1PCAP(3PCAP) PCAP(3PCAP)
2
6 pcap - Packet Capture library
7
9 #include <pcap/pcap.h>
10
12 The Packet Capture library provides a high level interface to packet
13 capture systems. All packets on the network, even those destined for
14 other hosts, are accessible through this mechanism. It also supports
15 saving captured packets to a ``savefile'', and reading packets from a
16 ``savefile''.
17 Opening a capture handle for reading
19 To open a handle for a live capture, given the name of the network or
20 other interface on which the capture should be done, call pcap_cre‐
21 ate(), set the appropriate options on the handle, and then activate it
22 with pcap_activate().
23 To obtain a list of devices that can be opened for a live capture, call
25 pcap_findalldevs(); to free the list returned by pcap_findalldevs(),
26 call pcap_freealldevs(). pcap_lookupdev() will return the first device
27 on that list that is not a ``loopback`` network interface.
28 To open a handle for a ``savefile'' from which to read packets, given
30 the pathname of the ``savefile'', call pcap_open_offline(); to set up a
31 handle for a ``savefile'', given a FILE * referring to a file already
32 opened for reading, call pcap_fopen_offline().
33 In order to get a ``fake'' pcap_t for use in routines that require a
35 pcap_t as an argument, such as routines to open a ``savefile'' for
36 writing and to compile a filter expression, call pcap_open_dead().
37 pcap_create(), pcap_open_offline(), pcap_fopen_offline(), and
39 pcap_open_dead() return a pointer to a pcap_t, which is the handle used
40 for reading packets from the capture stream or the ``savefile'', and
41 for finding out information about the capture stream or ``savefile''.
42 To close a handle, use pcap_close().
43 The options that can be set on a capture handle include
45 snapshot length
47 If, when capturing, you capture the entire contents of the
48 packet, that requires more CPU time to copy the packet to your
49 application, more disk and possibly network bandwidth to write
50 the packet data to a file, and more disk space to save the
51 packet. If you don't need the entire contents of the packet -
52 for example, if you are only interested in the TCP headers of
53 packets - you can set the "snapshot length" for the capture to
54 an appropriate value. If the snapshot length is set to snaplen,
55 and snaplen is less than the size of a packet that is captured,
56 only the first snaplen bytes of that packet will be captured and
57 provided as packet data.
58 A snapshot length of 65535 should be sufficient, on most if not
60 all networks, to capture all the data available from the packet.
61 The snapshot length is set with pcap_set_snaplen().
63 promiscuous mode
65 On broadcast LANs such as Ethernet, if the network isn't
66 switched, or if the adapter is connected to a "mirror port" on a
67 switch to which all packets passing through the switch are sent,
68 a network adapter receives all packets on the LAN, including
69 unicast or multicast packets not sent to a network address that
70 the network adapter isn't configured to recognize.
71 Normally, the adapter will discard those packets; however, many
73 network adapters support "promiscuous mode", which is a mode in
74 which all packets, even if they are not sent to an address that
75 the adapter recognizes, are provided to the host. This is use‐
76 ful for passively capturing traffic between two or more other
77 hosts for analysis.
78 Note that even if an application does not set promiscuous mode,
80 the adapter could well be in promiscuous mode for some other
81 reason.
82 For now, this doesn't work on the "any" device; if an argument
84 of "any" or NULL is supplied, the setting of promiscuous mode is
85 ignored.
86 Promiscuous mode is set with pcap_set_promisc().
88 monitor mode
90 On IEEE 802.11 wireless LANs, even if an adapter is in promiscu‐
91 ous mode, it will supply to the host only frames for the network
92 with which it's associated. It might also supply only data
93 frames, not management or control frames, and might not provide
94 the 802.11 header or radio information pseudo-header for those
95 frames.
96 In "monitor mode", sometimes also called "rfmon mode" (for
98 "Radio Frequency MONitor"), the adapter will supply all frames
99 that it receives, with 802.11 headers, and might supply a
100 pseudo-header with radio information about the frame as well.
101 Note that in monitor mode the adapter might disassociate from
103 the network with which it's associated, so that you will not be
104 able to use any wireless networks with that adapter. This could
105 prevent accessing files on a network server, or resolving host
106 names or network addresses, if you are capturing in monitor mode
107 and are not connected to another network with another adapter.
