Unix-compatible Functions
These functions are part of the libpcap library, and therefore work both on Windows and on Linux.
| typedef void(* | pcap_handler )(u_char *user, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data) |
| Prototype of the callback function that receives the packets. | |
| pcap_t * | pcap_open_live (const char *device, int snaplen, int promisc, int to_ms, char *ebuf) |
| Open a live capture from the network. | |
| pcap_t * | pcap_open_dead (int linktype, int snaplen) |
| Create a pcap_t structure without starting a capture. | |
| pcap_t * | pcap_open_offline (const char *fname, char *errbuf) |
| Open a savefile in the tcpdump/libpcap format to read packets. | |
| pcap_dumper_t * | pcap_dump_open (pcap_t *p, const char *fname) |
| Open a file to write packets. | |
| int | pcap_setnonblock (pcap_t *p, int nonblock, char *errbuf) |
| Switch between blocking and nonblocking mode. | |
| int | pcap_getnonblock (pcap_t *p, char *errbuf) |
| Get the "non-blocking" state of an interface. | |
| int | pcap_findalldevs (pcap_if_t **alldevsp, char *errbuf) |
| Construct a list of network devices that can be opened with pcap_open_live(). | |
| void | pcap_freealldevs (pcap_if_t *alldevsp) |
| Free an interface list returned by pcap_findalldevs(). | |
| char * | pcap_lookupdev (char *errbuf) |
| Return the first valid device in the system. | |
| int | pcap_lookupnet (const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf) |
| Return the subnet and netmask of an interface. | |
| int | pcap_dispatch (pcap_t *p, int cnt, pcap_handler callback, u_char *user) |
| Collect a group of packets. | |
| int | pcap_loop (pcap_t *p, int cnt, pcap_handler callback, u_char *user) |
| Collect a group of packets. | |
| u_char * | pcap_next (pcap_t *p, struct pcap_pkthdr *h) |
| Return the next available packet. | |
| int | pcap_next_ex (pcap_t *p, struct pcap_pkthdr **pkt_header, const u_char **pkt_data) |
| Read a packet from an interface or from an offline capture. | |
| void | pcap_breakloop (pcap_t *) |
| set a flag that will force pcap_dispatch() or pcap_loop() to return rather than looping. | |
| int | pcap_sendpacket (pcap_t *p, u_char *buf, int size) |
| Send a raw packet. | |
| void | pcap_dump (u_char *user, const struct pcap_pkthdr *h, const u_char *sp) |
| Save a packet to disk. | |
| long | pcap_dump_ftell (pcap_dumper_t *) |
| Return the file position for a "savefile". | |
| int | pcap_compile (pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask) |
| Compile a packet filter, converting a high-level filtering expression (see Filtering expression syntax) into a program that can be interpreted by the kernel-level filtering engine. | |
| int | pcap_compile_nopcap (int snaplen_arg, int linktype_arg, struct bpf_program *program, char *buf, int optimize, bpf_u_int32 mask) |
| Compile a packet filter without the need of opening an adapter. This function converts a high-level filtering expression (see Filtering expression syntax) into a program that can be interpreted by the kernel-level filtering engine. | |
| int | pcap_setfilter (pcap_t *p, struct bpf_program *fp) |
| Associate a filter to a capture. | |
| void | pcap_freecode (struct bpf_program *fp) |
| Free a filter. | |
| int | pcap_datalink (pcap_t *p) |
| Return the link layer of an adapter. | |
| int | pcap_list_datalinks (pcap_t *p, int **dlt_buf) |
| list datalinks | |
| int | pcap_set_datalink (pcap_t *p, int dlt) |
| Set the current data link type of the pcap descriptor to the type specified by dlt. -1 is returned on failure. | |
| int | pcap_datalink_name_to_val (const char *name) |
| Translates a data link type name, which is a DLT_ name with the DLT_ removed, to the corresponding data link type value. The translation is case-insensitive. -1 is returned on failure. | |
| const char * | pcap_datalink_val_to_name (int dlt) |
| Translates a data link type value to the corresponding data link type name. NULL is returned on failure. | |
| const char * | pcap_datalink_val_to_description (int dlt) |
| Translates a data link type value to a short description of that data link type. NULL is returned on failure. | |
| int | pcap_snapshot (pcap_t *p) |
| Return the dimension of the packet portion (in bytes) that is delivered to the application. | |
| int | pcap_is_swapped (pcap_t *p) |
| returns true if the current savefile uses a different byte order than the current system. | |
| int | pcap_major_version (pcap_t *p) |
| return the major version number of the pcap library used to write the savefile. | |
| int | pcap_minor_version (pcap_t *p) |
| return the minor version number of the pcap library used to write the savefile. | |
| FILE * | pcap_file (pcap_t *p) |
| Return the standard stream of an offline capture. | |
| int | pcap_stats (pcap_t *p, struct pcap_stat *ps) |
| Return statistics on current capture. | |
| void | pcap_perror (pcap_t *p, char *prefix) |
| print the text of the last pcap library error on stderr, prefixed by prefix. | |
| char * | pcap_geterr (pcap_t *p) |
| return the error text pertaining to the last pcap library error. | |
| char * | pcap_strerror (int error) |
| Provided in case strerror() isn't available. | |
| const char * | pcap_lib_version (void) |
| Returns a pointer to a string giving information about the version of the libpcap library being used; note that it contains more information than just a version number. | |
| void | pcap_close (pcap_t *p) |
| close the files associated with p and deallocates resources. | |
| FILE * | pcap_dump_file (pcap_dumper_t *p) |
| return the standard I/O stream of the 'savefile' opened by pcap_dump_open(). | |
| int | pcap_dump_flush (pcap_dumper_t *p) |
| Flushes the output buffer to the "savefile", so that any packets written with pcap_dump() but not yet written to the "savefile" will be written. -1 is returned on error, 0 on success. | |
| void | pcap_dump_close (pcap_dumper_t *p) |
| Closes a savefile. | |
Windows-specific Extensions
| The functions in this section extend libpcap to offer advanced functionalities (like remote packet capture, packet buffer size variation or high-precision packet injection). However, at the moment they can be used only in Windows. | |
| PAirpcapHandle | pcap_get_airpcap_handle (pcap_t *p) |
| Returns the AirPcap handler associated with an adapter. This handler can be used to change the wireless-related settings of the CACE Technologies AirPcap wireless capture adapters. | |
| bool | pcap_offline_filter (struct bpf_program *prog, const struct pcap_pkthdr *header, const u_char *pkt_data) |
| Returns if a given filter applies to an offline packet. | |
| int | pcap_live_dump (pcap_t *p, char *filename, int maxsize, int maxpacks) |
| Save a capture to file. | |
| int | pcap_live_dump_ended (pcap_t *p, int sync) |
| Return the status of the kernel dump process, i.e. tells if one of the limits defined with pcap_live_dump() has been reached. | |
| struct pcap_stat * | pcap_stats_ex (pcap_t *p, int *pcap_stat_size) |
| Return statistics on current capture. | |
| int | pcap_setbuff (pcap_t *p, int dim) |
| Set the size of the kernel buffer associated with an adapter. | |
| int | pcap_setmode (pcap_t *p, int mode) |
| Set the working mode of the interface p to mode. | |
| int | pcap_setmintocopy (pcap_t *p, int size) |
| Set the minimum amount of data received by the kernel in a single call. | |
| HANDLE | pcap_getevent (pcap_t *p) |
| Return the handle of the event associated with the interface p. | |
| pcap_send_queue * | pcap_sendqueue_alloc (u_int memsize) |
| Allocate a send queue. | |
| void | pcap_sendqueue_destroy (pcap_send_queue *queue) |
| Destroy a send queue. | |
| int | pcap_sendqueue_queue (pcap_send_queue *queue, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data) |
| Add a packet to a send queue. | |
| u_int | pcap_sendqueue_transmit (pcap_t *p, pcap_send_queue *queue, int sync) |
| Send a queue of raw packets to the network. | |
| int | pcap_findalldevs_ex (char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf) |
| Create a list of network devices that can be opened with pcap_open(). | |
| int | pcap_createsrcstr (char *source, int type, const char *host, const char *port, const char *name, char *errbuf) |
| Accept a set of strings (host name, port, ...) and return the complete source string according to the new format (e.g. 'rpcap://1.2.3.4/eth0'). | |
| int | pcap_parsesrcstr (const char *source, int *type, char *host, char *port, char *name, char *errbuf) |
| Parse the source string and return the pieces into which the source can be split. | |
| pcap_t * | pcap_open (const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf) |
| Open a generic source in order to capture / send (WinPcap only) traffic. | |
| struct pcap_samp * | pcap_setsampling (pcap_t *p) |
| Define a sampling method for packet capture. | |
| SOCKET | pcap_remoteact_accept (const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf) |
| Block until a network connection is accepted (active mode only). | |
| int | pcap_remoteact_close (const char *host, char *errbuf) |
| Drop an active connection (active mode only). | |
| void | pcap_remoteact_cleanup () |
| Clean the socket that is currently used in waiting active connections. | |
| int | pcap_remoteact_list (char *hostlist, char sep, int size, char *errbuf) |
| Return the hostnames of the hosts that have an active connection with us (active mode only). | |
| typedef void(* pcap_handler)(u_char *user, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data) |
Prototype of the callback function that receives the packets.
When pcap_dispatch() or pcap_loop() is called by the user, the packets are passed to the application by means of this callback. user is a user-defined parameter that contains the state of the capture session; it corresponds to the user parameter of pcap_dispatch() and pcap_loop(). pkt_header is the header associated with the packet by the capture driver. It is NOT a protocol header. pkt_data points to the data of the packet, including the protocol headers.
Definition at line 27 of file funcs/pcap.h.
void pcap_breakloop (pcap_t *)
Set a flag that will force pcap_dispatch() or pcap_loop() to return rather than looping.
They will return the number of packets that have been processed so far, or -2 if no packets have been processed so far. This routine is safe to use inside a signal handler on UNIX or a console control handler on Windows, as it merely sets a flag that is checked within the loop. The flag is checked in loops reading packets from the OS - a signal by itself will not necessarily terminate those loops - as well as in loops processing a set of packets returned by the OS. Note that if you are catching signals on UNIX systems that support restarting system calls after a signal, and calling pcap_breakloop() in the signal handler, you must specify, when catching those signals, that system calls should NOT be restarted by that signal. Otherwise, if the signal interrupted a call reading packets in a live capture, when your signal handler returns after calling pcap_breakloop(), the call will be restarted, and the loop will not terminate until more packets arrive and the call completes.
void pcap_close (pcap_t *p)
Close the files associated with p and deallocate resources.
int pcap_compile (pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)
Compile a packet filter, converting a high-level filtering expression (see Filtering expression syntax) into a program that can be interpreted by the kernel-level filtering engine.
pcap_compile() is used to compile the string str into a filter program. fp is a pointer to a bpf_program struct and is filled in by pcap_compile(). optimize controls whether optimization on the resulting code is performed. netmask specifies the IPv4 netmask of the network on which packets are being captured; it is used only when checking for IPv4 broadcast addresses in the filter program. If the netmask of the network on which packets are being captured isn't known to the program, or if packets are being captured on the Linux "any" pseudo-interface that can capture on more than one network, a value of 0 can be supplied; tests for IPv4 broadcast addresses won't be done correctly, but all other tests in the filter program will be OK. A return of -1 indicates an error, in which case pcap_geterr() may be used to display the error text.
int pcap_compile_nopcap (int snaplen_arg, int linktype_arg, struct bpf_program *program, char *buf, int optimize, bpf_u_int32 mask)
Compile a packet filter without the need of opening an adapter. This function converts a high-level filtering expression (see Filtering expression syntax) into a program that can be interpreted by the kernel-level filtering engine.
pcap_compile_nopcap() is similar to pcap_compile() except that instead of passing a pcap structure, one passes the snaplen and linktype explicitly. It is intended to be used for compiling filters for direct BPF usage, without necessarily having called pcap_open(). A return of -1 indicates an error; the error text is unavailable. (pcap_compile_nopcap() is a wrapper around pcap_open_dead(), pcap_compile(), and pcap_close(); the latter three routines can be used directly in order to get the error text for a compilation error.)
Look at the Filtering expression syntax section for details on the str parameter.
int pcap_createsrcstr (char *source, int type, const char *host, const char *port, const char *name, char *errbuf)
Accept a set of strings (host name, port, ...) and return the complete source string according to the new format (e.g. 'rpcap://1.2.3.4/eth0').
This function is provided to help the user create the source string according to the new format. A single source string is used to make it easy for old applications to use the remote facilities. Think about tcpdump, for example, which has only one way to specify the interface on which the capture has to be started. However, GUI-based programs may find it more useful to specify the hostname, port and interface name separately. In that case, they can use this function to create the source string before passing it to the pcap_open() function.
source: a user-allocated buffer that will contain the complete source string when the function returns. The source will start with an identifier according to the new Source Specification Syntax. This function assumes that the allocated buffer is at least PCAP_BUF_SIZE bytes.
type: its value tells the type of the source we want to create. It can assume the values defined in the Source identification Codes.
host: a user-allocated buffer that keeps the host (e.g. "foo.bar.com") we want to connect to. It can be NULL in case we want to open an interface on a local host.
port: a user-allocated buffer that keeps the network port (e.g. "2002") we want to use for the RPCAP protocol. It can be NULL in case we want to open an interface on a local host.
name: a user-allocated buffer that keeps the interface name we want to use (e.g. "eth0"). It can be NULL in case the returned string (i.e. 'source') has to be used with pcap_findalldevs_ex(), which does not require the interface name.
errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE) that will contain the error message (in case there is one).
int pcap_datalink (pcap_t *p)
Return the link layer of an adapter.
returns the link layer type; link layer types it can return include:
int pcap_datalink_name_to_val (const char *name)
Translates a data link type name, which is a DLT_ name with the DLT_ removed, to the corresponding data link type value. The translation is case-insensitive. -1 is returned on failure.
const char * pcap_datalink_val_to_description (int dlt)
Translates a data link type value to a short description of that data link type. NULL is returned on failure.
const char * pcap_datalink_val_to_name (int dlt)
Translates a data link type value to the corresponding data link type name. NULL is returned on failure.
int pcap_dispatch (pcap_t *p, int cnt, pcap_handler callback, u_char *user)
Collect a group of packets.
pcap_dispatch() is used to collect and process packets. cnt specifies the maximum number of packets to process before returning. This is not a minimum number; when reading a live capture, only one bufferful of packets is read at a time, so fewer than cnt packets may be processed. A cnt of -1 processes all the packets received in one buffer when reading a live capture, or all the packets in the file when reading a "savefile". callback specifies a routine to be called with three arguments: a u_char pointer which is passed in from pcap_dispatch(), a const struct pcap_pkthdr pointer, and a const u_char pointer to the first caplen (as given in the struct pcap_pkthdr a pointer to which is passed to the callback routine) bytes of data from the packet (which won't necessarily be the entire packet; to capture the entire packet, you will have to provide a value for snaplen in your call to pcap_open_live() that is sufficiently large to get all of the packet's data - a value of 65535 should be sufficient on most if not all networks).
The number of packets read is returned. 0 is returned if no packets were read from a live capture (if, for example, they were discarded because they didn't pass the packet filter, or if, on platforms that support a read timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read) or if no more packets are available in a "savefile". A return of -1 indicates an error in which case pcap_perror() or pcap_geterr() may be used to display the error text. A return of -2 indicates that the loop terminated due to a call to pcap_breakloop() before any packets were processed. If your application uses pcap_breakloop(), make sure that you explicitly check for -1 and -2, rather than just checking for a return value < 0.
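Because the callback only receives the first caplen bytes, a handler that parses headers has to bound every read by caplen and never by len. The following is an added example, not code from WinPcap or libpcap: struct demo_pkthdr is a local stand-in for the caplen and len fields of struct pcap_pkthdr so that it builds without the library headers, and demo_stats, demo_handler, demo_run and the sample frame are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the two length fields of struct pcap_pkthdr, declared here
 * (assumption) so the example builds without the libpcap headers. */
struct demo_pkthdr {
    uint32_t caplen; /* bytes actually delivered at pkt_data */
    uint32_t len;    /* length of the packet on the wire */
};

/* Hypothetical capture state handed to the callback through `user`. */
struct demo_stats {
    unsigned long ipv4, truncated, other;
    uint32_t last_src; /* source address of the last parsed IPv4 packet */
};

enum { ETH_HLEN = 14, IPV4_MIN_HLEN = 20 };

/* Same argument order as pcap_handler. Every read is bounded by caplen;
 * len only says how long the packet was before snaplen cut it. */
static void demo_handler(unsigned char *user, const struct demo_pkthdr *h,
                         const unsigned char *data)
{
    struct demo_stats *st = (struct demo_stats *)user;
    const unsigned char *ip;
    size_t ihl;

    if (h->caplen < ETH_HLEN) { st->truncated++; return; }
    if (data[12] != 0x08 || data[13] != 0x00) { st->other++; return; }
    if (h->caplen < ETH_HLEN + IPV4_MIN_HLEN) { st->truncated++; return; }

    ip = data + ETH_HLEN;
    ihl = (size_t)(ip[0] & 0x0f) * 4;   /* header length field, in bytes */
    if ((ip[0] >> 4) != 4 || ihl < IPV4_MIN_HLEN) { st->other++; return; }
    if (h->caplen < ETH_HLEN + ihl) { st->truncated++; return; }

    st->last_src = (uint32_t)ip[12] << 24 | (uint32_t)ip[13] << 16 |
                   (uint32_t)ip[14] << 8 | (uint32_t)ip[15];
    st->ipv4++;
}

/* Constructed sample: Ethernet + IPv4 header, 192.0.2.1 -> 198.51.100.2. */
static const unsigned char demo_frame[34] = {
    0x02, 0, 0, 0, 0, 0x02,  0x02, 0, 0, 0, 0, 0x01,  0x08, 0x00,
    0x45, 0x00, 0x00, 0x2e,  0x00, 0x01, 0x00, 0x00,  0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 1,  198, 51, 100, 2
};

/* Deliver the same 60-byte packet as different snaplen values would. */
static struct demo_stats demo_run(void)
{
    struct demo_stats st = {0};
    unsigned char arp[14];
    const struct demo_pkthdr full      = { 34, 60 }; /* headers complete    */
    const struct demo_pkthdr mid_ip    = { 20, 60 }; /* cut inside IPv4 hdr */
    const struct demo_pkthdr short_eth = { 10, 60 }; /* cut inside Ethernet */
    const struct demo_pkthdr arp_hdr   = { 14, 42 }; /* not IPv4            */

    memcpy(arp, demo_frame, sizeof arp);
    arp[12] = 0x08; arp[13] = 0x06;                  /* EtherType ARP */

    demo_handler((unsigned char *)&st, &full, demo_frame);
    demo_handler((unsigned char *)&st, &mid_ip, demo_frame);
    demo_handler((unsigned char *)&st, &short_eth, demo_frame);
    demo_handler((unsigned char *)&st, &arp_hdr, arp);
    return st;
}

int main(void)
{
    struct demo_stats st = demo_run();
    printf("ipv4=%lu truncated=%lu other=%lu last_src=0x%08lx\n",
           st.ipv4, st.truncated, st.other, (unsigned long)st.last_src);
    return 0;
}
```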
void pcap_dump (u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
Save a packet to disk.
pcap_dump() outputs a packet to the "savefile" opened with pcap_dump_open(). Note that its calling arguments are suitable for use with pcap_dispatch() or pcap_loop(). If called directly, the user parameter is of type pcap_dumper_t as returned by pcap_dump_open().
void pcap_dump_close (pcap_dumper_t *p)
FILE * pcap_dump_file (pcap_dumper_t *p)
Return the standard I/O stream of the 'savefile' opened by pcap_dump_open().
int pcap_dump_flush (pcap_dumper_t *p)
Flushes the output buffer to the "savefile", so that any packets written with pcap_dump() but not yet written to the "savefile" will be written. -1 is returned on error, 0 on success.
long pcap_dump_ftell (pcap_dumper_t *)
Return the file position for a "savefile".
pcap_dump_ftell() returns the current file position for the "savefile", representing the number of bytes written by pcap_dump_open() and pcap_dump(). -1 is returned on error.
pcap_dumper_t * pcap_dump_open (pcap_t *p, const char *fname)
Open a file to write packets.
pcap_dump_open() is called to open a "savefile" for writing. The name "-" is a synonym for stdout. NULL is returned on failure. p is a pcap struct as returned by pcap_open_offline() or pcap_open_live(). fname specifies the name of the file to open. Alternatively, you may call pcap_dump_fopen() to write data to an existing open stream fp. Note that on Windows, that stream should be opened in binary mode. If NULL is returned, pcap_geterr() can be used to get the error text.
FILE * pcap_file (pcap_t *p)
Return the standard stream of an offline capture.
pcap_file() returns the standard I/O stream of the "savefile", if a "savefile" was opened with pcap_open_offline(), or NULL, if a network device was opened with pcap_open_live().
int pcap_findalldevs (pcap_if_t **alldevsp, char *errbuf)
Construct a list of network devices that can be opened with pcap_open_live().
int pcap_findalldevs_ex (char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf)
Create a list of network devices that can be opened with pcap_open().
This function is a superset of the old 'pcap_findalldevs()', which is obsolete, and which allows listing only the devices present on the local machine. In contrast, pcap_findalldevs_ex() allows listing the devices present on a remote machine as well. Additionally, it can list all the pcap files available in a given folder. Moreover, pcap_findalldevs_ex() is platform independent, since it relies on the standard pcap_findalldevs() to get addresses on the local machine.
When the function has to list the interfaces on a remote machine, it opens a new control connection to that machine, retrieves the interfaces, and drops the connection. However, if this function detects that the remote machine is in 'active' mode, the connection is not dropped and the existing socket is used.
The 'source' parameter tells the function where the lookup has to be done; it uses the same syntax as pcap_open().
Unlike with pcap_findalldevs(), the interface names (pointed to by alldevs->name and the other ones in the linked list) are ready to be used in the pcap_open() call. In contrast, the output that comes from pcap_findalldevs() must be formatted with the new pcap_createsrcstr() before passing the source identifier to pcap_open().
source: a char* buffer that keeps the 'source location', according to the new WinPcap syntax. This source will be examined looking for adapters (local or remote) (e.g. source can be 'rpcap://' for local adapters or 'rpcap://host:port' for adapters on a remote host) or pcap files (e.g. source can be 'file://c:/myfolder/'). The strings that must be prepended to the 'source' in order to define whether we want local/remote adapters or files are defined in the new Source Specification Syntax.
auth: a pointer to a pcap_rmtauth structure. This pointer keeps the information required to authenticate the RPCAP connection to the remote host. This parameter is not meaningful in case of a query to the local host: in that case it can be NULL.
alldevs: a 'struct pcap_if_t' pointer, which will be properly allocated inside this function. When the function returns, it is set to point to the first element of the interface list; each element of the list is of type 'struct pcap_if_t'.
errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE) that will contain the error message (in case there is one).
The interface list must be deallocated manually by using the pcap_freealldevs().
void pcap_freealldevs (pcap_if_t *alldevsp)
Free an interface list returned by pcap_findalldevs().
pcap_freealldevs() is used to free a list allocated by pcap_findalldevs().
void pcap_freecode (struct bpf_program *fp)
Free a filter.
pcap_freecode() is used to free up allocated memory pointed to by a bpf_program struct generated by pcap_compile() when that BPF program is no longer needed, for example after it has been made the filter program for a pcap structure by a call to pcap_setfilter().
PAirpcapHandle pcap_get_airpcap_handle (pcap_t *p)
Returns the AirPcap handler associated with an adapter. This handler can be used to change the wireless-related settings of the CACE Technologies AirPcap wireless capture adapters.
p: handle to an open libpcap adapter
char * pcap_geterr (pcap_t *p)
Return the error text pertaining to the last pcap library error.
HANDLE pcap_getevent (pcap_t *p)
Return the handle of the event associated with the interface p.
This event can be passed to functions like WaitForSingleObject() or WaitForMultipleObjects() to wait until the driver's buffer contains some data without performing a read.
We discourage the use of this function because it is not portable.
int pcap_getnonblock (pcap_t *p, char *errbuf)
Get the "non-blocking" state of an interface.
pcap_getnonblock() returns the current "non-blocking" state of the capture descriptor; it always returns 0 on "savefiles". If there is an error, -1 is returned and errbuf is filled in with an appropriate error message.
int pcap_is_swapped (pcap_t *p)
Returns true if the current savefile uses a different byte order than the current system.
const char * pcap_lib_version (void)
Returns a pointer to a string giving information about the version of the libpcap library being used; note that it contains more information than just a version number.
int pcap_list_datalinks (pcap_t *p, int **dlt_buf)
List datalinks.
pcap_list_datalinks() is used to get a list of the supported data link types of the interface associated with the pcap descriptor. pcap_list_datalinks() allocates an array to hold the list and sets *dlt_buf. The caller is responsible for freeing the array. -1 is returned on failure; otherwise, the number of data link types in the array is returned.
int pcap_live_dump (pcap_t *p, char *filename, int maxsize, int maxpacks)
Save a capture to file.
The parameters of this function are an interface descriptor (obtained with pcap_open_live()), a string with the name of the dump file, the maximum size of the file (in bytes) and the maximum number of packets that the file will contain. Setting maxsize or maxpacks to 0 means no limit. When maxsize or maxpacks are reached, the dump ends.
pcap_live_dump() is non-blocking and therefore returns immediately. pcap_live_dump_ended() can be used to check the status of the dump process or to wait until it is finished. pcap_close() can instead be used to end the dump process.
Note that when one of the two limits is reached, the dump is stopped, but the file remains open. In order to correctly flush the data and put the file in a consistent state, the adapter must be closed with pcap_close().
int pcap_live_dump_ended (pcap_t *p, int sync)
Return the status of the kernel dump process, i.e. tells if one of the limits defined with pcap_live_dump() has been reached.
If sync is nonzero, the function blocks until the dump is finished; otherwise it returns immediately.
char * pcap_lookupdev (char *errbuf)
Return the first valid device in the system.
int pcap_lookupnet (const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
Return the subnet and netmask of an interface.
int pcap_loop (pcap_t *p, int cnt, pcap_handler callback, u_char *user)
Collect a group of packets.
pcap_loop() is similar to pcap_dispatch() except it keeps reading packets until cnt packets are processed or an error occurs. It does not return when live read timeouts occur. Rather, specifying a non-zero read timeout to pcap_open_live() and then calling pcap_dispatch() allows the reception and processing of any packets that arrive when the timeout occurs. A negative cnt causes pcap_loop() to loop forever (or at least until an error occurs). -1 is returned on an error; 0 is returned if cnt is exhausted; -2 is returned if the loop terminated due to a call to pcap_breakloop() before any packets were processed. If your application uses pcap_breakloop(), make sure that you explicitly check for -1 and -2, rather than just checking for a return value < 0.
int pcap_major_version (pcap_t *p)
Return the major version number of the pcap library used to write the savefile.
int pcap_minor_version (pcap_t *p)
Return the minor version number of the pcap library used to write the savefile.
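The byte order, version numbers, snapshot length and link type that pcap_is_swapped(), pcap_major_version(), pcap_minor_version(), pcap_snapshot() and pcap_datalink() report for a savefile are read from the file's 24-byte global header. The following added example (not WinPcap or libpcap code) decodes that header from an untrusted buffer without the library; the function and struct names are hypothetical, the sample headers are constructed, and the 2.x version check and snaplen ceiling are policy choices of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAVEFILE_MAGIC   0xa1b2c3d4u /* classic microsecond-resolution savefile */
#define SAVEFILE_HDR_LEN 24u
#define DEMO_MAX_SNAPLEN 262144u     /* policy limit chosen for this example */

struct savefile_info {
    int swapped;           /* 1 if written in the other byte order */
    unsigned major, minor; /* format version stored in the header */
    uint32_t snaplen;      /* maximum captured bytes per packet */
    uint32_t linktype;     /* data link type of the capture */
};

static uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

static uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v >> 8) | (v << 8));
}

/* Returns 0 and fills *out, or -1 if the buffer is short, the magic is
 * unknown, or the header carries values this example refuses to trust. */
static int savefile_parse_header(const unsigned char *buf, size_t n,
                                 struct savefile_info *out)
{
    uint32_t magic, snaplen, linktype;
    uint16_t major, minor;

    if (n < SAVEFILE_HDR_LEN) return -1;
    memcpy(&magic, buf, 4);         /* fields are read in host byte order */
    memcpy(&major, buf + 4, 2);
    memcpy(&minor, buf + 6, 2);
    memcpy(&snaplen, buf + 16, 4);  /* bytes 8..15 (thiszone, sigfigs) skipped */
    memcpy(&linktype, buf + 20, 4);

    if (magic == SAVEFILE_MAGIC) {
        out->swapped = 0;
    } else if (magic == swap32(SAVEFILE_MAGIC)) {
        out->swapped = 1;           /* writer used the opposite byte order */
        major = swap16(major);
        minor = swap16(minor);
        snaplen = swap32(snaplen);
        linktype = swap32(linktype);
    } else {
        return -1;                  /* other magic values are not handled here */
    }
    if (major != 2 || snaplen == 0 || snaplen > DEMO_MAX_SNAPLEN) return -1;

    out->major = major;
    out->minor = minor;
    out->snaplen = snaplen;
    out->linktype = linktype;
    return 0;
}

/* Constructed headers: version 2.4, snaplen 65535, link type 1 (Ethernet),
 * once as a little-endian writer and once as a big-endian writer emits it. */
static const unsigned char sample_le[24] = {
    0xd4, 0xc3, 0xb2, 0xa1,  0x02, 0x00,  0x04, 0x00,  0, 0, 0, 0,  0, 0, 0, 0,
    0xff, 0xff, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00
};
static const unsigned char sample_be[24] = {
    0xa1, 0xb2, 0xc3, 0xd4,  0x00, 0x02,  0x00, 0x04,  0, 0, 0, 0,  0, 0, 0, 0,
    0x00, 0x00, 0xff, 0xff,  0x00, 0x00, 0x00, 0x01
};

int main(void)
{
    struct savefile_info le, be;
    if (savefile_parse_header(sample_le, sizeof sample_le, &le) != 0 ||
        savefile_parse_header(sample_be, sizeof sample_be, &be) != 0)
        return 1;
    printf("LE file: swapped=%d v%u.%u snaplen=%lu linktype=%lu\n", le.swapped,
           le.major, le.minor, (unsigned long)le.snaplen, (unsigned long)le.linktype);
    printf("BE file: swapped=%d v%u.%u snaplen=%lu linktype=%lu\n", be.swapped,
           be.major, be.minor, (unsigned long)be.snaplen, (unsigned long)be.linktype);
    return 0;
}
```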
u_char * pcap_next (pcap_t *p, struct pcap_pkthdr *h)
Return the next available packet.
pcap_next() reads the next packet (by calling