
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

4 votes
1 answers
7222 views
Snort PCAP file analysing doesn't write to alert file
I'm using snort in my Ubuntu 14.04 virtual machine. This is how I installed snort:
```
sudo apt-get update
sudo apt-get install snort
```
I haven't changed `/etc/snort/snort.conf` or the rules file. They remain as the default, and I did the PCAP reading using the following command:
```
sudo /usr/sbin/snort -d -l /var/log/snort -c /etc/snort/snort.conf -r /home/navarathna/Downloads/cap2.pcap
```
The PCAP file is successfully read and a snort.log file is created, but the size of that file is 0 bytes. When I installed snort, there was no alert file in the /var/log/snort directory, so I created one and gave owner permission to snort as follows:
```
sudo chown snort.snort alert
```
After the PCAP reading, both the snort.log and alert files have no content (although the snort.log modified date changes to the last read date and time). Their sizes are 0 bytes. What am I doing wrong here? Do I need to make some additional changes to the rules/snort.conf files?
A.M.N.Bandara (141 rep)
Jan 29, 2015, 04:33 PM • Last activity: May 27, 2025, 07:08 AM
0 votes
0 answers
3630 views
Installing the latest version of libpcap & libpcap-dev
In my docker container I run the following command to install libpcap: `apt-get install -y libpcap-dev`. When I run `apt list --installed` I see this weird output:
```
libpcap-dev/oldstable,now 1.8.1-6 amd64 [installed]
libpcap0.8-dev/oldstable,now 1.8.1-6 amd64 [installed,automatic]
libpcap0.8/oldstable,now 1.8.1-6 amd64 [installed,automatic]
```
Does anyone know why it shows "oldstable" and then "now"? Also, how do I force the installation of the latest version of libpcap and libpcap-dev? I've been searching all over but can't figure it out. Thanks! P.S. I'm doing the installation inside a Docker container.
Vladimir (81 rep)
Aug 31, 2021, 08:12 PM • Last activity: Oct 29, 2024, 12:23 AM
0 votes
0 answers
46 views
Interest in High-Precision Linux Packet Replay Tool Using SO_TXTIME?
I’ve recently completed a thesis on developing a Linux-based Ethernet packet replay program that achieves high precision using the SO_TXTIME kernel option. This program is designed to replicate network packets, especially UDP packets, with accuracy in the low microseconds to nanoseconds range. Its primary goal is to enable precise replay and analysis of various network errors. Before I publish my work, I’d like to gauge if there’s interest in such a tool. The code is functional and in good shape, but I still need to refactor it a bit. If this topic intrigues you or if you have any specific questions or feedback, please let me know! Thanks in advance!
Thomba (1 rep)
Aug 6, 2024, 02:43 AM
2 votes
5 answers
14146 views
Why is tcpdump output file empty?
On my Red Hat Enterprise Linux Server release 6.5, when saving a tcpdump capture to a file with the -w option, the resulting file is empty:
```
[root@plop ~]# tcpdump -n -w tcpdump.cap
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C217 packets captured
217 packets received by filter
0 packets dropped by kernel
[root@plop ~]# cat tcpdump.cap
[root@plop ~]# ll tcpdump.cap
-rw-r-----. 1 root root 0 Aug 25 14:13 tcpdump.cap
[root@plop ~]#
```
I also tried to redirect the output of the command with > and &>, but I always get an empty file... What could be the reason for this?

NB:
- I can see correct output in the terminal (many packets) when not redirecting to a file
- I did the same with tshark and it worked as expected (the output file was correct)
- The version of tcpdump is tcpdump version 4.1-PRE-CVS_2012_02_01
- The version of libpcap is libpcap version 1.4.0
- I tried with the -U option; it didn't fix the problem.
sdabet (1061 rep)
Aug 25, 2015, 09:56 AM • Last activity: Oct 5, 2023, 12:45 AM
0 votes
0 answers
50 views
mixup TCP sessions in pcap file to new pcap file
I need to shuffle TCP sessions from a pcap file to a new file. How can I do it? The following scripts don't work for me.

