[Winpcap-users] pcapt_open_live ( ) function, how it works?

Tue Jul 19 00:11:37 PDT 2011

On Jul 19, 2011, at 12:01 AM, rajath kumara wrote:

> But , where and how exactly is packet generated? because, i never explicitly generated this packet.

So?  You don't think that, when you capture packets with libpcap/WinPcap, the only packets you see will be those you explicitly generate with one of your programs, do you?  That's not the case; even if you're not in promiscuous mode, libpcap/WinPcap should see *all* the packets received by or transmitted by the host on that interface that match whatever filter you specify (and if you specify no filter or an empty filter, it'll match *all* packets), and if you *are* in promiscuous mode, the interface will even receive packets that are on your network segment but aren't being unicast to your machine, multicast to a multicast group to which your machine belongs, or broadcast.

So the packet was either generated by some process on the machine on which you're running or by some other machine on the network segment to which the network adapter is connected.

> Also, could you let me know, what exactly pcap_open_live( ) and pcap_next_ex( ) functions do, apart from opening device and read a packet.

At the most abstract level - i.e., the level seen by people writing programs that use libpcap/WinPcap - "opening a device" *is* exactly what pcap_open_live() does, and "reading packets" *is* exactly what pcap_next_ex() does.

What they do on a particular OS and device depends on the OS and device.  For LAN devices on Windows, pcap_open_live() currently calls various routines in Packet.dll, such as PacketOpenAdapter(), and pcap_next_ex() also calls various routines in Packet.dll, such as PacketReceivePacket().  (Actually, they call routines that call those routines, but that's an even more specific implementation detail.)  For regular network devices on Linux, pcap_open_live() creates a PF_PACKET socket (except on the 2.0 kernel) and binds it to a network device (unless you're opening the "any" device), and might memory-map it, and pcap_next_ex() will either do a recvfrom() on that socket or read data from the memory-mapped buffer.  For regular network devices in *BSD and Mac OS X, pcap_open_live() opens a BPF device and binds it to a network adapter, and pcap_next_ex() reads from that BPF device (or, on FreeBSD, pcap_open_live() might memory-map the device and pcap_next_ex() might read from the memory-mapped buffer).  For regular network devices on Solaris....