Main Page   Modules   Data Structures   File List   Data Fields   Globals   Related Pages  

pcap.c File Reference

#include <pcap-stdinc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include "pcap-int.h"

Go to the source code of this file.

Data Structures

struct  dlt_choice
struct  pkt_for_fakecallback
struct  singleton

Defines

#define DLT_CHOICE(code)   { #code, code }
#define DLT_CHOICE_SENTINEL   { NULL, 0 }

Functions

int pcap_dispatch (pcap_t *p, int cnt, pcap_handler callback, u_char *user)
 Deprecated

int pcap_loop (pcap_t *p, int cnt, pcap_handler callback, u_char *user)
 Deprecated

void pcap_oneshot (u_char *userData, const struct pcap_pkthdr *h, const u_char *pkt)
const u_char * pcap_next (pcap_t *p, struct pcap_pkthdr *h)
 Discouraged, use pcap_next_ex() instead.
Returns the next available packet.


void pcap_fakecallback (u_char *userData, const struct pcap_pkthdr *h, const u_char *pkt)
int pcap_next_ex (pcap_t *p, struct pcap_pkthdr **pkt_header, u_char **pkt_data)
 Read a packet from an interface or from an offline capture.

int pcap_datalink (pcap_t *p)
 Returns the link layer of an adapter.

int pcap_list_datalinks (pcap_t *p, int **dlt_buffer)
int pcap_set_datalink (pcap_t *p, int dlt)
int pcap_strcasecmp (const char *s1, const char *s2)
int pcap_datalink_name_to_val (const char *name)
const char * pcap_datalink_val_to_name (int dlt)
int pcap_snapshot (pcap_t *p)
 Returns the dimension of the packet portion (in bytes) that is delivered to the application.

int pcap_is_swapped (pcap_t *p)
 returns true if the current savefile uses a different byte order than the current system.

int pcap_major_version (pcap_t *p)
 returns the major version number of the pcap library used to write the savefile.

int pcap_minor_version (pcap_t *p)
 returns the minor version number of the pcap library used to write the savefile.

FILE * pcap_file (pcap_t *p)
  Discouraged, use pcap_dump() instead.
Returns the stdio stream of an offile capture.


int pcap_fileno (pcap_t *p)
 Discouraged: it returns the file descriptor of a capture device.

void pcap_perror (pcap_t *p, char *prefix)
 prints the text of the last pcap library error on stderr, prefixed by prefix.

char * pcap_geterr (pcap_t *p)
 returns the error text pertaining to the last pcap library error.

int pcap_getnonblock (pcap_t *p, char *errbuf)
 Gets the "non-blocking" state of an interface.

int pcap_setnonblock (pcap_t *p, int nonblock, char *errbuf)
 Switches between blocking and nonblocking mode.

char * pcap_win32strerror (void)
char * pcap_strerror (int errnum)
 pcap_strerror() is provided in case strerror() isn't available.

pcap_tpcap_open_dead (int linktype, int snaplen)
 Deprecated

void pcap_close (pcap_t *p)
 closes the files associated with p and deallocates resources.


Variables

const char rcsid []
dlt_choice dlt_choices []
const u_char charmap []


Define Documentation

#define DLT_CHOICE code       { #code, code }
 

Definition at line 295 of file pcap.c.

#define DLT_CHOICE_SENTINEL   { NULL, 0 }
 

Definition at line 296 of file pcap.c.


Function Documentation

void pcap_close pcap_t   p
 

closes the files associated with p and deallocates resources.

See also:
pcap_open_live(), pcap_open_offline(), pcap_open_dead()

Definition at line 657 of file pcap.c.

References PacketCloseAdapter(), pcap_close_remote(), and pcap_freecode().