--------------------

To mix up sessions in a pcap file using Tshark or Wireshark, you can use the following steps:

1. Rename the original pcap file to something else (optional): This step is not necessary but can help keep track of the original pcap file. You can use the following command to rename the file:
```shell
mv original.pcap original_original.pcap
```
2. Extract individual sessions from the original pcap file using Tshark: Use Tshark to extract individual sessions from the original pcap file into separate pcap files, like this:
```shell
tshark -r original_original.pcap -Y "tcp.stream == X" -w session_X.pcap
```
Replace X with the desired session number. Repeat this command for each session you want to extract, incrementing X accordingly.
3. Mix up the extracted pcap files: Use a bash script to randomly concatenate the extracted pcap files into a new mixed-up pcap file. Here is an example script (mixup_pcap.sh) that uses the shuf command to shuffle the filenames randomly and then appends them to a new file:
```bash
#!/bin/bash
output_pcap="mixed_sessions.pcap"
session_files=(session_*.pcap)

# Randomly shuffle the session files
shuffled_files=($(shuf -e "${session_files[@]}"))

# Concatenate the shuffled pcap files into a new mixed-up pcap file
for file in "${shuffled_files[@]}"; do
    cat "$file" >> "$output_pcap"
done

echo "Mixed-up pcap file created: $output_pcap"
```
Save the above script to mixup_pcap.sh, make it executable using chmod +x mixup_pcap.sh, and then run it using ./mixup_pcap.sh.
4. Analyze the mixed-up pcap file: You can open the generated mixed-up pcap file (mixed_sessions.pcap) in Wireshark or use Tshark to analyze it further.

Note: Make sure you have Tshark installed on your system to execute the above steps.
Mexanizm456 (41 rep)
Sep 21, 2023, 01:41 PM • Last activity: Sep 21, 2023, 02:52 PM
1 votes
0 answers
64 views
Issues with BPF filters and 6to4 traffic
I have a pcap file captured with tcpdump: `tcpdump -w out.pcap -ni eno1 host 192.88.99.1`. I can view the pcap:
```
rful011@secmonprd13:~$ tcpdump -nr out.pcap -tttt | head
reading from file andy.tcpd, link-type EN10MB (Ethernet)
2023-04-11 11:54:52.046310 IP 130.216.15.171 > 192.88.99.1: IP6 2002:82d8:fab::82d8:fab > 2002:c058:6301::c058:6301: ICMP6, echo request, seq 43217, length 8
2023-04-11 11:54:52.164305 IP 192.88.99.1 > 130.216.15.171: IP6 2002:c058:6301::1 > 2002:82d8:fab::82d8:fab: ICMP6, time exceeded in-transit for 2002:c058:6301::c058:6301, length 56
2023-04-11 11:54:52.165665 IP 130.216.15.171 > 192.88.99.1: IP6 2002:82d8:fab::82d8:fab > 2002:c058:6301::c058:6301: ICMP6, echo request, seq 43218, length 8
```
