Main Page   Modules   Data Structures   File List   Data Fields   Globals   Related Pages  

Exported functions
[WinPcap user's manual]


Typedefs

typedef void(* pcap_handler )(u_char *user, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data)
 Prototype of the callback function that receives the packets.


Functions

pcap_tpcap_open_live (char *device, int snaplen, int promisc, int to_ms, char *ebuf)
 Deprecated

pcap_tpcap_open_dead (int linktype, int snaplen)
 Deprecated

pcap_tpcap_open_offline (const char *fname, char *errbuf)
 Deprecated

pcap_dumper_tpcap_dump_open (pcap_t *p, const char *fname)
 Opens a file to write the network traffic.

int pcap_setnonblock (pcap_t *p, int nonblock, char *errbuf)
 Switches between blocking and nonblocking mode.

int pcap_getnonblock (pcap_t *p, char *errbuf)
 Gets the "non-blocking" state of an interface.

int pcap_findalldevs (pcap_if_t **alldevsp, char *errbuf)
 Deprecated

void pcap_freealldevs (pcap_if_t *alldevsp)
 Frees an interface list returned by pcap_findalldevs().

char * pcap_lookupdev (char *errbuf)
 Deprecated

int pcap_lookupnet (char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
 Deprecated

int pcap_dispatch (pcap_t *p, int cnt, pcap_handler callback, u_char *user)
 Deprecated

int pcap_loop (pcap_t *p, int cnt, pcap_handler callback, u_char *user)
 Deprecated

void pcap_dump (u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
 Saves a packet to disk.

int pcap_compile (pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)
 Compiles a packet filter. Converts an high level filtering expression (see Filtering expression syntax ) in a program that can be interpreted by the kernel-level filtering engine.

int pcap_compile_nopcap (int snaplen_arg, int linktype_arg, struct bpf_program *program, char *buf, int optimize, bpf_u_int32 mask)
 Compiles a packet filter without the need of opening an adapter. Converts an high level filtering expression (see Filtering expression syntax ) in a program that can be interpreted by the kernel-level filtering engine.

int pcap_setfilter (pcap_t *p, struct bpf_program *fp)
 Associates a filter to a capture.

void pcap_freecode (struct bpf_program *fp)
 Frees a filter.

u_char * pcap_next (pcap_t *p, struct pcap_pkthdr *h)
 Discouraged, use pcap_next_ex() instead.
Returns the next available packet.


int pcap_datalink (pcap_t *p)
 Returns the link layer of an adapter.

int pcap_snapshot (pcap_t *p)
 Returns the dimension of the packet portion (in bytes) that is delivered to the application.

int pcap_is_swapped (pcap_t *p)
 returns true if the current savefile uses a different byte order than the current system.

int pcap_major_version (pcap_t *p)
 returns the major version number of the pcap library used to write the savefile.

int pcap_minor_version (pcap_t *p)
 returns the minor version number of the pcap library used to write the savefile.

int pcap_stats (pcap_t *p, struct pcap_stat *ps)
  Discouraged, Use pcap_stats_ex() instead.
Returns statistics on current capture.


FILE * pcap_file (pcap_t *p)
  Discouraged, use pcap_dump() instead.
Returns the stdio stream of an offile capture.


int pcap_fileno (pcap_t *p)
 Discouraged: it returns the file descriptor of a capture device.

void pcap_perror (pcap_t *p, char *prefix)
 prints the text of the last pcap library error on stderr, prefixed by prefix.

char * pcap_geterr (pcap_t *p)
 returns the error text pertaining to the last pcap library error.

char * pcap_strerror (int error)
 pcap_strerror() is provided in case strerror() isn't available.

fn void pcap_close (pcap_t *p)
 closes the files associated with p and deallocates resources.

fn void pcap_dump_close (pcap_dumper_t *p)
 pcap_dump_close() closes the "savefile".

fn int pcap_setbuff (pcap_t *p, int dim)
 Win32 Specific. Sets the size of the kernel buffer associated with an adapter.

int pcap_setmode (pcap_t *p, int mode)
 Win32 Specific. Sets the working mode of the interface p to mode.

int pcap_sendpacket (pcap_t *p, u_char *buf, int size)
 Win32 Specific. Sends a raw packet.

int pcap_setmintocopy (pcap_t *p, int size)
 Win32 Specific. Sets the minumum amount of data received by the kernel in a single call.

HANDLE pcap_getevent (pcap_t *p)
 Win32 Specific. Returns the handle of the event associated with the interface p.

pcap_send_queuepcap_sendqueue_alloc (u_int memsize)
 Win32 Specific. Allocate a send queue.

void pcap_sendqueue_destroy (pcap_send_queue *queue)
 Win32 Specific. Destroy a send queue.

int pcap_sendqueue_queue (pcap_send_queue *queue, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data)
 Win32 Specific. Add a packet to a send queue.

u_int pcap_sendqueue_transmit (pcap_t *p, pcap_send_queue *queue, int sync)
 Win32 Specific. Sends a queue of raw packets to the network.

int pcap_next_ex (pcap_t *p, struct pcap_pkthdr **pkt_header, u_char **pkt_data)
 Read a packet from an interface or from an offline capture.

int pcap_live_dump (pcap_t *p, char *filename, int maxsize, int maxpacks)
 Win32 Specific. Saves a capture to file.

int pcap_live_dump_ended (pcap_t *p, int sync)
 Win32 Specific. Returns the status of the kernel dump process, i.e. tells if one of the limits defined with pcap_live_dump() has been reached.

pcap_statpcap_stats_ex (pcap_t *p, int *pcap_stat_size)
  Win32 Specific. Returns statistics on current capture.

bool pcap_offline_filter (struct bpf_program *prog, const struct pcap_pkthdr *header, const u_char *pkt_data)
  Win32 Specific. It returns if a given filter applies to an offline packet.

int pcap_findalldevs_ex (char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf)
 It creates a list of network devices that can be opened with pcap_open().

int pcap_createsrcstr (char *source, int type, const char *host, const char *port, const char *name, char *errbuf)
 Accepts a set of strings (host name, port, ...), and it returns the complete source string according to the new format (e.g. 'rpcap://1.2.3.4/eth0').

int pcap_parsesrcstr (const char *source, int *type, char *host, char *port, char *name, char *errbuf)
 Parses the source string and returns the pieces in which the source can be split.

pcap_tpcap_open (const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf)
 It opens a generic source in order to capture / send (WinPcap only) traffic.

pcap_samppcap_setsampling (pcap_t *p)
 It defines a sampling method for packet capture.

SOCKET pcap_remoteact_accept (const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf)
 It blocks until a network connection is accepted (active mode only).

int pcap_remoteact_close (const char *host, char *errbuf)
 It drops an active connection (active mode only).

void pcap_remoteact_cleanup ()
 Cleans the socket that is currently used in waiting active connections.

int pcap_remoteact_list (char *hostlist, char sep, int size, char *errbuf)
 Returns the hostname of the host that have an active connection with us (active mode only).


Detailed Description

Functions exported by wpcap.dll

Typedef Documentation

typedef void(* pcap_handler)(u_char *user, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data)
 

Prototype of the callback function that receives the packets.

When pcap_dispatch() or pcap_loop() are called by the user, the packets are passed to the application by means of this callback. user is a user-defined parameter that contains the state of the capture session, it corresponds to the user parameter of pcap_dispatch() and pcap_loop(). pkt_header is the header associated by the capture driver to the packet. It is NOT a protocol header. pkt_data points to the data of the packet, including the protocol headers.

