This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Static linking of libpcap while compilation of tshark

0

Hi,

I am compiling tshark (1.6.4) without wireshark. I am using the following configure option:

./configure --with-ssl=/usr --with-krb5 --disable-wireshark --disable-gtk2 --disable-editcap --disable-idl2wrs --disable-ipv6 --enable-setuid-install --libdir=/usr/lib64

On my build server libpcap-devel 1.3.0 is installed. But the production system (on which the tshark rpm will be installed) has libpcap version 0.9.4 installed. When I install the tshark rpm (created on the build server) on the production system, it gives an error message that libpcap.so.1(64 bit) not found.

I cannot upgrade the libpcap version on the production system.

Can I do static linking of libpcap with the tshark binary while compiling tshark, so that I don't need libpcap on the production system?

Thanks

asked 16 Apr '13, 23:24

friends

What version of what OS are your build server and your production system running? From "tshark rpm", I assume the production system is running some Linux distribution that uses RPMs.

What do ls -l /usr/lib64/libpcap.so* /usr/lib/libpcap.so* print on the build server and on the production machine?

(17 Apr '13, 10:34) Guy Harris ♦♦

Output of ls commands:

lrwxrwxrwx 1 root root     16 Apr 18 13:59 /usr/lib64/libpcap.so -> libpcap.so.0.9.4
lrwxrwxrwx 1 root root     16 Jul  6  2011 /usr/lib64/libpcap.so.0 -> libpcap.so.0.9.4
lrwxrwxrwx 1 root root     16 Jul  6  2011 /usr/lib64/libpcap.so.0.9 -> libpcap.so.0.9.4
-rwxr-xr-x 1 root root 171848 Nov 11  2009 /usr/lib64/libpcap.so.0.9.4

My production system and build server are using RHEL 5.7. On both the server libpcap 0.9.4 is installed. But when I compile tshark using libpcap-devel 0.9.4 and install the rpm, then it gives memory corruption error.

TShark 1.6.14 (SVN Rev Unknown from unknown)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.12.3, with libpcap (version unknown), with libz 1.2.3, with POSIX capabilities (Linux), without libpcre, without SMI, without c-ares, without ADNS, without Lua, without Python, without GnuTLS, with Gcrypt 1.4.4, with MIT Kerberos, without GeoIP. NOTE: this build doesn't support the "matches" operator for Wireshark filter syntax.

Running on Linux 2.6.18-274.18.1.el5, with libpcap version 0.9.4, with libz 1.2.3.

Error: *** glibc detected *** tshark: double free or corruption (fasttop): 0x000000000c135a40 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3707a7247f]
/lib64/libc.so.6(cfree+0x4b)[0x3707a728db]
/usr/lib64/libwiretap.so.1(wtap_close+0x39)[0x2b869b7e2439]
/usr/lib64/libwiretap.so.1(wtap_open_offline+0x28b)[0x2b869b7c68ab]
tshark(cf_open+0x55)[0x424385]
tshark(main+0x1a91)[0x427cf1]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3707a1d9b4]
tshark(register_all_protocol_handoffs+0xc31)[0x40d4b9]

(18 Apr '13, 04:42) friends

> My production system and build server are using RHEL 5.7. On both the server libpcap 0.9.4 is installed.

But you said earlier that

> On my build server libpcap-devel 1.3.0 is installed.

So do you mean that, on the build server, you have libpcap 0.9.4 and libpcap-devel 1.3.0 installed? That sounds inconsistent - shouldn’t the same version of libpcap and libpcap-devel be installed?

(18 Apr '13, 09:22) Guy Harris ♦♦


3 Answers:

1

You could remove the dynamic libpcap.so files on your compile server, forcing the linker to use the static one.

answered 17 Apr '13, 07:33

JeffMorriss ♦

I'd be more inclined to temporarily rename them, and then move them back, in case somebody wants to run, on that machine, a program dynamically linked with libpcap. Renaming and then renaming them back still leaves a window in which those programs won't work, but it's only open while Wireshark is being built.

(17 Apr '13, 10:31) Guy Harris ♦♦

I compiled tshark with static linking of libpcap 1.3.0.

$ tshark -v
TShark 1.6.14 (SVN Rev Unknown from unknown)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.12.3, with libpcap (version unknown), with libz 1.2.3, with POSIX capabilities (Linux), without libpcre, without SMI, without c-ares, without ADNS, without Lua, without Python, without GnuTLS, with Gcrypt 1.4.4, with MIT Kerberos, without GeoIP. NOTE: this build doesn't support the "matches" operator for Wireshark filter syntax.

Running on Linux 2.6.18-274.18.1.el5, with libpcap version 0.9.4, with libz 1.2.3.

============

When I am running tshark, it throws memory corruption error:

$ cat file.pcap | tshark -r - -R"gsm_map"
*** glibc detected *** tshark: double free or corruption (fasttop): 0x0000000008ec6a20 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3707a7247f]
/lib64/libc.so.6(cfree+0x4b)[0x3707a728db]
/usr/lib64/libwiretap.so.1(wtap_close+0x39)[0x2b93f2ce4439]
/usr/lib64/libwiretap.so.1(wtap_open_offline+0x28b)[0x2b93f2cc88ab]
tshark(cf_open+0x55)[0x421375]
tshark(main+0x1a91)[0x424cb1]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3707a1d9b4]
tshark(register_all_protocol_handoffs+0xae9)[0x40a729]
======= Memory map: ========
00400000-00435000 r-xp 00000000 68:02 6777031                            /usr/local/bin/tshark
00635000-00636000 rw-p 00035000 68:02 6777031                            /usr/local/bin/tshark
00636000-0064b000 rw-p 00636000 00:00 0
080a9000-08f01000 rw-p 080a9000 00:00 0                                  [heap]
3707600000-370761c000 r-xp 00000000 68:02 5243201                        /lib64/ld-2.5.so
370781c000-370781d000 r--p 0001c000 68:02 5243201                        /lib64/ld-2.5.so
370781d000-370781e000 rw-p 0001d000 68:02 5243201                        /lib64/ld-2.5.so
3707a00000-3707b4e000 r-xp 00000000 68:02 5243202                        /lib64/libc-2.5.so
(18 Apr '13, 03:49) friends

0

If your OS has a linker that's not stupid, i.e. a linker that allows you to specify that certain particular libraries be linked statically without requiring that everything be linked statically, it should be possible to link libpcap statically. That would require that you manually edit the Makefile; you'd put, for example, "-Bstatic" before "-lpcap" and "-Bdynamic" after it.

Finding the appropriate places to edit is left as an exercise for the reader (i.e., I'm not going to provide any more help here).

answered 17 Apr '13, 00:25

Guy Harris ♦♦

Thanks for your response..

Is there any parameter supported which can be passed to configure script??

Whenever I create tshark rpm, it does configure, make, install and build rpm. Manually modifying Makefile will not be feasible.

(17 Apr '13, 03:44) friends

No, there's no configure parameter for that.

The way to do this kind of thing when building RPMs is to create a patch against the Makefile and apply it in the RPM spec file (e.g., after 'configure' but before 'make').

(17 Apr '13, 07:34) JeffMorriss ♦
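
The Makefile edit discussed in this answer and its comments, sketched as an added shell example (not part of the original thread and not Wireshark's own build code). It assumes the generated Makefile references libpcap as a plain `-lpcap` token, that the link goes through a GCC-style driver where the linker options are spelled `-Wl,-Bstatic` / `-Wl,-Bdynamic`, and that a static `libpcap.a` is present on the build host; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed for illustration.

# Rewrite bare "-lpcap" tokens on stdin so that only libpcap is linked
# statically. The first expression unwraps earlier rewrites, which keeps the
# filter idempotent when the spec file's build step is re-run.
wrap_pcap_static() {
    sed -E \
        -e 's/-Wl,-Bstatic +-lpcap +-Wl,-Bdynamic/-lpcap/g' \
        -e 's/(^|[[:space:]=])-lpcap([[:space:]]|$)/\1-Wl,-Bstatic -lpcap -Wl,-Bdynamic\2/g'
}

# Read `readelf -d <binary>` output on stdin; succeed if the binary still
# carries a NEEDED entry for a shared libpcap (the entry from which RPM
# derives the libpcap.so.1 dependency).
links_pcap_dynamically() {
    grep -Eq '\(NEEDED\).*\[libpcap\.so'
}

# Patch a generated Makefile in place (run after configure, before make).
patch_makefile() {
    mf=$1
    tmp=$(mktemp) || return 1
    wrap_pcap_static < "$mf" > "$tmp" && cat "$tmp" > "$mf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed Makefile fragment (not taken from Wireshark's tree).
demo() {
    printf 'PCAP_LIBS = -lpcap\nLIBS = -lz -lpcapng\n' | wrap_pcap_static
}
demo
```

In an RPM spec file, `patch_makefile Makefile` would sit between `configure` and `make`, and `readelf -d tshark | links_pcap_dynamically` after the build shows whether a shared libpcap dependency remains.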

0

> On both the server libpcap 0.9.4 is installed. But when I compile tshark using libpcap-devel 0.9.4

...which is what you should be doing; the libpcap-devel version should match the libpcap version!

> and install the rpm, then it gives memory corruption error.

...which almost certainly has nothing whatsoever to do with the libpcap-devel version, given that you're getting the same crash when building with a later version of libpcap.

That's probably just a Wireshark bug; try building a newer version of TShark than 1.6.4, such as the current version, 1.8.6 - perhaps the bug will be fixed in that version.

(By the way, unless you're trying to test whether TShark can read from a pipe, doing

cat file.pcap | tshark -r - -R"gsm_map"

is silly; you could just do

tshark -r file.pcap -R"gsm_map"

This is what's called a "useless use of cat".)

answered 18 Apr '13, 09:27

Guy Harris ♦♦

edited 18 Apr '13, 09:34