1PCAP(3PCAP)                                                        PCAP(3PCAP)
2
3
4

NAME

6       pcap - Packet Capture library
7

SYNOPSIS

9       #include <pcap/pcap.h>
10

DESCRIPTION

12       The  Packet  Capture  library provides a high level interface to packet
13       capture systems. All packets on the network, even  those  destined  for
14       other  hosts,  are accessible through this mechanism.  It also supports
15       saving captured packets to a ``savefile'', and reading packets  from  a
16       ``savefile''.
17
18   Opening a capture handle for reading
19       To  open  a handle for a live capture, given the name of the network or
20       other interface on which the capture should  be  done,  call  pcap_cre‐
21       ate(),  set the appropriate options on the handle, and then activate it
22       with pcap_activate().
23
24       To obtain a list of devices that can be opened for a live capture, call
25       pcap_findalldevs();  to  free  the list returned by pcap_findalldevs(),
26       call pcap_freealldevs().  pcap_lookupdev() will return the first device
27       on that list that is not a ``loopback`` network interface.
28
29       To  open  a handle for a ``savefile'' from which to read packets, given
30       the pathname of the ``savefile'', call pcap_open_offline(); to set up a
31       handle  for  a ``savefile'', given a FILE * referring to a file already
32       opened for reading, call pcap_fopen_offline().
33
34       In order to get a ``fake'' pcap_t for use in routines  that  require  a
35       pcap_t  as  an  argument,  such  as routines to open a ``savefile'' for
36       writing and to compile a filter expression, call pcap_open_dead().
37
38       pcap_create(),    pcap_open_offline(),    pcap_fopen_offline(),     and
39       pcap_open_dead() return a pointer to a pcap_t, which is the handle used
40       for reading packets from the capture stream or  the  ``savefile'',  and
41       for  finding  out information about the capture stream or ``savefile''.
42       To close a handle, use pcap_close().
43
44       The options that can be set on a capture handle include
45
46       snapshot length
47              If, when capturing, you  capture  the  entire  contents  of  the
48              packet,  that  requires more CPU time to copy the packet to your
49              application, more disk and possibly network bandwidth  to  write
50              the  packet  data  to  a  file,  and more disk space to save the
51              packet.  If you don't need the entire contents of the  packet  -
52              for  example,  if  you are only interested in the TCP headers of
53              packets - you can set the "snapshot length" for the  capture  to
54              an appropriate value.  If the snapshot length is set to snaplen,
55              and snaplen is less than the size of a packet that is  captured,
56              only the first snaplen bytes of that packet will be captured and
57              provided as packet data.
58
59              A snapshot length of 65535 should be sufficient, on most if  not
60              all networks, to capture all the data available from the packet.
61
62              The snapshot length is set with pcap_set_snaplen().
63
64       promiscuous mode
65              On  broadcast  LANs  such  as  Ethernet,  if  the  network isn't
66              switched, or if the adapter is connected to a "mirror port" on a
67              switch to which all packets passing through the switch are sent,
68              a network adapter receives all packets  on  the  LAN,  including
69              unicast  or multicast packets not sent to a network address that
70              the network adapter isn't configured to recognize.
71
72              Normally, the adapter will discard those packets; however,  many
73              network  adapters support "promiscuous mode", which is a mode in
74              which all packets, even if they are not sent to an address  that
75              the  adapter recognizes, are provided to the host.  This is use‐
76              ful for passively capturing traffic between two  or  more  other
77              hosts for analysis.
78
79              Note  that even if an application does not set promiscuous mode,
80              the adapter could well be in promiscuous  mode  for  some  other
81              reason.
82
83              For  now,  this doesn't work on the "any" device; if an argument
84              of "any" or NULL is supplied, the setting of promiscuous mode is
85              ignored.
86
87              Promiscuous mode is set with pcap_set_promisc().
88
89       monitor mode
90              On IEEE 802.11 wireless LANs, even if an adapter is in promiscu‐
91              ous mode, it will supply to the host only frames for the network
92              with  which  it's  associated.   It  might also supply only data
93              frames, not management or control frames, and might not  provide
94              the  802.11  header or radio information pseudo-header for those
95              frames.
96
97              In "monitor mode",  sometimes  also  called  "rfmon  mode"  (for
98              "Radio  Frequency  MONitor"), the adapter will supply all frames
99              that it receives,  with  802.11  headers,  and  might  supply  a