Definition at line 792 of file funcs/pcap.h.


Function Documentation

fn void pcap_close pcap_t   p
 

closes the files associated with p and deallocates resources.

See also:
pcap_open_live(), pcap_open_offline(), pcap_open_dead()

Definition at line 657 of file pcap.c.

References PacketCloseAdapter(), pcap_close_remote(), and pcap_freecode().

Referenced by add_or_find_if(), daemon_endcapture(), daemon_opensource(), daemon_serviceloop(), daemon_startcapture(), pcap_compile_nopcap(), pcap_findalldevs_ex(), pcap_opensource_remote(), and pcap_startcapture_remote().

int pcap_compile pcap_t   p,
struct bpf_program   fp,
char *    str,
int    optimize,
bpf_u_int32    netmask
 

Compiles a packet filter. Converts an high level filtering expression (see Filtering expression syntax ) in a program that can be interpreted by the kernel-level filtering engine.

pcap_compile() is used to compile the string str into a filter program. program is a pointer to a bpf_program struct and is filled in by pcap_compile(). optimize controls whether optimization on the resulting code is performed. netmask specifies the netmask of the local net. A return of -1 indicates an error in which case pcap_geterr() may be used to display the error text.

See also:
pcap_open_live(), pcap_setfilter(), pcap_freecode(), pcap_snapshot()

Definition at line 310 of file gencode.c.

References bpf_program::bf_insns, bpf_program::bf_len, bpf_error(), bpf_pcap, freechunks(), gen_retblk(), init_linktype(), mask, no_optimize, pcap_datalink(), pcap_snapshot(), root, snaplen, snprintf, and syntax().

Referenced by daemon_unpackapplyfilter(), main(), and pcap_compile_nopcap().

int pcap_compile_nopcap int    snaplen_arg,
int    linktype_arg,
struct bpf_program   program,
char *    buf,
int    optimize,
bpf_u_int32    mask
 

Compiles a packet filter without the need of opening an adapter. Converts an high level filtering expression (see Filtering expression syntax ) in a program that can be interpreted by the kernel-level filtering engine.

pcap_compile_nopcap() is similar to pcap_compile() except that instead of passing a pcap structure, one passes the snaplen and linktype explicitly. It is intended to be used for compiling filters for direct BPF usage, without necessarily having called pcap_open(). A return of -1 indicates an error; the error text is unavailable. (pcap_compile_nopcap() is a wrapper around pcap_open_dead(), pcap_compile(), and pcap_close(); the latter three routines can be used directly in order to get the error text for a compilation error.)

Look at the Filtering expression syntax section for details on the str parameter.

See also:
pcap_open_live(), pcap_setfilter(), pcap_freecode(), pcap_snapshot()

Definition at line 364 of file gencode.c.

References pcap_close(), pcap_compile(), pcap_open_dead(), and pcap_t.

int pcap_createsrcstr char *    source,
int    type,
const char *    host,
const char *    port,
const char *    name,
char *    errbuf
 

Accepts a set of strings (host name, port, ...), and it returns the complete source string according to the new format (e.g. 'rpcap://1.2.3.4/eth0').

This function is provided in order to help the user creating the source string according to the new format. An unique source string is used in order to make easy for old applications to use the remote facilities. Think about tcpdump, for example, which has only one way to specify the interface on which the capture has to be started. However, GUI-based programs can find more useful to specify hostname, port and interface name separately. In that case, they can use this function to create the source string before passing it to the pcap_open() function.

Parameters:
source: a user-allocated buffer that will contain the complete source string wen the function returns.
The source will start with an identifier according to the new Source Specification Syntax .
This function assumes that the allocated buffer is at least PCAP_BUF_SIZE bytes.
type: its value tells the type of the source we want to create. It can assume the values defined in the Source identification Codes .
host: an user-allocated buffer that keeps the host (e.g. "foo.bar.com") we want to connect to. It can be NULL in case we want to open an interface on a local host.
port: an user-allocated buffer that keeps the network port (e.g. "2002") we want to use for the RPCAP protocol. It can be NULL in case we want to open an interface on a local host.
name: an user-allocated buffer that keeps the interface name we want to use (e.g. "eth0"). It can be NULL in case the return string (i.e. 'source') has to be used with the pcap_findalldevs_ex(), which does not require the interface name.
errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE) that will contain the error message (in case there is one).
Returns:
'0' if everything is fine, '-1' if some errors occurred. The string containing the complete source is returned in the 'source' variable.
Warning:
If the source is longer than PCAP_BUF_SIZE, the excess characters are truncated.

Definition at line 753 of file pcap-new.c.

References PCAP_SRC_FILE, PCAP_SRC_IFLOCAL, PCAP_SRC_IFREMOTE, and snprintf.

Referenced by pcap_findalldevs_ex().

int pcap_datalink pcap_t   p
 

Returns the link layer of an adapter.

pcap_datalink() returns the link layer type; link layer types it can return include:

  • DLT_NULL BSD loopback encapsulation; the link layer header is a 4-byte field, in host byte order, containing a PF_ value from socket.h for the network-layer protocol of the packet Note that "host byte order" is the byte order of the machine on which the packets are captured, and the PF_ values are for the OS of the machine on which the packets are captured; if a live capture is being done, "host byte order" is the byte order of the machine capturing the packets, and the PF_ values are those of the OS of the machine capturing the packets, but if a "savefile" is being read, the byte order and PF_ values are not necessarily those of the machine reading the capture file.
  • DLT_EN10MB Ethernet (10Mb, 100Mb, 1000Mb, and up)
  • DLT_IEEE802 IEEE 802.5 Token Ring
  • DLT_ARCNET ARCNET SLIP; the link layer header contains, in order: a 1-byte flag, which is 0 for packets received by the machine and 1 for packets sent by the machine; a 1-byte field, the upper 4 bits of which indicate the type of packet, as per RFC 1144:
    • 0x40 an unmodified IP datagram (TYPE_IP);
    • 0x70 an uncompressed-TCP IP datagram (UNCOMPRESSED_TCP), with that byte being the first byte of the raw IP header on the wire, containing the connection number in the protocol field;
    • 0x80 a compressed-TCP IP datagram (COMPRESSED_TCP), with that byte being the first byte of the compressed TCP/IP datagram header; for UNCOMPRESSED_TCP, the rest of the modified IP header, and for COMPRESSED_TCP, the compressed TCP/IP datagram header; for a total of 16 bytes; the uncompressed IP datagram follows the header
  • DLT_PPP PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like framing, with the PPP header following those two bytes, otherwise it's PPP without framing, and the packet begins with the PPP header
  • DLT_FDDI FDDI
  • DLT_ATM_RFC1483 RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2 LLC header
  • DLT_RAW raw IP; the packet begins with an IP header
  • DLT_PPP_SERIAL PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC framing, as per section or 0x8F for Cisco PPP with HDLC framing
  • DLT_PPP_ETHER PPPoE; the packet begins with a PPPoE header, as per RFC 2516
  • DLT_C_HDLC Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547
  • DLT_IEEE802_11 IEEE 802.11 wireless LAN
  • DLT_LOOP OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in network byte order, containing a PF_ value from OpenBSD's socket.h for the network-layer protocol of the packet Note that, if a "savefile" is being read, those PF_ values are not necessarily those of the machine reading the capture file.
  • DLT_LINUX_SLL Linux "cooked" capture encapsulation; the link layer header contains, in order: a 2-byte "packet type", in network byte order, which is one of:
    • 0 packet was sent to us by somebody else
    • 1 packet was broadcast by somebody else
    • 2 packet was multicast, but not broadcast, by somebody else
    • 3 packet was sent by somebody else to somebody else
    • 4 packet was sent by us a 2-byte field, in network byte order, containing a Linux ARPHRD_ value for the link layer device type; a 2-byte field, in network byte order, containing the length of the link layer address of the sender of the packet (which could be 0); bytes of the link layer header (if there are more than 8 bytes, only the first 8 are present); a 2-byte field containing an Ethernet protocol type, in network byte order, or containing 1 for Novell 802.3 frames without an 802.2 LLC header or 4 for frames beginning with an 802.2 LLC header.
  • DLT_LTALK Apple LocalTalk; the packet begins with an AppleTalk LLAP header

Definition at line 209 of file pcap.c.