but any attempt to filter results in no output:
```
rful011@secmonprd13:~$ tcpdump -nr out.pcap -tttt ip6 net 2002::/16 | head
reading from file andy.tcpd, link-type EN10MB (Ethernet)
rful011@secmonprd13:~$
```
I came across this while investigating why I was not seeing the 6to4 traffic in Arkime -- in that case I had a BPF filter selecting TCP and this filtered out all 6to4 traffic. After removing the TCP filter, Arkime logged the 6to4 traffic. This issue seems to be with libpcap? It happens on my Ubuntu boxes *and* I get the same behaviour on my Mac! I can see why filtering on any protocol would filter out 6to4, so how can I construct a BPF filter that will capture the 6to4 traffic while allowing me to filter other traffic normally?
Russell Fulton (231 rep)
Apr 11, 2023, 07:53 PM • Last activity: Apr 11, 2023, 08:15 PM
1 votes
1 answers
819 views
Can `tcpdump ether host` filter with a mask to get, for example, hosts with a specific OUI?
I'm trying to filter traffic by `src ether host` to see all devices with a specific MAC prefix. If this were like IP, it might filter with `src ether host aa:bb:cc:00:00:00/24` to see OUIs matching `aa:bb:cc`... but it doesn't like that. **Is there a way to match by MAC prefix or mask?** In case it matters: this is for Wi-Fi, so technically it's an SA address that you can see if you scroll to the right (tcpdump puts that in the src ether host field).
```
13:12:48.139316 1.0 Mb/s 2412 MHz 11b -41dBm signal -41dBm signal antenna 0 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:aa:bb:cc:84:05:7c Probe Request (emporia) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit]
```
KJ7LNW (525 rep)
Feb 6, 2023, 09:21 PM • Last activity: Feb 6, 2023, 10:20 PM
1 votes
1 answers
167 views
GeoIP not working when processing PCAP with tshark as su
I am working with lots of PCAP files and trying to convert them into .tsv files for tabular analysis. So I'm using tshark in an Ubuntu 22 VirtualBox machine to dissect each packet. I have a bash command that I use within a `for` loop to process each PCAP file.
```
tshark -r "${pcapFile}" -2 \
    -T fields \
    -E separator=/t \
    -E header=y \
    -E quote=d \
    -e frame.time_epoch \
    -e _ws.col.Info \
    -e _ws.col.Protocol \
    -e ip.src \
    -e ip.dst \
    -e ip.proto \
    -e ip.version \
    -e ip.hdr_len \
    -e ip.src_host \
    -e ip.dst_host \
    -e ip.geoip.dst_city \
    -e ip.geoip.dst_country_iso \
    -e ip.geoip.dst_asnum \
    -e ip.geoip.src_city \
    -e ip.geoip.src_country_iso \
    -e ip.geoip.src_asnum \
    -e eth.src \
    -e eth.dst > "${OUTPUT_FOLDER}/$(unknown).tsv"
```
I'm encountering some strange results.