100              pseudo-header with radio information about the frame as well.
101
102              Note  that  in  monitor mode the adapter might disassociate from
103              the network with which it's associated, so that you will not  be
104              able to use any wireless networks with that adapter.  This could
105              prevent accessing files on a network server, or  resolving  host
106              names or network addresses, if you are capturing in monitor mode
107              and are not connected to another network with another adapter.
108
109              Monitor    mode    is    set    with    pcap_set_rfmon(),    and
110              pcap_can_set_rfmon() can be used to determine whether an adapter
111              can be put into monitor mode.
112
113       read timeout
114              If, when capturing,  packets  are  delivered  as  soon  as  they
115              arrive,  the  application capturing the packets will be woken up
116              for each packet as it arrives, and might have  to  make  one  or
117              more calls to the operating system to fetch each packet.
118
119              If,  instead,  packets are not delivered as soon as they arrive,
120              but are delivered after a short delay (called a "read timeout"),
121              more  than  one packet can be accumulated before the packets are
122              delivered, so that a single wakeup would be  done  for  multiple
123              packets,  and  each  set  of  calls made to the operating system
124              would supply multiple packets,  rather  than  a  single  packet.
125              This reduces the per-packet CPU overhead if packets are arriving
126              at a high rate, increasing the number of packets per second that
127              can be captured.
128
129              The  read  timeout is required so that an application won't wait
130              for the operating system's capture  buffer  to  fill  up  before
131              packets are delivered; if packets are arriving slowly, that wait
132              could take an arbitrarily long period of time.
133
134              Not all platforms support a  read  timeout;  on  platforms  that
135              don't,  the read timeout is ignored.  A zero value for the time‐
136              out, on platforms that support a  read  timeout,  has  platform-
137              dependent behavior that could cause a read to wait for an unlim‐
138              ited amount of time until the capture buffer fills up  or  could
139              cause  a read timeout of 1 millisecond to be used.  We recommend
140              that a value of zero not be used.
141
142              NOTE: the read timeout cannot be used to cause calls  that  read
143              packets  to  return within a limited period of time, because, on
144              some platforms, the read timeout isn't supported, and, on  other
145              platforms,  the  timer  doesn't  start until at least one packet
146              arrives.  This means that the read timeout should NOT  be  used,
147              for  example,  in an interactive application to allow the packet
148              capture loop to ``poll'' for user input periodically, as there's
149              no  guarantee  that a call reading packets will return after the
150              timeout expires even if no packets have arrived.
151
152              The read timeout is set with pcap_set_timeout().
153
154       buffer size
155              Packets that arrive for a capture are stored  in  a  buffer,  so
156              that  they  do not have to be read by the application as soon as
157              they arrive.  On some platforms, the buffer's size can be set; a
158              size  that's  too small could mean that, if too many packets are
159              being captured and the snapshot length doesn't limit the  amount
160              of  data that's buffered, packets could be dropped if the buffer
161              fills up before the application can read packets from it,  while
162              a  size  that's  too large could use more non-pageable operating
163              system memory than is necessary to prevent  packets  from  being
164              dropped.
165
166              The buffer size is set with pcap_set_buffer_size().
167
168       timestamp type
169              On  some platforms, the time stamp given to packets on live cap‐
170              tures can come from different sources that  can  have  different
171              resolutions or that can have different relationships to the time
172              values for the current time supplied by routines on  the  native
173              operating  system.   See pcap-tstamp(7) for a list of time stamp
174              types.
175
176              The time stamp type is set with pcap_set_tstamp_type().
177
178       Reading packets from a network interface may require that you have spe‐
179       cial privileges:
180
181       Under SunOS 3.x or 4.x with NIT or BPF:
182              You must have read access to /dev/nit or /dev/bpf*.
183
184       Under Solaris with DLPI:
185              You  must  have  read/write access to the network pseudo device,
186              e.g.  /dev/le.  On at least some versions of  Solaris,  however,