Referenced by pcap_compile().

int pcap_dispatch pcap_t   p,
int    cnt,
pcap_handler    callback,
u_char *    user
 

Deprecated

Deprecated:
Use the pcap_next_ex() instead.
It collects a group of packets. Returns when cnt packets have been received or when the timeout set with pcap_open_live() expires.

pcap_dispatch() is used to collect and process packets. cnt specifies the maximum number of packets to process before returning. This is not a minimum number; when reading a live capture, only one bufferful of packets is read at a time, so fewer than cnt packets may be processed. A cnt of -1 processes all the packets received in one buffer when reading a live capture, or all the packets in the file when reading a "savefile". callback specifies a routine to be called with three arguments: a u_char pointer which is passed in from pcap_dispatch(), a pointer packet data.

The number of packets read is returned. 0 is returned if no packets were read from a live capture (if, for example, they were discarded because they didn't pass the packet filter, or if, on platforms that support a read timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read) or if no more packets are available in a "savefile." A return of -1 indicates an error in which case pcap_perror() or pcap_geterr() may be used to display the error text.

Note:
when reading a live capture, pcap_dispatch() will not necessarily return when the read times out; on some platforms, the read timeout isn't supported, and, on other platforms, the timer doesn't start until at least one packet arrives. This means that the read timeout should NOT be used in, for example, an interactive application, to allow the packet capture loop to "poll" for user input periodically, as there's no guarantee that pcap_dispatch() will return after the timeout expires.
See also:
pcap_loop(), pcap_next(), pcap_open_live(), pcap_open_offline(), pcap_handler

Definition at line 69 of file pcap.c.

References pcap_offline_read(), and pcap_read().

Referenced by pcap_next().

void pcap_dump u_char *    user,
const struct pcap_pkthdr   h,
const u_char *    sp
 

Saves a packet to disk.

pcap_dump() outputs a packet to the "savefile" opened with pcap_dump_open(). Note that its calling arguments are suitable for use with pcap_dispatch() or pcap_loop(). If called directly, the user parameter is of type pcap_dumper_t as returned by pcap_dump_open().

See also:
pcap_dump_open(), pcap_dump_close(), pcap_dispatch(), pcap_loop()

Definition at line 650 of file savefile.c.

References pcap_pkthdr::caplen, pcap_pkthdr::len, and pcap_pkthdr::ts.

Referenced by main().

fn void pcap_dump_close pcap_dumper_t   p
 

pcap_dump_close() closes the "savefile".

See also:
pcap_dump_open(), pcap_dump()

Definition at line 715 of file savefile.c.

pcap_dumper_t* pcap_dump_open pcap_t   p,
const char *    fname
 

Opens a file to write the network traffic.

pcap_dump_open() is called to open a "savefile" for writing. fname is the name of the file to open. The name "-" in a synonym for stdout. If NULL is returned, pcap_geterr() can be used to get the error text.

See also:
pcap_dump_close(), pcap_file(), pcap_dump ()

Definition at line 669 of file savefile.c.

References dlt_to_linktype(), pcap_dumper_t, pcap_strerror(), sf_write_header(), and snprintf.

Referenced by main().

FILE* pcap_file pcap_t   p
 

Discouraged, use pcap_dump() instead.
Returns the stdio stream of an offile capture.

pcap_file() returns the standard I/O stream of the "savefile", if a "savefile" was opened with pcap_open_offline(), or NULL, if a network device was opened with pcap_open_live().

See also:
pcap_open_offline(), pcap_open_live()

Definition at line 462 of file pcap.c.

int pcap_fileno pcap_t   p
 

Discouraged: it returns the file descriptor of a capture device.

pcap_fileno() returns the file descriptor number from which captured packets are read, if a network device was opened with pcap_open_live(), or -1, if a "savefile" was opened with pcap_open_offline().

See also:
pcap_open_offline(), pcap_open_live()

Definition at line 468 of file pcap.c.

int pcap_findalldevs pcap_if_t **    alldevsp,
char *    errbuf
 

Deprecated

Deprecated:
Use the pcap_findalldevs_ex() instead.
It returns the list of the interfaces available on the system.

pcap_findalldevs() constructs a list of network devices that can be opened with pcap_open_live(). (Note that there may be network devices that cannot be opened with pcap_open_live() by the process calling pcap_findalldevs(), because, for example, that process might not have sufficient privileges to open them for capturing; if so, those devices will not appear on the list.) alldevsp is set to point to the first element of the list; each element of the list is of type pcap_if_t.

See also:
struct pcap_if, pcap_freealldevs(), pcap_open_live(), pcap_lookupdev(), pcap_lookupnet()

Referenced by daemon_findalldevs(), main(), and pcap_findalldevs_ex().

int pcap_findalldevs_ex char *    source,
struct pcap_rmtauth   auth,
pcap_if_t **    alldevs,
char *    errbuf
 

It creates a list of network devices that can be opened with pcap_open().

This function is a superset of the old 'pcap_findalldevs()', which is obsolete, and which allows listing only the devices present on the local machine. Vice versa, pcap_findalldevs_ex() allows listing the devices present on a remote machine as well. Additionally, it can list all the pcap files available into a given folder. Moreover, pcap_findalldevs_ex() is platform independent, since it relies on the standard pcap_findalldevs() to get addresses on the local machine.

In case the function has to list the interfaces on a remote machine, it opens a new control connection toward that machine, it retrieves the interfaces, and it drops the connection. However, if this function detects that the remote machine is in 'active' mode, the connection is not dropped and the existing socket is used.

The 'source' is a parameter that tells the function where the lookup has to be done and it uses the same syntax of the pcap_open().

Differently from the pcap_findalldevs(), the interface names (pointed by the alldevs->name and the other ones in the linked list) are already ready to be used in the pcap_open() call. Vice versa, the output that comes from pcap_findalldevs() must be formatted with the new pcap_createsrcstr() before passing the source identifier to the pcap_open().