Referenced by add_or_find_if(), daemon_endcapture(), daemon_opensource(), daemon_serviceloop(), daemon_startcapture(), pcap_compile_nopcap(), pcap_findalldevs_ex(), pcap_opensource_remote(), and pcap_startcapture_remote().

int pcap_datalink pcap_t   p
 

Returns the link layer of an adapter.

pcap_datalink() returns the link layer type; link layer types it can return include:

  • DLT_NULL BSD loopback encapsulation; the link layer header is a 4-byte field, in host byte order, containing a PF_ value from socket.h for the network-layer protocol of the packet Note that "host byte order" is the byte order of the machine on which the packets are captured, and the PF_ values are for the OS of the machine on which the packets are captured; if a live capture is being done, "host byte order" is the byte order of the machine capturing the packets, and the PF_ values are those of the OS of the machine capturing the packets, but if a "savefile" is being read, the byte order and PF_ values are not necessarily those of the machine reading the capture file.
  • DLT_EN10MB Ethernet (10Mb, 100Mb, 1000Mb, and up)
  • DLT_IEEE802 IEEE 802.5 Token Ring
  • DLT_ARCNET ARCNET SLIP; the link layer header contains, in order: a 1-byte flag, which is 0 for packets received by the machine and 1 for packets sent by the machine; a 1-byte field, the upper 4 bits of which indicate the type of packet, as per RFC 1144:
    • 0x40 an unmodified IP datagram (TYPE_IP);
    • 0x70 an uncompressed-TCP IP datagram (UNCOMPRESSED_TCP), with that byte being the first byte of the raw IP header on the wire, containing the connection number in the protocol field;
    • 0x80 a compressed-TCP IP datagram (COMPRESSED_TCP), with that byte being the first byte of the compressed TCP/IP datagram header; for UNCOMPRESSED_TCP, the rest of the modified IP header, and for COMPRESSED_TCP, the compressed TCP/IP datagram header; for a total of 16 bytes; the uncompressed IP datagram follows the header
  • DLT_PPP PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like framing, with the PPP header following those two bytes, otherwise it's PPP without framing, and the packet begins with the PPP header
  • DLT_FDDI FDDI
  • DLT_ATM_RFC1483 RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2 LLC header
  • DLT_RAW raw IP; the packet begins with an IP header
  • DLT_PPP_SERIAL PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC framing, as per section or 0x8F for Cisco PPP with HDLC framing
  • DLT_PPP_ETHER PPPoE; the packet begins with a PPPoE header, as per RFC 2516
  • DLT_C_HDLC Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547
  • DLT_IEEE802_11 IEEE 802.11 wireless LAN
  • DLT_LOOP OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in network byte order, containing a PF_ value from OpenBSD's socket.h for the network-layer protocol of the packet Note that, if a "savefile" is being read, those PF_ values are not necessarily those of the machine reading the capture file.
  • DLT_LINUX_SLL Linux "cooked" capture encapsulation; the link layer header contains, in order: a 2-byte "packet type", in network byte order, which is one of:
    • 0 packet was sent to us by somebody else
    • 1 packet was broadcast by somebody else
    • 2 packet was multicast, but not broadcast, by somebody else
    • 3 packet was sent by somebody else to somebody else
    • 4 packet was sent by us a 2-byte field, in network byte order, containing a Linux ARPHRD_ value for the link layer device type; a 2-byte field, in network byte order, containing the length of the link layer address of the sender of the packet (which could be 0); bytes of the link layer header (if there are more than 8 bytes, only the first 8 are present); a 2-byte field containing an Ethernet protocol type, in network byte order, or containing 1 for Novell 802.3 frames without an 802.2 LLC header or 4 for frames beginning with an 802.2 LLC header.
  • DLT_LTALK Apple LocalTalk; the packet begins with an AppleTalk LLAP header

Definition at line 209 of file pcap.c.

Referenced by pcap_compile().

int pcap_datalink_name_to_val const char *    name
 

Definition at line 413 of file pcap.c.

References dlt_choice::dlt, dlt_choices, dlt_choice::name, and pcap_strcasecmp().

const char* pcap_datalink_val_to_name int    dlt
 

Definition at line 426 of file pcap.c.

References dlt_choice::dlt, dlt_choices, and dlt_choice::name.

