1Pcap(3) User Contributed Perl Documentation Pcap(3)
2
3
4
6 Net::Pcap - Interface to the pcap(3) LBL packet capture library
7
9 Version 0.18
10
12 use Net::Pcap;
13
14 my $err = '';
15 my $dev = pcap_lookupdev(\$err); # find a device
16
17 # open the device for live listening
18 my $pcap = pcap_open_live($dev, 1024, 1, 0, \$err);
19
20 # loop over next 10 packets
21 pcap_loop($pcap, 10, \&process_packet, "just for the demo");
22
23 # close the device
24 pcap_close($pcap);
25
26 sub process_packet {
27 my ($user_data, $header, $packet) = @_;
28 # do something ...
29 }
30
32 "Net::Pcap" is a Perl binding to the LBL pcap(3) library and its Win32
33 counterpart, the WinPcap library. Pcap (packet capture) is a portable
34 API to capture network packet: it allows applications to capture
35 packets at link-layer, bypassing the normal protocol stack. It also
36 provides features like kernel-level packet filtering and access to
37 internal statistics.
38
39 Common applications include network statistics collection, security
40 monitoring, network debugging, etc.
41
43 Signals handling
44 Since version 5.7.3, Perl uses a mechanism called "deferred signals" to
45 delay signals delivery until "safe" points in the interpreter. See
46 "Deferred Signals (Safe Signals)" in perlipc for a detailled
47 explanation.
48
49 Since "Net::Pcap" version 0.08, released in October 2005, the module
50 modified the internal variable "PL_signals" to re-enable immediate
51 signals delivery in Perl 5.8 and later within some XS functions (CPAN-
52 RT #6320). However, it can create situations where the Perl interpreter
53 is less stable and can crash (CPAN-RT #43308). Therefore, as of version
54 0.17, "Net::Pcap" no longer modifies "PL_signals" by itself, but
55 provides facilities so the user has full control of how signals are
56 delivered.
57
58 First, the "pcap_perl_settings()" function allows one to select how
59 signals are handled:
60
61 pcap_perl_settings(PERL_SIGNALS_UNSAFE);
62 pcap_loop($pcap, 10, \&process_packet, "");
63 pcap_perl_settings(PERL_SIGNALS_SAFE);
64
65 Then, to easily make code interruptable, "Net::Pcap" provides the
66 "UNSAFE_SIGNALS" pseudo-bloc:
67
68 UNSAFE_SIGNALS {
69 pcap_loop($pcap, 10, \&process_packet, "");
70 };
71
72 (Stolen from Rafael Garcia-Suarez's "Perl::Unsafe::Signals")
73
75 "Net::Pcap" supports the following "Exporter" tags:
76
77 · ":bpf" exports a few BPF related constants:
78
79 BPF_ALIGNMENT BPF_MAJOR_VERSION BPF_MAXBUFSIZE BPF_MAXINSNS
80 BPF_MEMWORDS BPF_MINBUFSIZE BPF_MINOR_VERSION BPF_RELEASE
81
82 · ":datalink" exports the data link types macros:
83
84 DLT_AIRONET_HEADER DLT_APPLE_IP_OVER_IEEE1394 DLT_ARCNET
85 DLT_ARCNET_LINUX DLT_ATM_CLIP DLT_ATM_RFC1483 DLT_AURORA
86 DLT_AX25 DLT_CHAOS DLT_CHDLC DLT_CISCO_IOS DLT_C_HDLC
87 DLT_DOCSIS DLT_ECONET DLT_EN10MB DLT_EN3MB DLT_ENC DLT_FDDI
88 DLT_FRELAY DLT_HHDLC DLT_IBM_SN DLT_IBM_SP DLT_IEEE802
89 DLT_IEEE802_11 DLT_IEEE802_11_RADIO DLT_IEEE802_11_RADIO_AVS
90 DLT_IPFILTER DLT_IP_OVER_FC DLT_JUNIPER_ATM1 DLT_JUNIPER_ATM2
91 DLT_JUNIPER_ES DLT_JUNIPER_GGSN DLT_JUNIPER_MFR DLT_JUNIPER_MLFR
92 DLT_JUNIPER_MLPPP DLT_JUNIPER_MONITOR DLT_JUNIPER_SERVICES
93 DLT_LINUX_IRDA DLT_LINUX_SLL DLT_LOOP DLT_LTALK DLT_NULL
94 DLT_OLD_PFLOG DLT_PCI_EXP DLT_PFLOG DLT_PFSYNC DLT_PPP
