PCAP(3) PCAP(3)
NAME
pcap - Packet Capture library
SYNOPSIS
##include <>
char errbuf[PCAPERBUFSIZE];;
pcapt **pcapopenlive(const char **device,, int snaplen,,
int promisc,, int toms,, char **errbuf)
pcapt **pcapopendead(int linktype,, int snaplen)
pcapt **pcapopenoffline(const char **fname,, char **errbuf)
pcapt **pcapfopenoffline(FILE **fp,, char **errbuf)
pcapdumpert **pcapdumpopen(pcapt **p,, const char **fname)
pcapdumpert **pcapdumpfopen(pcapt **p,, FILE **fp)
int pcapsetnonblock(pcapt **p,, int nonblock,, char **errbuf);;
int pcapgetnonblock(pcapt **p,, char **errbuf);;
int pcapfindalldevs(pcapift ****alldevsp,, char **errbuf)
void pcapfreealldevs(pcapift **alldevs)
char **pcaplookupdev(char **errbuf)
int pcaplookupnet(const char **device,, bpfuint32 **netp,,
bpfuint32 **maskp,, char **errbuf)
typedef void (**pcaphandler)(uchar **user,, const struct pcappkthdr **h,,
const uchar **bytes);;
int pcapdispatch(pcapt **p,, int cnt,,
pcaphandler callback,, uchar **user)
int pcaploop(pcapt **p,, int cnt,,
pcaphandler callback,, uchar **user)
void pcapdump(uchar **user,, struct pcappkthdr **h,,
uchar **sp)
int pcapcompile(pcapt **p,, struct bpfprogram **fp,,
char **str,, int optimize,, bpfuint32 netmask)
int pcapsetfilter(pcapt **p,, struct bpfprogram **fp)
void pcapfreecode(struct bpfprogram **)
int pcapsetdirection(pcapt **p,, pcapdirectiont d)
const uchar **pcapnext(pcapt **p,, struct pcappkthdr **h)
int pcapnextex(pcapt **p,, struct pcappkthdr ****pktheader,,
const uchar ****pktdata)
void pcapbreakloop(pcapt **)
int pcapinject(pcapt **p,, const void **buf,, sizet size)
int pcapsendpacket(pcapt **p,, const uchar **buf,, int size)
int pcapdatalink(pcapt **p)
int pcaplistdatalinks(pcapt **p,, int ****dltbuf);;
int pcapsetdatalink(pcapt **p,, int dlt);;
int pcapdatalinknametoval(const char **name);;
const char **pcapdatalinkvaltoname(int dlt);;
const char **pcapdatalinkvaltodescription(int dlt);;
int pcapsnapshot(pcapt **p)
int pcapisswapped(pcapt **p)
int pcapmajorversion(pcapt **p)
int pcapminorversion(pcapt **p)
int pcapstats(pcapt **p,, struct pcapstat **ps)
FILE **pcapfile(pcapt **p)
int pcapfileno(pcapt **p)
int pcapgetselectablefd(pcapt **p);;
void pcapperror(pcapt **p,, char **prefix)
char **pcapgeterr(pcapt **p)
char **pcapstrerror(int error)
const char **pcaplibversion(void)
void pcapclose(pcapt **p)
int pcapdumpflush(pcapdumpert **p)
long pcapdumpftell(pcapdumpert **p)
FILE **pcapdumpfile(pcapdumpert **p)
void pcapdumpclose(pcapdumpert **p)
DESCRIPTION
The Packet Capture library provides a high level interface to packet
capture systems. All packets on the network, even those destined for
other hosts, are accessible through this mechanism.
ROUTINES
NOTE: errbuf in pcapopenlive(), pcapopendead(),
pcapopenoffline(), pcapfopenoffline(), pcapsetnonblock(),
pcapgetnonblock(), pcapfindalldevs(), pcaplookupdev(), and
pcaplookupnet() is assumed to be able to hold at least
PCAPERBUFSIZE chars.