Parameters:
source: a char* buffer that keeps the 'source', according to the new WinPcap syntax. This source will be examined looking for adapters (local or remote) or pcap files.
The strings that must be prepended to the 'source' in order to define if we want local/remote adapters or files is defined in the new Source Specification Syntax .
auth: a pointer to a pcap_rmtauth structure. This pointer keeps the information required to authenticate the RPCAP connection to the remote host. This parameter is not meaningful in case of a query to the local host: in that case it can be NULL.
alldevs: a 'struct pcap_if_t' pointer, which will be properly allocated inside this function. When the function returns, it is set to point to the first element of the interface list; each element of the list is of type 'struct pcap_if_t'.
errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE) that will contain the error message (in case there is one).
Returns:
'0' if everything is fine, '-1' if some errors occurred. The list of the devices is returned in the 'alldevs' variable. When the function returns correctly, 'alldevs' cannot be NULL. In other words, this function returns '-1' also in case the system does not have any interface to list.
The error message is returned in the 'errbuf' variable. An error could be due to several reasons:
  • libpcap/WinPcap was not installed on the local/remote host
  • the user does not have enough privileges to list the devices / files
  • a network problem
  • the RPCAP version negotiation failed
  • other errors (not enough memory and others).

Warning:
There may be network devices that cannot be opened with pcap_open() by the process calling pcap_findalldevs(), because, for example, that process might not have sufficient privileges to open them for capturing; if so, those devices will not appear on the list.

The interface list must be deallocated manually by using the pcap_freealldevs().

Definition at line 147 of file pcap-new.c.

References pcap_addr::addr, pcap_addr::broadaddr, pcap_if::description, pcap_addr::dstaddr, host, pcap_if::name, pcap_addr::netmask, pcap_if::next, pcap_addr::next, PCAP_BUF_SIZE, pcap_close(), pcap_createsrcstr(), pcap_findalldevs(), pcap_open_offline(), pcap_parsesrcstr(), PCAP_SRC_FILE, PCAP_SRC_IFLOCAL, pcap_strerror(), pcap_t, port, rpcap_checkmsg(), rpcap_createhdr(), rpcap_deseraddr(), RPCAP_MSG_ERROR, RPCAP_MSG_FINDALLIF_REPLY, rpcap_remoteact_getsock(), rpcap_sendauth(), snprintf, sock_cleanup(), sock_close(), sock_discard(), sock_init(), sock_initaddress(), sock_open(), sock_recv(), sock_send(), and SOCKET.

void pcap_freealldevs pcap_if_t   alldevsp
 

Frees an interface list returned by pcap_findalldevs().

pcap_freealldevs() is used to free a list allocated by pcap_findalldevs().

See also:
pcap_findalldevs()

Definition at line 426 of file inet.c.

References pcap_addr::addr, pcap_if::addresses, pcap_addr::broadaddr, pcap_if::description, pcap_addr::dstaddr, pcap_if::name, pcap_addr::netmask, pcap_if::next, and pcap_addr::next.

Referenced by daemon_findalldevs(), and main().

void pcap_freecode struct bpf_program   fp
 

Frees a filter.

pcap_freecode() is used to free up allocated memory pointed to by a bpf_program struct generated by pcap_compile() when that BPF program is no longer needed, for example after it has been made the filter program for a pcap structure by a call to pcap_setfilter().

See also:
pcap_compile(), pcap_compile_nopcap()

Definition at line 384 of file gencode.c.

References bpf_program::bf_insns, and bpf_program::bf_len.

Referenced by pcap_close().

char* pcap_geterr pcap_t   p
 

returns the error text pertaining to the last pcap library error.

Note:
the pointer it returns will no longer point to a valid error message string after the pcap_t passed to it is closed; you must use or copy the string before closing the pcap_t.
See also:
pcap_perror()

Definition at line 491 of file pcap.c.

Referenced by bpf_error(), and daemon_thrdatamain().

HANDLE pcap_getevent pcap_t   p
 

Win32 Specific. Returns the handle of the event associated with the interface p.

This event can be passed to functions like WaitForSingleObject() or WaitForMultipleObjects() to wait until the driver's buffer contains some data without performing a read.

See also:
pcap_open_live()

Definition at line 42 of file Win32-Extensions.c.

int pcap_getnonblock pcap_t   p,
char *    errbuf
 

Gets the "non-blocking" state of an interface.

pcap_getnonblock() returns the current "non-blocking" state of the capture descriptor; it always returns 0 on "savefiles". If there is an error, -1 is returned and errbuf is filled in with an appropriate error message.

See also:
pcap_setnonblock()

Definition at line 502 of file pcap.c.

References pcap_strerror(), and snprintf.

int pcap_is_swapped pcap_t   p
 

returns true if the current savefile uses a different byte order than the current system.

Definition at line 444 of file pcap.c.

int pcap_live_dump pcap_t   p,
char *    filename,
int    maxsize,
int    maxpacks
 

Win32 Specific. Saves a capture to file.

pcap_live_dump() dumps the network traffic from an interface to a file. Using this function the dump is performed at kernel level, therefore it is more efficient than using pcap_dump().

The parameters of this function are an interface descriptor (obtained with pcap_open_live()), a string with the name of the dump file, the maximum size of the file (in bytes) and the maximum number of packets that the file will contain. Setting maxsize or maxpacks to 0 means no limit. When maxsize or maxpacks are reached, the dump ends.

pcap_live_dump() is non-blocking, threfore it returns immediately. pcap_live_dump_ended() can be used to check the status of the dump process or to wait until it is finished. pcap_close() can instead be used to end the dump process.

Note that when one of the two limits is reached, the dump is stopped, but the file remains opened. In order to correctly flush the data and put the file in a consistent state, the adapter must be closed with pcap_close().

See also:
pcap_live_dump_ended(), pcap_open_live(), pcap_close(), pcap_dump_open(), pcap_dump()

Definition at line 311 of file Win32-Extensions.c.

int pcap_live_dump_ended pcap_t   p,
int    sync
 

Win32 Specific. Returns the status of the kernel dump process, i.e. tells if one of the limits defined with pcap_live_dump() has been reached.

pcap_live_dump_ended() informs the user about the limits that were set with a previous call to pcap_live_dump() on the interface pointed by p: if the return value is nonzero, one of the limits has been reched and the dump process is currently stopped.

If sync is nonzero, the function blocks until the dump is finished, otherwise it returns immediately.

Warning:
if the dump process has no limits (i.e. if the maxsize and maxpacks arguments of pcap_live_dump() were both 0), the dump process will never stop, therefore setting sync to TRUE will block the application on this call forever.
See also:
pcap_live_dump()

Definition at line 342 of file Win32-Extensions.c.

char* pcap_lookupdev char *    errbuf
 

Deprecated

Deprecated:
Use the pcap_findalldevs_ex() instead.
It returns the first valid device in the system.

pcap_lookupdev() returns a pointer to a network device suitable for use with pcap_open_live() and pcap_lookupnet(). If there is an error, NULL is returned and errbuf is filled in with an appropriate error message.

See also:
pcap_findalldevs(), pcap_open_live()

int pcap_lookupnet char *    device,
bpf_u_int32   netp,
bpf_u_int32   maskp,
char *    errbuf
 

Deprecated

Deprecated:
Use the pcap_findalldevs_ex() instead.
It returns the subnet and netmask of an interface.

pcap_lookupnet() is used to determine the network number and mask associated with the network device device. Both netp and maskp are bpf_u_int32 pointers. A return of -1 indicates an error in which case errbuf is filled in with an appropriate error message.