1. When I run this command as sudo the processing runs *much* faster than when I run without sudo.
2. When I run this command as sudo, the geoip fields are empty, but when I run without sudo they are filled.

I'm hoping to get the best of both worlds here, since I have many pcap files to process and would like it to move quickly, but also, I very much want the geoip information. Why can't I get the geoip fields as sudo and/or why doesn't the processing run as quickly without sudo?

tshark version: 3.6.7-1~ubuntu22.04.0+wiresharkdevstable
wireshark version: 3.6.7-1~ubuntu22.04.0+wiresharkdevstable
System specs: 12 CPU, 24 GB RAM, Ubuntu 22.04
CopyOfA (123 rep)
Dec 22, 2022, 11:50 PM • Last activity: Dec 23, 2022, 03:59 AM
1 votes
1 answers
1046 views
How do I generate a Snort pcap file?
I am new to using snort and still learning in university. I am wondering after I find an intrusion how can I log it and save it as a pcap file? What would the syntax look like to do this? So I can analyze it further with Wireshark. I am doing what the guy is doing in the video below with two virtual machines. This is for an at home lab. Here is the video, https://youtu.be/iBsGSsbDMyw
Albion69 (21 rep)
Nov 26, 2022, 06:13 AM • Last activity: Nov 27, 2022, 03:26 PM
0 votes
1 answers
596 views
USB device shows nothing in dmesg when connected, disables port
I have an embedded Linux USB host which refuses to detect a number of my USB devices. The host is running Ubuntu 20.04 LTS. Nothing shows up in dmesg during a failed detection, and afterward the USB port is unusable for any USB device until the host is rebooted. Some devices are detected by the host, including mass storage devices and a webcam (with imaging and audio interface). Devices which have failed include a Zoom H1n audio recorder, a USB-to-serial adaptor cable, and this device. All the devices which fail are detected successfully by my Windows laptop, Ubuntu desktop, and another sama5d27-based embedded Linux SBC running Debian. As I understand it, this isn't a matter of missing kernel modules, as unrecognized/unsupported devices should still be reported in dmesg. I installed usbmon and captured this trace when connecting one device. Here is a pcap representation.
```
c24a4900 803906549 S Ci:1:001:0 s a3 00 0000 0001 0004 4 <
c24a4900 803906679 C Ci:1:001:0 0 4 = 00010000
c24a4900 803906728 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4900 803906760 C Ci:1:001:0 0 4 = 01050100
c24a4900 803906792 S Co:1:001:0 s 23 01 0010 0002 0000 0
c24a4900 803906822 C Co:1:001:0 0 0
c24a4900 803906849 S Ci:1:001:0 s a3 00 0000 0003 0004 4 <
c24a4900 803906874 C Ci:1:001:0 0 4 = 00010000
c1e14580 804020108 S Ii:1:001:1 -115:2048 4 <
c24a4900 804020218 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4900 804020293 C Ci:1:001:0 0 4 = 01050000
c24a4900 804020409 S Co:1:001:0 s 23 03 0004 0002 0000 0
c24a4900 804020472 C Co:1:001:0 0 0
c24a4400 804100105 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c1e14580 804100183 C Ii:1:001:1 0:2048 1 = 04
c1e14580 804100209 S Ii:1:001:1 -115:2048 4 <
c24a4400 804100749 C Ci:1:001:0 0 4 = 01051000
c24a4400 804100826 S Co:1:001:0 s 23 03 0004 0002 0000 0
c24a4400 804100875 C Co:1:001:0 0 0
c24a4400 804320164 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4400 804320239 C Ci:1:001:0 0 4 = 00010100
c24a4400 804540102 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4400 804540175 C Ci:1:001:0 0 4 = 00010100
c24a4400 804760112 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4400 804760185 C Ci:1:001:0 0 4 = 00010100
c24a4400 804980144 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4400 804980220 C Ci:1:001:0 0 4 = 00010100
c24a4400 804980262 S Co:1:001:0 s 23 01 0014 0002 0000 0
c24a4400 804980294 C Co:1:001:0 0 0
c24a4400 804980329 S Co:1:001:0 s 23 01 0001 0002 0000 0