187              this  is not sufficient to allow tcpdump to capture in promiscu‐
188              ous mode; on those versions of Solaris, you must be root, or the
189              application  capturing packets must be installed setuid to root,
190              in order to capture in promiscuous mode.   Note  that,  on  many
191              (perhaps  all)  interfaces,  if you don't capture in promiscuous
192              mode, you will not see any outgoing packets, so  a  capture  not
193              done in promiscuous mode may not be very useful.
194
195              In  newer  versions  of  Solaris,  you  must have been given the
196              net_rawaccess privilege; this is both necessary  and  sufficient
197              to  give  you  access to the network pseudo-device - there is no
198              need to change the privileges on that device.   A  user  can  be
199              given  that  privilege by, for example, adding that privilege to
200              the user's defaultpriv key with the usermod (1M) command.
201
202       Under HP-UX with DLPI:
203              You must be root or the application capturing  packets  must  be
204              installed setuid to root.
205
206       Under IRIX with snoop:
207              You  must  be  root or the application capturing packets must be
208              installed setuid to root.
209
210       Under Linux:
211              You must be root or the application capturing  packets  must  be
212              installed  setuid to root (unless your distribution has a kernel
213              that supports capability bits such as CAP_NET_RAW  and  code  to
214              allow  those  capability bits to be given to particular accounts
215              and to cause those bits to be set on a user's initial  processes
216              when  they  log  in, in which case you  must have CAP_NET_RAW in
217              order to capture and CAP_NET_ADMIN to enumerate network  devices
218              with, for example, the -D flag).
219
220       Under ULTRIX and Digital UNIX/Tru64 UNIX:
221              Any  user  may  capture  network traffic.  However, no user (not
222              even the super-user) can  capture  in  promiscuous  mode  on  an
223              interface  unless  the  super-user  has enabled promiscuous-mode
224              operation on that interface using pfconfig(8), and no user  (not
225              even  the super-user) can capture unicast traffic received by or
226              sent by the machine on an interface unless  the  super-user  has
227              enabled  copy-all-mode  operation on that interface using pfcon‐
228              fig, so useful packet capture on an interface probably  requires
229              that either promiscuous-mode or copy-all-mode operation, or both
230              modes of operation, be enabled on that interface.
231
232       Under BSD (this includes Mac OS X):
233              You must have read access to /dev/bpf*  on  systems  that  don't
234              have  a  cloning  BPF device, or to /dev/bpf on systems that do.
235              On BSDs with a devfs  (this  includes  Mac  OS  X),  this  might
236              involve  more  than  just having somebody with super-user access
237              setting the ownership or permissions on the  BPF  devices  -  it
238              might  involve configuring devfs to set the ownership or permis‐
239              sions every time the system is booted, if the system  even  sup‐
240              ports  that;  if it doesn't support that, you might have to find
241              some other way to make that happen at boot time.
242
243       Reading a saved packet file doesn't require special privileges.
244
245       The packets read from the handle may include a  ``pseudo-header''  con‐
246       taining  various  forms  of  packet  meta-data, and probably includes a
247       link-layer header whose  contents  can  differ  for  different  network
248       interfaces.   To  determine  the  format of the packets supplied by the
249       handle,  call  pcap_datalink();   http://www.tcpdump.org/linktypes.html
250       lists  the values it returns and describes the packet formats that cor‐
251       respond to those values.
252
253       Do NOT assume that the packets for a given capture or ``savefile`` will
254       have any given link-layer header type, such as DLT_EN10MB for Ethernet.
255       For example, the "any" device on Linux will have  a  link-layer  header
256       type of DLT_LINUX_SLL even if all devices on the system at the time the
257       "any" device is  opened  have  some  other  data  link  type,  such  as
258       DLT_EN10MB for Ethernet.
259
260       To  obtain  the  FILE *  corresponding to a pcap_t opened for a ``save‐
261       file'', call pcap_file().
262
263       Routines
264
265              pcap_create(3PCAP)
266                     get a pcap_t for live capture
267
268              pcap_activate(3PCAP)
269                     activate a pcap_t for live capture
270
271              pcap_findalldevs(3PCAP)
272                     get a list of devices that can be opened for a live  cap‐
273                     ture
274
275              pcap_freealldevs(3PCAP)
276                     free list of devices
277
278              pcap_lookupdev(3PCAP)