108 Monitor mode is set with pcap_set_rfmon(), and
110 pcap_can_set_rfmon() can be used to determine whether an adapter
111 can be put into monitor mode.
112 read timeout
114 If, when capturing, packets are delivered as soon as they
115 arrive, the application capturing the packets will be woken up
116 for each packet as it arrives, and might have to make one or
117 more calls to the operating system to fetch each packet.
118 If, instead, packets are not delivered as soon as they arrive,
120 but are delivered after a short delay (called a "read timeout"),
121 more than one packet can be accumulated before the packets are
122 delivered, so that a single wakeup would be done for multiple
123 packets, and each set of calls made to the operating system
124 would supply multiple packets, rather than a single packet.
125 This reduces the per-packet CPU overhead if packets are arriving
126 at a high rate, increasing the number of packets per second that
127 can be captured.
128 The read timeout is required so that an application won't wait
130 for the operating system's capture buffer to fill up before
131 packets are delivered; if packets are arriving slowly, that wait
132 could take an arbitrarily long period of time.
133 Not all platforms support a read timeout; on platforms that
135 don't, the read timeout is ignored. A zero value for the time‐
136 out, on platforms that support a read timeout, has platform-
137 dependent behavior that could cause a read to wait for an unlim‐
138 ited amount of time until the capture buffer fills up or could
139 cause a read timeout of 1 millisecond to be used. We recommend
140 that a value of zero not be used.
141 NOTE: the read timeout cannot be used to cause calls that read
143 packets to return within a limited period of time, because, on
144 some platforms, the read timeout isn't supported, and, on other
145 platforms, the timer doesn't start until at least one packet
146 arrives. This means that the read timeout should NOT be used,
147 for example, in an interactive application to allow the packet
148 capture loop to ``poll'' for user input periodically, as there's
149 no guarantee that a call reading packets will return after the
150 timeout expires even if no packets have arrived.
151 The read timeout is set with pcap_set_timeout().
153 buffer size
155 Packets that arrive for a capture are stored in a buffer, so
156 that they do not have to be read by the application as soon as
157 they arrive. On some platforms, the buffer's size can be set; a
158 size that's too small could mean that, if too many packets are
159 being captured and the snapshot length doesn't limit the amount
160 of data that's buffered, packets could be dropped if the buffer
161 fills up before the application can read packets from it, while
162 a size that's too large could use more non-pageable operating
163 system memory than is necessary to prevent packets from being
164 dropped.
165 The buffer size is set with pcap_set_buffer_size().
167 timestamp type
169 On some platforms, the time stamp given to packets on live cap‐
170 tures can come from different sources that can have different
171 resolutions or that can have different relationships to the time
172 values for the current time supplied by routines on the native
173 operating system. See pcap-tstamp(7) for a list of time stamp
174 types.
175 The time stamp type is set with pcap_set_tstamp_type().
177 Reading packets from a network interface may require that you have spe‐
179 cial privileges:
180 Under SunOS 3.x or 4.x with NIT or BPF:
182 You must have read access to /dev/nit or /dev/bpf*.
183 Under Solaris with DLPI:
185 You must have read/write access to the network pseudo device,
186 e.g. /dev/le. On at least some versions of Solaris, however,
187 this is not sufficient to allow tcpdump to capture in promiscu‐
188 ous mode; on those versions of Solaris, you must be root, or the
189 application capturing packets must be installed setuid to root,
190 in order to capture in promiscuous mode. Note that, on many
191 (perhaps all) interfaces, if you don't capture in promiscuous
192 mode, you will not see any outgoing packets, so a capture not
193 done in promiscuous mode may not be very useful.
194 In newer versions of Solaris, you must have been given the
196 net_rawaccess privilege; this is both necessary and sufficient
197 to give you access to the network pseudo-device - there is no
198 need to change the privileges on that device. A user can be
199 given that privilege by, for example, adding that privilege to
200 the user's defaultpriv key with the usermod (1M) command.
201 Under HP-UX with DLPI:
203 You must be root or the application capturing packets must be
204 installed setuid to root.