c24a4400 804980359 C Co:1:001:0 0 0
c24a4400 804980413 S Co:1:001:0 s 23 01 0001 0002 0000 0
c24a4400 804980447 C Co:1:001:0 0 0
c24a4400 804980517 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4400 804980556 C Ci:1:001:0 0 4 = 00010100
c24a4400 804980586 S Co:1:001:0 s 23 01 0010 0002 0000 0
c24a4400 804980616 C Co:1:001:0 0 0
c24a4400 804980648 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4400 804980678 C Ci:1:001:0 0 4 = 00010000
c24a4400 805030147 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4400 805030221 C Ci:1:001:0 0 4 = 00010000
c24a4400 805080107 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4400 805080176 C Ci:1:001:0 0 4 = 00010000
c24a4400 805130098 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4400 805130167 C Ci:1:001:0 0 4 = 00010000
c24a4400 805180127 S Ci:1:001:0 s a3 00 0000 0002 0004 4 <
c24a4400 805180195 C Ci:1:001:0 0 4 = 00010000
c1e14580 805180329 C Ii:1:001:1 -2:2048 0
```
The last line represents an error status -2 ENOENT, which means "specified interface or endpoint does not exist or is not enabled", and this is sent by the device to the host. What does this mean? Why is the host failing to detect this device?
davegravy (193 rep)
Aug 9, 2022, 02:08 AM • Last activity: Aug 12, 2022, 03:01 PM
0 votes
1 answers
708 views
Error: Invalid output format: IVS and PCAP format cannot be used together
I'm using aircrack-ng to capture a handshake on a WPA2 access point. I would like to write the outfile in pcap format, but I keep getting errors. I've tried reinstalling aircrack-ng using versions from github and arch repository. I ultimately want to save the outfile in hccapx format for cracking with hashcat.
```shell
## OS: Arch Linux x86_64
## Kernel: 5.18.12-zen1-1-zen

## Name: aircrack-ng-git
## Version: 20220715.76370d0e-1

sudo airmon-ng start wlan1
# (mac80211 monitor mode already enabled for [phy1]wlan1 on [phy1]10)

sudo airodump-ng  -i wlan1 -c 6 --essid $ESSID --write "$ESSID-log" --output-format pcap
# Invalid output format: IVS and PCAP format cannot be used together.

sudo airodump-ng  -i wlan1 -c 6 --essid $ESSID --write "$ESSID-log"
# outfile: $ESSID-log.ivs

sudo airodump-ng  -i wlan1 -c 6 --essid $ESSID --write "$ESSID-log" --output-format kismet
# outfile: $ESSID-log.kismet.csv
# outfile: $ESSID-log.csv
```
Dominic (329 rep)
Jul 27, 2022, 09:08 PM • Last activity: Jul 27, 2022, 09:20 PM
1 votes
1 answers
991 views
How to send pcap file to ethernet
I have a pcap file and need to send it to specific interface.
How can I do it?
PersianGulf (11308 rep)
Feb 15, 2022, 01:48 PM • Last activity: Feb 15, 2022, 03:02 PM
0 votes
2 answers
25 views
extract application name from rawpacket
Sounds dumb, but can you extract application name from a packet/pcap. For eg: If a packet destination is to chrome process, can you extract that information from packet?
Fight Daily (1 rep)
Nov 29, 2021, 07:25 PM • Last activity: Nov 29, 2021, 08:18 PM
1 votes
1 answers
395 views
TShark pcap filter command possibly simplified?
Object: to find the IP addresses of HTTP servers in a pcap file with a specific header string. Can or should the -l option to flush be used? One way: the following was done but am wondering if it can be shortened. If this question is too broad, please advise.
```
tshark -r file.pcap -T fields -e ip.src -e http.server > name.txt &&
  cat name.txt | sort | uniq -c | sort -nr | grep "xxx_xxx"
```
stonetwigger (113 rep)
Oct 9, 2021, 01:03 AM • Last activity: Oct 9, 2021, 05:58 AM
0 votes
0 answers
557 views
tc traffic shaping with HTB and CQB causes packet transmission gap inconsistencies
I am sorry if this is a duplicate of https://serverfault.com/q/1076769/822163 . I created that first and then realized the Linux and Unix Stack Exchange is the right place.

