1PCAP(3PCAP)                                                        PCAP(3PCAP)
2
3
4

NAME

6       pcap - Packet Capture library
7

SYNOPSIS

9       #include <pcap/pcap.h>
10

DESCRIPTION

12       The  Packet  Capture  library provides a high level interface to packet
13       capture systems. All packets on the network, even  those  destined  for
14       other  hosts,  are accessible through this mechanism.  It also supports
15       saving captured packets to a ``savefile'', and reading packets  from  a
16       ``savefile''.
17
18   Initializing
19       pcap_init()  initializes  the  library.   It  takes  an argument giving
20       options; currently, the options are:
21
22       PCAP_CHAR_ENC_LOCAL
23              Treat all strings supplied as arguments, and return all  strings
24              to the caller, as being in the local character encoding.
25
26       PCAP_CHAR_ENC_UTF_8
27              Treat  all strings supplied as arguments, and return all strings
28              to the caller, as being in UTF-8.
29
30       On UNIX-like systems, the local character encoding  is  assumed  to  be
31       UTF-8, so no character encoding transformations are done.
32
33       On Windows, the local character encoding is the local ANSI code page.
34
35       If  pcap_init()  is  called,  the  deprecated  pcap_lookupdev() routine
36       always fails, so it should not be used, and, on Windows,  pcap_create()
37       does not attempt to handle UTF-16LE strings.
38
39       If pcap_init() is not called, strings are treated as being in the local
40       ANSI code page on Windows, pcap_lookupdev() will succeed if there is  a
41       device on which to capture, and pcap_create() makes an attempt to check
42       whether the string passed as an argument is a UTF-16LE  string  -  note
43       that this attempt is unsafe, as it may run past the end of the string -
44       to handle pcap_lookupdev() returning a UTF-16LE string.  Programs  that
45       don't  call  pcap_init()  should,  on Windows, call pcap_wsockinit() to
46       initialize Winsock; this is not necessary if pcap_init() is called,  as
47       pcap_init() will initialize Winsock itself on Windows.
48
49       Routines
50
51              pcap_init(3PCAP)
52                     initialize the library
53
54   Opening a capture handle for reading
55       To  open  a handle for a live capture, given the name of the network or
56       other interface on which the capture should  be  done,  call  pcap_cre‐
57       ate(),  set the appropriate options on the handle, and then activate it
58       with pcap_activate().  If pcap_activate() fails, the handle  should  be
59       closed with pcap_close().
60
61       To obtain a list of devices that can be opened for a live capture, call
62       pcap_findalldevs(); to free the list  returned  by  pcap_findalldevs(),
63       call pcap_freealldevs().  pcap_lookupdev() will return the first device
64       on that list that is not a ``loopback`` network interface.
65
66       To open a handle for a ``savefile'' from which to read  packets,  given
67       the pathname of the ``savefile'', call pcap_open_offline(); to set up a
68       handle for a ``savefile'', given a FILE * referring to a  file  already
69       opened for reading, call pcap_fopen_offline().
70
71       In  order  to  get a ``fake'' pcap_t for use in routines that require a
72       pcap_t as an argument, such as routines  to  open  a  ``savefile''  for
73       writing and to compile a filter expression, call pcap_open_dead().
74
75       pcap_create(),     pcap_open_offline(),    pcap_fopen_offline(),    and
76       pcap_open_dead() return a pointer to a pcap_t, which is the handle used
77       for  reading  packets  from the capture stream or the ``savefile'', and
78       for finding out information about the capture stream  or  ``savefile''.
79       To close a handle, use pcap_close().
80
81       The options that can be set on a capture handle include
82
83       snapshot length
84              If,  when  capturing,  you  capture  the  entire contents of the
85              packet, that requires more CPU time to copy the packet  to  your
86              application,  more  disk and possibly network bandwidth to write
87              the packet data to a file, and  more  disk  space  to  save  the
88              packet.   If  you don't need the entire contents of the packet -
89              for example, if you are only interested in the  TCP  headers  of
90              packets  -  you can set the "snapshot length" for the capture to
91              an appropriate value.  If the snapshot length is set to snaplen,
92              and  snaplen is less than the size of a packet that is captured,
93              only the first snaplen bytes of that packet will be captured and
94              provided as packet data.