205 Under IRIX with snoop:
207 You must be root or the application capturing packets must be
208 installed setuid to root.
209 Under Linux:
211 You must be root or the application capturing packets must be
212 installed setuid to root (unless your distribution has a kernel
213 that supports capability bits such as CAP_NET_RAW and code to
214 allow those capability bits to be given to particular accounts
215 and to cause those bits to be set on a user's initial processes
216 when they log in, in which case you must have CAP_NET_RAW in
217 order to capture and CAP_NET_ADMIN to enumerate network devices
218 with, for example, the -D flag).
219 Under ULTRIX and Digital UNIX/Tru64 UNIX:
221 Any user may capture network traffic. However, no user (not
222 even the super-user) can capture in promiscuous mode on an
223 interface unless the super-user has enabled promiscuous-mode
224 operation on that interface using pfconfig(8), and no user (not
225 even the super-user) can capture unicast traffic received by or
226 sent by the machine on an interface unless the super-user has
227 enabled copy-all-mode operation on that interface using pfcon‐
228 fig, so useful packet capture on an interface probably requires
229 that either promiscuous-mode or copy-all-mode operation, or both
230 modes of operation, be enabled on that interface.
231 Under BSD (this includes Mac OS X):
233 You must have read access to /dev/bpf* on systems that don't
234 have a cloning BPF device, or to /dev/bpf on systems that do.
235 On BSDs with a devfs (this includes Mac OS X), this might
236 involve more than just having somebody with super-user access
237 setting the ownership or permissions on the BPF devices - it
238 might involve configuring devfs to set the ownership or permis‐
239 sions every time the system is booted, if the system even sup‐
240 ports that; if it doesn't support that, you might have to find
241 some other way to make that happen at boot time.
242 Reading a saved packet file doesn't require special privileges.
244 The packets read from the handle may include a ``pseudo-header'' con‐
246 taining various forms of packet meta-data, and probably includes a
247 link-layer header whose contents can differ for different network
248 interfaces. To determine the format of the packets supplied by the
249 handle, call pcap_datalink(); http://www.tcpdump.org/linktypes.html
250 lists the values it returns and describes the packet formats that cor‐
251 respond to those values.
252 Do NOT assume that the packets for a given capture or ``savefile`` will
254 have any given link-layer header type, such as DLT_EN10MB for Ethernet.
255 For example, the "any" device on Linux will have a link-layer header
256 type of DLT_LINUX_SLL even if all devices on the system at the time the
257 "any" device is opened have some other data link type, such as
258 DLT_EN10MB for Ethernet.
259 To obtain the FILE * corresponding to a pcap_t opened for a ``save‐
261 file'', call pcap_file().
262 Routines
264 pcap_create(3PCAP)
266 get a pcap_t for live capture
267 pcap_activate(3PCAP)
269 activate a pcap_t for live capture
270 pcap_findalldevs(3PCAP)
272 get a list of devices that can be opened for a live cap‐
273 ture
274 pcap_freealldevs(3PCAP)
276 free list of devices
277 pcap_lookupdev(3PCAP)
279 get first non-loopback device on that list
280 pcap_open_offline(3PCAP)
282 open a pcap_t for a ``savefile'', given a pathname
283 pcap_fopen_offline(3PCAP)
285 open a pcap_t for a ``savefile'', given a FILE *
286 pcap_open_dead(3PCAP)
288 create a ``fake'' pcap_t
289 pcap_close(3PCAP)
291 close a pcap_t
292 pcap_set_snaplen(3PCAP)
294 set the snapshot length for a not-yet-activated pcap_t
295 for live capture
296 pcap_snapshot(3PCAP)
298 get the snapshot length for a pcap_t
299 pcap_set_promisc(3PCAP)
301 set promiscuous mode for a not-yet-activated pcap_t for
302 live capture
303 pcap_set_rfmon(3PCAP)
305 set monitor mode for a not-yet-activated pcap_t for live
306 capture
307 pcap_can_set_rfmon(3PCAP)
309 determine whether monitor mode can be set for a pcap_t
310 for live capture
311 pcap_set_timeout(3PCAP)
313 set read timeout for a not-yet-activated pcap_t for live
314 capture
315 pcap_set_buffer_size(3PCAP)