pcapopenlive() is used to obtain a packet capture descriptor to look
at packets on the network. device is a string that specifies the net-
work device to open; on Linux systems with 2.2 or later kernels, a
device argument of "any" or NUL can be used to capture packets from
all interfaces. snaplen specifies the maximum number of bytes to cap-
ture. If this value is less than the size of a packet that is cap-
tured, only the first snaplen bytes of that packet will be captured and
provided as packet data. A value of 65535 should be sufficient, on
most if not all networks, to capture all the data available from the
packet. promisc specifies if the interface is to be put into promiscu-
ous mode. (Note that even if this parameter is false, the interface
could well be in promiscuous mode for some other reason.) For now,
this doesn't work on the "any" device; if an argument of "any" or NUL
is supplied, the promisc flag is ignored. toms specifies the read
timeout in milliseconds. The read timeout is used to arrange that the
read not necessarily return immediately when a packet is seen, but that
it wait for some amount of time to allow more packets to arrive and to
read multiple packets from the OS kernel in one operation. Not all
platforms support a read timeout; on platforms that don't, the read
timeout is ignored. A zero value for toms, on platforms that support
a read timeout, will cause a read to wait forever to allow enough pack-
ets to arrive, with no timeout. errbuf is used to return error or
warning text. It will be set to error text when pcapopenlive() fails
and returns NUL. errbuf may also be set to warning text when
pcapopenlive() succeds; to detect this case the caller should store a
zero-length string in errbuf before calling pcapopenlive() and dis-
play the warning to the user if errbuf is no longer a zero-length
string.
pcapopendead() is used for creating a pcapt structure to use when
calling the other functions in libpcap. It is typically used when just
using libpcap for compiling BPF code.
pcapopenoffline() is called to open a ``savefile'' for reading.
fname specifies the name of the file to open. The file has the same
format as those used by tcpdump(1) and tcpslice(1). The name "-" in a
synonym for stdin. Alternatively, you may call pcapfopenoffline() to
read dumped data from an existing open stream fp. Note that on Win-
dows, that stream should be opened in binary mode. errbuf is used to
return error text and is only set when pcapopenoffline() or
pcapfopenoffline() fails and returns NUL.
pcapdumpopen() is called to open a ``savefile'' for writing. The name
"-" in a synonym for stdout. NUL is returned on failure. p is a pcap
struct as returned by pcapopenoffline() or pcapopenlive(). fname
specifies the name of the file to open. Alternatively, you may call
pcapdumpfopen() to write data to an existing open stream fp. Note
that on Windows, that stream should be opened in binary mode. If NUL
is returned, pcapgeterr() can be used to get the error text.
pcapsetnonblock() puts a capture descriptor, opened with
pcapopenlive(), into ``non-blocking'' mode, or takes it out of ``non-
blocking'' mode, depending on whether the nonblock argument is non-zero
or zero. It has no effect on ``savefiles''. If there is an error, -1
is returned and errbuf is filled in with an appropriate error message;
otherwise, 0 is returned. In ``non-blocking'' mode, an attempt to read
from the capture descriptor with pcapdispatch() will, if no packets
are currently available to be read, return 0 immediately rather than
blocking waiting for packets to arrive. pcaploop() and pcapnext()
will not work in ``non-blocking'' mode.
pcapgetnonblock() returns the current ``non-blocking'' state of the
capture descriptor; it always returns 0 on ``savefiles''. If there is
an error, -1 is returned and errbuf is filled in with an appropriate
error message.
pcapfindalldevs() constructs a list of network devices that can be
opened with pcapopenlive(). (Note that there may be network devices
that cannot be opened with pcapopenlive() by the process calling
pcapfindalldevs(), because, for example, that process might not have
sufficient privileges to open them for capturing; if so, those devices
will not appear on the list.) alldevsp is set to point to the first
element of the list; each element of the list is of type pcapift, and
has the following members:
next if not NUL, a pointer to the next element in the list;
NUL for the last element of the list
name a pointer to a string giving a name for the device to
pass to pcapopenlive()
description
if not NUL, a pointer to a string giving a human-read-
able description of the device
addresses
a pointer to the first element of a list of addresses for
the interface
flags interface flags:
PCAPIFLOPBACK
set if the interface is a loopback interface
Each element of the list of addresses is of type pcapaddrt, and has
the following members:
next if not NUL, a pointer to the next element in the list;
NUL for the last element of the list
addr a pointer to a struct sockaddr containing an address
netmask
if not NUL, a pointer to a struct sockaddr that contains
the netmask corresponding to the address pointed to by
addr
broadaddr
if not NUL, a pointer to a struct sockaddr that contains
the broadcast address corresponding to the address
pointed to by addr; may be null if the interface doesn't
support broadcasts
dstaddr
if not NUL, a pointer to a struct sockaddr that contains
the destination address corresponding to the address
pointed to by addr; may be null if the interface isn't a
point-to-point interface
Note that not all the addresses in the list of addresses are necessar-
ily IPv4 or IPv6 addresses - you must check the safamily member of the
struct sockaddr before interpreting the contents of the address.