95
96              A  snapshot length of 65535 should be sufficient, on most if not
97              all networks, to capture all the data available from the packet.
98
99              The snapshot length is set with pcap_set_snaplen().
100
101       promiscuous mode
102              On broadcast  LANs  such  as  Ethernet,  if  the  network  isn't
103              switched, or if the adapter is connected to a "mirror port" on a
104              switch to which all packets passing through the switch are sent,
105              a  network  adapter  receives  all packets on the LAN, including
106              unicast or multicast packets not sent to a network address  that
107              the network adapter isn't configured to recognize.
108
109              Normally,  the adapter will discard those packets; however, many
110              network adapters support "promiscuous mode", which is a mode  in
111              which  all packets, even if they are not sent to an address that
112              the adapter recognizes, are provided to the host.  This is  use‐
113              ful  for  passively  capturing traffic between two or more other
114              hosts for analysis.
115
116              Note that even if an application does not set promiscuous  mode,
117              the  adapter  could  well  be in promiscuous mode for some other
118              reason.
119
120              For now, this doesn't work on the "any" device; if  an  argument
121              of "any" or NULL is supplied, the setting of promiscuous mode is
122              ignored.
123
124              Promiscuous mode is set with pcap_set_promisc().
125
126       monitor mode
127              On IEEE 802.11 wireless LANs, even if an adapter is in promiscu‐
128              ous mode, it will supply to the host only frames for the network
129              with which it's associated.  It  might  also  supply  only  data
130              frames,  not management or control frames, and might not provide
131              the 802.11 header or radio information pseudo-header  for  those
132              frames.
133
134              In  "monitor  mode",  sometimes  also  called  "rfmon mode" (for
135              "Radio Frequency MONitor"), the adapter will supply  all  frames
136              that  it  receives,  with  802.11  headers,  and  might supply a
137              pseudo-header with radio information about the frame as well.
138
139              Note that in monitor mode the adapter  might  disassociate  from
140              the  network with which it's associated, so that you will not be
141              able to use any wireless networks with that adapter.  This could
142              prevent  accessing  files on a network server, or resolving host
143              names or network addresses, if you are capturing in monitor mode
144              and are not connected to another network with another adapter.
145
146              Monitor    mode    is    set    with    pcap_set_rfmon(),    and
147              pcap_can_set_rfmon() can be used to determine whether an adapter
148              can be put into monitor mode.
149
150       packet buffer timeout
151              If,  when  capturing,  packets  are  delivered  as  soon as they
152              arrive, the application capturing the packets will be  woken  up
153              for  each  packet  as  it arrives, and might have to make one or
154              more calls to the operating system to fetch each packet.
155
156              If, instead, packets are not delivered as soon as  they  arrive,
157              but  are  delivered after a short delay (called a "packet buffer
158              timeout"), more than one packet can be  accumulated  before  the
159              packets are delivered, so that a single wakeup would be done for
160              multiple packets, and each set of calls made  to  the  operating
161              system  would  supply  multiple  packets,  rather  than a single
162              packet.  This reduces the per-packet CPU overhead if packets are
163              arriving  at  a  high rate, increasing the number of packets per
164              second that can be captured.
165
166              The packet buffer timeout is required  so  that  an  application
167              won't  wait for the operating system's capture buffer to fill up
168              before packets are delivered; if packets  are  arriving  slowly,
169              that wait could take an arbitrarily long period of time.
170
171              Not  all platforms support a packet buffer timeout; on platforms
172              that don't, the packet buffer timeout is ignored.  A zero  value
173              for the timeout, on platforms that support a packet buffer time‐
174              out, will cause a read to wait forever to allow  enough  packets
175              to  arrive,  with  no timeout.  A negative value is invalid; the
176              result of setting the timeout to  a  negative  value  is  unpre‐
177              dictable.