Referenced by pcap_set_datalink().

int pcap_dispatch pcap_t   p,
int    cnt,
pcap_handler    callback,
u_char *    user
 

Deprecated

Deprecated:
Use the pcap_next_ex() instead.
It collects a group of packets. Returns when cnt packets have been received or when the timeout set with pcap_open_live() expires.

pcap_dispatch() is used to collect and process packets. cnt specifies the maximum number of packets to process before returning. This is not a minimum number; when reading a live capture, only one bufferful of packets is read at a time, so fewer than cnt packets may be processed. A cnt of -1 processes all the packets received in one buffer when reading a live capture, or all the packets in the file when reading a "savefile". callback specifies a routine to be called with three arguments: a u_char pointer which is passed in from pcap_dispatch(), a pointer packet data.

The number of packets read is returned. 0 is returned if no packets were read from a live capture (if, for example, they were discarded because they didn't pass the packet filter, or if, on platforms that support a read timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read) or if no more packets are available in a "savefile." A return of -1 indicates an error in which case pcap_perror() or pcap_geterr() may be used to display the error text.

Note:
when reading a live capture, pcap_dispatch() will not necessarily return when the read times out; on some platforms, the read timeout isn't supported, and, on other platforms, the timer doesn't start until at least one packet arrives. This means that the read timeout should NOT be used in, for example, an interactive application, to allow the packet capture loop to "poll" for user input periodically, as there's no guarantee that pcap_dispatch() will return after the timeout expires.
See also:
pcap_loop(), pcap_next(), pcap_open_live(), pcap_open_offline(), pcap_handler

Definition at line 69 of file pcap.c.

References pcap_offline_read(), and pcap_read().

Referenced by pcap_next().

void pcap_fakecallback u_char *    userData,
const struct pcap_pkthdr   h,
const u_char *    pkt
[static]
 

Definition at line 139 of file pcap.c.

References pkt_for_fakecallback::hdr, and pkt_for_fakecallback::pkt.

FILE* pcap_file pcap_t   p
 

Discouraged, use pcap_dump() instead.
Returns the stdio stream of an offile capture.

pcap_file() returns the standard I/O stream of the "savefile", if a "savefile" was opened with pcap_open_offline(), or NULL, if a network device was opened with pcap_open_live().

See also:
pcap_open_offline(), pcap_open_live()

Definition at line 462 of file pcap.c.

int pcap_fileno pcap_t   p
 

Discouraged: it returns the file descriptor of a capture device.

pcap_fileno() returns the file descriptor number from which captured packets are read, if a network device was opened with pcap_open_live(), or -1, if a "savefile" was opened with pcap_open_offline().

See also:
pcap_open_offline(), pcap_open_live()

Definition at line 468 of file pcap.c.

char* pcap_geterr pcap_t   p
 

returns the error text pertaining to the last pcap library error.

Note:
the pointer it returns will no longer point to a valid error message string after the pcap_t passed to it is closed; you must use or copy the string before closing the pcap_t.
See also:
pcap_perror()

Definition at line 491 of file pcap.c.

Referenced by bpf_error(), and daemon_thrdatamain().

int pcap_getnonblock pcap_t   p,
char *    errbuf
 

Gets the "non-blocking" state of an interface.

pcap_getnonblock() returns the current "non-blocking" state of the capture descriptor; it always returns 0 on "savefiles". If there is an error, -1 is returned and errbuf is filled in with an appropriate error message.

See also:
pcap_setnonblock()

Definition at line 502 of file pcap.c.

References pcap_strerror(), and snprintf.

int pcap_is_swapped pcap_t   p
 

returns true if the current savefile uses a different byte order than the current system.

Definition at line 444 of file pcap.c.

int pcap_list_datalinks pcap_t   p,
int **    dlt_buffer
 

Definition at line 215 of file pcap.c.

References pcap_strerror(), and snprintf.

int pcap_loop pcap_t   p,
int    cnt,
pcap_handler    callback,
u_char *    user
 

Deprecated

Deprecated:
Use the pcap_next_ex() instead.
It collects a group of packets. Returns when cnt packets have been received, but doesn't respect the timeout set with pcap_open_live(), therefore it can block forever.

pcap_loop() is similar to pcap_dispatch() except it keeps reading packets until cnt packets are processed or an error occurs. It does not return when live read timeouts occur. Rather, specifying a non-zero read timeout to pcap_open_live() and then calling pcap_dispatch() allows the reception and processing of any packets that arrive when the timeout occurs. A negative cnt causes pcap_loop() to loop forever (or at least until an error occur s).