95 DLT_PPP_BSDOS DLT_PPP_ETHER DLT_PPP_SERIAL DLT_PRISM_HEADER
96 DLT_PRONET DLT_RAW DLT_RIO DLT_SLIP DLT_SLIP_BSDOS DLT_SUNATM
97 DLT_SYMANTEC_FIREWALL DLT_TZSP DLT_USER0 DLT_USER1 DLT_USER2
98 DLT_USER3 DLT_USER4 DLT_USER5 DLT_USER6 DLT_USER7 DLT_USER8
99 DLT_USER9 DLT_USER10 DLT_USER11 DLT_USER12 DLT_USER13
100 DLT_USER14 DLT_USER15
101
102 · ":pcap" exports the following "pcap" constants:
103
104 PCAP_ERRBUF_SIZE PCAP_IF_LOOPBACK
105 PCAP_VERSION_MAJOR PCAP_VERSION_MINOR
106
107 · ":mode" exports the following constants:
108
109 MODE_CAPT MODE_MON MODE_STAT
110
111 · ":openflag" exports the following constants:
112
113 OPENFLAG_PROMISCUOUS OPENFLAG_DATATX_UDP OPENFLAG_NOCAPTURE_RPCAP
114
115 · ":source" exports the following constants:
116
117 PCAP_SRC_FILE PCAP_SRC_IFLOCAL PCAP_SRC_IFREMOTE
118
119 · ":sample" exports the following constants:
120
121 PCAP_SAMP_NOSAMP PCAP_SAMP_1_EVERY_N PCAP_SAMP_FIRST_AFTER_N_MS
122
123 · ":rpcap" exports the following constants:
124
125 RMTAUTH_NULL RMTAUTH_PWD
126
127 · ":functions" short names of the functions (without the "pcap_"
128 prefix) for those which would not cause a clash with an already
129 defined name. Namely, the following functions are not available in
130 short form: "open()", "close()", "next()", "dump()", "file()",
131 "fileno()". Using these short names is now discouraged, and may be
132 removed in the future.
133
134 By default, this module exports the symbols from the ":datalink" and
135 ":pcap" tags, and all the functions, with the same names as the C
136 library.
137
139 All functions defined by "Net::Pcap" are direct mappings to the libpcap
140 functions. Consult the pcap(3) documentation and source code for more
141 information.
142
143 Arguments that change a parameter, for example "pcap_lookupdev()", are
144 passed that parameter as a reference. This is to retain compatibility
145 with previous versions of "Net::Pcap".
146
147 Lookup functions
148 pcap_lookupdev(\$err)
149 Returns the name of a network device that can be used with
150 "pcap_open_live()" function. On error, the $err parameter is
151 filled with an appropriate error message else it is undefined.
152
153 Example
154
155 $dev = pcap_lookupdev();
156
157 pcap_findalldevs(\%devinfo, \$err)
158 Returns a list of all network device names that can be used with
159 "pcap_open_live()" function. On error, the $err parameter is
160 filled with an appropriate error message else it is undefined.
161
162 Example
163
164 @devs = pcap_findalldevs(\%devinfo, \$err);
165 for my $dev (@devs) {
166 print "$dev : $devinfo{$dev}\n"
167 }
168
169 Note
170 For backward compatibility reasons, this function can also be
171 called using the following signatures:
172
173 @devs = pcap_findalldevs(\$err);
174
175 @devs = pcap_findalldevs(\$err, \%devinfo);
176
177 The first form was introduced by Marco Carnut in "Net::Pcap"
178 version 0.05 and kept intact in versions 0.06 and 0.07. The
179 second form was introduced by Jean-Louis Morel for the Windows
180 only, ActivePerl port of "Net::Pcap", in versions 0.04.01 and
181 0.04.02.
182
183 The new syntax has been introduced for consistency with the
184 rest of the Perl API and the C API of libpcap(3), where $err is
185 always the last argument.
