pcap(3)
pcap, libpcap - Packet Capture library
SYNOPSIS
#include <pcap.h>
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap_open_live(char *device, int snaplen,
int promisc, int to_ms, char *errbuf)
pcap_t *pcap_open_dead(int linktype, int snaplen)
pcap_t *pcap_open_offline(char *fname, char *errbuf)
pcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname)
int pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf);
int pcap_getnonblock(pcap_t *p, char *errbuf);
int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
void pcap_freealldevs(pcap_if_t *)
char *pcap_lookupdev(char *errbuf)
int pcap_lookupnet(char *device, bpf_u_int32 *netp,
bpf_u_int32 *maskp, char *errbuf)
int pcap_dispatch(pcap_t *p, int cnt,
pcap_handler callback, u_char *user)
int pcap_loop(pcap_t *p, int cnt,
pcap_handler callback, u_char *user)
void pcap_dump(u_char *user, struct pcap_pkthdr *h,
u_char *sp)
int pcap_compile(pcap_t *p, struct bpf_program *fp,
char *str, int optimize, bpf_u_int32 netmask)
int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
void pcap_freecode(struct bpf_program *);
u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
int pcap_datalink(pcap_t *p)
int pcap_snapshot(pcap_t *p)
int pcap_is_swapped(pcap_t *p)
int pcap_major_version(pcap_t *p)
int pcap_minor_version(pcap_t *p)
int pcap_stats(pcap_t *p, struct pcap_stat *ps)
FILE *pcap_file(pcap_t *p)
int pcap_fileno(pcap_t *p)
void pcap_perror(pcap_t *p, char *prefix)
char *pcap_geterr(pcap_t *p)
char *pcap_strerror(int error)
void pcap_close(pcap_t *p)
void pcap_dump_close(pcap_dumper_t *p)
DESCRIPTION
The Packet Capture library provides a high level interface to
packet capture systems. All packets on the network, even those
destined for other hosts, are accessible through this mechanism.
ROUTINES
NOTE: errbuf in pcap_open_live(), pcap_open_dead(),
pcap_open_offline(), pcap_setnonblock(), pcap_getnon
block(), pcap_findalldevs(), pcap_lookupdev(), and
pcap_lookupnet() is assumed to be able to hold at least
PCAP_ERRBUF_SIZE chars.
pcap_open_live() is used to obtain a packet capture
descriptor to look at packets on the network. device is a
string that specifies the network device to open; on Linux
systems with 2.2 or later kernels, a device argument of
"any" or NULL can be used to capture packets from all
interfaces. snaplen specifies the maximum number of bytes
to capture. promisc specifies if the interface is to be
put into promiscuous mode. (Note that even if this param
eter is false, the interface could well be in promiscuous
mode for some other reason.) For now, this doesn't work
on the "any" device; if an argument of "any" or NULL is
supplied, the promisc flag is ignored. to_ms specifies
the read timeout in milliseconds. The read timeout is
used to arrange that the read not necessarily return imme
diately when a packet is seen, but that it wait for some
amount of time to allow more packets to arrive and to read
multiple packets from the OS kernel in one operation. Not
all platforms support a read timeout; on platforms that
don't, the read timeout is ignored. errbuf is used to
return error or warning text. It will be set to error
text when pcap_open_live() fails and returns NULL. errbuf
may also be set to warning text when pcap_open_live() suc
ceds; to detect this case the caller should store a zero-
length string in errbuf before calling pcap_open_live()
and display the warning to the user if errbuf is no longer
a zero-length string.
pcap_open_dead() is used for creating a pcap_t structure
to use when calling the other functions in libpcap. It is
typically used when just using libpcap for compiling BPF
code.
pcap_open_offline() is called to open a ``savefile'' for
reading. fname specifies the name of the file to open.