178
179              NOTE:  the  packet  buffer timeout cannot be used to cause calls
180              that read packets to return within a  limited  period  of  time,
181              because, on some platforms, the packet buffer timeout isn't sup‐
182              ported, and, on other platforms, the timer doesn't  start  until
183              at  least one packet arrives.  This means that the packet buffer
184              timeout should NOT be  used,  for  example,  in  an  interactive
185              application  to  allow  the  packet capture loop to ``poll'' for
186              user input periodically, as there's no  guarantee  that  a  call
187              reading packets will return after the timeout expires even if no
188              packets have arrived.
189
190              The packet buffer timeout is set with pcap_set_timeout().
191
192       immediate mode
193              In immediate mode, packets are always delivered as soon as  they
194              arrive,   with   no  buffering.   Immediate  mode  is  set  with
195              pcap_set_immediate_mode().
196
197       buffer size
198              Packets that arrive for a capture are stored  in  a  buffer,  so
199              that  they  do not have to be read by the application as soon as
200              they arrive.  On some platforms, the buffer's size can be set; a
201              size  that's  too small could mean that, if too many packets are
202              being captured and the snapshot length doesn't limit the  amount
203              of  data that's buffered, packets could be dropped if the buffer
204              fills up before the application can read packets from it,  while
205              a  size  that's  too large could use more non-pageable operating
206              system memory than is necessary to prevent  packets  from  being
207              dropped.
208
209              The buffer size is set with pcap_set_buffer_size().
210
211       timestamp type
212              On  some platforms, the time stamp given to packets on live cap‐
213              tures can come from different sources that  can  have  different
214              resolutions or that can have different relationships to the time
215              values for the current time supplied by routines on  the  native
216              operating  system.   See pcap-tstamp(7) for a list of time stamp
217              types.
218
219              The time stamp type is set with pcap_set_tstamp_type().
220
221       Reading packets from a network interface may require that you have spe‐
222       cial privileges:
223
224       Under SunOS 3.x or 4.x with NIT or BPF:
225              You must have read access to /dev/nit or /dev/bpf*.
226
227       Under Solaris with DLPI:
228              You  must  have  read/write access to the network pseudo device,
229              e.g.  /dev/le.  On at least some versions of  Solaris,  however,
230              this  is not sufficient to allow tcpdump to capture in promiscu‐
231              ous mode; on those versions of Solaris, you must be root, or the
232              application  capturing packets must be installed setuid to root,
233              in order to capture in promiscuous mode.   Note  that,  on  many
234              (perhaps  all)  interfaces,  if you don't capture in promiscuous
235              mode, you will not see any outgoing packets, so  a  capture  not
236              done in promiscuous mode may not be very useful.
237
238              In  newer  versions  of  Solaris,  you  must have been given the
239              net_rawaccess privilege; this is both necessary  and  sufficient
240              to  give  you  access to the network pseudo-device - there is no
241              need to change the privileges on that device.   A  user  can  be
242              given  that  privilege by, for example, adding that privilege to
243              the user's defaultpriv key with the usermod(8) command.
244
245       Under HP-UX with DLPI:
246              You must be root or the application capturing  packets  must  be
247              installed setuid to root.
248
249       Under IRIX with snoop:
250              You  must  be  root or the application capturing packets must be
251              installed setuid to root.
252
253       Under Linux:
254              You must be root or the application capturing  packets  must  be
255              installed  setuid to root, unless your distribution has a kernel
256              that supports capability bits such as CAP_NET_RAW  and  code  to
257              allow  those  capability bits to be given to particular accounts
258              and to cause those bits to be set on a user's initial  processes
259              when  they  log  in,  in which case you must have CAP_NET_RAW in
260              order to capture.