Problem: When the tc HTB or CQB is used to do traffic shaping, the first two packets that are sent after some time gap are sent back to back, as recorded in the pcap log.

I have an intermediate computer with Ubuntu 18.4 with network forwarding enabled. I run tc with HTB to shape the traffic to have constant bitrate output on the egress port. The client requests chunks with variable sizes from the server. The server sends the chunk transfer encoded data with a gap of 200ms between each chunk to the client. With my setup having the intermediate computer, these packets are passed through the traffic shaper on the intermediate computer to obtain a fixed bitrate of 500kbps. As I disable offload (TSO and GRO), each n bytes are split into frames by pcap. Most of the 1448B packets have a time gap close to 24.224ms, which is expected at 500kbps.

Issue: Although the frames arrive in sequence, their time gap of arrival is not consistent. The second large packet (1448B) after the gap of 200ms always comes almost back to back with the first packet. The last packet in the chunk (654B) arrives with delay (24.224ms instead of 10.464ms in the example in the picture attached).

Screen shot of the timings: Timing gaps between the packets.

TC command with HTB:
```
tc qdisc del dev eno1 root 2> /dev/null > /dev/null
tc qdisc add dev eno1 root handle 1:0 htb default 2
tc class add dev eno1 parent 1:1 classid 1:2 htb rate 500kbit ceil 500kbit burst 10 cburst 10 prio 2
tc filter add dev eno1 protocol ip parent 1:0 u32 match ip dst 192.168.2.103 flowid 1:2
```
If I am not making any mistake in the calculation, I think the issue could be due to the token handling in tc that I am using for traffic shaping. I think the tokens are accumulated in the idle time and when the next packet is received it sends the two packets back to back. From the third packet the token consumption rate settles down.

If this is what is happening, I would like to know if there is a way to avoid using the accumulated tokens for the second packet in the chunk. I tried various options in the tc command. I also tried using CQB - command below. Reference: https://lartc.org/lartc.html#AEN2233

Observation: reducing the burst = 10 slightly increases the gap between the first and second packet.

tc with CQB:
```
tc qdisc del dev eno1 root 2> /dev/null > /dev/null
tc qdisc add dev eno1 root handle 1: cbq avpkt 5000 bandwidth 10mbit
tc class add dev eno1 parent 1: classid 1:1 cbq rate 500kbit allot 5000 prio 5 bounded isolated
tc class add dev eno1 parent 1:1 classid 1:10 cbq rate 500kbit allot 5000 prio 1 avpkt 5000 bounded
tc class add dev eno1 parent 1:1 classid 1:20 cbq rate 500kbit allot 5000 avpkt 5000 prio 2
tc filter add dev eno1 protocol ip parent 1:0 u32 match ip dst 192.168.2.103 flowid 1:10
tc filter add dev eno1 parent 1: protocol ip prio 13 u32 match ip dst 0.0.0.0/0 flowid 1:20
```
Further: As per the suggestion from http://linux-ip.net/articles/hfsc.en/ I tried HFSC (referred). I need help with HFSC here.

Here is the script that I used:
```
tc qdisc del dev eno1 root 2> /dev/null > /dev/null
tc qdisc add dev eno1 root handle 1: hfsc
tc class add dev eno1 parent 1: classid 1:1 hfsc sc rate 1000kbit ul rate 1000kbit
tc class add dev eno1 parent 1:1 classid 1:10 hfsc sc rate 1000kbit ul rate 1000kbit
tc class add dev eno1 parent 1:1 classid 1:20 hfsc sc rate 10000kbit ul rate 10000kbit
tc class add dev eno1 parent 1:10 classid 1:11 hfsc sc umax 1480b dmax 53ms rate 400kbit ul rate 1000kbit
tc class add dev eno1 parent 1:10 classid 1:12 hfsc sc umax 1480b dmax 30ms rate 100kbit ul rate 1000kbit
tc filter add dev eno1 protocol ip parent 1:0 u32 match ip dst 192.168.2.103 flowid 1:11
```
Output of my `tc class show eno1`:
```
class hfsc 1:11 parent 1:10 sc m1 0bit d 23.4ms m2 400Kbit ul m1 0bit d 0us m2 1Mbit
class hfsc 1: root
class hfsc 1:1 parent 1: sc m1 0bit d 0us m2 1Mbit ul m1 0bit d 0us m2 1Mbit
class hfsc 1:10 parent 1:1 sc m1 0bit d 0us m2 1Mbit ul m1 0bit d 0us m2 1Mbit
class hfsc 1:20 parent 1:1 sc m1 0bit d 0us m2 10Mbit ul m1 0bit d 0us m2 10Mbit
class hfsc 1:12 parent 1:10 sc m1 394672bit d 30.0ms m2 100Kbit ul m1 0bit d 0us m2 1Mbit
```
I am not sure what it means by
> ul m1 0bit d 0us

whereas in my tc command I have
> sc umax 1480b dmax 53ms

After running this script I try to ping 192.168.1.102. I get a few ping responses and then the ARP
> who has 192.168.2.100

kicks in, where 192.168.2.100 is the IP address of the IP forwarding port where I am running tc. The command is mostly copied from http://linux-ip.net/articles/hfsc.en/ . I have just added the route
> tc filter add dev eno1 protocol ip parent 1:0 u32 match ip dst 192.168.2.103 flowid 1:11

