1PCAP(3PCAP) PCAP(3PCAP)
2
3
4
6 pcap - Packet Capture library
7
9 #include <pcap/pcap.h>
10
12 The Packet Capture library provides a high level interface to packet
13 capture systems. All packets on the network, even those destined for
14 other hosts, are accessible through this mechanism. It also supports
15 saving captured packets to a ``savefile'', and reading packets from a
16 ``savefile''.
17
18 Opening a capture handle for reading
19 To open a handle for a live capture, given the name of the network or
20 other interface on which the capture should be done, call pcap_cre‐
21 ate(), set the appropriate options on the handle, and then activate it
22 with pcap_activate().
23
24 To obtain a list of devices that can be opened for a live capture, call
25 pcap_findalldevs(); to free the list returned by pcap_findalldevs(),
26 call pcap_freealldevs(). pcap_lookupdev() will return the first device
27 on that list that is not a ``loopback`` network interface.
28
29 To open a handle for a ``savefile'' from which to read packets, given
30 the pathname of the ``savefile'', call pcap_open_offline(); to set up a
31 handle for a ``savefile'', given a FILE * referring to a file already
32 opened for reading, call pcap_fopen_offline().
33
34 In order to get a ``fake'' pcap_t for use in routines that require a
35 pcap_t as an argument, such as routines to open a ``savefile'' for
36 writing and to compile a filter expression, call pcap_open_dead().
37
38 pcap_create(), pcap_open_offline(), pcap_fopen_offline(), and
39 pcap_open_dead() return a pointer to a pcap_t, which is the handle used
40 for reading packets from the capture stream or the ``savefile'', and
41 for finding out information about the capture stream or ``savefile''.
42 To close a handle, use pcap_close().
43
44 The options that can be set on a capture handle include
45
46 snapshot length
47 If, when capturing, you capture the entire contents of the
48 packet, that requires more CPU time to copy the packet to your
49 application, more disk and possibly network bandwidth to write
50 the packet data to a file, and more disk space to save the
51 packet. If you don't need the entire contents of the packet -
52 for example, if you are only interested in the TCP headers of
53 packets - you can set the "snapshot length" for the capture to
54 an appropriate value. If the snapshot length is set to snaplen,
55 and snaplen is less than the size of a packet that is captured,
56 only the first snaplen bytes of that packet will be captured and
57 provided as packet data.
58
59 A snapshot length of 65535 should be sufficient, on most if not
60 all networks, to capture all the data available from the packet.
61
62 The snapshot length is set with pcap_set_snaplen().
63
64 promiscuous mode
65 On broadcast LANs such as Ethernet, if the network isn't
66 switched, or if the adapter is connected to a "mirror port" on a
67 switch to which all packets passing through the switch are sent,
68 a network adapter receives all packets on the LAN, including
69 unicast or multicast packets not sent to a network address that
70 the network adapter isn't configured to recognize.
71
72 Normally, the adapter will discard those packets; however, many
73 network adapters support "promiscuous mode", which is a mode in
74 which all packets, even if they are not sent to an address that
75 the adapter recognizes, are provided to the host. This is use‐
76 ful for passively capturing traffic between two or more other
77 hosts for analysis.
78
79 Note that even if an application does not set promiscuous mode,
80 the adapter could well be in promiscuous mode for some other
81 reason.
82
83 For now, this doesn't work on the "any" device; if an argument
84 of "any" or NULL is supplied, the setting of promiscuous mode is
85 ignored.
86
87 Promiscuous mode is set with pcap_set_promisc().
88
89 monitor mode
90 On IEEE 802.11 wireless LANs, even if an adapter is in promiscu‐
91 ous mode, it will supply to the host only frames for the network
92 with which it's associated. It might also supply only data
93 frames, not management or control frames, and might not provide
94 the 802.11 header or radio information pseudo-header for those
95 frames.
96
97 In "monitor mode", sometimes also called "rfmon mode" (for
98 "Radio Frequency MONitor"), the adapter will supply all frames
99 that it receives, with 802.11 headers, and might supply a
100 pseudo-header with radio information about the frame as well.