261
262       Under ULTRIX and Digital UNIX/Tru64 UNIX:
263              Any user may capture network traffic.   However,  no  user  (not
264              even  the  super-user)  can  capture  in  promiscuous mode on an
265              interface unless the  super-user  has  enabled  promiscuous-mode
266              operation  on that interface using pfconfig(8), and no user (not
267              even the super-user) can capture unicast traffic received by  or
268              sent  by  the  machine on an interface unless the super-user has
269              enabled copy-all-mode operation on that interface  using  pfcon‐
270              fig,  so useful packet capture on an interface probably requires
271              that either promiscuous-mode or copy-all-mode operation, or both
272              modes of operation, be enabled on that interface.
273
274       Under BSD (this includes macOS):
275              You  must  have  read  access to /dev/bpf* on systems that don't
276              have a cloning BPF device, or to /dev/bpf on  systems  that  do.
277              On  BSDs  with a devfs (this includes macOS), this might involve
278              more than just having somebody with  super-user  access  setting
279              the  ownership  or  permissions  on  the  BPF devices - it might
280              involve configuring devfs to set the  ownership  or  permissions
281              every  time  the  system  is booted, if the system even supports
282              that; if it doesn't support that, you might have  to  find  some
283              other way to make that happen at boot time.
284
285       Reading a saved packet file doesn't require special privileges.
286
287       The  packets  read from the handle may include a ``pseudo-header'' con‐
288       taining various forms of packet  meta-data,  and  probably  includes  a
289       link-layer  header  whose  contents  can  differ  for different network
290       interfaces.  To determine the format of the  packets  supplied  by  the
291       handle,  call  pcap_datalink();  https://www.tcpdump.org/linktypes.html
292       lists the values it returns and describes the packet formats that  cor‐
293       respond to those values.
294
295       Do NOT assume that the packets for a given capture or ``savefile`` will
296       have any given link-layer header type, such as DLT_EN10MB for Ethernet.
297       For  example,  the  "any" device on Linux will have a link-layer header
298       type of DLT_LINUX_SLL or DLT_LINUX_SLL2 even if all devices on the sys‐
299       tem  at  the  time the "any" device is opened have some other data link
300       type, such as DLT_EN10MB for Ethernet.
301
302       To obtain the FILE * corresponding to a pcap_t  opened  for  a  ``save‐
303       file'', call pcap_file().
304
305       Routines
306
307              pcap_create(3PCAP)
308                     get a pcap_t for live capture
309
310              pcap_activate(3PCAP)
311                     activate a pcap_t for live capture
312
313              pcap_findalldevs(3PCAP)
314                     get  a list of devices that can be opened for a live cap‐
315                     ture
316
317              pcap_freealldevs(3PCAP)
318                     free list of devices
319
320              pcap_lookupdev(3PCAP)
321                     get first non-loopback device on that list
322
323              pcap_open_offline(3PCAP)
324                     open a pcap_t for a ``savefile'', given a pathname
325
326              pcap_open_offline_with_tstamp_precision(3PCAP)
327                     open a pcap_t for a ``savefile'', given a  pathname,  and
328                     specify the precision to provide for packet time stamps
329
330              pcap_fopen_offline(3PCAP)
331                     open a pcap_t for a ``savefile'', given a FILE *
332
333              pcap_fopen_offline_with_tstamp_precision(3PCAP)
334                     open  a  pcap_t  for  a ``savefile'', given a FILE *, and
335                     specify the precision to provide for packet time stamps
336
337              pcap_open_dead(3PCAP)
338                     create a ``fake'' pcap_t
339
340              pcap_close(3PCAP)
341                     close a pcap_t
342
343              pcap_set_snaplen(3PCAP)
344                     set the snapshot length for  a  not-yet-activated  pcap_t
345                     for live capture
346
347              pcap_snapshot(3PCAP)
348                     get the snapshot length for a pcap_t
349
350              pcap_set_promisc(3PCAP)
351                     set  promiscuous  mode for a not-yet-activated pcap_t for
352                     live capture
353
354              pcap_set_protocol_linux(3PCAP)
355                     set capture protocol for a not-yet-activated  pcap_t  for
356                     live capture (Linux only)
357
358              pcap_set_rfmon(3PCAP)