-1 is returned on failure, in which case errbuf is filled in with an
appropriate error message; 00 is returned on success.
pcapfreealldevs() is used to free a list allocated by pcapfind-
alldevs().
pcaplookupdev() returns a pointer to a network device suitable for use
with pcapopenlive() and pcaplookupnet(). If there is an error, NUL
is returned and errbuf is filled in with an appropriate error message.
pcaplookupnet() is used to determine the network number and mask asso-
ciated with the network device device. Both netp and maskp are
bpfuint32 pointers. A return of -1 indicates an error in which case
errbuf is filled in with an appropriate error message.
pcapdispatch() is used to collect and process packets. cnt specifies
the maximum number of packets to process before returning. This is not
a minimum number; when reading a live capture, only one bufferful of
packets is read at a time, so fewer than cnt packets may be processed.
A cnt of -1 processes all the packets received in one buffer when read-
ing a live capture, or all the packets in the file when reading a
``savefile''. callback specifies a routine to be called with three
arguments: a uchar pointer which is passed in from pcapdispatch(), a
const struct pcappkthdr pointer to a structure with the following mem-
bers:
ts a struct timeval containing the time when the packet was
captured
caplen a bpfuint32 giving the number of bytes of the packet
that are available from the capture
len a bpfuint32 giving the length of the packet, in bytes
(which might be more than the number of bytes available
from the capture, if the length of the packet is larger
than the maximum number of bytes to capture)
and a const uchar pointer to the first caplen (as given in the struct
pcappkthdr a pointer to which is passed to the callback routine) bytes
of data from the packet (which won't necessarily be the entire packet;
to capture the entire packet, you will have to provide a value for
snaplen in your call to pcapopenlive() that is sufficiently large to
get all of the packet's data - a value of 65535 should be sufficient on
most if not all networks).
The number of packets read is returned. 0 is returned if no packets
were read from a live capture (if, for example, they were discarded
because they didn't pass the packet filter, or if, on platforms that
support a read timeout that starts before any packets arrive, the time-
out expires before any packets arrive, or if the file descriptor for
the capture device is in non-blocking mode and no packets were avail-
able to be read) or if no more packets are available in a ``savefile.''
A return of -1 indicates an error in which case pcapperror() or
pcapgeterr() may be used to display the error text. A return of -2
indicates that the loop terminated due to a call to pcapbreakloop()
before any packets were processed. If your application uses
pcapbreakloop(),, make sure that you explicitly check for -1 and -2,,
rather than just checking for a return value << 00.
NOTE: when reading a live capture, pcapdispatch() will not necessarily
return when the read times out; on some platforms, the read timeout
isn't supported, and, on other platforms, the timer doesn't start until
at least one packet arrives. This means that the read timeout should
NOT be used in, for example, an interactive application, to allow the
packet capture loop to ``poll'' for user input periodically, as there's
no guarantee that pcapdispatch() will return after the timeout
expires.
pcaploop() is similar to pcapdispatch() except it keeps reading pack-
ets until cnt packets are processed or an error occurs. It does not
return when live read timeouts occur. Rather, specifying a non-zero
read timeout to pcapopenlive() and then calling pcapdispatch()
allows the reception and processing of any packets that arrive when the
timeout occurs. A negative cnt causes pcaploop() to loop forever (or
at least until an error occurs). -1 is returned on an error; 0 is
returned if cnt is exhausted; -2 is returned if the loop terminated due
to a call to pcapbreakloop() before any packets were processed. If
your application uses pcapbreakloop(),, make sure that you explicitly
check for -1 and -2,, rather than just checking for a return value << 00.
pcapnext() reads the next packet (by calling pcapdispatch() with a
cnt of 1) and returns a uchar pointer to the data in that packet.