101
102 Note that in monitor mode the adapter might disassociate from
103 the network with which it's associated, so that you will not be
104 able to use any wireless networks with that adapter. This could
105 prevent accessing files on a network server, or resolving host
106 names or network addresses, if you are capturing in monitor mode
107 and are not connected to another network with another adapter.
108
109 Monitor mode is set with pcap_set_rfmon(), and
110 pcap_can_set_rfmon() can be used to determine whether an adapter
111 can be put into monitor mode.
112
113 packet buffer timeout
114 If, when capturing, packets are delivered as soon as they
115 arrive, the application capturing the packets will be woken up
116 for each packet as it arrives, and might have to make one or
117 more calls to the operating system to fetch each packet.
118
119 If, instead, packets are not delivered as soon as they arrive,
120 but are delivered after a short delay (called a "packet buffer
121 timeout"), more than one packet can be accumulated before the
122 packets are delivered, so that a single wakeup would be done for
123 multiple packets, and each set of calls made to the operating
124 system would supply multiple packets, rather than a single
125 packet. This reduces the per-packet CPU overhead if packets are
126 arriving at a high rate, increasing the number of packets per
127 second that can be captured.
128
129 The packet buffer timeout is required so that an application
130 won't wait for the operating system's capture buffer to fill up
131 before packets are delivered; if packets are arriving slowly,
132 that wait could take an arbitrarily long period of time.
133
134 Not all platforms support a packet buffer timeout; on platforms
135 that don't, the packet buffer timeout is ignored. A zero value
136 for the timeout, on platforms that support a packet buffer time‐
137 out, will cause a read to wait forever to allow enough packets
138 to arrive, with no timeout. A negative value is invalid; the
139 result of setting the timeout to a negative value is unpre‐
140 dictable.
141
142 NOTE: the packet buffer timeout cannot be used to cause calls
143 that read packets to return within a limited period of time,
144 because, on some platforms, the packet buffer timeout isn't sup‐
145 ported, and, on other platforms, the timer doesn't start until
146 at least one packet arrives. This means that the packet buffer
147 timeout should NOT be used, for example, in an interactive
148 application to allow the packet capture loop to ``poll'' for
149 user input periodically, as there's no guarantee that a call
150 reading packets will return after the timeout expires even if no
151 packets have arrived.
152
153 The packet buffer timeout is set with pcap_set_timeout().
154
155 immediate mode
156 In immediate mode, packets are always delivered as soon as they
157 arrive, with no buffering. Immediate mode is set with
158 pcap_set_immediate_mode().
159
160 buffer size
161 Packets that arrive for a capture are stored in a buffer, so
162 that they do not have to be read by the application as soon as
163 they arrive. On some platforms, the buffer's size can be set; a
164 size that's too small could mean that, if too many packets are
165 being captured and the snapshot length doesn't limit the amount
166 of data that's buffered, packets could be dropped if the buffer
167 fills up before the application can read packets from it, while
168 a size that's too large could use more non-pageable operating
169 system memory than is necessary to prevent packets from being
170 dropped.
171
172 The buffer size is set with pcap_set_buffer_size().
173
174 timestamp type
175 On some platforms, the time stamp given to packets on live cap‐
176 tures can come from different sources that can have different
177 resolutions or that can have different relationships to the time
178 values for the current time supplied by routines on the native
179 operating system. See pcap-tstamp(7) for a list of time stamp
180 types.
181
182 The time stamp type is set with pcap_set_tstamp_type().
183
184 Reading packets from a network interface may require that you have spe‐
185 cial privileges:
186
187 Under SunOS 3.x or 4.x with NIT or BPF:
188 You must have read access to /dev/nit or /dev/bpf*.
189
190 Under Solaris with DLPI:
191 You must have read/write access to the network pseudo device,
192 e.g. /dev/le. On at least some versions of Solaris, however,
193 this is not sufficient to allow tcpdump to capture in promiscu‐
194 ous mode; on those versions of Solaris, you must be root, or the
195 application capturing packets must be installed setuid to root,
196 in order to capture in promiscuous mode. Note that, on many
197 (perhaps all) interfaces, if you don't capture in promiscuous
198 mode, you will not see any outgoing packets, so a capture not
199 done in promiscuous mode may not be very useful.