See also:
pcap_findalldevs()

int pcap_loop pcap_t   p,
int    cnt,
pcap_handler    callback,
u_char *    user
 

Deprecated

Deprecated:
Use the pcap_next_ex() instead.
It collects a group of packets. Returns when cnt packets have been received, but doesn't respect the timeout set with pcap_open_live(), therefore it can block forever.

pcap_loop() is similar to pcap_dispatch() except it keeps reading packets until cnt packets are processed or an error occurs. It does not return when live read timeouts occur. Rather, specifying a non-zero read timeout to pcap_open_live() and then calling pcap_dispatch() allows the reception and processing of any packets that arrive when the timeout occurs. A negative cnt causes pcap_loop() to loop forever (or at least until an error occur s).

See also:
pcap_dispatch(), pcap_next(), pcap_open_live(), pcap_open_offline(), pcap_handler

Definition at line 78 of file pcap.c.

References n, pcap_offline_read(), and pcap_read().

Referenced by main().

int pcap_major_version pcap_t   p
 

returns the major version number of the pcap library used to write the savefile.

See also:
pcap_minor_version()

Definition at line 450 of file pcap.c.

int pcap_minor_version pcap_t   p
 

returns the minor version number of the pcap library used to write the savefile.

See also:
pcap_major_version()

Definition at line 456 of file pcap.c.

u_char* pcap_next pcap_t   p,
struct pcap_pkthdr   h
 

Discouraged, use pcap_next_ex() instead.
Returns the next available packet.

pcap_next() reads the next packet (by calling pcap_dispatch() with a cnt of 1) and returns a u_char pointer to the data in that packet. (The pcap_pkthdr struct for that packet is not supplied.)

See also:
pcap_dispatch(), pcap_loop()

Definition at line 119 of file pcap.c.

References singleton::hdr, pcap_dispatch(), and singleton::pkt.

int pcap_next_ex pcap_t   p,
struct pcap_pkthdr **    pkt_header,
u_char **    pkt_data
 

Read a packet from an interface or from an offline capture.

This function is used to retrieve the next available packet, bypassing the callback method traditionally provided by libpcap.

pcap_next_ex fills the pkt_header and pkt_data parameters (see pcap_handler()) with the pointers to the header and to the data of the next captured packet.

The return value can be:

  • 1 if the packet has been read without problems
  • 0 if the timeout set with pcap_open_live() has elapsed. In this case pkt_header and pkt_data don't point to a valid packet
  • -1 if an error occurred
  • -2 if EOF was reached reading from an offline capture

See also:
pcap_open_live(), pcap_loop(), pcap_dispatch(), pcap_handler()

Definition at line 148 of file pcap.c.

References pkt_for_fakecallback::hdr, pcap_offline_read(), pcap_read(), pcap_read_nocb_remote(), pcap_startcapture_remote(), and pkt_for_fakecallback::pkt.

Referenced by daemon_thrdatamain(), and main().

bool pcap_offline_filter struct bpf_program   prog,
const struct pcap_pkthdr   header,
const u_char *    pkt_data
 

Win32 Specific. It returns if a given filter applies to an offline packet.

This function is used to apply a filter to a packet that is currently in memory. This process does not need to open an adapter; we need just to create the proper filter (by settings parameters like the snapshot length, or the link-layer type) by means of the pcap_compile_nopcap().

The current API of libpcap does not allow to receive a packet and to filter the packet after it has been received. However, this can be useful in case you want to filter packets in the application, instead of into the receiving process. This function allows you to do the job.

Parameters:
prog: bpf program (created with the pcap_compile_nopcap() )
header: header of the packet that has to be filtered
pkt_data: buffer containing the packet, in network-byte order.
Returns:
the length of the bytes that are currently available into the packet if the packet satisfies the filter, 0 otherwise.

Definition at line 355 of file Win32-Extensions.c.

pcap_t* pcap_open const char *    source,
int    snaplen,
int    flags,
int    read_timeout,
struct pcap_rmtauth   auth,
char *    errbuf
 

It opens a generic source in order to capture / send (WinPcap only) traffic.

The pcap_open() replaces all the pcap_open_xxx() functions with a single call.

This function hides the differences between the different pcap_open_xxx() functions so that the programmer does not have to manage different opening function. In this way, the 'true' open function is decided according to the source type, which is included into the source string (in the form of source prefix).

This function can rely on the pcap_createsrcstr() to create the string that keeps the capture device according to the new syntax, and the pcap_parsesrcstr() for the other way round.

Parameters:
source: zero-terminated string containing the source name to open. The source name has to include the format prefix according to the new Source Specification Syntax and it cannot be NULL.
On on Linux systems with 2.2 or later kernels, a device argument of "any" (i.e. rpcap://any) can be used to capture packets from all interfaces.
In order to makes the source syntax easier, please remember that:
snaplen: length of the packet that has to be retained. For each packet received by the filter, only the first 'snaplen' bytes are stored in the buffer and passed to the user application. For instance, snaplen equal to 100 means that only the first 100 bytes of each packet are stored.
flags: keeps several flags that can be needed for capturing packets. The allowed flags are defined in the pcap_open() flags .
read_timeout: read timeout in milliseconds. The read timeout is used to arrange that the read not necessarily return immediately when a packet is seen, but that it waits for some amount of time to allow more packets to arrive and to read multiple packets from the OS kernel in one operation. Not all platforms support a read timeout; on platforms that don't, the read timeout is ignored.
auth: a pointer to a 'struct pcap_rmtauth' that keeps the information required to authenticate the user on a remote machine. In case this is not a remote capture, this pointer can be set to NULL.
errbuf: a pointer to a user-allocated buffer which will contain the error in case this function fails. The pcap_open() and findalldevs() are the only two functions which have this parameter, since they do not have (yet) a pointer to a pcap_t structure, which reserves space for the error string. Since these functions do not have (yet) a pcap_t pointer (the pcap_t pointer is NULL in case of errors), they need an explicit 'errbuf' variable. 'errbuf' may also be set to warning text when pcap_open_live() succeds; to detect this case the caller should store a zero-length string in 'errbuf' before calling pcap_open_live() and display the warning to the user if 'errbuf' is no longer a zero-length string.
Returns:
A pointer to a 'pcap_t' which can be used as a parameter to the following calls (pcap_compile() and so on) and that specifies an opened WinPcap session. In case of problems, it returns NULL and the 'errbuf' variable keeps the error message.
Warning:
The source cannot be larger than PCAP_BUF_SIZE.

The following formats are not allowed as 'source' strings:

  • rpcap:// [to open the first local adapter]
  • rpcap://hostname/ [to open the first remote adapter]

Definition at line 1102 of file pcap-new.c.

References host, PCAP_BUF_SIZE, pcap_open_live(), pcap_open_offline(), pcap_opensource_remote(), pcap_parsesrcstr(), PCAP_SRC_FILE, PCAP_SRC_IFLOCAL, PCAP_SRC_IFREMOTE, pcap_t, port, and snprintf.

Referenced by daemon_opensource(), daemon_startcapture(), and main().

pcap_t* pcap_open_dead int    linktype,
int    snaplen
 

Deprecated

Deprecated:
Use the pcap_open() instead.
It creates a pcap_t structure without starting a capture.

pcap_open_dead() is used for creating a pcap_t structure to use when calling the other functions in libpcap. It is typically used when just using libpcap for compiling BPF code.

See also:
pcap_open_offline(), pcap_open_live(), pcap_findalldevs(), pcap_compile(), pcap_setfilter(), pcap_close()

Definition at line 638 of file pcap.c.

References pcap_t.