186
187 pcap_lookupnet($dev, \$net, \$mask, \$err)
188 Determine the network number and netmask for the device specified
189 in $dev. The function returns 0 on success and sets the $net and
190 $mask parameters with values. On failure it returns -1 and the
191 $err parameter is filled with an appropriate error message.
192
193 Packet capture functions
194 pcap_open_live($dev, $snaplen, $promisc, $to_ms, \$err)
195 Returns a packet capture descriptor for looking at packets on the
196 network. The $dev parameter specifies which network interface to
197 capture packets from. The $snaplen and $promisc parameters specify
198 the maximum number of bytes to capture from each packet, and
199 whether to put the interface into promiscuous mode, respectively.
200 The $to_ms parameter specifies a read timeout in milliseconds. The
201 packet descriptor will be undefined if an error occurs, and the
202 $err parameter will be set with an appropriate error message.
203
204 Example
205
206 $dev = pcap_lookupdev();
207 $pcap = pcap_open_live($dev, 1024, 1, 0, \$err)
208 or die "Can't open device $dev: $err\n";
209
210 pcap_open_dead($linktype, $snaplen)
211 Creates and returns a new packet descriptor to use when calling the
212 other functions in "libpcap". It is typically used when just using
213 "libpcap" for compiling BPF code.
214
215 Example
216
217 $pcap = pcap_open_dead(0, 1024);
218
219 pcap_open_offline($filename, \$err)
220 Return a packet capture descriptor to read from a previously
221 created "savefile". The returned descriptor is undefined if there
222 was an error and in this case the $err parameter will be filled.
223 Savefiles are created using the "pcap_dump_*" commands.
224
225 Example
226
227 $pcap = pcap_open_offline($dump, \$err)
228 or die "Can't read '$dump': $err\n";
229
230 pcap_loop($pcap, $count, \&callback, $user_data)
231 Read $count packets from the packet capture descriptor $pcap and
232 call the perl function &callback with an argument of $user_data.
233 If $count is negative, then the function loops forever or until an
234 error occurs. Returns 0 if $count is exhausted, -1 on error, and -2
235 if the loop terminated due to a call to pcap_breakloop() before any
236 packets were processed.
237
238 The callback function is also passed packet header information and
239 packet data like so:
240
241 sub process_packet {
242 my ($user_data, $header, $packet) = @_;
243
244 ...
245 }
246
247 The header information is a reference to a hash containing the
248 following fields.
249
250 · "len" - the total length of the packet.
251
252 · "caplen" - the actual captured length of the packet data. This
253 corresponds to the snapshot length parameter passed to
254 "open_live()".
255
256 · "tv_sec" - seconds value of the packet timestamp.
257
258 · "tv_usec" - microseconds value of the packet timestamp.
259
260 Example
261
262 pcap_loop($pcap, 10, \&process_packet, "user data");
263
264 sub process_packet {
265 my ($user_data, $header, $packet) = @_;
266 # ...
267 }
268
269 pcap_breakloop($pcap)
270 Sets a flag that will force "pcap_dispatch()" or "pcap_loop()" to
271 return rather than looping; they will return the number of packets
272 that have been processed so far, or -2 if no packets have been
273 processed so far.
274
275 This routine is safe to use inside a signal handler on UNIX or a
276 console control handler on Windows, as it merely sets a flag that
277 is checked within the loop.
278
279 Please see the section on "pcap_breakloop()" in pcap(3) for more
280 information.
281
282 pcap_close($pcap)
283 Close the packet capture device associated with the descriptor
284 $pcap.
285
286 pcap_dispatch($pcap, $count, \&callback, $user_data)
287 Collect $count packets and process them with callback function
288 &callback. if $count is -1, all packets currently buffered are
289 processed. If $count is 0, process all packets until an error
290 occurs.
291
292 pcap_next($pcap, \%header)
293 Return the next available packet on the interface associated with
294 packet descriptor $pcap. Into the %header hash is stored the
295 received packet header. If not packet is available, the return
296 value and header is undefined.