See also:
pcap_dispatch(), pcap_next(), pcap_open_live(), pcap_open_offline(), pcap_handler

Definition at line 78 of file pcap.c.

References n, pcap_offline_read(), and pcap_read().

Referenced by main().

int pcap_major_version pcap_t   p
 

returns the major version number of the pcap library used to write the savefile.

See also:
pcap_minor_version()

Definition at line 450 of file pcap.c.

int pcap_minor_version pcap_t   p
 

returns the minor version number of the pcap library used to write the savefile.

See also:
pcap_major_version()

Definition at line 456 of file pcap.c.

const u_char* pcap_next pcap_t   p,
struct pcap_pkthdr   h
 

Discouraged, use pcap_next_ex() instead.
Returns the next available packet.

pcap_next() reads the next packet (by calling pcap_dispatch() with a cnt of 1) and returns a u_char pointer to the data in that packet. (The pcap_pkthdr struct for that packet is not supplied.)

See also:
pcap_dispatch(), pcap_loop()

Definition at line 119 of file pcap.c.

References singleton::hdr, pcap_dispatch(), and singleton::pkt.

int pcap_next_ex pcap_t   p,
struct pcap_pkthdr **    pkt_header,
u_char **    pkt_data
 

Read a packet from an interface or from an offline capture.

This function is used to retrieve the next available packet, bypassing the callback method traditionally provided by libpcap.

pcap_next_ex fills the pkt_header and pkt_data parameters (see pcap_handler()) with the pointers to the header and to the data of the next captured packet.

The return value can be:

  • 1 if the packet has been read without problems
  • 0 if the timeout set with pcap_open_live() has elapsed. In this case pkt_header and pkt_data don't point to a valid packet
  • -1 if an error occurred
  • -2 if EOF was reached reading from an offline capture

See also:
pcap_open_live(), pcap_loop(), pcap_dispatch(), pcap_handler()

Definition at line 148 of file pcap.c.

References pkt_for_fakecallback::hdr, pcap_offline_read(), pcap_read(), pcap_read_nocb_remote(), pcap_startcapture_remote(), and pkt_for_fakecallback::pkt.

Referenced by daemon_thrdatamain(), and main().

void pcap_oneshot u_char *    userData,
const struct pcap_pkthdr   h,
const u_char *    pkt
[static]
 

Definition at line 111 of file pcap.c.

References singleton::hdr, and singleton::pkt.

pcap_t* pcap_open_dead int    linktype,
int    snaplen
 

Deprecated

Deprecated:
Use the pcap_open() instead.
It creates a pcap_t structure without starting a capture.

pcap_open_dead() is used for creating a pcap_t structure to use when calling the other functions in libpcap. It is typically used when just using libpcap for compiling BPF code.

See also:
pcap_open_offline(), pcap_open_live(), pcap_findalldevs(), pcap_compile(), pcap_setfilter(), pcap_close()

Definition at line 638 of file pcap.c.

References pcap_t.

Referenced by pcap_compile_nopcap().

void pcap_perror pcap_t   p,
char *    prefix
 

prints the text of the last pcap library error on stderr, prefixed by prefix.

See also:
pcap_geterr()

Definition at line 485 of file pcap.c.

int pcap_set_datalink pcap_t   p,
int    dlt
 

Definition at line 246 of file pcap.c.

References pcap_datalink_val_to_name(), pcap_set_datalink_platform(), and snprintf.

int pcap_setnonblock pcap_t   p,
int    nonblock,
char *    errbuf
 

Switches between blocking and nonblocking mode.

pcap_setnonblock() puts a capture descriptor, opened with pcap_open_live(), into "non-blocking" mode, or takes it out of "non-blocking" mode, depending on whether the nonblock argument is non-zero or zero. It has no effect on "savefiles". If there is an error, -1 is returned and errbuf is filled in with an appropriate error message; otherwise, 0 is returned. In "non-blocking" mode, an attempt to read from the capture descriptor with pcap_dispatch() will, if no packets are currently available to be read, return 0 immediately rather than blocking waiting for packets to arrive. pcap_loop() and pcap_next() will not work in "non-blocking" mode.