279                     get first non-loopback device on that list
280
281              pcap_open_offline(3PCAP)
282                     open a pcap_t for a ``savefile'', given a pathname
283
284              pcap_fopen_offline(3PCAP)
285                     open a pcap_t for a ``savefile'', given a FILE *
286
287              pcap_open_dead(3PCAP)
288                     create a ``fake'' pcap_t
289
290              pcap_close(3PCAP)
291                     close a pcap_t
292
293              pcap_set_snaplen(3PCAP)
294                     set  the  snapshot  length for a not-yet-activated pcap_t
295                     for live capture
296
297              pcap_snapshot(3PCAP)
298                     get the snapshot length for a pcap_t
299
300              pcap_set_promisc(3PCAP)
301                     set promiscuous mode for a not-yet-activated  pcap_t  for
302                     live capture
303
304              pcap_set_rfmon(3PCAP)
305                     set  monitor mode for a not-yet-activated pcap_t for live
306                     capture
307
308              pcap_can_set_rfmon(3PCAP)
309                     determine whether monitor mode can be set  for  a  pcap_t
310                     for live capture
311
312              pcap_set_timeout(3PCAP)
313                     set  read timeout for a not-yet-activated pcap_t for live
314                     capture
315
316              pcap_set_buffer_size(3PCAP)
317                     set buffer size for a not-yet-activated pcap_t  for  live
318                     capture
319
320              pcap_set_tstamp_type(3PCAP)
321                     set  time  stamp  type for a not-yet-activated pcap_t for
322                     live capture
323
324              pcap_list_tstamp_types(3PCAP)
325                     get list of available time stamp  types  for  a  not-yet-
326                     activated pcap_t for live capture
327
328              pcap_free_tstamp_types(3PCAP)
329                     free list of available time stamp types
330
331              pcap_tstamp_type_val_to_name(3PCAP)
332                     get name for a time stamp type
333
334              pcap_tstamp_type_val_to_description(3PCAP)
335                     get description for a time stamp type
336
337              pcap_tstamp_name_to_val(3PCAP)
338                     get time stamp type corresponding to a name
339
340              pcap_datalink(3PCAP)
341                     get link-layer header type for a pcap_t
342
343              pcap_file(3PCAP)
344                     get the FILE * for a pcap_t opened for a ``savefile''
345
346              pcap_is_swapped(3PCAP)
347                     determine  whether  a ``savefile'' being read came from a
348                     machine with the opposite byte order
349
350              pcap_major_version(3PCAP)
351              pcap_minor_version(3PCAP)
352                     get the major and minor version of the file  format  ver‐
353                     sion for a ``savefile''
354
355   Selecting a link-layer header type for a live capture
356       Some  devices  may  provide  more  than one link-layer header type.  To
357       obtain a list of all link-layer header types provided by a device, call
358       pcap_list_datalinks() on an activated pcap_t for the device.  To free a
359       list of link-layer header types, call  pcap_free_datalinks().   To  set
360       the  link-layer  header  type  for  a device, call pcap_set_datalink().
361       This should be done after the device has been activated but before  any
362       packets are read and before any filters are compiled or installed.
363
364       Routines
365
366              pcap_list_datalinks(3PCAP)
367                     get a list of link-layer header types for a device
368
369              pcap_free_datalinks(3PCAP)
370                     free list of link-layer header types
371
372              pcap_set_datalink(3PCAP)
373                     set link-layer header type for a device
374
375              pcap_datalink_val_to_name(3PCAP)
376                     get name for a link-layer header type
377
378              pcap_datalink_val_to_description(3PCAP)
379                     get description for a link-layer header type
380
381              pcap_datalink_name_to_val(3PCAP)
382                     get link-layer header type corresponding to a name
383
384   Reading packets
385       Packets are read with pcap_dispatch() or pcap_loop(), which process one
386       or more packets, calling a callback routine for each  packet,  or  with
387       pcap_next() or pcap_next_ex(), which return the next packet.  The call‐
388       back for pcap_dispatch() and pcap_loop() is supplied  a  pointer  to  a
389       struct pcap_pkthdr, which includes the following members:
390
391              ts     a  struct timeval containing the time when the packet was
392                     captured
393
394              caplen a bpf_u_int32 giving the number of bytes  of  the  packet
395                     that are available from the capture
396
397              len    a  bpf_u_int32  giving the length of the packet, in bytes
398                     (which might be more than the number of  bytes  available
399                     from  the  capture, if the length of the packet is larger
