1PCAP(3PCAP)                                                        PCAP(3PCAP)
2
3
4

NAME

6       pcap - Packet Capture library
7

SYNOPSIS

9       #include <pcap/pcap.h>
10

DESCRIPTION

12       The  Packet  Capture  library provides a high level interface to packet
13       capture systems. All packets on the network, even  those  destined  for
14       other  hosts,  are accessible through this mechanism.  It also supports
15       saving captured packets to a ``savefile'', and reading packets  from  a
16       ``savefile''.
17
18       To open a handle for a live capture, call pcap_create(), set the appro‐
19       priate options on the handle, and  then  activate  it  with  pcap_acti‐
20       vate().   To  open  a  handle for a ``savefile'' with captured packets,
21       call pcap_open_offline().  Both pcap_create()  and  pcap_open_offline()
22       return  a  pointer  to  a  pcap_t, which is the handle used for reading
23       packets from the capture stream or the ``savefile'',  and  for  finding
24       out information about the capture stream or ``savefile''.
25
26       The options that can be set on a capture handle include
27
28       snapshot length
29              If,  when  capturing,  you  capture  the  entire contents of the
30              packet, that requires more CPU time to copy the packet  to  your
31              application,  more  disk and possibly network bandwidth to write
32              the packet data to a file, and  more  disk  space  to  save  the
33              packet.   If  you don't need the entire contents of the packet -
34              for example, if you are only interested in the  TCP  headers  of
35              packets  -  you can set the "snapshot length" for the capture to
36              an appropriate value.  If the snapshot length is set to snaplen,
37              and  snaplen is less than the size of a packet that is captured,
38              only the first snaplen bytes of that packet will be captured and
39              provided as packet data.
40
41              A  snapshot length of 65535 should be sufficient, on most if not
42              all networks, to capture all the data available from the packet.
43
44              The snapshot length is set with pcap_set_snaplen().
45
46       promiscuous mode
47              On broadcast  LANs  such  as  Ethernet,  if  the  network  isn't
48              switched, or if the adapter is connected to a "mirror port" on a
49              switch to which all packets passing through the switch are sent,
50              a  network  adapter  receives  all packets on the LAN, including
51              unicast or multicast packets not sent to a network address  that
52              the network adapter isn't configured to recognize.
53
54              Normally,  the adapter will discard those packets; however, many
55              network adapters support "promiscuous mode", which is a mode  in
56              which  all packets, even if they are not sent to an address that
57              the adapter recognizes, are provided to the host.  This is  use‐
58              ful  for  passively  capturing traffic between two or more other
59              hosts for analysis.
60
61              Note that even if an application does not set promiscuous  mode,
62              the  adapter  could  well  be in promiscuous mode for some other
63              reason.
64
65              For now, this doesn't work on the "any" device; if  an  argument
66              of "any" or NULL is supplied, the setting of promiscuous mode is
67              ignored.
68
69              Promiscuous mode is set with pcap_set_promisc().
70
71       monitor mode
72              On IEEE 802.11 wireless LANs, even if an adapter is in promiscu‐
73              ous mode, it will supply to the host only frames for the network
74              with which it's associated.  It  might  also  supply  only  data
75              frames,  not management or control frames, and might not provide
76              the 802.11 header or radio information pseudo-header  for  those
77              frames.
78
79              In  "monitor  mode",  sometimes  also  called  "rfmon mode" (for
80              "Radio Frequency MONitor"), the adapter will supply  all  frames
81              that  it  receives,  with  802.11  headers,  and  might supply a
82              pseudo-header with radio information about the frame as well.
83
84              Note that in monitor mode the adapter  might  disassociate  from
85              the  network with which it's associated, so that you will not be
86              able to use any wireless networks with that adapter.  This could
87              prevent  accessing  files on a network server, or resolving host
88              names or network addresses, if you are capturing in monitor mode
89              and are not connected to another network with another adapter.
90
91              Monitor    mode    is    set    with    pcap_set_rfmon(),    and
92              pcap_can_set_rfmon() can be used to determine whether an adapter
93              can be put into monitor mode.
94
95       read timeout
96              If,  when  capturing,  packets  are  delivered  as  soon as they
97              arrive, the application capturing the packets will be  woken  up
98              for  each  packet  as  it arrives, and might have to make one or
99              more calls to the operating system to fetch each packet.
100
101              If, instead, packets are not delivered as soon as  they  arrive,
102              but are delivered after a short delay (called a "read timeout"),
103              more than one packet can be accumulated before the  packets  are
104              delivered,  so  that  a single wakeup would be done for multiple
105              packets, and each set of calls  made  to  the  operating  system
106              would  supply  multiple  packets,  rather  than a single packet.
107              This reduces the per-packet CPU overhead if packets are arriving
108              at a high rate, increasing the number of packets per second that
109              can be captured.
110
111              The read timeout is required so that an application  won't  wait
112              for  the  operating  system's  capture  buffer to fill up before
113              packets are delivered; if packets are arriving slowly, that wait
114              could take an arbitrarily long period of time.
115
116              Not  all  platforms  support  a  read timeout; on platforms that
117              don't, the read timeout is ignored.  A zero value for the  time‐
118              out, on platforms that support a read timeout, will cause a read
119              to wait forever to allow enough packets to arrive, with no time‐
120              out.
121
122              NOTE:  the  read timeout cannot be used to cause calls that read
123              packets to return within a limited period of time,  because,  on
124              some  platforms, the read timeout isn't supported, and, on other
125              platforms, the timer doesn't start until  at  least  one  packet
126              arrives.   This  means that the read timeout should NOT be used,
127              for example, in an interactive application to allow  the  packet
128              capture loop to ``poll'' for user input periodically, as there's
129              no guarantee that a call reading packets will return  after  the