(The pcappkthdr struct for that packet is not supplied.) NUL is
returned if an error occured, or if no packets were read from a live
capture (if, for example, they were discarded because they didn't pass
the packet filter, or if, on platforms that support a read timeout that
starts before any packets arrive, the timeout expires before any pack-
ets arrive, or if the file descriptor for the capture device is in non-
blocking mode and no packets were available to be read), or if no more
packets are available in a ``savefile.'' Unfortunately, there is no
way to determine whether an error occured or not.
pcapnextex() reads the next packet and returns a success/failure
indication:
1 the packet was read without problems
0 packets are being read from a live capture, and the time-
out expired
-1 an error occurred while reading the packet
-2 packets are being read from a ``savefile'', and there are
no more packets to read from the savefile.
If the packet was read without problems, the pointer pointed to by the
pktheader argument is set to point to the pcappkthdr struct for the
packet, and the pointer pointed to by the pktdata argument is set to
point to the data in the packet.
pcapbreakloop() sets a flag that will force pcapdispatch() or
pcaploop() to return rather than looping; they will return the number
of packets that have been processed so far, or -2 if no packets have
been processed so far.
This routine is safe to use inside a signal handler on UNIX or a con-
sole control handler on Windows, as it merely sets a flag that is
checked within the loop.
The flag is checked in loops reading packets from the OS - a signal by
itself will not necessarily terminate those loops - as well as in loops
processing a set of packets returned by the OS. Note that if you are
catching signals on UNIX systems that support restarting system calls
after a signal,, and calling pcapbreakloop() in the signal handler,, you
must specify,, when catching those signals,, that system calls should NOT
be restarted by that signal. Otherwise,, if the signal interrupted a
call reading packets in a live capture,, when your signal handler
returns after calling pcapbreakloop(),, the call will be restarted,, and
the loop will not terminate until more packets arrive and the call com-
pletes.
Note also that, in a multi-threaded application, if one thread is
blocked in pcapdispatch(), pcaploop(), pcapnext(), or
pcapnextex(), a call to pcapbreakloop() in a different thread will
not unblock that thread; you will need to use whatever mechanism the OS
provides for breaking a thread out of blocking calls in order to
unblock the thread, such as thread cancellation in systems that support
POSIX threads.
Note that pcapnext() will, on some platforms, loop reading packets
from the OS; that loop will not necessarily be terminated by a signal,
so pcapbreakloop() should be used to terminate packet processing even
if pcapnext() is being used.
pcapbreakloop() does not guarantee that no further packets will be
processed by pcapdispatch() or pcaploop() after it is called; at most
one more packet might be processed.
If -2 is returned from pcapdispatch() or pcaploop(), the flag is
cleared, so a subsequent call will resume reading packets. If a posi-
tive number is returned, the flag is not cleared, so a subsequent call
will return -2 and clear the flag.
pcapinject() sends a raw packet through the network interface; buf
points to the data of the packet, including the link-layer header, and
size is the number of bytes in the packet. It returns the number of
bytes written on success. A return of -1 indicates an error in which
case pcapperror() or pcapgeterr() may be used to display the error
text. Note that, even if you successfully open the network interface,
you might not have permission to send packets on it, or it might not
support sending packets; as pcapopenlive() doesn't have a flag to
indicate whether to open for capturing, sending, or capturing and send-
ing, you cannot request an open that supports sending and be notified
at open time whether sending will be possible. Note also that some
devices might not support sending packets.
Note that, on some platforms, the link-layer header of the packet
that's sent might not be the same as the link-layer header of the
packet supplied to pcapinject(), as the source link-layer address, if
the header contains such an address, might be changed to be the address
assigned to the interface on which the packet it sent, if the platform
doesn't support sending completely raw and unchanged packets. Even
worse, some drivers on some platforms might change the link-layer type
field to whatever value libpcap used when attaching to the device, even
on platforms that do nominally support sending completely raw and
unchanged packets.
pcapsendpacket() is like pcapinject(), but it returns 0 on success
and -1 on failure. (pcapinject() comes from OpenBSD; pcapsend-
packet() comes from WinPcap. Both are provided for compatibility.)
pcapdump() outputs a packet to the ``savefile'' opened with
pcapdumpopen(). Note that its calling arguments are suitable for use
with pcapdispatch() or pcaploop(). If called directly, the user
parameter is of type pcapdumpert as returned by pcapdumpopen().
pcapcompile() is used to compile the string str into a filter program.