359                     set  monitor mode for a not-yet-activated pcap_t for live
360                     capture
361
362              pcap_can_set_rfmon(3PCAP)
363                     determine whether monitor mode can be set  for  a  pcap_t
364                     for live capture
365
366              pcap_set_timeout(3PCAP)
367                     set  packet buffer timeout for a not-yet-activated pcap_t
368                     for live capture
369
370              pcap_set_immediate_mode(3PCAP)
371                     set immediate mode for  a  not-yet-activated  pcap_t  for
372                     live capture
373
374              pcap_set_buffer_size(3PCAP)
375                     set  buffer  size for a not-yet-activated pcap_t for live
376                     capture
377
378              pcap_set_tstamp_type(3PCAP)
379                     set time stamp type for a  not-yet-activated  pcap_t  for
380                     live capture
381
382              pcap_list_tstamp_types(3PCAP)
383                     get  list  of  available  time stamp types for a not-yet-
384                     activated pcap_t for live capture
385
386              pcap_free_tstamp_types(3PCAP)
387                     free list of available time stamp types
388
389              pcap_tstamp_type_val_to_name(3PCAP)
390                     get name for a time stamp type
391
392              pcap_tstamp_type_val_to_description(3PCAP)
393                     get description for a time stamp type
394
395              pcap_tstamp_type_name_to_val(3PCAP)
396                     get time stamp type corresponding to a name
397
398              pcap_set_tstamp_precision(3PCAP)
399                     set time stamp precision for a  not-yet-activated  pcap_t
400                     for live capture
401
402              pcap_get_tstamp_precision(3PCAP)
403                     get the time stamp precision of a pcap_t for live capture
404
405              pcap_datalink(3PCAP)
406                     get link-layer header type for a pcap_t
407
408              pcap_file(3PCAP)
409                     get the FILE * for a pcap_t opened for a ``savefile''
410
411              pcap_is_swapped(3PCAP)
412                     determine  whether  a ``savefile'' being read came from a
413                     machine with the opposite byte order
414
415              pcap_major_version(3PCAP)
416              pcap_minor_version(3PCAP)
417                     get the major and minor version of the file  format  ver‐
418                     sion for a ``savefile''
419
420   Selecting a link-layer header type for a live capture
421       Some  devices  may  provide  more  than one link-layer header type.  To
422       obtain a list of all link-layer header types provided by a device, call
423       pcap_list_datalinks() on an activated pcap_t for the device.  To free a
424       list of link-layer header types, call  pcap_free_datalinks().   To  set
425       the  link-layer  header  type  for  a device, call pcap_set_datalink().
426       This should be done after the device has been activated but before  any
427       packets are read and before any filters are compiled or installed.
428
429       Routines
430
431              pcap_list_datalinks(3PCAP)
432                     get a list of link-layer header types for a device
433
434              pcap_free_datalinks(3PCAP)
435                     free list of link-layer header types
436
437              pcap_set_datalink(3PCAP)
438                     set link-layer header type for a device
439
440              pcap_datalink_val_to_name(3PCAP)
441                     get name for a link-layer header type
442
443              pcap_datalink_val_to_description(3PCAP)
444              pcap_datalink_val_to_description_or_dlt(3PCAP)
445                     get description for a link-layer header type
446
447              pcap_datalink_name_to_val(3PCAP)
448                     get link-layer header type corresponding to a name
449
450   Reading packets
451       Packets are read with pcap_dispatch() or pcap_loop(), which process one
452       or more packets, calling a callback routine for each  packet,  or  with
453       pcap_next() or pcap_next_ex(), which return the next packet.  The call‐
454       back for pcap_dispatch() and pcap_loop() is supplied  a  pointer  to  a
455       struct pcap_pkthdr, which includes the following members:
456
457              ts     a  struct timeval containing the time when the packet was
458                     captured
459
460              caplen a bpf_u_int32 giving the number of bytes  of  the  packet
461                     that are available from the capture
462
463              len    a  bpf_u_int32  giving the length of the packet, in bytes
464                     (which might be more than the number of  bytes  available
465                     from  the  capture, if the length of the packet is larger
466                     than the maximum number of bytes to capture).