130              timeout expires even if no packets have arrived.
131
132              The read timeout is set with pcap_set_timeout().
133
134       buffer size
135              Packets  that  arrive  for  a capture are stored in a buffer, so
136              that they do not have to be read by the application as  soon  as
137              they arrive.  On some platforms, the buffer's size can be set; a
138              size that's too small could mean that, if too many  packets  are
139              being  captured and the snapshot length doesn't limit the amount
140              of data that's buffered, packets could be dropped if the  buffer
141              fills  up before the application can read packets from it, while
142              a size that's too large could use  more  non-pageable  operating
143              system  memory  than  is necessary to prevent packets from being
144              dropped.
145
146              The buffer size is set with pcap_set_buffer_size().
147
148       Reading packets from a network interface may require that you have spe‐
149       cial privileges:
150
151       Under SunOS 3.x or 4.x with NIT or BPF:
152              You must have read access to /dev/nit or /dev/bpf*.
153
154       Under Solaris with DLPI:
155              You  must  have  read/write access to the network pseudo device,
156              e.g.  /dev/le.  On at least some versions of  Solaris,  however,
157              this  is not sufficient to allow tcpdump to capture in promiscu‐
158              ous mode; on those versions of Solaris, you must be root, or the
159              application  capturing packets must be installed setuid to root,
160              in order to capture in promiscuous mode.   Note  that,  on  many
161              (perhaps  all)  interfaces,  if you don't capture in promiscuous
162              mode, you will not see any outgoing packets, so  a  capture  not
163              done in promiscuous mode may not be very useful.
164
165              In  newer  versions  of  Solaris,  you  must have been given the
166              net_rawaccess privilege; this is both necessary  and  sufficient
167              to  give  you  access to the network pseudo-device - there is no
168              need to change the privileges on that device.   A  user  can  be
169              given  that  privilege by, for example, adding that privilege to
170              the user's defaultpriv key with the usermod (1M) command.
171
172       Under HP-UX with DLPI:
173              You must be root or the application capturing  packets  must  be
174              installed setuid to root.
175
176       Under IRIX with snoop:
177              You  must  be  root or the application capturing packets must be
178              installed setuid to root.
179
180       Under Linux:
181              You must be root or the application capturing  packets  must  be
182              installed  setuid to root (unless your distribution has a kernel
183              that supports capability bits such as CAP_NET_RAW  and  code  to
184              allow  those  capability bits to be given to particular accounts
185              and to cause those bits to be set on a user's initial  processes
186              when  they  log  in, in which case you  must have CAP_NET_RAW in
187              order to capture and CAP_NET_ADMIN to enumerate network  devices
188              with, for example, the -D flag).
189
190       Under ULTRIX and Digital UNIX/Tru64 UNIX:
191              Any  user  may  capture  network traffic.  However, no user (not
192              even the super-user) can  capture  in  promiscuous  mode  on  an
193              interface  unless  the  super-user  has enabled promiscuous-mode
194              operation on that interface using pfconfig(8), and no user  (not
195              even  the super-user) can capture unicast traffic received by or
196              sent by the machine on an interface unless  the  super-user  has
197              enabled  copy-all-mode  operation on that interface using pfcon‐
198              fig, so useful packet capture on an interface probably  requires
199              that either promiscuous-mode or copy-all-mode operation, or both
200              modes of operation, be enabled on that interface.
201
202       Under BSD (this includes Mac OS X):
203              You must have read access to /dev/bpf*  on  systems  that  don't
204              have  a  cloning  BPF device, or to /dev/bpf on systems that do.
205              On BSDs with a devfs  (this  includes  Mac  OS  X),  this  might
206              involve  more  than  just having somebody with super-user access
207              setting the ownership or permissions on the  BPF  devices  -  it
208              might  involve configuring devfs to set the ownership or permis‐
209              sions every time the system is booted, if the system  even  sup‐
210              ports  that;  if it doesn't support that, you might have to find
211              some other way to make that happen at boot time.
212
213       Reading a saved packet file doesn't require special privileges.
214
215       To  open   a   ``savefile``   to   which   to   write   packets,   call
216       pcap_dump_open().   It  returns  a pointer to a pcap_dumper_t, which is
217       the handle used for writing packets to the ``savefile''.
218
219       Packets are read with pcap_dispatch() or pcap_loop(), which process one
220       or  more  packets,  calling a callback routine for each packet, or with
221       pcap_next() or pcap_next_ex(), which return the next packet.  The call‐
222       back  for  pcap_dispatch()  and  pcap_loop() is supplied a pointer to a
223       struct pcap_pkthdr, which includes the following members:
224
225              ts     a struct timeval containing the time when the packet  was
226                     captured
227
228              caplen a  bpf_u_int32  giving  the number of bytes of the packet
229                     that are available from the capture
230
231              len    a bpf_u_int32 giving the length of the packet,  in  bytes
232                     (which  might  be more than the number of bytes available
233                     from the capture, if the length of the packet  is  larger
234                     than the maximum number of bytes to capture).
235
236       pcap_next_ex()  supplies  that  pointer  through  a  pointer  argument.
237       pcap_next() is passed an argument that points to a  struct  pcap_pkthdr
238       structure, and fills it in.
239
240       The  callback  is  also  supplied  a  const u_char pointer to the first
241       caplen (as given in the struct pcap_pkthdr a pointer to which is passed
242       to  the  callback  routine)  bytes of data from the packet.  This won't
243       necessarily be the entire packet; to capture  the  entire  packet,  you
244       will   have   to   provide   a  value  for  snaplen  in  your  call  to
245       pcap_open_live() that is sufficiently large to get all of the  packet's
246       data  -  a  value of 65535 should be sufficient on most if not all net‐
247       works).  When reading from a ``savefile'', the snapshot  length  speci‐
248       fied  when  the  capture  was performed will limit the amount of packet
249       data available.  pcap_next() returns that pointer; pcap_next_ex()  sup‐
250       plies that pointer through a pointer argument.
251