200
201 In newer versions of Solaris, you must have been given the
202 net_rawaccess privilege; this is both necessary and sufficient
203 to give you access to the network pseudo-device - there is no
204 need to change the privileges on that device. A user can be
205 given that privilege by, for example, adding that privilege to
206 the user's defaultpriv key with the usermod (8) command.
207
208 Under HP-UX with DLPI:
209 You must be root or the application capturing packets must be
210 installed setuid to root.
211
212 Under IRIX with snoop:
213 You must be root or the application capturing packets must be
214 installed setuid to root.
215
216 Under Linux:
217 You must be root or the application capturing packets must be
218 installed setuid to root (unless your distribution has a kernel
219 that supports capability bits such as CAP_NET_RAW and code to
220 allow those capability bits to be given to particular accounts
221 and to cause those bits to be set on a user's initial processes
222 when they log in, in which case you must have CAP_NET_RAW in
223 order to capture and CAP_NET_ADMIN to enumerate network devices
224 with, for example, the -D flag).
225
226 Under ULTRIX and Digital UNIX/Tru64 UNIX:
227 Any user may capture network traffic. However, no user (not
228 even the super-user) can capture in promiscuous mode on an
229 interface unless the super-user has enabled promiscuous-mode
230 operation on that interface using pfconfig(8), and no user (not
231 even the super-user) can capture unicast traffic received by or
232 sent by the machine on an interface unless the super-user has
233 enabled copy-all-mode operation on that interface using pfcon‐
234 fig, so useful packet capture on an interface probably requires
235 that either promiscuous-mode or copy-all-mode operation, or both
236 modes of operation, be enabled on that interface.
237
238 Under BSD (this includes macOS):
239 You must have read access to /dev/bpf* on systems that don't
240 have a cloning BPF device, or to /dev/bpf on systems that do.
241 On BSDs with a devfs (this includes macOS), this might involve
242 more than just having somebody with super-user access setting
243 the ownership or permissions on the BPF devices - it might
244 involve configuring devfs to set the ownership or permissions
245 every time the system is booted, if the system even supports
246 that; if it doesn't support that, you might have to find some
247 other way to make that happen at boot time.
248
249 Reading a saved packet file doesn't require special privileges.
250
251 The packets read from the handle may include a ``pseudo-header'' con‐
252 taining various forms of packet meta-data, and probably includes a
253 link-layer header whose contents can differ for different network
254 interfaces. To determine the format of the packets supplied by the
255 handle, call pcap_datalink(); https://www.tcpdump.org/linktypes.html
256 lists the values it returns and describes the packet formats that cor‐
257 respond to those values.
258
259 Do NOT assume that the packets for a given capture or ``savefile`` will
260 have any given link-layer header type, such as DLT_EN10MB for Ethernet.
261 For example, the "any" device on Linux will have a link-layer header
262 type of DLT_LINUX_SLL even if all devices on the system at the time the
263 "any" device is opened have some other data link type, such as
264 DLT_EN10MB for Ethernet.
265
266 To obtain the FILE * corresponding to a pcap_t opened for a ``save‐
267 file'', call pcap_file().