program is a pointer to a bpfprogram struct and is filled in by
pcapcompile(). optimize controls whether optimization on the result-
ing code is performed. netmask specifies the IPv4 netmask of the net-
work on which packets are being captured; it is used only when checking
for IPv4 broadcast addresses in the filter program. If the netmask of
the network on which packets are being captured isn't known to the pro-
gram, or if packets are being captured on the Linux "any" pseudo-inter-
face that can capture on more than one network, a value of 0 can be
supplied; tests for IPv4 broadcast addreses won't be done correctly,
but all other tests in the filter program will be OK. A return of -1
indicates an error in which case pcapgeterr() may be used to display
the error text.
pcapcompilenopcap() is similar to pcapcompile() except that instead
of passing a pcap structure, one passes the snaplen and linktype
explicitly. It is intended to be used for compiling filters for direct
BPF usage, without necessarily having called pcapopen(). A return of
-1 indicates an error; the error text is unavailable. (pcapcom-
pilenopcap() is a wrapper around pcapopendead(), pcapcompile(), and
pcapclose(); the latter three routines can be used directly in order
to get the error text for a compilation error.)
pcapsetfilter() is used to specify a filter program. fp is a pointer
to a bpfprogram struct, usually the result of a call to pcapcom-
pile(). -1 is returned on failure, in which case pcapgeterr() may be
used to display the error text; 00 is returned on success.
pcapfreecode() is used to free up allocated memory pointed to by a
bpfprogram struct generated by pcapcompile() when that BPF program is
no longer needed, for example after it has been made the filter program
for a pcap structure by a call to pcapsetfilter().
pcapsetdirection() is used to specify a direction that packets will be
captured. pcapdirectiont is one of the constants PCAPDIN,
PCAPDOUT or PCAPDINOUT. PCAPDIN will only capture packets
received by the device, PCAPDOUT will only capture packets sent by
the device and PCAPDINOUT will capture packets received by or sent by
the device. PCAPDINOUT is the default setting if this function is
not called. This isn't necessarily supported on all platforms; some
platforms might return an error, and some other platforms might not
support PCAPDOUT. This operation is not supported if a ``savefile''
is being read. -1 is returned on failure, 00 is returned on success.
pcapdatalink() returns the link layer type; link layer types it can
return include:
DLTNUL
BSD loopback encapsulation; the link layer header is a 4-byte
field, in host byte order, containing a PF value from
socket.h for the network-layer protocol of the packet.
Note that ``host byte order'' is the byte order of the
machine on which the packets are captured, and the PF values
are for the OS of the machine on which the packets are cap-
tured; if a live capture is being done, ``host byte order''
is the byte order of the machine capturing the packets, and
the PF values are those of the OS of the machine capturing
the packets, but if a ``savefile'' is being read, the byte
order and PF values are not necessarily those of the machine
reading the capture file.
DLTEN100MB
Ethernet (10Mb, 100Mb, 1000Mb, and up)
DLTIE8002
IE 802.5 Token Ring
DLTARCNET
ARCNET
DLTSLIP
SLIP; the link layer header contains, in order:
a 1-byte flag, which is 0 for packets received by the
machine and 1 for packets sent by the machine;
a 1-byte field, the upper 4 bits of which indicate the
type of packet, as per RFC 1144:
0x40 an unmodified IP datagram (TYPEIP);
0x70 an uncompressed-TCP IP datagram (UNCOM-
PRESEDTCP), with that byte being the first
byte of the raw IP header on the wire, con-
taining the connection number in the protocol
field;
0x80 a compressed-TCP IP datagram (COMPRESEDTCP),
with that byte being the first byte of the
compressed TCP/IP datagram header;
for UNCOMPRESEDTCP, the rest of the modified IP
header, and for COMPRESEDTCP, the compressed TCP/IP
datagram header;
for a total of 16 bytes; the uncompressed IP datagram follows
the header.
DLTP
P; if the first 2 bytes are 0xff and 0x03, it's P in
HDLC-like framing, with the P header following those two
bytes, otherwise it's P without framing, and the packet
begins with the P header.
DLTFDI
FDI
DLTATMRFC1483
RFC 1483 LC/SNAP-encapsulated ATM; the packet begins with an
IE 802.2 LC header.
DLTRAW
raw IP; the packet begins with an IP header.