317 set buffer size for a not-yet-activated pcap_t for live
318 capture
319 pcap_set_tstamp_type(3PCAP)
321 set time stamp type for a not-yet-activated pcap_t for
322 live capture
323 pcap_list_tstamp_types(3PCAP)
325 get list of available time stamp types for a not-yet-
326 activated pcap_t for live capture
327 pcap_free_tstamp_types(3PCAP)
329 free list of available time stamp types
330 pcap_tstamp_type_val_to_name(3PCAP)
332 get name for a time stamp type
333 pcap_tstamp_type_val_to_description(3PCAP)
335 get description for a time stamp type
336 pcap_tstamp_name_to_val(3PCAP)
338 get time stamp type corresponding to a name
339 pcap_datalink(3PCAP)
341 get link-layer header type for a pcap_t
342 pcap_file(3PCAP)
344 get the FILE * for a pcap_t opened for a ``savefile''
345 pcap_is_swapped(3PCAP)
347 determine whether a ``savefile'' being read came from a
348 machine with the opposite byte order
349 pcap_major_version(3PCAP)
351 pcap_minor_version(3PCAP)
352 get the major and minor version of the file format ver‐
353 sion for a ``savefile''
354 Selecting a link-layer header type for a live capture
356 Some devices may provide more than one link-layer header type. To
357 obtain a list of all link-layer header types provided by a device, call
358 pcap_list_datalinks() on an activated pcap_t for the device. To free a
359 list of link-layer header types, call pcap_free_datalinks(). To set
360 the link-layer header type for a device, call pcap_set_datalink().
361 This should be done after the device has been activated but before any
362 packets are read and before any filters are compiled or installed.
363 Routines
365 pcap_list_datalinks(3PCAP)
367 get a list of link-layer header types for a device
368 pcap_free_datalinks(3PCAP)
370 free list of link-layer header types
371 pcap_set_datalink(3PCAP)
373 set link-layer header type for a device
374 pcap_datalink_val_to_name(3PCAP)
376 get name for a link-layer header type
377 pcap_datalink_val_to_description(3PCAP)
379 get description for a link-layer header type
380 pcap_datalink_name_to_val(3PCAP)
382 get link-layer header type corresponding to a name
383 Reading packets
385 Packets are read with pcap_dispatch() or pcap_loop(), which process one
386 or more packets, calling a callback routine for each packet, or with
387 pcap_next() or pcap_next_ex(), which return the next packet. The call‐
388 back for pcap_dispatch() and pcap_loop() is supplied a pointer to a
389 struct pcap_pkthdr, which includes the following members:
390 ts a struct timeval containing the time when the packet was
392 captured
393 caplen a bpf_u_int32 giving the number of bytes of the packet
395 that are available from the capture
396 len a bpf_u_int32 giving the length of the packet, in bytes
398 (which might be more than the number of bytes available
399 from the capture, if the length of the packet is larger
400 than the maximum number of bytes to capture).
401 The callback is also supplied a const u_char pointer to the first
403 caplen (as given in the struct pcap_pkthdr mentioned above) bytes of
404 data from the packet. This won't necessarily be the entire packet; to
405 capture the entire packet, you will have to provide a value for snaplen
406 in your call to pcap_set_snaplen() that is sufficiently large to get
407 all of the packet's data - a value of 65535 should be sufficient on
408 most if not all networks). When reading from a ``savefile'', the snap‐
409 shot length specified when the capture was performed will limit the
410 amount of packet data available.
411 pcap_next() is passed an argument that points to a struct pcap_pkthdr
413 structure, and fills it in with the time stamp and length values for
414 the packet. It returns a const u_char to the first caplen bytes of the
415 packet on success, and NULL on error.
416 pcap_next_ex() is passed two pointer arguments, one of which points to
418 a structpcap_pkthdr* and one of which points to a const u_char*. It
419 sets the first pointer to point to a struct pcap_pkthdr structure with
420 the time stamp and length values for the packet, and sets the second
421 pointer to point to the first caplen bytes of the packet.
422 To force the loop in pcap_dispatch() or pcap_loop() to terminate, call
424 pcap_breakloop().