BACKWARDS COMPATIBILITY

253       In  versions of libpcap prior to 1.0, the pcap.h header file was not in
254       a pcap directory on most platforms; if you are writing  an  application
255       that  must  work on versions of libpcap prior to 1.0, include <pcap.h>,
256       which  will  include  <pcap/pcap.h>  for  you,  rather  than  including
257       <pcap/pcap.h>.
258
259       pcap_create()  and  pcap_activate()  were  not available in versions of
260       libpcap prior to 1.0; if you are writing an application that must  work
261       on versions of libpcap prior to 1.0, either use pcap_open_live() to get
262       a handle for a live capture or, if you want to be able to use the addi‐
263       tional capabilities offered by using pcap_create() and pcap_activate(),
264       use an autoconf(1) script or some other configuration script  to  check
265       whether  the  libpcap  1.0 APIs are available and use them only if they
266       are.
267

SEE ALSO

269       autoconf(1),  tcpdump(8),  tcpslice(8),  pcap-filter(7),   pfconfig(8),
270       usermod(1M)
271

AUTHORS

273       The original authors of libpcap are:
274
275       Van  Jacobson,  Craig  Leres  and  Steven  McCanne, all of the Lawrence
276       Berkeley National Laboratory, University of California, Berkeley, CA.
277
278       The current version is available from "The Tcpdump Group"'s Web site at
279
280              http://www.tcpdump.org/
281

BUGS

283       Please send problems, bugs, questions, desirable enhancements, etc. to:
284
285              tcpdump-workers@lists.tcpdump.org
286
287
288
289                                 4 April 2008                      PCAP(3PCAP)
Impressum