Referenced by pcap_compile_nopcap().

pcap_t* pcap_open_live char *    device,
int    snaplen,
int    promisc,
int    to_ms,
char *    ebuf
 

Deprecated

Deprecated:
Use the pcap_open() instead.
pcap_open_live() is used to obtain a packet capture descriptor to look at packets on the network. device is a string that specifies the network device to open; on Linux systems with 2.2 or later kernels, a device argument of "any" or NULL can be used to capture packets from all interfaces. snaplen specifies the maximum number of bytes to capture. promisc specifies if the interface is to be put into promiscuous mode. (Note that even if this parameter is false, the interface could well be in promiscuous mode for some other reason.) For now, this doesn't work on the "any" device; if an argument of "any" or NULL is supplied, the promisc flag is ignored. to_ms specifies the read timeout in milliseconds. The read timeout is used to arrange that the read not necessarily return immediately when a packet is seen, but that it wait for some amount of time to allow more packets to arrive and to read multiple packets from the OS kernel in one operation. Not all platforms support a read timeout; on platforms that don't, the read timeout is ignored. errbuf is used to return error or warning text. It will be set to error text when pcap_open_live() fails and returns NULL. errbuf may also be set to warning text when pcap_open_live() succeds; to detect this case the caller should store a zero length string in errbuf before calling pcap_open_live() and display the warning to the user if errbuf is no longer a zero-length string.

See also:
pcap_open_offline(), pcap_open_dead(), pcap_findalldevs(), pcap_close()

pcap_t* pcap_open_offline const char *    fname,
char *    errbuf
 

Deprecated

Deprecated:
Use the pcap_open() instead.
It opens a savefile in the tcpdump/libpcap format to read the packets.

pcap_open_offline() is called to open a "savefile" for reading. fname specifies the name of the file to open. The file has the same format as those used by tcpdump(1) and tcpslice(1). The name "-" in a synonym for stdin. errbuf is used to return error text and is only set when pcap_open_offline() fails and returns NULL.

See also:
pcap_open_live(), pcap_dump_open(), pcap_findalldevs(), pcap_close()

Definition at line 387 of file savefile.c.

References bpf_u_int32, linktype_to_dlt(), PATCHED_TCPDUMP_MAGIC, pcap_fddipad, pcap_strerror(), pcap_t, PCAP_VERSION_MAJOR, snprintf, swap_hdr(), and TCPDUMP_MAGIC.

Referenced by pcap_findalldevs_ex(), and pcap_open().

int pcap_parsesrcstr const char *    source,
int *    type,
char *    host,
char *    port,
char *    name,
char *    errbuf
 

Parses the source string and returns the pieces in which the source can be split.

This call is the other way round of pcap_createsrcstr(). It accepts a null-terminated string and it returns the parameters related to the source. This includes:

  • the type of the source (file, winpcap on a remote adapter, winpcap on local adapter), which is determined by the source prefix (PCAP_SRC_IF_STRING and so on)
  • the host on which the capture has to be started (only for remote captures)
  • the 'raw' name of the source (file name, name of the remote adapter, name of the local adapter), without the source prefix. The string returned does not include the type of the source itself (i.e. the string returned does not include "file://" or rpcap:// or such).

The user can omit some parameters in case it is not interested in them.

Parameters:
source: a null-terminated string containing the WinPcap source. This source starts with an identifier according to the new Source Specification Syntax .
type: pointer to an integer, which is used to return the code corrisponding to the selected source. The code will be one defined in the Source identification Codes .
In case the source string does not exists (i.e. 'source == NULL') or it is empty ('*source == NULL'), it returns PCAP_SRC_IF_LOCAL (i.e. you are ready to call pcap_open_live() ). This behavior is kept only for compatibility with older applications (e.g. tcpdump); therefore we suggest to move to the new syntax for sources.
This parameter can be NULL in case the user is not interested in that.
host: user-allocated buffer (of size PCAP_BUF_SIZE) that is used to return the host name on which the capture has to be started. This value is meaningful only in case of remote capture; otherwise, the returned string will be empty (""). This parameter can be NULL in case the user is not interested in that.
port: user-allocated buffer (of size PCAP_BUF_SIZE) that is used to return the port that has to be used by the RPCAP protocol to contact the other host. This value is meaningful only in case of remote capture and if the user wants to use a non-standard port; otherwise, the returned string will be empty (""). In case of remote capture, an emply string means "use the standard RPCAP port". This parameter can be NULL in case the user is not interested in that.
name: user-allocated buffer (of size PCAP_BUF_SIZE) that is used to return the source name, without the source prefix. If the name does not exist (for example because source contains 'rpcap://' that means 'default local adapter'), it returns NULL. This parameter can be NULL in case the user is not interested in that.
errbuf: pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE) that will contain the error message (in case there is one). This parameter can be NULL in case the user is not interested in that.
Returns:
'0' if everything is fine, '-1' if some errors occurred. The requested values (host name, network port, type of the source) are returned into the proper variables passed by reference.

Definition at line 885 of file pcap-new.c.

References host, PCAP_BUF_SIZE, PCAP_SRC_FILE, PCAP_SRC_IFLOCAL, PCAP_SRC_IFREMOTE, port, and snprintf.

Referenced by pcap_findalldevs_ex(), pcap_open(), pcap_open_live(), and pcap_opensource_remote().

void pcap_perror pcap_t   p,
char *    prefix
 

prints the text of the last pcap library error on stderr, prefixed by prefix.

See also:
pcap_geterr()

Definition at line 485 of file pcap.c.

SOCKET pcap_remoteact_accept const char *    address,
const char *    port,
const char *    hostlist,
char *    connectinghost,
struct pcap_rmtauth   auth,
char *    errbuf
 

It blocks until a network connection is accepted (active mode only).

This function has been defined to allow the client dealing with the 'active mode'. In other words, in the 'active mode' the server opens the connection toward the client, so that the client has to open a socket in order to wait for connections. When a new connection is accepted, the RPCAP protocol starts as usual; the only difference is that the connection is initiated by the server.

This function accepts only ONE connection, then it closes the waiting socket. This means that if some error occurs, the application has to call it again in order to accept another connection.

This function returns when a new connection (coming from a valid host 'connectinghost') is accepted; it returns error otherwise.

Parameters:
address: a string that keeps the network address we have to bind to; usually it is NULL (it means 'bind on all local addresses').
port: a string that keeps the network port on which we have to bind to; usually it is NULL (it means 'bind on the predefined port', i.e. RPCAP_DEFAULT_NETPORT_ACTIVE).
hostlist: a string that keeps the host name of the host from whom we are expecting a connection; it can be NULL (it means 'accept connection from everyone'). Host names are separated by a whatever character in the RPCAP_HOSTLIST_SEP list.
connectinghost: a user-allocated buffer that will contain the name of the host is trying to connect to us. This variable must be at least RPCAP_HOSTLIST_SIZE bytes..
auth: a pointer to a pcap_rmtauth structure. This pointer keeps the information required to authenticate the RPCAP connection to the remote host.
errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE) that will contain the error message (in case there is one).
Returns:
The SOCKET identifier of the new control connection if everything is fine, a negative number if some errors occurred. The error message is returned into the errbuf variable. In case it returns '-1', this means 'everything is fine', but the host cannot be admitted. In case it returns '-2', in means 'unrecoverable error' (for example it is not able to bind the socket, or something like that). In case it returns '-3', it means 'authentication failed'. The authentication check is performed only if the connecting host is among the ones that are allowed to connect to this host.
The host that is connecting to us is returned into the hostlist variable, which ust be allocated by the user. This variable contains the host name both in case the host is allowed, and in case the connection is refused.