467
468       The callback is also supplied a  const  u_char  pointer  to  the  first
469       caplen  (as  given  in the struct pcap_pkthdr mentioned above) bytes of
470       data from the packet.  This won't necessarily be the entire packet;  to
471       capture the entire packet, you will have to provide a value for snaplen
472       in your call to pcap_set_snaplen() that is sufficiently  large  to  get
473       all  of  the  packet's  data - a value of 65535 should be sufficient on
474       most if not all networks).  When reading from a ``savefile'', the snap‐
475       shot  length  specified  when  the capture was performed will limit the
476       amount of packet data available.
477
478       pcap_next() is passed an argument that points to a  struct  pcap_pkthdr
479       structure,  and  fills  it in with the time stamp and length values for
480       the packet.  It returns a const u_char to the first caplen bytes of the
481       packet on success, and NULL on error.
482
483       pcap_next_ex()  is passed two pointer arguments, one of which points to
484       a structpcap_pkthdr* and one of which points to a  const  u_char*.   It
485       sets  the first pointer to point to a struct pcap_pkthdr structure with
486       the time stamp and length values for the packet, and  sets  the  second
487       pointer to point to the first caplen bytes of the packet.
488
489       To  force the loop in pcap_dispatch() or pcap_loop() to terminate, call
490       pcap_breakloop().
491
492       By default, when reading packets from an interface opened  for  a  live
493       capture,  pcap_dispatch(),  pcap_next(), and pcap_next_ex() will, if no
494       packets are currently available to be read, block waiting  for  packets
495       to become available.  On some, but not all, platforms, if a packet buf‐
496       fer timeout was specified, the wait will  terminate  after  the  packet
497       buffer timeout expires; applications should be prepared for this, as it
498       happens on some platforms, but should not rely on it, as  it  does  not
499       happen  on  other  platforms.   Note that the wait might, or might not,
500       terminate even if no packets are available; applications should be pre‐
501       pared for this to happen, but must not rely on it happening.
502
503       A  handle can be put into ``non-blocking mode'', so that those routines
504       will, rather than blocking, return an indication that  no  packets  are
505       available  to  read.  Call pcap_setnonblock() to put a handle into non-
506       blocking mode or to take it out of non-blocking mode; call pcap_getnon‐
507       block()  to  determine  whether a handle is in non-blocking mode.  Note
508       that non-blocking mode does not work correctly in Mac OS X 10.6.
509
510       Non-blocking mode is often combined with routines such as select(2)  or
511       poll(2) or other routines a platform offers to wait for any of a set of
512       descriptors to be ready to read.  To obtain, for a handle, a descriptor
513       that  can be used in those routines, call pcap_get_selectable_fd().  If
514       the routine indicates that data is available to read on the descriptor,
515       an attempt should be made to read from the device.
516
517       Not     all    handles    have    such    a    descriptor    available;
518       pcap_get_selectable_fd() will return -1 if no such descriptor is avail‐
519       able.   If  no  such  descriptor  is available, this may be because the
520       device  must  be  polled  periodically  for  packets;  in  that   case,
521       pcap_get_required_select_timeout()  will  return  a pointer to a struct
522       timeval whose value can be used as a timeout in those  routines.   When
523       the routine returns, an attmept should be made to read packets from the
524       device.  If pcap_get_required_select_timeout() returns  NULL,  no  such
525       timeout  is  available,  and  those  routines  cannot  be used with the
526       device.