297
298 pcap_next_ex($pcap, \%header, \$packet)
299 Reads the next available packet on the interface associated with
300 packet descriptor $pcap, stores its header in "\%header" and its
301 data in "\$packet" and returns a success/failure indication:
302
303 · 1 means that the packet was read without problems;
304
305 · 0 means that packets are being read from a live capture, and
306 the timeout expired;
307
308 · "-1" means that an error occurred while reading the packet;
309
310 · "-2" packets are being read from a dump file, and there are no
311 more packets to read from the savefile.
312
313 pcap_compile($pcap, \$filter, $filter_str, $optimize, $netmask)
314 Compile the filter string contained in $filter_str and store it in
315 $filter. A description of the filter language can be found in the
316 libpcap source code, or the manual page for tcpdump(8) . The
317 filter is optimized if the $optimize variable is true. The netmask
318 of the network device must be specified in the $netmask parameter.
319 The function returns 0 if the compilation was successful, or -1 if
320 there was a problem.
321
322 pcap_compile_nopcap($snaplen, $linktype, \$filter, $filter_str,
323 $optimize, $netmask)
324 Similar to "compile()" except that instead of passing a $pcap
325 descriptor, one passes $snaplen and $linktype directly. Returns -1
326 if there was an error, but the error message is not available.
327
328 pcap_setfilter($pcap, $filter)
329 Associate the compiled filter stored in $filter with the packet
330 capture descriptor $pcap.
331
332 pcap_freecode($filter)
333 Used to free the allocated memory used by a compiled filter, as
334 created by "pcap_compile()".
335
336 pcap_offline_filter($filter, \%header, $packet)
337 Check whether $filter matches the packet described by header
338 %header and packet data $packet. Returns true if the packet
339 matches.
340
341 pcap_setnonblock($pcap, $mode, \$err)
342 Set the non-blocking mode of a live capture descriptor, depending
343 on the value of $mode (zero to activate and non-zero to
344 deactivate). It has no effect on offline descriptors. If there is
345 an error, it returns -1 and sets $err.
346
347 In non-blocking mode, an attempt to read from the capture
348 descriptor with "pcap_dispatch()" will, if no packets are currently
349 available to be read, return 0 immediately rather than blocking
350 waiting for packets to arrive. "pcap_loop()" and "pcap_next()"
351 will not work in non-blocking mode.
352
353 pcap_getnonblock($pcap, \$err)
354 Returns the non-blocking state of the capture descriptor $pcap.
355 Always returns 0 on savefiles. If there is an error, it returns -1
356 and sets $err.
357
358 Savefile commands
359 pcap_dump_open($pcap, $filename)
360 Open a savefile for writing and return a descriptor for doing so.
361 If $filename is "-" data is written to standard output. On error,
362 the return value is undefined and "pcap_geterr()" can be used to
363 retrieve the error text.
364
365 pcap_dump($dumper, \%header, $packet)
366 Dump the packet described by header %header and packet data $packet
367 to the savefile associated with $dumper. The packet header has the
368 same format as that passed to the "pcap_loop()" callback.
369
370 Example
371
372 my $dump_file = 'network.dmp';
373 my $dev = pcap_lookupdev();
374 my $pcap = pcap_open_live($dev, 1024, 1, 0, \$err);
375
376 my $dumper = pcap_dump_open($pcap, $dump_file);
377 pcap_loop($pcap, 10, \&process_packet, '');
378 pcap_dump_close($dumper);
379
380 sub process_packet {
381 my ($user_data, $header, $packet) = @_;
382 pcap_dump($dumper, $header, $packet);
383 }
384
385 pcap_dump_file($dumper)
386 Returns the filehandle associated with a savefile opened with
387 "pcap_dump_open()".
388
389 pcap_dump_flush($dumper)
390 Flushes the output buffer to the corresponding save file, so that
391 any packets written with "pcap_dump()" but not yet written to the
392 save file will be written. Returns -1 on error, 0 on success.
393
394 pcap_dump_close($dumper)
395 Close the savefile associated with the descriptor $dumper.
396
397 Status functions
398 pcap_datalink($pcap)
399 Returns the link layer type associated with the given pcap
400 descriptor.
401
402 Example
403
404 $linktype = pcap_datalink($pcap);
405
406 pcap_set_datalink($pcap, $linktype)
407 Sets the data link type of the given pcap descriptor to the type
408 specified by $linktype. Returns -1 on failure.
