[Winpcap-users] functions do the same purpose

Guy Harris guy at alum.mit.edu
Sun Apr 7 16:03:06 PDT 2013


On Apr 7, 2013, at 2:47 PM, Ahmed Elshaer <a.n.elshaer at gmail.com> wrote:

> what is the difference between
> pcap_open     and pcap_open_live

pcap_open() supports some options that pcap_open_live() doesn't, such as providing a user name and password for remote capture, some flags for remote capture, and an option to return packets as soon as they arrive.

If you don't need any of the options that pcap_open() supports, and want your code to be portable to non-Windows systems, pcap_open_live() is the best choice.  pcap_open_live() is also a bit simpler to call. If you need those options, pcap_open() is the best choice.

> findalldevs_ex and findalldevs

pcap_findalldevs_ex() can ask a remote machine running the rpcap service what devices it has to capture on; pcap_findalldevs() can only check for local devices.

If you don't need to support capturing from interfaces attached to other machines, and want your code to be portable to non-Windows systems, pcap_findalldevs() is the best choice.  It is also a bit simpler to call.  If you want to support capturing on interfaces attached to other machines, pcap_findalldevs_ex() is the best choice.

> pcap_loop     and pcap_dispatch and pcap_next_ex

pcap_loop() will keep reading packets until the specified count runs out or pcap_breakloop() is called (in another thread).

pcap_dispatch() will do at most one blocking call into the OS per call to pcap_dispatch(); it's primarily intended for use when your program has a main loop using calls such as select()/poll()/etc. on UN*X or WaitForMultipleObjects()/MsgWaitForMultipleObjects() on Windows, so that the main loop is handling both packets and other things (network connections, devices, window system input events).

Both pcap_loop() and pcap_dispatch() use callbacks to supply packets, and pcap_next_ex(), in effect, calls pcap_loop() with a count of 1 with its own callback that fills in some information that it then returns.  pcap_loop() and pcap_dispatch() might thus have less overhead, but you have to supply a callback rather than doing something simpler such as

	for (;;) {
		get a packet with pcap_next_ex();
		if (error) {
			report the error;
			break;
		}
		process the packet;
	}

If you're not doing your own main loop in the fashion I described, there's no reason to use pcap_dispatch().  If you are, you would either use it or put the pcap_t into non-blocking mode and write your own loop using pcap_next_ex(), processing packets until you get an error or a "no packets available right now" indication, and then going back to the main loop to wait for an event.

Whether to use pcap_loop() or pcap_next_ex(), in the case where you don't have your own main loop, depends on whether a callback or a loop of your own is more convenient, and whether the extra overhead of pcap_next_ex() actually makes a difference.