DLTPSERIAL
P in HDLC-like framing, as per RFC 1662, or Cisco P with
HDLC framing, as per section 4.3.1 of RFC 1547; the first
byte will be 0xF for P in HDLC-like framing, and will be
0x0F or 0x8F for Cisco P with HDLC framing.
DLTPETHER
PoE; the packet begins with a PoE header, as per RFC
2516.
DLTCHDLC
Cisco P with HDLC framing, as per section 4.3.1 of RFC
1547.
DLTIE800211
IE 802.11 wireless LAN
DLTFRELAY
Frame Relay
DLTLOP
OpenBSD loopback encapsulation; the link layer header is a
4-byte field, in network byte order, containing a PF value
from OpenBSD's socket.h for the network-layer protocol of the
packet.
Note that, if a ``savefile'' is being read, those PF values
are not necessarily those of the machine reading the capture
file.
DLTLINUXSL
Linux "cooked" capture encapsulation; the link layer header
contains, in order:
a 2-byte "packet type", in network byte order, which is
one of:
0 packet was sent to us by somebody else
1 packet was broadcast by somebody else
2 packet was multicast, but not broadcast, by
somebody else
3 packet was sent by somebody else to somebody
else
4 packet was sent by us
a 2-byte field, in network byte order, containing a
Linux ARPHRD value for the link layer device type;
a 2-byte field, in network byte order, containing the
length of the link layer address of the sender of the
packet (which could be 0);
an 8-byte field containing that number of bytes of the
link layer header (if there are more than 8 bytes, only
the first 8 are present);
a 2-byte field containing an Ethernet protocol type, in
network byte order, or containing 1 for Novell 802.3
frames without an 802.2 LC header or 4 for frames
beginning with an 802.2 LC header.
DLTLTALK
Apple LocalTalk; the packet begins with an AppleTalk LAP
header.
DLTPFLOG
OpenBSD pflog; the link layer header contains, in order:
a 1-byte header length, in host byte order;
a 4-byte PF value, in host byte order;
a 2-byte action code, in network byte order, which is
one of:
0 passed
1 dropped
2 scrubbed
a 2-byte reason code, in network byte order, which is
one of:
0 match
1 bad offset
2 fragment
3 short
4 normalize
5 memory
a 16-character interface name;
a 16-character ruleset name (only meaningful if subrule
is set);
a 4-byte rule number, in network byte order;
a 4-byte subrule number, in network byte order;
a 1-byte direction, in network byte order, which is one
of:
0 incoming or outgoing
1 incoming
2 outgoing
DLTPRISMHEADER
Prism monitor mode information followed by an 802.11 header.
DLTIPOVERFC
RFC 2625 IP-over-Fibre Channel, with the link-layer header
being the NetworkHeader as described in that RFC.
DLTSUNATM
SunATM devices; the link layer header contains, in order:
a 1-byte flag field, containing a direction flag in the
uppermost bit, which is set for packets transmitted by
the machine and clear for packets received by the
machine, and a 4-byte traffic type in the low-order 4
bits, which is one of:
0 raw traffic
1 LANE traffic
2 LC-encapsulated traffic
3 MARS traffic
4 IFMP traffic
5 ILMI traffic
6 Q.2931 traffic
a 1-byte VPI value;
a 2-byte VCI field, in network byte order.
DLTIE800211RADIO
link-layer information followed by an 802.11 header - see
http:/www.shaftnet.org/~pizza/software/capturefrm.txt for a
description of the link-layer information.
DLTARCNETLINUX
ARCNET, with no exception frames, reassembled packets rather
than raw frames, and an extra 16-bit offset field between the
destination host and type bytes.
DLTLINUXIRDA
Linux-IrDA packets, with a DLTLINUXSL header followed by
the IrLAP header.
pcaplistdatalinks() is used to get a list of the supported data link
types of the interface associated with the pcap descriptor.
pcaplistdatalinks() allocates an array to hold the list and sets
*dltbuf. The caller is responsible for freeing the array. -1 is
returned on failure; otherwise, the number of data link types in the
array is returned.
pcapsetdatalink() is used to set the current data link type of the
pcap descriptor to the type specified by dlt. -1 is returned on fail-
ure.
pcapdatalinknametoval() translates a data link type name, which is
a DLT name with the DLT removed, to the corresponding data link type
value. The translation is case-insensitive. -1 is returned on fail-
ure.