409
410 pcap_datalink_name_to_val($name)
411 Translates a data link type name, which is a "DLT_" name with the
412 "DLT_" part removed, to the corresponding data link type value. The
413 translation is case-insensitive. Returns -1 on failure.
414
415 Example
416
417 $linktype = pcap_datalink_name_to_val('LTalk'); # returns DLT_LTALK
418
419 pcap_datalink_val_to_name($linktype)
420 Translates a data link type value to the corresponding data link
421 type name.
422
423 Example
424
425 $name = pcap_datalink_val_to_name(DLT_LTALK); # returns 'LTALK'
426
427 pcap_datalink_val_to_description($linktype)
428 Translates a data link type value to a short description of that
429 data link type.
430
431 Example
432
433 $descr = pcap_datalink_val_to_description(DLT_LTALK); # returns 'Localtalk'
434
435 pcap_snapshot($pcap)
436 Returns the snapshot length (snaplen) specified in the call to
437 "pcap_open_live()".
438
439 pcap_is_swapped($pcap)
440 This function returns true if the endianness of the currently open
441 savefile is different from the endianness of the machine.
442
443 pcap_major_version($pcap)
444 Return the major version number of the pcap library used to write
445 the currently open savefile.
446
447 pcap_minor_version($pcap)
448 Return the minor version of the pcap library used to write the
449 currently open savefile.
450
451 pcap_stats($pcap, \%stats)
452 Returns a hash containing information about the status of packet
453 capture device $pcap. The hash contains the following fields.
454
455 This function is supported only on live captures, not on savefiles;
456 no statistics are stored in savefiles, so no statistics are
457 available when reading from a savefile.
458
459 · "ps_recv" - the number of packets received by the packet
460 capture software.
461
462 · "ps_drop" - the number of packets dropped by the packet capture
463 software.
464
465 · "ps_ifdrop" - the number of packets dropped by the network
466 interface.
467
468 pcap_file($pcap)
469 Returns the filehandle associated with a savefile opened with
470 "pcap_open_offline()" or "undef" if the device was opened with
471 "pcap_open_live()".
472
473 pcap_fileno($pcap)
474 Returns the file number of the network device opened with
475 "pcap_open_live()".
476
477 pcap_get_selectable_fd($pcap)
478 Returns, on Unix, a file descriptor number for a file descriptor on
479 which one can do a "select()" or "poll()" to wait for it to be
480 possible to read packets without blocking, if such a descriptor
481 exists, or -1, if no such descriptor exists. Some network devices
482 opened with "pcap_open_live()" do not support "select()" or
483 "poll()", so -1 is returned for those devices. See pcap(3) for
484 more details.
485
486 Error handling
487 pcap_geterr($pcap)
488 Returns an error message for the last error associated with the
489 packet capture device $pcap.
490
491 pcap_strerror($errno)
492 Returns a string describing error number $errno.
493
494 pcap_perror($pcap, $prefix)
495 Prints the text of the last error associated with descriptor $pcap
496 on standard error, prefixed by $prefix.
497
498 Information
499 pcap_lib_version()
500 Returns the name and version of the "pcap" library the module was
501 linked against.
502
503 Perl specific functions
504 The following functions are specific to the Perl binding of libpcap.
505
506 pcap_perl_settings($setting)
507 Modify internal behaviour of the Perl interpreter.
508
509 · "PERL_SIGNALS_SAFE", "PERL_SIGNALS_UNSAFE" respectively enable
510 safe or unsafe signals delivery. Returns the previous value of
511 "PL_signals". See "Signals handling".
512
513 Example:
514
515 local $SIG{ALRM} = sub { pcap_breakloop() };
516 alarm 60;
517
518 pcap_perl_settings(PERL_SIGNALS_UNSAFE);
519 pcap_loop($pcap, 10, \&process_packet, "");
520 pcap_perl_settings(PERL_SIGNALS_SAFE);
521
522 WinPcap specific functions
523 The following functions are only available with WinPcap, the Win32 port
524 of the Pcap library. If a called function is not available, it will
525 cleanly "croak()".
526
527 pcap_createsrcstr(\$source, $type, $host, $port, $name, \$err)
528 Accepts a set of strings (host name, port, ...), and stores the
529 complete source string according to the new format (e.g.