Warning:
Although this function returns the socket established by the new control connection, this value should not be used. This value will be stored into some libpcap internal variables and it will be managed automatically by the library. In other words, all the following calls to findalldevs() and pcap_open() will check if the host is among one that already has a control connection in place; if so, that one will be used.

This function has several problems if used inside a thread, which is stopped when this call is blocked into the accept(). In this case, the socket on which we accept connections is not freed (thread termination is a very dirty job), so that we are no longer able to accept other connections until the program (i.e. the process) stops. In order to solve the problem, call the pcap_remoteact_cleanup().

Definition at line 1237 of file pcap-new.c.

References activeHosts, activehosts::host, activehosts::next, pcap_strerror(), port, rpcap_sendauth(), rpcap_senderror(), snprintf, SOCK_ASSERT, sock_check_hostlist(), sock_close(), sock_cmpaddr(), sock_geterror(), sock_init(), sock_initaddress(), sock_open(), activehosts::sockctrl, SOCKET, and sockmain.

void pcap_remoteact_cleanup  
 

Cleans the socket that is currently used in waiting active connections.

This function does a very dirty job. The fact is that is the waiting socket is not freed if the pcap_remoteaccept() is killed inside a new thread. This function is able to clean the socket in order to allow the next calls to pcap_remoteact_accept() to work.

This function is useful *only* if you launch pcap_remoteact_accept() inside a new thread, and you stops (not very gracefully) the thread (for example because the user changed idea, and it does no longer want to wait for an active connection). So, basically, the flow should be the following:

This function has no effects in other cases.

Returns:
None.

Definition at line 1489 of file pcap-new.c.

References sock_cleanup().

int pcap_remoteact_close const char *    host,
char *    errbuf
 

It drops an active connection (active mode only).

This function has been defined to allow the client dealing with the 'active mode'. This function closes an active connection that is still in place and it purges the host name from the 'activeHost' list. From this point on, the client will not have any connection with that host in place.

Parameters:
host: a string that keeps the host name of the host for which we want to close the active connection.
errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE) that will contain the error message (in case there is one).
Returns:
'0' if everything is fine, '-1' if some errors occurred. The error message is returned into the errbuf variable.

Definition at line 1391 of file pcap-new.c.

References activeHosts, activehosts::host, activehosts::next, rpcap_createhdr(), snprintf, sock_cleanup(), sock_close(), sock_cmpaddr(), sock_send(), and activehosts::sockctrl.

int pcap_remoteact_list char *    hostlist,
char    sep,
int    size,
char *    errbuf
 

Returns the hostname of the host that have an active connection with us (active mode only).

This function has been defined to allow the client dealing with the 'active mode'. This function returns the list of hosts that are currently having an active connection with us. This function is useful in order to delete an active connection that is still in place.

Parameters:
hostlist: a user-allocated string that will keep the list of host that are currently connected with us.
sep: the character that has to be sued as a separator between the hosts (',' for example).
size: size of the hostlist buffer.
errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE) that will contain the error message (in case there is one).
Returns:
'0' if everything is fine, '-1' if some errors occurred. The error message is returned into the errbuf variable.

Definition at line 1526 of file pcap-new.c.

References activeHosts, activehosts::host, hostlist, activehosts::next, RPCAP_HOSTLIST_SIZE, size, snprintf, and sock_getascii_addrport().

int pcap_sendpacket pcap_t   p,
u_char *    buf,
int    size
 

Win32 Specific. Sends a raw packet.

This function allows to send a raw packet to the network. p is the interface that will be used to send the packet, buf contains the data of the packet to send (including the various protocol headers), size is the dimension of the buffer pointed by buf, i.e. the size of the packet to send. The MAC CRC doesn't need to be included, because it is transparently calculated and added by the network interface driver. The return value is 0 if the packet is succesfully sent, -1 otherwise.

See also:
pcap_open_live()

Definition at line 337 of file Pcap-win32.c.

References PacketAllocatePacket(), PacketFreePacket(), PacketInitPacket(), PacketSendPacket(), and snprintf.

pcap_send_queue* pcap_sendqueue_alloc u_int    memsize
 

Win32 Specific. Allocate a send queue.

This function allocates a send queue, i.e. a buffer containing a set of raw packets that will be transimtted on the network with pcap_sendqueue_transmit().

memsize is the size, in bytes, of the queue, therefore it determines the maximum amount of data that the queue will contain.

Use pcap_sendqueue_queue() to insert packets in the queue.

See also:
pcap_sendqueue_queue(), pcap_sendqueue_transmit(), pcap_sendqueue_destroy()

Definition at line 82 of file Win32-Extensions.c.

void pcap_sendqueue_destroy pcap_send_queue   queue
 

Win32 Specific. Destroy a send queue.

Deletes a send queue and frees all the memory associated with it.

See also:
pcap_sendqueue_alloc(), pcap_sendqueue_queue(), pcap_sendqueue_transmit()

Definition at line 107 of file Win32-Extensions.c.

int pcap_sendqueue_queue pcap_send_queue   queue,
const struct pcap_pkthdr   pkt_header,
const u_char *    pkt_data
 

Win32 Specific. Add a packet to a send queue.

pcap_sendqueue_queue() adds a packet at the end of the send queue pointed by the queue parameter. pkt_header points to a pcap_pkthdr structure with the timestamp and the length of the packet, pkt_data points to a buffer with the data of the packet.

The pcap_pkthdr structure is the same used by WinPcap and libpcap to store the packets in a file, therefore sending a capture file is straightforward. 'Raw packet' means that the sending application will have to include the protocol headers, since every packet is sent to the network 'as is'. The CRC of the packets needs not to be calculated, because it will be transparently added by the network interface.

See also:
pcap_sendqueue_alloc(), pcap_sendqueue_transmit(), pcap_sendqueue_destroy()

Definition at line 114 of file Win32-Extensions.c.

u_int pcap_sendqueue_transmit pcap_t   p,
pcap_send_queue   queue,
int    sync
 

Win32 Specific. Sends a queue of raw packets to the network.

This function transmits the content of a queue to the wire. p is a pointer to the adapter on which the packets will be sent, queue points to a pcap_send_queue structure containing the packets to send (see pcap_sendqueue_alloc() and pcap_sendqueue_queue()), sync determines if the send operation must be synchronized: if it is non-zero, the packets are sent respecting the timestamps, otherwise they are sent as fast as possible.

The return value is the amount of bytes actually sent. If it is smaller than the size parameter, an error occurred during the send. The error can be caused by a driver/adapter problem or by an inconsistent/bogus send queue.

Note:
Using this function is more efficient than issuing a series of pcap_sendpacket(), because the packets are buffered in the kernel driver, so the number of context switches is reduced. Therefore, expect a better throughput when using pcap_sendqueue_transmit.

When Sync is set to TRUE, the packets are synchronized in the kernel with a high precision timestamp. This requires a non-negligible amount of CPU, but allows normally to send the packets with a precision of some microseconds (depending on the accuracy of the performance counter of the machine). Such a precision cannot be reached sending the packets with pcap_sendpacket().