425 By default, when reading packets from an interface opened for a live
427 capture, pcap_dispatch(), pcap_next(), and pcap_next_ex() will, if no
428 packets are currently available to be read, block waiting for packets
429 to become available. On some, but not all, platforms, if a read time‐
430 out was specified, the wait will terminate after the read timeout
431 expires; applications should be prepared for this, as it happens on
432 some platforms, but should not rely on it, as it does not happen on
433 other platforms.
434 A handle can be put into ``non-blocking mode'', so that those routines
436 will, rather than blocking, return an indication that no packets are
437 available to read. Call pcap_setnonblock() to put a handle into non-
438 blocking mode or to take it out of non-blocking mode; call pcap_getnon‐
439 block() to determine whether a handle is in non-blocking mode. Note
440 that non-blocking mode does not work correctly in Mac OS X 10.6.
441 Non-blocking mode is often combined with routines such as select(2) or
443 poll(2) or other routines a platform offers to wait for the availabil‐
444 ity of data on any of a set of descriptors. To obtain, for a handle, a
445 descriptor that can be used in those routines, call
446 pcap_get_selectable_fd(). Not all handles have such a descriptor
447 available; pcap_get_selectable_fd() will return -1 if no such descrip‐
448 tor exists. In addition, for various reasons, one or more of those
449 routines will not work properly with the descriptor; the documentation
450 for pcap_get_selectable_fd() gives details.
451 Routines
453 pcap_dispatch(3PCAP)
455 read a bufferful of packets from a pcap_t open for a live
456 capture or the full set of packets from a pcap_t open for
457 a ``savefile''
458 pcap_loop(3PCAP)
460 read packets from a pcap_t until an interrupt or error
461 occurs
462 pcap_next(3PCAP)
464 read the next packet from a pcap_t without an indication
465 whether an error occurred
466 pcap_next_ex(3PCAP)
468 read the next packet from a pcap_t with an error indica‐
469 tion on an error
470 pcap_breakloop(3PCAP)
472 prematurely terminate the loop in pcap_dispatch() or
473 pcap_loop()
474 pcap_setnonblock(3PCAP)
476 set or clear non-blocking mode on a pcap_t
477 pcap_getnonblock(3PCAP)
479 get the state of non-blocking mode for a pcap_t
480 pcap_get_selectable_fd(3PCAP)
482 attempt to get a descriptor for a pcap_t that can be used
483 in calls such as select(2) and poll(2)
484 Filters
486 In order to cause only certain packets to be returned when reading
487 packets, a filter can be set on a handle. For a live capture, the fil‐
488 tering will be performed in kernel mode, if possible, to avoid copying
489 ``uninteresting'' packets from the kernel to user mode.
490 A filter can be specified as a text string; the syntax and semantics of
492 the string are as described by pcap-filter(7). A filter string is com‐
493 piled into a program in a pseudo-machine-language by pcap_compile() and
494 the resulting program can be made a filter for a handle with pcap_set‐
495 filter(). The result of pcap_compile() can be freed with a call to
496 pcap_freecode(). pcap_compile() may require a network mask for certain
497 expressions in the filter string; pcap_lookupnet() can be used to find
498 the network address and network mask for a given capture device.
499 A compiled filter can also be applied directly to a packet that has
501 been read using pcap_offline_filter().
502 Routines
504 pcap_compile(3PCAP)
506 compile filter expression to a pseudo-machine-language
507 code program
508 pcap_freecode(3PCAP)
510 free a filter program
511 pcap_setfilter(3PCAP)
513 set filter for a pcap_t
514 pcap_lookupnet(3PCAP)
516 get network address and network mask for a capture device
517 pcap_offline_filter(3PCAP)
519 apply a filter program to a packet
520 Incoming and outgoing packets
522 By default, libpcap will attempt to capture both packets sent by the
523 machine and packets received by the machine. To limit it to capturing
524 only packets received by the machine or, if possible, only packets sent
525 by the machine, call pcap_setdirection().
526 Routines
528 pcap_setdirection(3PCAP)
530 specify whether to capture incoming packets, outgoing
531 packets, or both
532 Capture statistics
534 To get statistics about packets received and dropped in a live capture,
535 call pcap_stats().