268
269 Routines
270
271 pcap_create(3PCAP)
272 get a pcap_t for live capture
273
274 pcap_activate(3PCAP)
275 activate a pcap_t for live capture
276
277 pcap_findalldevs(3PCAP)
278 get a list of devices that can be opened for a live cap‐
279 ture
280
281 pcap_freealldevs(3PCAP)
282 free list of devices
283
284 pcap_lookupdev(3PCAP)
285 get first non-loopback device on that list
286
287 pcap_open_offline(3PCAP)
288 open a pcap_t for a ``savefile'', given a pathname
289
290 pcap_open_offline_with_tstamp_precision(3PCAP)
291 open a pcap_t for a ``savefile'', given a pathname, and
292 specify the precision to provide for packet time stamps
293
294 pcap_fopen_offline(3PCAP)
295 open a pcap_t for a ``savefile'', given a FILE *
296
297 pcap_fopen_offline_with_tstamp_precision(3PCAP)
298 open a pcap_t for a ``savefile'', given a FILE *, and
299 specify the precision to provide for packet time stamps
300
301 pcap_open_dead(3PCAP)
302 create a ``fake'' pcap_t
303
304 pcap_close(3PCAP)
305 close a pcap_t
306
307 pcap_set_snaplen(3PCAP)
308 set the snapshot length for a not-yet-activated pcap_t
309 for live capture
310
311 pcap_snapshot(3PCAP)
312 get the snapshot length for a pcap_t
313
314 pcap_set_promisc(3PCAP)
315 set promiscuous mode for a not-yet-activated pcap_t for
316 live capture
317
318 pcap_set_protocol_linux(3PCAP)
319 set capture protocol for a not-yet-activated pcap_t for
320 live capture (Linux only)
321
322 pcap_set_rfmon(3PCAP)
323 set monitor mode for a not-yet-activated pcap_t for live
324 capture
325
326 pcap_can_set_rfmon(3PCAP)
327 determine whether monitor mode can be set for a pcap_t
328 for live capture
329
330 pcap_set_timeout(3PCAP)
331 set packet buffer timeout for a not-yet-activated pcap_t
332 for live capture
333
334 pcap_set_immediate_mode(3PCAP)
335 set immediate mode for a not-yet-activated pcap_t for
336 live capture
337
338 pcap_set_buffer_size(3PCAP)
339 set buffer size for a not-yet-activated pcap_t for live
340 capture
341
342 pcap_set_tstamp_type(3PCAP)
343 set time stamp type for a not-yet-activated pcap_t for
344 live capture
345
346 pcap_list_tstamp_types(3PCAP)
347 get list of available time stamp types for a not-yet-
348 activated pcap_t for live capture
349
350 pcap_free_tstamp_types(3PCAP)
351 free list of available time stamp types
352
353 pcap_tstamp_type_val_to_name(3PCAP)
354 get name for a time stamp type
355
356 pcap_tstamp_type_val_to_description(3PCAP)
357 get description for a time stamp type
358
359 pcap_tstamp_type_name_to_val(3PCAP)
360 get time stamp type corresponding to a name
361
362 pcap_set_tstamp_precision(3PCAP)
363 set time stamp precision for a not-yet-activated pcap_t
364 for live capture
365
366 pcap_get_tstamp_precision(3PCAP)
367 get the time stamp precision of a pcap_t for live capture
368
369 pcap_datalink(3PCAP)
370 get link-layer header type for a pcap_t
371
372 pcap_file(3PCAP)
373 get the FILE * for a pcap_t opened for a ``savefile''
374
375 pcap_is_swapped(3PCAP)
376 determine whether a ``savefile'' being read came from a
377 machine with the opposite byte order
378
379 pcap_major_version(3PCAP)
380 pcap_minor_version(3PCAP)
381 get the major and minor version of the file format ver‐
382 sion for a ``savefile''
383
384 Selecting a link-layer header type for a live capture
385 Some devices may provide more than one link-layer header type. To
386 obtain a list of all link-layer header types provided by a device, call
387 pcap_list_datalinks() on an activated pcap_t for the device. To free a
388 list of link-layer header types, call pcap_free_datalinks(). To set
389 the link-layer header type for a device, call pcap_set_datalink().
390 This should be done after the device has been activated but before any
391 packets are read and before any filters are compiled or installed.