It would be great if someone could help to fix the umax and dmax issue.
Chinmaey Shende (1 rep)
Sep 6, 2021, 05:38 PM • Last activity: Sep 8, 2021, 03:56 PM
1 votes
0 answers
70 views
Turning ethernet on/off
I am porting a DOS application to linux and don't know a hell of a lot about linux. The application is a machine controller which uses ethernet as a high-speed serial port. Networking has nothing to do with it, the computer and machine just broadcast raw packets at each other over a crossover ethernet cable. No TCP or anything like it, they're both in promiscuous mode sending plain ethernet packets. I'm using Ubuntu 20.04, and I haven't found a way to enable the ethernet port without the damn thing trying to establish a network connection. Surely this must be doable- can anybody help me out? I'm thinking I can use pcap to send and receive the packets, but I'm stuck at the starting gate here.
mikesixes (11 rep)
Aug 10, 2021, 10:32 PM
2 votes
1 answers
457 views
Is tcpdump a client of rpcapd and implemented in pcap?
https://www.tcpdump.org/index.html#documentation has manpages for pcap, tcpdump, and rpcapd, but I don't find what the relation is between the three. Is pcap a C library for implementing a client of rpcapd? Is tcpdump a client of rpcapd and therefore dependent on rpcapd? Is tcpdump implemented in pcap?
Mary (1 rep)
Mar 30, 2021, 08:01 PM • Last activity: Mar 31, 2021, 04:01 PM
1 votes
1 answers
1323 views
How to extract domains related to "Client Hello" in a pcap file
I have a tcpdump (pcap) capture file and want to extract all domains. I do it with the following command:
```
strings capture_file | grep -oiE '([a-zA-Z0-9][a-zA-Z0-9-]{1,61}\.){1,}(\.?[a-zA-Z]{2,}){1,}' | sort -u > out
```
But I want to extract only those related to the string "Client Hello". Example in Wireshark:
```
Handshake Protocol: Client Hello
    Server Name: example.com
```
Is there any way of doing this?
acgbox (1010 rep)
Jul 9, 2020, 10:25 PM • Last activity: Jul 10, 2020, 05:12 PM
1 votes
1 answers
517 views
Setting 'DF'-bit in IP-header inside pcap file
There is some *.pcap*-file with fragmented IP traffic. I replay this file with tcpreplay, but also I need to replay it with [*DF*](https://www.eit.lth.se/ppplab/IPHeader.htm#Flags) *(don't fragment)* bit set in some packets. I supposed that tcprewrite will help, but it seems that there is no ability to change IP-header flags in this utility. So which utility (console preferably) should I use to correctly alter IP-header flags in pcap-file in Linux? If tcprewrite or any other can do so, some examples would be helpful. By the way, after altering *DF*-bit the [checksum](https://www.eit.lth.se/ppplab/IPHeader.htm#Header%20checksum) of IP-header should be updated respectively.
red0ct (667 rep)
Oct 17, 2018, 03:32 PM • Last activity: Jan 30, 2020, 08:04 AM
1 votes
1 answers
3577 views
#include pcap.h make fails for hcxtools
I'm running the latest version of Kali on VirtualBox, and I cannot get hcxtools installed. More specifically, I cannot figure out how to get the dependency `pcap.h`. Running `make` in `/hcxtools` responds:
```
root@Lead-Pencil-Tip:~/hcxtools# make
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhcx2cap.d -o wlanhcx2cap wlanhcx2cap.c -lpcap
wlanhcx2cap.c:12:10: fatal error: pcap.h: No such file or directory
 #include
          ^~~~~~~~
compilation terminated.
make: *** [Makefile:81: wlanhcx2cap] Error 1
```
I've installed: libssl-dev libcurl4-gnutls-dev libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev. The answers in issues 51 and 61 have not solved my problem.
Mark Deven (117 rep)
Jan 14, 2019, 01:54 PM • Last activity: Jul 12, 2019, 10:35 AM