The file has the same format as those used by tcpdump(1)
and tcpslice(1). The name "-" in a synonym for stdin.
errbuf is used to return error text and is only set when
pcap_open_offline() fails and returns NULL.
pcap_dump_open() is called to open a ``savefile'' for
writing. The name "-" in a synonym for stdout. NULL is
the name of the file to open. If NULL is returned,
pcap_geterr() can be used to get the error text.
pcap_setnonblock() puts a capture descriptor, opened with
pcap_open_live(), into ``non-blocking'' mode, or takes it
out of ``non-blocking'' mode, depending on whether the
nonblock argument is non-zero or zero. It has no effect
on ``savefiles''. If there is an error, -1 is returned
and errbuf is filled in with an appropriate error message;
otherwise, 0 is returned. In ``non-blocking'' mode, an
attempt to read from the capture descriptor with pcap_dis
patch() will, if no packets are currently available to be
read, return 0 immediately rather than blocking waiting
for packets to arrive. pcap_loop() and pcap_next() will
not work in ``non-blocking'' mode.
pcap_getnonblock() returns the current ``non-blocking''
state of the capture descriptor; it always returns 0 on
``savefiles''. If there is an error, -1 is returned and
errbuf is filled in with an appropriate error message.
pcap_findalldevs() constructs a list of network devices
that can be opened with pcap_open_live(). (Note that
there may be network devices that cannot be opened with
pcap_open_live() by the process calling pcap_find
alldevs(), because, for example, that process might not
have sufficient privileges to open them for capturing; if
so, those devices will not appear on the list.) alldevsp
is set to point to the first element of the list; each
element of the list is of type pcap_if_t, and has the fol
lowing members:
next if not NULL, a pointer to the next element
in the list; NULL for the last element of
the list
name a pointer to a string giving a name for the
device to pass to pcap_open_live()
description
if not NULL, a pointer to a string giving a
human-readable description of the device
addresses
a pointer to the first element of a list of
addresses for the interface
flags interface flags:
PCAP_IF_LOOPBACK
set if the interface is a loopback
interface
pcap_addr_t, and has the following members:
next if not NULL, a pointer to the next element
in the list; NULL for the last element of
the list
addr a pointer to a struct sockaddr containing an
address
netmask
if not NULL, a pointer to a struct sockaddr
that contains the netmask corresponding to
the address pointed to by addr
broadaddr
if not NULL, a pointer to a struct sockaddr
that contains the broadcast address corre
sponding to the address pointed to by addr;
may be null if the interface doesn't support
broadcasts
dstaddr
if not NULL, a pointer to a struct sockaddr
that contains the destination address corre
sponding to the address pointed to by addr;
may be null if the interface isn't a point-
to-point interface
pcap_freealldevs() is used to free a list allocated by
pcap_findalldevs().
pcap_lookupdev() returns a pointer to a network device
suitable for use with pcap_open_live() and pcap_lookup
net(). If there is an error, NULL is returned and errbuf
is filled in with an appropriate error message.
pcap_lookupnet() is used to determine the network number
and mask associated with the network device device. Both
netp and maskp are bpf_u_int32 pointers. A return of -1
indicates an error in which case errbuf is filled in with
an appropriate error message.
pcap_dispatch() is used to collect and process packets.
cnt specifies the maximum number of packets to process
before returning. This is not a minimum number; when
reading a live capture, only one bufferful of packets is
read at a time, so fewer than cnt packets may be pro
cessed. A cnt of -1 processes all the packets received in
one buffer when reading a live capture, or all the packets
in the file when reading a ``savefile''. callback speci
fies a routine to be called with three arguments: a u_char
pointer which is passed in from pcap_dispatch(), a pointer
packet data.
The number of packets read is returned. 0 is returned if
no packets were read from a live capture (if, for example,
they were discarded because they didn't pass the packet
filter, or if, on platforms that support a read timeout
that starts before any packets arrive, the timeout expires
before any packets arrive, or if the file descriptor for
the capture device is in non-blocking mode and no packets
were available to be read) or if no more packets are
available in a ``savefile.'' A return of -1 indicates an
error in which case pcap_perror() or pcap_geterr() may be
used to display the error text.