530 "rpcap://1.2.3.4/eth0") in $source.
531
532 This function is provided in order to help the user creating the
533 source string according to the new format. An unique source string
534 is used in order to make easy for old applications to use the
535 remote facilities. Think about tcpdump(1), for example, which has
536 only one way to specify the interface on which the capture has to
537 be started. However, GUI-based programs can find more useful to
538 specify hostname, port and interface name separately. In that case,
539 they can use this function to create the source string before
540 passing it to the "pcap_open()" function.
541
542 Returns 0 if everything is fine, -1 if some errors occurred. The
543 string containing the complete source is returned in the $source
544 variable.
545
546 pcap_parsesrcstr($source, \$type, \$host, \$port, \$name, \$err)
547 Parse the source string and stores the pieces in which the source
548 can be split in the corresponding variables.
549
550 This call is the other way round of "pcap_createsrcstr()". It
551 accepts a null-terminated string and it returns the parameters
552 related to the source. This includes:
553
554 · the type of the source (file, WinPcap on a remote adapter,
555 WinPcap on local adapter), which is determined by the source
556 prefix ("PCAP_SRC_IF_STRING" and so on);
557
558 · the host on which the capture has to be started (only for
559 remote captures);
560
561 · the raw name of the source (file name, name of the remote
562 adapter, name of the local adapter), without the source prefix.
563 The string returned does not include the type of the source
564 itself (i.e. the string returned does not include "file://" or
565 "rpcap://" or such).
566
567 The user can omit some parameters in case it is not interested in
568 them.
569
570 Returns 0 if everything is fine, -1 if some errors occurred. The
571 requested values (host name, network port, type of the source) are
572 returned into the proper variables passed by reference.
573
574 pcap_open($source, $snaplen, $flags, $read_timeout, \$auth, \$err)
575 Open a generic source in order to capture / send (WinPcap only)
576 traffic.
577
578 The "pcap_open()" replaces all the "pcap_open_xxx()" functions with
579 a single call.
580
581 This function hides the differences between the different
582 "pcap_open_xxx()" functions so that the programmer does not have to
583 manage different opening function. In this way, the true "open()"
584 function is decided according to the source type, which is included
585 into the source string (in the form of source prefix).
586
587 Returns a pointer to a pcap descriptor which can be used as a
588 parameter to the following calls ("compile()" and so on) and that
589 specifies an opened WinPcap session. In case of problems, it
590 returns "undef" and the $err variable keeps the error message.
591
592 pcap_setbuff($pcap, $dim)
593 Sets the size of the kernel buffer associated with an adapter.
594 $dim specifies the size of the buffer in bytes. The return value
595 is 0 when the call succeeds, -1 otherwise.
596
597 If an old buffer was already created with a previous call to
598 "setbuff()", it is deleted and its content is discarded.
599 "open_live()" creates a 1 MB buffer by default.
600
601 pcap_setmode($pcap, $mode)
602 Sets the working mode of the interface $pcap to $mode. Valid
603 values for $mode are "MODE_CAPT" (default capture mode) and
604 "MODE_STAT" (statistical mode).
605
606 pcap_setmintocopy($pcap_t, $size)
607 Changes the minimum amount of data in the kernel buffer that causes
608 a read from the application to return (unless the timeout expires).
609
610 pcap_getevent($pcap)
611 Returns the "Win32::Event" object associated with the interface
612 $pcap. Can be used to wait until the driver's buffer contains some
613 data without performing a read. See Win32::Event.
614
615 pcap_sendpacket($pcap, $packet)
616 Send a raw packet to the network. $pcap is the interface that will
617 be used to send the packet, $packet contains the data of the packet
618 to send (including the various protocol headers). The MAC CRC
619 doesn't need to be included, because it is transparently calculated
620 and added by the network interface driver. The return value is 0 if
621 the packet is successfully sent, -1 otherwise.
622
623 pcap_sendqueue_alloc($memsize)
624 This function allocates and returns a send queue, i.e. a buffer
625 containing a set of raw packets that will be transmitted on the
626 network with "sendqueue_transmit()".
627
628 $memsize is the size, in bytes, of the queue, therefore it
629 determines the maximum amount of data that the queue will contain.