See also:
pcap_getnonblock(), pcap_dispatch()

Definition at line 532 of file pcap.c.

References PacketSetReadTimeout(), pcap_strerror(), pcap_win32strerror(), and snprintf.

int pcap_snapshot pcap_t   p
 

Returns the dimension of the packet portion (in bytes) that is delivered to the application.

pcap_snapshot() returns the snapshot length specified when pcap_open_live was called.

See also:
pcap_open_live(), pcap_compile(), pcap_compile_nopcap()

Definition at line 438 of file pcap.c.

Referenced by pcap_compile().

int pcap_strcasecmp const char *    s1,
const char *    s2
[static]
 

Definition at line 400 of file pcap.c.

References charmap, s1, and s2.

Referenced by pcap_datalink_name_to_val().

char* pcap_strerror int    error
 

pcap_strerror() is provided in case strerror() isn't available.

See also:
pcap_perror(), pcap_geterr()

Definition at line 621 of file pcap.c.

References snprintf.

Referenced by add_addr_to_iflist(), add_or_find_if(), daemon_AuthUserPwd(), daemon_checkauth(), daemon_unpackapplyfilter(), main_active(), main_passive(), pcap_dump_open(), pcap_findalldevs_ex(), pcap_getnonblock(), pcap_list_datalinks(), pcap_open_live(), pcap_open_offline(), pcap_opensource_remote(), pcap_remoteact_accept(), pcap_setnonblock(), pcap_startcapture_remote(), and rpcap_deseraddr().

char* pcap_win32strerror void   
 

Definition at line 594 of file pcap.c.

References errbuf, and PCAP_ERRBUF_SIZE.

Referenced by pcap_open_live(), pcap_setfilter(), pcap_setnonblock(), pcap_stats(), and pcap_stats_ex().


Variable Documentation

const u_char charmap[] [static]
 

Definition at line 332 of file pcap.c.

Referenced by pcap_strcasecmp().

struct dlt_choice dlt_choices[] [static]
 

Initial value:

 {
    DLT_CHOICE(DLT_ARCNET),
    DLT_CHOICE(DLT_ARCNET_LINUX),
    DLT_CHOICE(DLT_EN10MB),
    DLT_CHOICE(DLT_SLIP),
    DLT_CHOICE(DLT_SLIP_BSDOS),
    DLT_CHOICE(DLT_NULL),
    DLT_CHOICE(DLT_LOOP),
    DLT_CHOICE(DLT_PPP),
    DLT_CHOICE(DLT_C_HDLC),
    DLT_CHOICE(DLT_PPP_SERIAL),
    DLT_CHOICE(DLT_PPP_ETHER),
    DLT_CHOICE(DLT_PPP_BSDOS),
    DLT_CHOICE(DLT_FDDI),
    DLT_CHOICE(DLT_IEEE802),
    DLT_CHOICE(DLT_IEEE802_11),
    DLT_CHOICE(DLT_PRISM_HEADER),
    DLT_CHOICE(DLT_IEEE802_11_RADIO),
    DLT_CHOICE(DLT_ATM_RFC1483),
    DLT_CHOICE(DLT_ATM_CLIP),
    DLT_CHOICE(DLT_SUNATM),
    DLT_CHOICE(DLT_RAW),
    DLT_CHOICE(DLT_LINUX_SLL),
    DLT_CHOICE(DLT_LTALK),
    DLT_CHOICE(DLT_IP_OVER_FC),
    DLT_CHOICE(DLT_FRELAY),
    DLT_CHOICE_SENTINEL
}

Definition at line 298 of file pcap.c.

Referenced by pcap_datalink_name_to_val(), and pcap_datalink_val_to_name().

const char rcsid[] [static]
 

Initial value:

    "@(#) $Header: /tcpdump/master/libpcap/pcap.c,v 1.45 2003/01/23 07:24:52 guy Exp $ (LBL)"

Definition at line 35 of file pcap.c.


documentation. Copyright (c) 2002-2003 Politecnico di Torino. All rights reserved.