392
393 Routines
394
395 pcap_list_datalinks(3PCAP)
396 get a list of link-layer header types for a device
397
398 pcap_free_datalinks(3PCAP)
399 free list of link-layer header types
400
401 pcap_set_datalink(3PCAP)
402 set link-layer header type for a device
403
404 pcap_datalink_val_to_name(3PCAP)
405 get name for a link-layer header type
406
407 pcap_datalink_val_to_description(3PCAP)
408 get description for a link-layer header type
409
410 pcap_datalink_name_to_val(3PCAP)
411 get link-layer header type corresponding to a name
412
413 Reading packets
414 Packets are read with pcap_dispatch() or pcap_loop(), which process one
415 or more packets, calling a callback routine for each packet, or with
416 pcap_next() or pcap_next_ex(), which return the next packet. The call‐
417 back for pcap_dispatch() and pcap_loop() is supplied a pointer to a
418 struct pcap_pkthdr, which includes the following members:
419
420 ts a struct timeval containing the time when the packet was
421 captured
422
423 caplen a bpf_u_int32 giving the number of bytes of the packet
424 that are available from the capture
425
426 len a bpf_u_int32 giving the length of the packet, in bytes
427 (which might be more than the number of bytes available
428 from the capture, if the length of the packet is larger
429 than the maximum number of bytes to capture).
430
431 The callback is also supplied a const u_char pointer to the first
432 caplen (as given in the struct pcap_pkthdr mentioned above) bytes of
433 data from the packet. This won't necessarily be the entire packet; to
434 capture the entire packet, you will have to provide a value for snaplen
435 in your call to pcap_set_snaplen() that is sufficiently large to get
436 all of the packet's data - a value of 65535 should be sufficient on
437 most if not all networks). When reading from a ``savefile'', the snap‐
438 shot length specified when the capture was performed will limit the
439 amount of packet data available.
440
441 pcap_next() is passed an argument that points to a struct pcap_pkthdr
442 structure, and fills it in with the time stamp and length values for
443 the packet. It returns a const u_char to the first caplen bytes of the
444 packet on success, and NULL on error.
445
446 pcap_next_ex() is passed two pointer arguments, one of which points to
447 a structpcap_pkthdr* and one of which points to a const u_char*. It
448 sets the first pointer to point to a struct pcap_pkthdr structure with
449 the time stamp and length values for the packet, and sets the second
450 pointer to point to the first caplen bytes of the packet.
451
452 To force the loop in pcap_dispatch() or pcap_loop() to terminate, call
453 pcap_breakloop().
454
455 By default, when reading packets from an interface opened for a live
456 capture, pcap_dispatch(), pcap_next(), and pcap_next_ex() will, if no
457 packets are currently available to be read, block waiting for packets
458 to become available. On some, but not all, platforms, if a packet buf‐
459 fer timeout was specified, the wait will terminate after the packet
460 buffer timeout expires; applications should be prepared for this, as it
461 happens on some platforms, but should not rely on it, as it does not
462 happen on other platforms. Note that the wait might, or might not,
463 terminate even if no packets are available; applications should be pre‐
464 pared for this to happen, but must not rely on it happening.
465
466 A handle can be put into ``non-blocking mode'', so that those routines
467 will, rather than blocking, return an indication that no packets are
468 available to read. Call pcap_setnonblock() to put a handle into non-
469 blocking mode or to take it out of non-blocking mode; call pcap_getnon‐
470 block() to determine whether a handle is in non-blocking mode. Note
471 that non-blocking mode does not work correctly in Mac OS X 10.6.
472
473 Non-blocking mode is often combined with routines such as select(2) or
474 poll(2) or other routines a platform offers to wait for any of a set of
475 descriptors to be ready to read. To obtain, for a handle, a descriptor
476 that can be used in those routines, call pcap_get_selectable_fd(). If
477 the routine indicates that data is available to read on the descriptor,
478 an attempt should be made to read from the device.
479
480 Not all handles have such a descriptor available;
481 pcap_get_selectable_fd() will return PCAP_ERROR if no such descriptor
482 is available. If no such descriptor is available, this may be because
483 the device must be polled periodically for packets; in that case,
484 pcap_get_required_select_timeout() will return a pointer to a struct
485 timeval whose value can be used as a timeout in those routines. When
486 the routine returns, an attmept should be made to read packets from the
487 device. If pcap_get_required_select_timeout() returns NULL, no such
488 timeout is available, and those routines cannot be used with the
489 device.