536 Routines
538 pcap_stats(3PCAP)
540 get capture statistics
541 Opening a handle for writing captured packets
543 To open a ``savefile`` to which to write packets, given the pathname
544 the ``savefile'' should have, call pcap_dump_open(). To open a ``save‐
545 file`` to which to write packets, given the pathname the ``savefile''
546 should have, call pcap_dump_open(); to set up a handle for a ``save‐
547 file'', given a FILE * referring to a file already opened for writing,
548 call pcap_dump_fopen(). They each return pointers to a pcap_dumper_t,
549 which is the handle used for writing packets to the ``savefile''. If
550 it succeeds, it will have created the file if it doesn't exist and
551 truncated the file if it does exist. To close a pcap_dumper_t, call
552 pcap_dump_close().
553 Routines
555 pcap_dump_open(3PCAP)
557 open a pcap_dumper_t for a ``savefile``, given a pathname
558 pcap_dump_fopen(3PCAP)
560 open a pcap_dumper_t for a ``savefile``, given a FILE *
561 pcap_dump_close(3PCAP)
563 close a pcap_dumper_t
564 pcap_dump_file(3PCAP)
566 get the FILE * for a pcap_dumper_t opened for a ``save‐
567 file''
568 Writing packets
570 To write a packet to a pcap_dumper_t, call pcap_dump(). Packets writ‐
571 ten with pcap_dump() may be buffered, rather than being immediately
572 written to the ``savefile''. Closing the pcap_dumper_t will cause all
573 buffered-but-not-yet-written packets to be written to the ``savefile''.
574 To force all packets written to the pcap_dumper_t, and not yet written
575 to the ``savefile'' because they're buffered by the pcap_dumper_t, to
576 be written to the ``savefile'', without closing the pcap_dumper_t, call
577 pcap_dump_flush().
578 Routines
580 pcap_dump(3PCAP)
582 write packet to a pcap_dumper_t
583 pcap_dump_flush(3PCAP)
585 flush buffered packets written to a pcap_dumper_t to the
586 ``savefile''
587 pcap_dump_ftell(3PCAP)
589 get current file position for a pcap_dumper_t
590 Injecting packets
592 If you have the required privileges, you can inject packets onto a net‐
593 work with a pcap_t for a live capture, using pcap_inject() or
594 pcap_sendpacket(). (The two routines exist for compatibility with both
595 OpenBSD and WinPcap; they perform the same function, but have different
596 return values.)
597 Routines
599 pcap_inject(3PCAP)
601 pcap_sendpacket(3PCAP)
602 transmit a packet
603 Reporting errors
605 Some routines return error or warning status codes; to convert them to
606 a string, use pcap_statustostr().
607 Routines
609 pcap_statustostr(3PCAP)
611 get a string for an error or warning status code
612 Getting library version information
614 To get a string giving version information about libpcap, call
615 pcap_library_version().
616 Routines
618 pcap_library_version(3PCAP)
620 get library version string
621
623 In versions of libpcap prior to 1.0, the pcap.h header file was not in
624 a pcap directory on most platforms; if you are writing an application
625 that must work on versions of libpcap prior to 1.0, include <pcap.h>,
626 which will include <pcap/pcap.h> for you, rather than including
627 <pcap/pcap.h>.
628 pcap_create() and pcap_activate() were not available in versions of
630 libpcap prior to 1.0; if you are writing an application that must work
631 on versions of libpcap prior to 1.0, either use pcap_open_live() to get
632 a handle for a live capture or, if you want to be able to use the addi‐
633 tional capabilities offered by using pcap_create() and pcap_activate(),
634 use an autoconf(1) script or some other configuration script to check
635 whether the libpcap 1.0 APIs are available and use them only if they
636 are.
637
639 autoconf(1), tcpdump(8), tcpslice(8), pcap-filter(7), pfconfig(8),
640 usermod(1M)
641
643 The original authors of libpcap are:
644 Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence
646 Berkeley National Laboratory, University of California, Berkeley, CA.
647 The current version is available from "The Tcpdump Group"'s Web site at
649 http://www.tcpdump.org/
651
653 Please send problems, bugs, questions, desirable enhancements, etc. to:
654 tcpdump-workers@lists.tcpdump.org
656 1 July 2013 PCAP(3PCAP)