400                     than the maximum number of bytes to capture).
401
402       The callback is also supplied a  const  u_char  pointer  to  the  first
403       caplen  (as  given  in the struct pcap_pkthdr mentioned above) bytes of
404       data from the packet.  This won't necessarily be the entire packet;  to
405       capture the entire packet, you will have to provide a value for snaplen
406       in your call to pcap_set_snaplen() that is sufficiently  large  to  get
407       all  of  the  packet's  data - a value of 65535 should be sufficient on
408       most if not all networks).  When reading from a ``savefile'', the snap‐
409       shot  length  specified  when  the capture was performed will limit the
410       amount of packet data available.
411
412       pcap_next() is passed an argument that points to a  struct  pcap_pkthdr
413       structure,  and  fills  it in with the time stamp and length values for
414       the packet.  It returns a const u_char to the first caplen bytes of the
415       packet on success, and NULL on error.
416
417       pcap_next_ex()  is passed two pointer arguments, one of which points to
418       a structpcap_pkthdr* and one of which points to a  const  u_char*.   It
419       sets  the first pointer to point to a struct pcap_pkthdr structure with
420       the time stamp and length values for the packet, and  sets  the  second
421       pointer to point to the first caplen bytes of the packet.
422
423       To  force the loop in pcap_dispatch() or pcap_loop() to terminate, call
424       pcap_breakloop().
425
426       By default, when reading packets from an interface opened  for  a  live
427       capture,  pcap_dispatch(),  pcap_next(), and pcap_next_ex() will, if no
428       packets are currently available to be read, block waiting  for  packets
429       to  become available.  On some, but not all, platforms, if a read time‐
430       out was specified, the wait  will  terminate  after  the  read  timeout
431       expires;  applications  should  be  prepared for this, as it happens on
432       some platforms, but should not rely on it, as it  does  not  happen  on
433       other platforms.
434
435       A  handle can be put into ``non-blocking mode'', so that those routines
436       will, rather than blocking, return an indication that  no  packets  are
437       available  to  read.  Call pcap_setnonblock() to put a handle into non-
438       blocking mode or to take it out of non-blocking mode; call pcap_getnon‐
439       block()  to  determine  whether a handle is in non-blocking mode.  Note
440       that non-blocking mode does not work correctly in Mac OS X 10.6.
441
442       Non-blocking mode is often combined with routines such as select(2)  or
443       poll(2)  or other routines a platform offers to wait for the availabil‐
444       ity of data on any of a set of descriptors.  To obtain, for a handle, a
445       descriptor    that    can    be    used   in   those   routines,   call
446       pcap_get_selectable_fd().  Not  all  handles  have  such  a  descriptor
447       available;  pcap_get_selectable_fd() will return -1 if no such descrip‐
448       tor exists.  In addition, for various reasons, one  or  more  of  those
449       routines  will not work properly with the descriptor; the documentation
450       for pcap_get_selectable_fd() gives details.
451
452       Routines
453
454              pcap_dispatch(3PCAP)
455                     read a bufferful of packets from a pcap_t open for a live
456                     capture or the full set of packets from a pcap_t open for
457                     a ``savefile''
458
459              pcap_loop(3PCAP)
460                     read packets from a pcap_t until an  interrupt  or  error
461                     occurs
462
463              pcap_next(3PCAP)
464                     read  the next packet from a pcap_t without an indication
465                     whether an error occurred
466
467              pcap_next_ex(3PCAP)
468                     read the next packet from a pcap_t with an error  indica‐
469                     tion on an error
470
471              pcap_breakloop(3PCAP)
472                     prematurely  terminate  the  loop  in  pcap_dispatch() or
473                     pcap_loop()
474
475              pcap_setnonblock(3PCAP)
476                     set or clear non-blocking mode on a pcap_t
477
478              pcap_getnonblock(3PCAP)
479                     get the state of non-blocking mode for a pcap_t
480
481              pcap_get_selectable_fd(3PCAP)
482                     attempt to get a descriptor for a pcap_t that can be used
483                     in calls such as select(2) and poll(2)
484
485   Filters
486       In  order  to  cause  only  certain packets to be returned when reading
487       packets, a filter can be set on a handle.  For a live capture, the fil‐
488       tering  will be performed in kernel mode, if possible, to avoid copying
489       ``uninteresting'' packets from the kernel to user mode.
490
491       A filter can be specified as a text string; the syntax and semantics of
492       the string are as described by pcap-filter(7).  A filter string is com‐
493       piled into a program in a pseudo-machine-language by pcap_compile() and
494       the  resulting program can be made a filter for a handle with pcap_set‐