pcapdatalinkvaltoname() translates a data link type value to the
corresponding data link type name. NUL is returned on failure.
pcapdatalinkvaltodescription() translates a data link type value to
a short description of that data link type. NUL is returned on fail-
ure.
pcapsnapshot() returns the snapshot length specified when
pcapopenlive() was called.
pcapisswapped() returns true if the current ``savefile'' uses a dif-
ferent byte order than the current system.
pcapmajorversion() returns the major number of the file format of the
savefile; pcapminorversion() returns the minor number of the file
format of the savefile. The version number is stored in the header of
the savefile.
pcapfile() returns the standard I/O stream of the ``savefile,'' if a
``savefile'' was opened with pcapopenoffline(), or NUL, if a network
device was opened with pcapopenlive().
pcapstats() returns 0 and fills in a pcapstat struct. The values rep-
resent packet statistics from the start of the run to the time of the
call. If there is an error or the underlying packet capture doesn't
support packet statistics, -1 is returned and the error text can be
obtained with pcapperror() or pcapgeterr(). pcapstats() is sup-
ported only on live captures, not on ``savefiles''; no statistics are
stored in ``savefiles'', so no statistics are available when reading
from a ``savefile''.
pcapfileno() returns the file descriptor number from which captured
packets are read, if a network device was opened with pcapopenlive(),
or -1, if a ``savefile'' was opened with pcapopenoffline().
pcapgetselectablefd() returns, on UNIX, a file descriptor number for
a file descriptor on which one can do a select() or poll() to wait for
it to be possible to read packets without blocking, if such a descrip-
tor exists, or -1, if no such descriptor exists. Some network devices
opened with pcapopenlive() do not support select() or poll() (for
example, regular network devices on FreeBSD 4.3 and 4.4, and Endace DAG
devices), so -1 is returned for those devices.
Note that on most versions of most BSDs (including Mac OS X) select()
and poll() do not work correctly on BPF devices;
pcapgetselectablefd() will return a file descriptor on most of those
versions (the exceptions being FreeBSD 4.3 and 4.4), a simple select()
or poll() will not return even after a timeout specified in
pcapopenlive() expires. To work around this, an application that
uses select() or poll() to wait for packets to arrive must put the
pcapt in non-blocking mode, and must arrange that the select() or
poll() have a timeout less than or equal to the timeout specified in
pcapopenlive(), and must try to read packets after that timeout
expires, regardless of whether select() or poll() indicated that the
file descriptor for the pcapt is ready to be read or not. (That work-
around will not work in FreeBSD 4.3 and later; however, in FreeBSD 4.6
and later, select() and poll() work correctly on BPF devices, so the
workaround isn't necessary, although it does no harm.)
pcapgetselectablefd() is not available on Windows.
pcapperror() prints the text of the last pcap library error on stderr,
prefixed by prefix.
pcapgeterr() returns the error text pertaining to the last pcap
library error. NOTE: the pointer it returns will no longer point to a
valid error message string after the pcapt passed to it is closed; you
must use or copy the string before closing the pcapt.
pcapstrerror() is provided in case strerror(1) isn't available.
pcaplibversion() returns a pointer to a string giving information
about the version of the libpcap library being used; note that it con-
tains more information than just a version number.
pcapclose() closes the files associated with p and deallocates
resources.
pcapdumpfile() returns the standard I/O stream of the ``savefile''
opened by pcapdumpopen().
pcapdumpflush() flushes the output buffer to the ``savefile,'' so
that any packets written with pcapdump() but not yet written to the
``savefile'' will be written. -1 is returned on error, 0 on success.
pcapdumpftell() returns the current file position for the ``save-
file'', representing the number of bytes written by pcapdumpopen()
and pcapdump(). -1 is returned on error.
pcapdumpclose() closes the ``savefile.''
SEE ALSO
tcpdump(1), tcpslice(1)
AUTHORS
The original authors are:
Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence
Berkeley National Laboratory, University of California, Berkeley, CA.
The current version is available from "The Tcpdump Group"'s Web site at
http://www.tcpdump.org/
BUGS
Please send problems, bugs, questions, desirable enhancements, etc. to:
tcpdump-workers@tcpdump.org
Please send source code contributions, etc. to:
patches@tcpdump.org
27 February 2004 PCAP(3)
|