527
528       In addition, for various reasons, one or more of  those  routines  will
529       not   work   properly   with  the  descriptor;  the  documentation  for
530       pcap_get_selectable_fd() gives details.  Note that, just as an  attempt
531       to  read packets from a pcap_t may not return any packets if the packet
532       buffer timeout expires, a select(), poll(), or other such call may,  if
533       the  packet buffer timeout expires, indicate that a descriptor is ready
534       to read even if there are no packets available to read.
535
536       Routines
537
538              pcap_dispatch(3PCAP)
539                     read a bufferful of packets from a pcap_t open for a live
540                     capture or the full set of packets from a pcap_t open for
541                     a ``savefile''
542
543              pcap_loop(3PCAP)
544                     read packets from a pcap_t until an  interrupt  or  error
545                     occurs
546
547              pcap_next(3PCAP)
548                     read  the next packet from a pcap_t without an indication
549                     whether an error occurred
550
551              pcap_next_ex(3PCAP)
552                     read the next packet from a pcap_t with an error  indica‐
553                     tion on an error
554
555              pcap_breakloop(3PCAP)
556                     prematurely  terminate  the  loop  in  pcap_dispatch() or
557                     pcap_loop()
558
559              pcap_setnonblock(3PCAP)
560                     set or clear non-blocking mode on a pcap_t
561
562              pcap_getnonblock(3PCAP)
563                     get the state of non-blocking mode for a pcap_t
564
565              pcap_get_selectable_fd(3PCAP)
566                     attempt to get a descriptor for a pcap_t that can be used
567                     in calls such as select(2) and poll(2)
568
569              pcap_get_required_select_timeout(3PCAP)
570                     attempt  to  get a timeout required for using a pcap_t in
571                     calls such as select(2) and poll(2)
572
573   Filters
574       In order to cause only certain packets  to  be  returned  when  reading
575       packets, a filter can be set on a handle.  For a live capture, the fil‐
576       tering will be performed in kernel mode, if possible, to avoid  copying
577       ``uninteresting'' packets from the kernel to user mode.
578
579       A filter can be specified as a text string; the syntax and semantics of
580       the string are as described by pcap-filter(7).  A filter string is com‐
581       piled into a program in a pseudo-machine-language by pcap_compile() and
582       the resulting program can be made a filter for a handle with  pcap_set‐
583       filter().   The  result  of  pcap_compile() can be freed with a call to
584       pcap_freecode().  pcap_compile() may require a network mask for certain
585       expressions  in the filter string; pcap_lookupnet() can be used to find
586       the network address and network mask for a given capture device.
587
588       A compiled filter can also be applied directly to  a  packet  that  has
589       been read using pcap_offline_filter().
590
591       Routines
592
593              pcap_compile(3PCAP)
594                     compile  filter  expression  to a pseudo-machine-language
595                     code program
596
597              pcap_freecode(3PCAP)
598                     free a filter program
599
600              pcap_setfilter(3PCAP)
601                     set filter for a pcap_t
602
603              pcap_lookupnet(3PCAP)
604                     get network address and network mask for a capture device
605
606              pcap_offline_filter(3PCAP)
607                     apply a filter program to a packet
608
609   Incoming and outgoing packets
610       By default, libpcap will attempt to capture both packets  sent  by  the
611       machine  and packets received by the machine.  To limit it to capturing
612       only packets received by the machine or, if possible, only packets sent
613       by the machine, call pcap_setdirection().
614
615       Routines
616
617              pcap_setdirection(3PCAP)
618                     specify  whether  to  capture  incoming packets, outgoing
619                     packets, or both
620
621   Capture statistics
622       To get statistics about packets received and dropped in a live capture,
623       call pcap_stats().
624
625       Routines
626
627              pcap_stats(3PCAP)
628                     get capture statistics
629
630   Opening a handle for writing captured packets
631       To  open  a  ``savefile`` to which to write packets, given the pathname
632       the ``savefile'' should have, call pcap_dump_open().  To open a ``save‐
633       file``  to  which to write packets, given the pathname the ``savefile''
634       should have, call pcap_dump_open(); to set up a handle  for  a  ``save‐
635       file'',  given a FILE * referring to a file already opened for writing,
636       call pcap_dump_fopen().  They each return pointers to a  pcap_dumper_t,
637       which  is  the handle used for writing packets to the ``savefile''.  If
638       it succeeds, it will have created the file  if  it  doesn't  exist  and
639       truncated  the  file  if it does exist.  To close a pcap_dumper_t, call
640       pcap_dump_close().