630 This memory is automatically deallocated when the queue ceases to
631 exist.
632
633 pcap_sendqueue_queue($queue, \%header, $packet)
634 Adds a packet at the end of the send queue pointed by $queue. The
635 packet header %header has the same format as that passed to the
636 "loop()" callback. $ackekt is a buffer with the data of the packet.
637
638 The %headerr header structure is the same used by WinPcap and
639 libpcap to store the packets in a file, therefore sending a capture
640 file is straightforward. "Raw packet" means that the sending
641 application will have to include the protocol headers, since every
642 packet is sent to the network as is. The CRC of the packets needs
643 not to be calculated, because it will be transparently added by the
644 network interface.
645
646 pcap_sendqueue_transmit($pcap, $queue, $sync)
647 This function transmits the content of a queue to the wire. $pcapt
648 is the interface on which the packets will be sent, $queue is to a
649 "send_queue" containing the packets to send, $sync determines if
650 the send operation must be synchronized: if it is non-zero, the
651 packets are sent respecting the timestamps, otherwise they are sent
652 as fast as possible.
653
654 The return value is the amount of bytes actually sent. If it is
655 smaller than the size parameter, an error occurred during the send.
656 The error can be caused by a driver/adapter problem or by an
657 inconsistent/bogus send queue.
658
660 "Net::Pcap" exports by default the names of several constants in order
661 to ease the development of programs. See "EXPORTS" for details about
662 which constants are exported.
663
664 Here are the descriptions of a few data link types. See pcap(3) for a
665 more complete description and semantics associated with each data link.
666
667 · "DLT_NULL" - BSD loopback encapsulation
668
669 · "DLT_EN10MB" - Ethernet (10Mb, 100Mb, 1000Mb, and up)
670
671 · "DLT_RAW" - raw IP
672
673 · "DLT_IEEE802" - IEEE 802.5 Token Ring
674
675 · "DLT_IEEE802_11" - IEEE 802.11 wireless LAN
676
677 · "DLT_FRELAY" - Frame Relay
678
679 · "DLT_FDDI" - FDDI
680
681 · "DLT_SLIP" - Serial Line IP
682
683 · "DLT_PPP" - PPP (Point-to-point Protocol)
684
685 · "DLT_PPP_SERIAL" - PPP over serial with HDLC encapsulation
686
687 · "DLT_PPP_ETHER" - PPP over Ethernet
688
689 · "DLT_IP_OVER_FC" - RFC 2625 IP-over-Fibre Channel
690
691 · "DLT_AX25" - Amateur Radio AX.25
692
693 · "DLT_LINUX_IRDA" - Linux-IrDA
694
695 · "DLT_LTALK" - Apple LocalTalk
696
697 · "DLT_APPLE_IP_OVER_IEEE1394" - Apple IP-over-IEEE 1394 (a.k.a.
698 Firewire)
699
701 "arg%d not a scalar ref"
702 "arg%d not a hash ref"
703 "arg%d not a reference"
704 (F) These errors occur if you forgot to give a reference to a
705 function which expect one or more of its arguments to be
706 references.
707
709 Please report any bugs or feature requests to
710 "bug-Net-Pcap@rt.cpan.org", or through the web interface at
711 <http://rt.cpan.org/Dist/Display.html?Queue=Net-Pcap>. I will be
712 notified, and then you'll automatically be notified of progress on your
713 bug as I make changes.
714
715 Currently known bugs:
716
717 · the "ps_recv" field is not correctly set; see t/07-stats.t
718
719 · "pcap_file()" seems to always returns "undef" for live connection
720 and causes segmentation fault for dump files; see t/10-fileno.t
721
722 · "pcap_fileno()" is documented to return -1 when called on save
723 file, but seems to always return an actual file number. See
724 t/10-fileno.t
725
726 · "pcap_dump_file()" seems to corrupt something somewhere, and makes
727 scripts dump core. See t/05-dump.t
728
730 See the eg/ and t/ directories of the "Net::Pcap" distribution for
731 examples on using this module.
732
734 Perl Modules
735 the NetPacket or Net::Frame modules to assemble and disassemble
736 packets.