495       filter().  The result of pcap_compile() can be freed  with  a  call  to
496       pcap_freecode().  pcap_compile() may require a network mask for certain
497       expressions in the filter string; pcap_lookupnet() can be used to  find
498       the network address and network mask for a given capture device.
499
500       A  compiled  filter  can  also be applied directly to a packet that has
501       been read using pcap_offline_filter().
502
503       Routines
504
505              pcap_compile(3PCAP)
506                     compile filter expression  to  a  pseudo-machine-language
507                     code program
508
509              pcap_freecode(3PCAP)
510                     free a filter program
511
512              pcap_setfilter(3PCAP)
513                     set filter for a pcap_t
514
515              pcap_lookupnet(3PCAP)
516                     get network address and network mask for a capture device
517
518              pcap_offline_filter(3PCAP)
519                     apply a filter program to a packet
520
521   Incoming and outgoing packets
522       By  default,  libpcap  will attempt to capture both packets sent by the
523       machine and packets received by the machine.  To limit it to  capturing
524       only packets received by the machine or, if possible, only packets sent
525       by the machine, call pcap_setdirection().
526
527       Routines
528
529              pcap_setdirection(3PCAP)
530                     specify whether to  capture  incoming  packets,  outgoing
531                     packets, or both
532
533   Capture statistics
534       To get statistics about packets received and dropped in a live capture,
535       call pcap_stats().
536
537       Routines
538
539              pcap_stats(3PCAP)
540                     get capture statistics
541
542   Opening a handle for writing captured packets
543       To open a ``savefile`` to which to write packets,  given  the  pathname
544       the ``savefile'' should have, call pcap_dump_open().  To open a ``save‐
545       file`` to which to write packets, given the pathname  the  ``savefile''
546       should  have,  call  pcap_dump_open(); to set up a handle for a ``save‐
547       file'', given a FILE * referring to a file already opened for  writing,
548       call  pcap_dump_fopen().  They each return pointers to a pcap_dumper_t,
549       which is the handle used for writing packets to the  ``savefile''.   If
550       it  succeeds,  it  will  have  created the file if it doesn't exist and
551       truncated the file if it does exist.  To close  a  pcap_dumper_t,  call
552       pcap_dump_close().
553
554       Routines
555
556              pcap_dump_open(3PCAP)
557                     open a pcap_dumper_t for a ``savefile``, given a pathname
558
559              pcap_dump_fopen(3PCAP)
560                     open a pcap_dumper_t for a ``savefile``, given a FILE *
561
562              pcap_dump_close(3PCAP)
563                     close a pcap_dumper_t
564
565              pcap_dump_file(3PCAP)
566                     get  the  FILE * for a pcap_dumper_t opened for a ``save‐
567                     file''
568
569   Writing packets
570       To write a packet to a pcap_dumper_t, call pcap_dump().  Packets  writ‐
571       ten  with  pcap_dump()  may  be buffered, rather than being immediately
572       written to the ``savefile''.  Closing the pcap_dumper_t will cause  all
573       buffered-but-not-yet-written packets to be written to the ``savefile''.
574       To force all packets written to the pcap_dumper_t, and not yet  written
575       to  the  ``savefile'' because they're buffered by the pcap_dumper_t, to
576       be written to the ``savefile'', without closing the pcap_dumper_t, call
577       pcap_dump_flush().
578
579       Routines
580
581              pcap_dump(3PCAP)
582                     write packet to a pcap_dumper_t
583
584              pcap_dump_flush(3PCAP)
585                     flush  buffered packets written to a pcap_dumper_t to the
586                     ``savefile''
587
588              pcap_dump_ftell(3PCAP)
589                     get current file position for a pcap_dumper_t
590
591   Injecting packets
592       If you have the required privileges, you can inject packets onto a net‐
593       work  with  a  pcap_t  for  a  live  capture,  using  pcap_inject()  or
594       pcap_sendpacket().  (The two routines exist for compatibility with both
595       OpenBSD and WinPcap; they perform the same function, but have different
596       return values.)
597
598       Routines
599
600              pcap_inject(3PCAP)
601              pcap_sendpacket(3PCAP)
602                     transmit a packet
603
604   Reporting errors
605       Some routines return error or warning status codes; to convert them  to
606       a string, use pcap_statustostr().
607
608       Routines
609
610              pcap_statustostr(3PCAP)
611                     get a string for an error or warning status code
612
613   Getting library version information
614       To  get  a  string  giving  version  information  about  libpcap,  call
615       pcap_library_version().
616
617       Routines
618
619              pcap_library_version(3PCAP)
620                     get library version string
621

