Using BPF: (1) AIX 4.x's version of BPF is undocumented and somewhat unstandard; the current BPF support code includes changes that should work around that; it appears to compile and work on at least one AIX 4.3.3 machine. Note that the BPF driver and the "/dev/bpf" devices might not exist on your machine; AIX's tcpdump appears to load the driver and create the devices if they don't already exist. Our libpcap doesn't create them, so you should run (as the super-user) AIX's tcpdump once (you can interrupt it as soon as it starts capturing packets) to create the devices. Do this before running the configure script, so that the configure script finds the BPF devices and chooses to configure libpcap to use BPF. It may be that you will need to do this after every reboot; we don't know whether that's the case, and, if it is the case, don't know whether there's a way to force the driver to be loaded on a reboot. (We also don't know how to make libpcap create the devices and, if necessary, load the driver.) (2) If libpcap doesn't compile on your machine when configured to use BPF, or if the workarounds fail to make it work correctly, you should send to tcpdump-workers@tcpdump.org a detailed bug report (if the compile fails, send us the compile error messages; if it compiles but fails to work correctly, send us as detailed as possible a description of the symptoms, including indications of the network link-layer type being wrong or time stamps being wrong). If you fix the problems yourself, please send to patches@tcpdump.org a patch, so we can incorporate them into the next release. If you don't fix the problems yourself, you can, as a workaround, make libpcap use DLPI instead of BPF. This can be done by specifying the flag: --with-pcap=dlpi to the "configure" script for libpcap. If you use DLPI: (1) It is a good idea to have the latest version of the DLPI driver on your system, since certain versions may be buggy and cause your AIX system to crash. DLPI is included in the fileset bos.rte.tty. I found that the DLPI driver that came with AIX 4.3.2 was buggy, and had to upgrade to bos.rte.tty 4.3.2.4: lslpp -l bos.rte.tty bos.rte.tty 4.3.2.4 COMMITTED Base TTY Support and Commands Updates for AIX filesets can be obtained from: ftp://service.software.ibm.com/aix/fixes/ These updates can be installed with the smit program. (2) After compiling libpcap, you need to make sure that the DLPI driver is loaded. Type: strload -q -d dlpi If the result is: dlpi: yes then the DLPI driver is loaded correctly. If it is: dlpi: no Then you need to type: strload -f /etc/dlpi.conf Check again with strload -q -d dlpi that the dlpi driver is loaded. Alternatively, you can uncomment the lines for DLPI in /etc/pse.conf and reboot the machine; this way DLPI will always be loaded when you boot your system. (3) There appears to be a problem in the DLPI code in some versions of AIX, causing a warning about DL_PROMISC_MULTI failing; this might be responsible for DLPI not being able to capture outgoing packets.