See also:
pcap_sendqueue_alloc(), pcap_sendqueue_queue(), pcap_sendqueue_destroy()

Definition at line 133 of file Win32-Extensions.c.

fn int pcap_setbuff pcap_t   p,
int    dim
 

Win32 Specific. Sets the size of the kernel buffer associated with an adapter.

dim specifies the size of the buffer in bytes. The return value is 0 when the call succeeds, -1 otherwise. If an old buffer was already created with a previous call to pcap_setbuff(), it is deleted and its content is discarded. pcap_open_live() creates a 1 MByte buffer by default.

See also:
pcap_open_live(), pcap_loop(), pcap_dispatch()

Definition at line 359 of file Pcap-win32.c.

References PacketSetBuff(), and snprintf.

int pcap_setfilter pcap_t   p,
struct bpf_program   fp
 

Associates a filter to a capture.

pcap_setfilter() is used to specify a filter program. fp is a pointer to a bpf_program struct, usually the result of a call to pcap_compile(). -1 is returned on failure, in which case pcap_geterr() may be used to display the error text; 0 is returned on success.

See also:
pcap_compile(), pcap_compile_nopcap()

Definition at line 292 of file Pcap-win32.c.

References PacketSetBpf(), pcap_setfilter_remote(), pcap_win32strerror(), and snprintf.

Referenced by daemon_unpackapplyfilter(), and main().

int pcap_setmintocopy pcap_t   p,
int    size
 

Win32 Specific. Sets the minumum amount of data received by the kernel in a single call.

pcap_setmintocopy() changes the minimum amount of data in the kernel buffer that causes a read from the application to return (unless the timeout expires). If the value of size is large, the kernel is forced to wait the arrival of several packets before copying the data to the user. This guarantees a low number of system calls, i.e. low processor usage, and is a good setting for applications like packet-sniffers and protocol analyzers. Vice versa, in presence of a small value for this variable, the kernel will copy the packets as soon as the application is ready to receive them. This is useful for real time applications that need the best responsiveness from the kernel.

See also:
pcap_open_live(), pcap_loop(), pcap_dispatch()

Definition at line 385 of file Pcap-win32.c.

References PacketSetMinToCopy(), and snprintf.

int pcap_setmode pcap_t   p,
int    mode
 

Win32 Specific. Sets the working mode of the interface p to mode.

Valid values for mode are MODE_CAPT (default capture mode) and MODE_STAT (statistical mode). See the tutorial "Gathering Statistics on the network traffic " for details about statistical mode.

Definition at line 318 of file Pcap-win32.c.

References PacketSetMode(), and snprintf.

int pcap_setnonblock pcap_t   p,
int    nonblock,
char *    errbuf
 

Switches between blocking and nonblocking mode.

pcap_setnonblock() puts a capture descriptor, opened with pcap_open_live(), into "non-blocking" mode, or takes it out of "non-blocking" mode, depending on whether the nonblock argument is non-zero or zero. It has no effect on "savefiles". If there is an error, -1 is returned and errbuf is filled in with an appropriate error message; otherwise, 0 is returned. In "non-blocking" mode, an attempt to read from the capture descriptor with pcap_dispatch() will, if no packets are currently available to be read, return 0 immediately rather than blocking waiting for packets to arrive. pcap_loop() and pcap_next() will not work in "non-blocking" mode.

See also:
pcap_getnonblock(), pcap_dispatch()

Definition at line 532 of file pcap.c.

References PacketSetReadTimeout(), pcap_strerror(), pcap_win32strerror(), and snprintf.

struct pcap_samp* pcap_setsampling pcap_t   p
 

It defines a sampling method for packet capture.

This function allows applying a sampling method to the packet capture process. The currently sampling methods (and the way to set them) are described into the struct pcap_samp. In other words, the user must set the appropriate parameters into it; these will be applied as soon as the capture starts.

Warning:
Sampling parameters cannot be changed when a capture is active. These parameters must be applied before starting the capture. If they are applied when the capture is in progress, the new settings are ignored.

Definition at line 1169 of file pcap-new.c.

References pcap_setsampling(), and pcap_t.

Referenced by pcap_setsampling().

int pcap_snapshot pcap_t   p
 

Returns the dimension of the packet portion (in bytes) that is delivered to the application.

pcap_snapshot() returns the snapshot length specified when pcap_open_live was called.

See also:
pcap_open_live(), pcap_compile(), pcap_compile_nopcap()

Definition at line 438 of file pcap.c.

Referenced by pcap_compile().

int pcap_stats pcap_t   p,
struct pcap_stat   ps
 

Discouraged, Use pcap_stats_ex() instead.
Returns statistics on current capture.

pcap_stats() returns 0 and fills in a pcap_stat struct. The values represent packet statistics from the start of the run to the time of the call. If there is an error or the underlying packet capture doesn't support packet statistics, -1 is returned and the error text can be obtained with pcap_perror() or pcap_geterr(). pcap_stats() is supported only on live captures, not on "savefiles"; no statistics are stored in "savefiles", so no statistics are available when reading from a "savefile".

See also:
pcap_stats_ex(), pcap_open_live()

Definition at line 60 of file Pcap-win32.c.

References PacketGetStats(), pcap_stats_remote(), pcap_win32strerror(), and snprintf.

Referenced by daemon_getstats(), and daemon_serviceloop().

struct pcap_stat* pcap_stats_ex pcap_t   p,
int *    pcap_stat_size
 

Win32 Specific. Returns statistics on current capture.

pcap_stats_ex() extends the pcap_stats() allowing to return more statistical parameters than the old call. One of the advantages of this new call is that the pcap_stat structure is not allocated by the user; instead, it is returned back by the system. This allow to extend the pcap_stat structure without affecting backward compatibility on older applications. These will simply check at the values of the members at the beginning of the structure, while only newest applications are able to read new statistical values, which are appended in tail.

To be sure not to read a piece of mamory which has not been allocated by the system, the variable pcap_stat_size will return back the size of the structure pcap_stat allocated by the system.

Parameters:
p: pointer to the pcap_t currently in use.
pcap_stat_size: pointer to an integer that will contain (when the function returns back) the size of the structure pcap_stat as it has been allocated by the system.
Returns:
: a pointer to a pcap_stat structure, that will contain the statistics related to the current device. The return value is NULL in case of errors, and the error text can be obtained with pcap_perror() or pcap_geterr().
Warning:
pcap_stats_ex() is supported only on live captures, not on "savefiles"; no statistics are stored in "savefiles", so no statistics are available when reading from a "savefile".
See also:
pcap_stats()

Definition at line 62 of file Win32-Extensions.c.

Referenced by pcap_stats_ex().

char* pcap_strerror int    error
 

pcap_strerror() is provided in case strerror() isn't available.

See also:
pcap_perror(), pcap_geterr()

Definition at line 621 of file pcap.c.

References snprintf.

Referenced by add_addr_to_iflist(), add_or_find_if(), daemon_AuthUserPwd(), daemon_checkauth(), daemon_unpackapplyfilter(), main_active(), main_passive(), pcap_dump_open(), pcap_findalldevs_ex(), pcap_getnonblock(), pcap_list_datalinks(), pcap_open_live(), pcap_open_offline(), pcap_opensource_remote(), pcap_remoteact_accept(), pcap_setnonblock(), pcap_startcapture_remote(), and rpcap_deseraddr().


documentation. Copyright (c) 2002-2003 Politecnico di Torino. All rights reserved.