BACKWARDS COMPATIBILITY

623       In versions of libpcap prior to 1.0, the pcap.h header file was not  in
624       a  pcap  directory on most platforms; if you are writing an application
625       that must work on versions of libpcap prior to 1.0,  include  <pcap.h>,
626       which  will  include  <pcap/pcap.h>  for  you,  rather  than  including
627       <pcap/pcap.h>.
628
629       pcap_create() and pcap_activate() were not  available  in  versions  of
630       libpcap  prior to 1.0; if you are writing an application that must work
631       on versions of libpcap prior to 1.0, either use pcap_open_live() to get
632       a handle for a live capture or, if you want to be able to use the addi‐
633       tional capabilities offered by using pcap_create() and pcap_activate(),
634       use  an  autoconf(1) script or some other configuration script to check
635       whether the libpcap 1.0 APIs are available and use them  only  if  they
636       are.
637

SEE ALSO

639       autoconf(1),   tcpdump(8),  tcpslice(8),  pcap-filter(7),  pfconfig(8),
640       usermod(1M)
641

AUTHORS

643       The original authors of libpcap are:
644
645       Van Jacobson, Craig Leres and  Steven  McCanne,  all  of  the  Lawrence
646       Berkeley National Laboratory, University of California, Berkeley, CA.
647
648       The current version is available from "The Tcpdump Group"'s Web site at
649
650              http://www.tcpdump.org/
651

BUGS

653       Please send problems, bugs, questions, desirable enhancements, etc. to:
654
655              tcpdump-workers@lists.tcpdump.org
656
657
658
659                                  1 July 2013                      PCAP(3PCAP)
Impressum