737
738 Net::Pcap::Reassemble for reassembly of TCP/IP fragments.
739
740 POE::Component::Pcap for using "Net::Pcap" within POE-based programs.
741
742 AnyEvent::Pcap for using "Net::Pcap" within AnyEvent-based programs.
743
744 Net::Packet or NetPacket for decoding and creating network packets.
745
746 Net::Pcap::Easy is a module which provides an easier, more Perl-ish API
747 than "Net::Pcap" and integrates some facilities from Net::Netmask and
748 NetPacket.
749
750 Base Libraries
751 pcap(3), tcpdump(8)
752
753 The source code for the pcap(3) library is available from
754 <http://www.tcpdump.org/>
755
756 The source code and binary for the Win32 version of the pcap library,
757 WinPcap, is available from <http://www.winpcap.org/>
758
759 Articles
760 Hacking Linux Exposed: Sniffing with Net::Pcap to stealthily managing
761 iptables rules remotely,
762 <http://www.hackinglinuxexposed.com/articles/20030730.html>
763
764 PerlMonks node about Net::Pcap, <http://perlmonks.org/?node_id=170648>
765
767 Current maintainer is Sébastien Aperghis-Tramoni (SAPER) with the help
768 of Tim Wilde (TWILDE).
769
770 Complete list of authors & contributors:
771
772 · Bo Adler (BOADLER) <thumper (at) alumni.caltech.edu>
773
774 · Craig Davison
775
776 · David Farrell
777
778 · David N. Blank-Edelman <dnb (at) ccs.neu.edu>
779
780 · James Rouzier (ROUZIER)
781
782 · Jean-Louis Morel (JLMOREL) <jl_morel (at) bribes.org>
783
784 · Marco Carnut (KCARNUT) <kiko (at) tempest.com.br>
785
786 · Patrice Auffret (GOMOR)
787
788 · Peter Lister (PLISTER) <p.lister (at) cranfield.ac.uk>
789
790 · Rafaël Garcia-Suarez (RGARCIA)
791
792 · Sébastien Aperghis-Tramoni (SAPER) <sebastien (at) aperghis.net>
793
794 · Tim Potter (TIMPOTTER) <tpot (at) frungy.org>
795
796 · Tim Wilde (TWILDE)
797
799 The original version of "Net::Pcap", version 0.01, was written by Peter
800 Lister using SWIG.
801
802 Version 0.02 was created by Bo Adler with a few bugfixes but not
803 uploaded to CPAN. It could be found at:
804 <http://www.buttsoft.com/~thumper/software/perl/Net-Pcap/>
805
806 Versions 0.03 and 0.04 were created by Tim Potter who entirely rewrote
807 "Net::Pcap" using XS and wrote the documentation, with the help of
808 David N. Blank-Edelman for testing and general polishing.
809
810 Version 0.05 was released by Marco Carnut with fixes to make it work
811 with Cygwin and WinPcap.
812
813 Version 0.04.02 was independantly created by Jean-Louis Morel but not
814 uploaded on the CPAN. It can be found here:
815 <http://www.bribes.org/perl/wnetpcap.html>
816
817 Based on Tim Potter's version 0.04, it included fixes for WinPcap and
818 added wrappers for several new libpcap functions as well as WinPcap
819 specific functions.
820
822 To Paul Johnson for his module Devel::Cover and his patience for
823 helping me using it with XS code, which revealed very useful for
824 writing more tests.
825
826 To the beta-testers: Jean-Louis Morel, Max Maischen, Philippe Bruhat,
827 David Morel, Scott Lanning, Rafael Garcia-Suarez, Karl Y. Pradene.
828
830 Copyright (C) 2005-2016 Sébastien Aperghis-Tramoni and contributors.
831 All rights reserved.
832
833 Copyright (C) 2003 Marco Carnut. All rights reserved.
834
835 Copyright (C) 1999, 2000 Tim Potter. All rights reserved.
836
837 Copyright (C) 1998 Bo Adler. All rights reserved.
838
839 Copyright (C) 1997 Peter Lister. All rights reserved.
840
841 This program is free software; you can redistribute it and/or modify it
842 under the same terms as Perl itself.
843
844
845
846perl v5.30.1 2020-01-30 Pcap(3)