490
491 In addition, for various reasons, one or more of those routines will
492 not work properly with the descriptor; the documentation for
493 pcap_get_selectable_fd() gives details. Note that, just as an attempt
494 to read packets from a pcap_t may not return any packets if the packet
495 buffer timeout expires, a select(), poll(), or other such call may, if
496 the packet buffer timeout expires, indicate that a descriptor is ready
497 to read even if there are no packets available to read.
498
499 Routines
500
501 pcap_dispatch(3PCAP)
502 read a bufferful of packets from a pcap_t open for a live
503 capture or the full set of packets from a pcap_t open for
504 a ``savefile''
505
506 pcap_loop(3PCAP)
507 read packets from a pcap_t until an interrupt or error
508 occurs
509
510 pcap_next(3PCAP)
511 read the next packet from a pcap_t without an indication
512 whether an error occurred
513
514 pcap_next_ex(3PCAP)
515 read the next packet from a pcap_t with an error indica‐
516 tion on an error
517
518 pcap_breakloop(3PCAP)
519 prematurely terminate the loop in pcap_dispatch() or
520 pcap_loop()
521
522 pcap_setnonblock(3PCAP)
523 set or clear non-blocking mode on a pcap_t
524
525 pcap_getnonblock(3PCAP)
526 get the state of non-blocking mode for a pcap_t
527
528 pcap_get_selectable_fd(3PCAP)
529 attempt to get a descriptor for a pcap_t that can be used
530 in calls such as select(2) and poll(2)
531
532 pcap_get_required_select_timeout(3PCAP)
533 if no descriptor usable with select(2) and poll(2) is
534 available for the pcap_t, attempt to get a timeout usable
535 with those routines
536
537 Filters
538 In order to cause only certain packets to be returned when reading
539 packets, a filter can be set on a handle. For a live capture, the fil‐
540 tering will be performed in kernel mode, if possible, to avoid copying
541 ``uninteresting'' packets from the kernel to user mode.
542
543 A filter can be specified as a text string; the syntax and semantics of
544 the string are as described by pcap-filter(7). A filter string is com‐
545 piled into a program in a pseudo-machine-language by pcap_compile() and
546 the resulting program can be made a filter for a handle with pcap_set‐
547 filter(). The result of pcap_compile() can be freed with a call to
548 pcap_freecode(). pcap_compile() may require a network mask for certain
549 expressions in the filter string; pcap_lookupnet() can be used to find
550 the network address and network mask for a given capture device.
551
552 A compiled filter can also be applied directly to a packet that has
553 been read using pcap_offline_filter().
554
555 Routines
556
557 pcap_compile(3PCAP)
558 compile filter expression to a pseudo-machine-language
559 code program
560
561 pcap_freecode(3PCAP)
562 free a filter program
563
564 pcap_setfilter(3PCAP)
565 set filter for a pcap_t
566
567 pcap_lookupnet(3PCAP)
568 get network address and network mask for a capture device
569
570 pcap_offline_filter(3PCAP)
571 apply a filter program to a packet
572
573 Incoming and outgoing packets
574 By default, libpcap will attempt to capture both packets sent by the
575 machine and packets received by the machine. To limit it to capturing
576 only packets received by the machine or, if possible, only packets sent
577 by the machine, call pcap_setdirection().
578
579 Routines
580
581 pcap_setdirection(3PCAP)
582 specify whether to capture incoming packets, outgoing
583 packets, or both
584
585 Capture statistics
586 To get statistics about packets received and dropped in a live capture,
587 call pcap_stats().
588
589 Routines
590
591 pcap_stats(3PCAP)
592 get capture statistics
593
594 Opening a handle for writing captured packets
595 To open a ``savefile`` to which to write packets, given the pathname
596 the ``savefile'' should have, call pcap_dump_open(). To open a ``save‐
597 file`` to which to write packets, given the pathname the ``savefile''
598 should have, call pcap_dump_open(); to set up a handle for a ``save‐
599 file'', given a FILE * referring to a file already opened for writing,
600 call pcap_dump_fopen(). They each return pointers to a pcap_dumper_t,
601 which is the handle used for writing packets to the ``savefile''. If
602 it succeeds, it will have created the file if it doesn't exist and
603 truncated the file if it does exist. To close a pcap_dumper_t, call
604 pcap_dump_close().