NOTE: when reading a live capture, pcap_dispatch() will
not necessarily return when the read times out; on some
platforms, the read timeout isn't supported, and, on other
platforms, the timer doesn't start until at least one
packet arrives. This means that the read timeout should
NOT be used in, for example, an interactive application,
to allow the packet capture loop to ``poll'' for user
input periodically, as there's no guarantee that pcap_dis
patch() will return after the timeout expires.
pcap_loop() is similar to pcap_dispatch() except it keeps
reading packets until cnt packets are processed or an
error occurs. It does not return when live read timeouts
occur. Rather, specifying a non-zero read timeout to
pcap_open_live() and then calling pcap_dispatch() allows
the reception and processing of any packets that arrive
when the timeout occurs. A negative cnt causes
pcap_loop() to loop forever (or at least until an error
occurs).
pcap_next() reads the next packet (by calling pcap_dis
patch() with a cnt of 1) and returns a u_char pointer to
the data in that packet. (The pcap_pkthdr struct for that
packet is not supplied.)
pcap_dump() outputs a packet to the ``savefile'' opened
with pcap_dump_open(). Note that its calling arguments
are suitable for use with pcap_dispatch() or pcap_loop().
If called directly, the user parameter is of type
pcap_dumper_t as returned by pcap_dump_open().
pcap_compile() is used to compile the string str into a
filter program. program is a pointer to a bpf_program
struct and is filled in by pcap_compile(). optimize con
trols whether optimization on the resulting code is per
formed. netmask specifies the netmask of the local net.
A return of -1 indicates an error in which case
pcap_geterr() may be used to display the error text.
that instead of passing a pcap structure, one passes the
snaplen and linktype explicitly. It is intended to be
used for compiling filters for direct BPF usage, without
necessarily having called pcap_open(). A return of -1
indicates an error; the error text is unavailable.
(pcap_compile_nopcap() is a wrapper around
pcap_open_dead(), pcap_compile(), and pcap_close(); the
latter three routines can be used directly in order to get
the error text for a compilation error.)
pcap_setfilter() is used to specify a filter program. fp
is a pointer to a bpf_program struct, usually the result
of a call to pcap_compile(). -1 is returned on failure,
in which case pcap_geterr() may be used to display the
error text; 0 is returned on success.
pcap_freecode() is used to free up allocated memory
pointed to by a bpf_program struct generated by pcap_com
pile() when that BPF program is no longer needed, for
example after it has been made the filter program for a
pcap structure by a call to pcap_setfilter().
pcap_datalink() returns the link layer type; link layer
types it can return include:
DLT_NULL
BSD loopback encapsulation; the link layer
header is a 4-byte field, in host byte order,
containing a PF_ value from socket.h for the
network-layer protocol of the packet
Note that ``host byte order'' is the byte order
of the machine on which the packets are cap
tured, and the PF_ values are for the OS of the
machine on which the packets are captured; if a
live capture is being done, ``host byte order''
is the byte order of the machine capturing the
packets, and the PF_ values are those of the OS
of the machine capturing the packets, but if a
``savefile'' is being read, the byte order and
PF_ values are not necessarily those of the
machine reading the capture file.
DLT_EN10MB
Ethernet (10Mb, 100Mb, 1000Mb, and up)
DLT_IEEE802
IEEE 802.5 Token Ring
DLT_ARCNET
ARCNET
SLIP; the link layer header contains, in order:
a 1-byte flag, which is 0 for packets
received by the machine and 1 for packets
sent by the machine;
a 1-byte field, the upper 4 bits of which
indicate the type of packet, as per RFC
1144:
0x40 an unmodified IP datagram
(TYPE_IP);
0x70 an uncompressed-TCP IP datagram
(UNCOMPRESSED_TCP), with that
byte being the first byte of the
raw IP header on the wire, con
taining the connection number in
the protocol field;
0x80 a compressed-TCP IP datagram
(COMPRESSED_TCP), with that byte
being the first byte of the com
pressed TCP/IP datagram header;
for UNCOMPRESSED_TCP, the rest of the modi
fied IP header, and for COMPRESSED_TCP, the
compressed TCP/IP datagram header;
for a total of 16 bytes; the uncompressed IP
datagram follows the header
DLT_PPP
PPP; if the first 2 bytes are 0xff and 0x03,
it's PPP in HDLC-like framing, with the PPP
header following those two bytes, otherwise it's
PPP without framing, and the packet begins with
the PPP header
DLT_FDDI
FDDI
DLT_ATM_RFC1483
RFC 1483 LLC/SNAP-encapsulated ATM; the packet
begins with an IEEE 802.2 LLC header
DLT_RAW
raw IP; the packet begins with an IP header
DLT_PPP_SERIAL
PPP in HDLC-like framing, as per RFC 1662, or
Cisco PPP with HDLC framing, as per section
or 0x8F for Cisco PPP with HDLC framing
DLT_PPP_ETHER
PPPoE; the packet begins with a PPPoE header, as
per RFC 2516
DLT_C_HDLC
Cisco PPP with HDLC framing, as per section
4.3.1 of RFC 1547
DLT_IEEE802_11
IEEE 802.11 wireless LAN
DLT_LOOP
OpenBSD loopback encapsulation; the link layer
header is a 4-byte field, in network byte order,
containing a PF_ value from OpenBSD's socket.h
for the network-layer protocol of the packet
Note that, if a ``savefile'' is being read,
those PF_ values are not necessarily those of
the machine reading the capture file.
