device by "pcap_findalldevs" is undocumented. #1055

Open raybellis opened 3 years ago

raybellis commented 3 years ago

In the current master branch, the special addition of the Linux "any" pseudo-device by the platform specific implementation of pcap_findalldevs to the list of returned devices is not documented. This might confuse people using the list to individually open all devices, only to find that "any" also does this.

infrastation commented 3 years ago

Would you like to prepare a patch for the man page?

raybellis commented 3 years ago

I guess I could learn enough ROFF to do that. In 30+ years using UNIX systems I've always managed to avoid it...

guyharris commented 3 years ago

The first question is whether this belongs in that man page or in some other man page, such as the top-level pcap man page. There might be people who aren't planning on writing a capture program that captures on every device listed by pcap_findalldevs() - or on writing any capture program at all - but want to capture on all devices. (Note that, at least with Apple's libpcap, newer versions of macOS also support an "any" device.)

Bear in mind that the "any" device captures on all network interfaces known to the networking stack, but not necessarily on all devices supported by libpcap, e.g. DAG devices, DPDK devices, RDMA sniffing devices, D-Bus, USB buses, etc. aren't supported by "any" (because "any" is implemented at the network stack level on Linux, by not binding the PF_PACKET socket to a particular device, and implemented using PKTAP, which is network-interface-specific, on macOS).

guyharris commented 3 years ago

So perhaps the page just generally needs to note that not everything listed by pcap_findalldevs() corresponds to a specific network interface.

infrastation commented 3 years ago

@raybellis, here is a starting point to save you some time.

raybellis commented 3 years ago

@infrastation thanks, but I think I'll wait until Guy has declared what the real fix is...

infrastation commented 2 years ago

On a related note, Solaris now supports the "any" pseudo-interface too, or so they say.

infrastation commented 2 years ago

It seems best to explain the pseudo-interface in both tcpdump and libpcap man pages, as the intended audiences often do not intersect. Commit the-tcpdump-group/tcpdump@de27d59 makes some clarifications in the tcpdump man page.

infrastation commented 2 months ago

Alright, now pcap_create(3PCAP) has the same comment about "any" as pcap_open_live(3PCAP). Perhaps this is not the ideal way to document it, but it is a bit better than discussing Linux 2.2 and later only.

guyharris commented 2 months ago

> On a related note, Solaris now supports the "any" pseudo-interface too, or so they say.

They say so elsewhere, too - see https://github.com/the-tcpdump-group/tcpdump/issues/1057

infrastation commented 2 months ago

As it turns out, "any" works on the current Solaris CBE (11.4.42.111.0), so it is easy to verify this behaviour. Speaking of the existing documentation prose, the tcpdump man page still has one place that says "Linux systems with 2.2 or later kernels". Let me fix that. In the libpcap man pages I do not see any existing prose that needs an update; if you see a good place for new prose, please add it.

infrastation commented 2 months ago

Done in the-tcpdump-group/tcpdump@70e4bc7.