605
606 Routines
607
608 pcap_dump_open(3PCAP)
609 open a pcap_dumper_t for a ``savefile``, given a pathname
610
611 pcap_dump_fopen(3PCAP)
612 open a pcap_dumper_t for a ``savefile``, given a FILE *
613
614 pcap_dump_close(3PCAP)
615 close a pcap_dumper_t
616
617 pcap_dump_file(3PCAP)
618 get the FILE * for a pcap_dumper_t opened for a ``save‐
619 file''
620
621 Writing packets
622 To write a packet to a pcap_dumper_t, call pcap_dump(). Packets writ‐
623 ten with pcap_dump() may be buffered, rather than being immediately
624 written to the ``savefile''. Closing the pcap_dumper_t will cause all
625 buffered-but-not-yet-written packets to be written to the ``savefile''.
626 To force all packets written to the pcap_dumper_t, and not yet written
627 to the ``savefile'' because they're buffered by the pcap_dumper_t, to
628 be written to the ``savefile'', without closing the pcap_dumper_t, call
629 pcap_dump_flush().
630
631 Routines
632
633 pcap_dump(3PCAP)
634 write packet to a pcap_dumper_t
635
636 pcap_dump_flush(3PCAP)
637 flush buffered packets written to a pcap_dumper_t to the
638 ``savefile''
639
640 pcap_dump_ftell(3PCAP)
641 get current file position for a pcap_dumper_t
642
643 Injecting packets
644 If you have the required privileges, you can inject packets onto a net‐
645 work with a pcap_t for a live capture, using pcap_inject() or
646 pcap_sendpacket(). (The two routines exist for compatibility with both
647 OpenBSD and WinPcap; they perform the same function, but have different
648 return values.)
649
650 Routines
651
652 pcap_inject(3PCAP)
653 pcap_sendpacket(3PCAP)
654 transmit a packet
655
656 Reporting errors
657 Some routines return error or warning status codes; to convert them to
658 a string, use pcap_statustostr().
659
660 Routines
661
662 pcap_statustostr(3PCAP)
663 get a string for an error or warning status code
664
665 Getting library version information
666 To get a string giving version information about libpcap, call
667 pcap_lib_version().
668
669 Routines
670
671 pcap_lib_version(3PCAP)
672 get library version string
673
675 In versions of libpcap prior to 1.0, the pcap.h header file was not in
676 a pcap directory on most platforms; if you are writing an application
677 that must work on versions of libpcap prior to 1.0, include <pcap.h>,
678 which will include <pcap/pcap.h> for you, rather than including
679 <pcap/pcap.h>.
680
681 pcap_create() and pcap_activate() were not available in versions of
682 libpcap prior to 1.0; if you are writing an application that must work
683 on versions of libpcap prior to 1.0, either use pcap_open_live() to get
684 a handle for a live capture or, if you want to be able to use the addi‐
685 tional capabilities offered by using pcap_create() and pcap_activate(),
686 use an autoconf(1) script or some other configuration script to check
687 whether the libpcap 1.0 APIs are available and use them only if they
688 are.
689
691 autoconf(1), tcpdump(8), tcpslice(8), pcap-filter(7), pfconfig(8),
692 usermod(8)
693
695 The original authors of libpcap are:
696
697 Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence
698 Berkeley National Laboratory, University of California, Berkeley, CA.
699
700 The current version is available from "The Tcpdump Group"'s Web site at
701
702 https://www.tcpdump.org/
703
705 To report a security issue please send an e-mail to security@tcp‐
706 dump.org.
707
708 To report bugs and other problems, contribute patches, request a fea‐
709 ture, provide generic feedback etc please see the file CONTRIBUTING in
710 the libpcap source tree root.
711
712
713
714 25 July 2018 PCAP(3PCAP)