DLT_LINUX_SLL
Linux "cooked" capture encapsulation; the link
layer header contains, in order:
a 2-byte "packet type", in network byte
order, which is one of:
0 packet was sent to us by somebody
else
1 packet was broadcast by somebody
else
2 packet was multicast, but not
broadcast, by somebody else
3 packet was sent by somebody else
to somebody else
4 packet was sent by us
a 2-byte field, in network byte order, con
taining a Linux ARPHRD_ value for the link
layer device type;
a 2-byte field, in network byte order, con
taining the length of the link layer
address of the sender of the packet (which
could be 0);
bytes of the link layer header (if there
are more than 8 bytes, only the first 8 are
present);
a 2-byte field containing an Ethernet pro
tocol type, in network byte order, or con
taining 1 for Novell 802.3 frames without
an 802.2 LLC header or 4 for frames begin
ning with an 802.2 LLC header.
DLT_LTALK
Apple LocalTalk; the packet begins with an
AppleTalk LLAP header
pcap_snapshot() returns the snapshot length specified when
pcap_open_live was called.
pcap_is_swapped() returns true if the current ``savefile''
uses a different byte order than the current system.
pcap_major_version() returns the major number of the ver
sion of the pcap used to write the savefile.
pcap_minor_version() returns the minor number of the ver
sion of the pcap used to write the savefile.
pcap_file() returns the standard I/O stream of the ``save
file,'' if a ``savefile'' was opened with
pcap_open_offline(), or NULL, if a network device was
opened with pcap_open_live().
pcap_stats() returns 0 and fills in a pcap_stat struct.
The values represent packet statistics from the start of
the run to the time of the call. If there is an error or
the underlying packet capture doesn't support packet
statistics, -1 is returned and the error text can be
obtained with pcap_perror() or pcap_geterr().
pcap_stats() is supported only on live captures, not on
``savefiles''; no statistics are stored in ``savefiles'',
so no statistics are available when reading from a ``save
file''.
pcap_fileno() returns the file descriptor number from
which captured packets are read, if a network device was
opened with pcap_open_live(), or -1, if a ``savefile'' was
opened with pcap_open_offline().
pcap_perror() prints the text of the last pcap library
error on stderr, prefixed by prefix.
pcap_geterr() returns the error text pertaining to the
last pcap library error. NOTE: the pointer it returns
the string before closing the pcap_t.
pcap_strerror() is provided in case strerror(1) isn't
available.
pcap_close() closes the files associated with p and deal
locates resources.
pcap_dump_close() closes the ``savefile.''
SEE ALSO
tcpdump(ADMN)
AUTHORS
The original authors are:
Van Jacobson, Craig Leres and Steven McCanne, all of the
Lawrence Berkeley National Laboratory, University of Cali
fornia, Berkeley, CA.
The current version is available from "The Tcpdump
Group"'s Web site at
http://www.tcpdump.org/
BUGS
Please send problems, bugs, questions, desirable enhance
ments, etc. to:
tcpdump-workers@tcpdump.org
Please send source code contributions, etc. to:
patches@tcpdump.org
Man(1) output converted with
man2html