641
642       Routines
643
644              pcap_dump_open(3PCAP)
645                     open a pcap_dumper_t for a ``savefile``, given a pathname
646
647              pcap_dump_fopen(3PCAP)
648                     open a pcap_dumper_t for a ``savefile``, given a FILE *
649
650              pcap_dump_close(3PCAP)
651                     close a pcap_dumper_t
652
653              pcap_dump_file(3PCAP)
654                     get the FILE * for a pcap_dumper_t opened for  a  ``save‐
655                     file''
656
657   Writing packets
658       To  write a packet to a pcap_dumper_t, call pcap_dump().  Packets writ‐
659       ten with pcap_dump() may be buffered,  rather  than  being  immediately
660       written  to the ``savefile''.  Closing the pcap_dumper_t will cause all
661       buffered-but-not-yet-written packets to be written to the ``savefile''.
662       To  force all packets written to the pcap_dumper_t, and not yet written
663       to the ``savefile'' because they're buffered by the  pcap_dumper_t,  to
664       be written to the ``savefile'', without closing the pcap_dumper_t, call
665       pcap_dump_flush().
666
667       Routines
668
669              pcap_dump(3PCAP)
670                     write packet to a pcap_dumper_t
671
672              pcap_dump_flush(3PCAP)
673                     flush buffered packets written to a pcap_dumper_t to  the
674                     ``savefile''
675
676              pcap_dump_ftell(3PCAP)
677                     get current file position for a pcap_dumper_t
678
679   Injecting packets
680       If you have the required privileges, you can inject packets onto a net‐
681       work  with  a  pcap_t  for  a  live  capture,  using  pcap_inject()  or
682       pcap_sendpacket().  (The two routines exist for compatibility with both
683       OpenBSD and WinPcap/Npcap; they perform the  same  function,  but  have
684       different return values.)
685
686       Routines
687
688              pcap_inject(3PCAP)
689              pcap_sendpacket(3PCAP)
690                     transmit a packet
691
692   Reporting errors
693       Some  routines return error or warning status codes; to convert them to
694       a string, use pcap_statustostr().
695
696       Routines
697
698              pcap_statustostr(3PCAP)
699                     get a string for an error or warning status code
700
701   Getting library version information
702       To  get  a  string  giving  version  information  about  libpcap,  call
703       pcap_lib_version().
704
705       Routines
706
707              pcap_lib_version(3PCAP)
708                     get library version string
709

BACKWARD COMPATIBILITY

711       In  versions of libpcap prior to 1.0, the pcap.h header file was not in
712       a pcap directory on most platforms; if you are writing  an  application
713       that  must  work on versions of libpcap prior to 1.0, include <pcap.h>,
714       which  will  include  <pcap/pcap.h>  for  you,  rather  than  including
715       <pcap/pcap.h>.
716
717       pcap_create()  and  pcap_activate()  were  not available in versions of
718       libpcap prior to 1.0; if you are writing an application that must  work
719       on versions of libpcap prior to 1.0, either use pcap_open_live() to get
720       a handle for a live capture or, if you want to be able to use the addi‐
721       tional capabilities offered by using pcap_create() and pcap_activate(),
722       use an autoconf(1) script or some other configuration script  to  check
723       whether  the  libpcap  1.0 APIs are available and use them only if they
724       are.
725

SEE ALSO

727       autoconf(1),  tcpdump(8),  tcpslice(8),  pcap-filter(7),   pfconfig(8),
728       usermod(8)
729

AUTHORS

731       The original authors of libpcap are:
732
733       Van  Jacobson,  Craig  Leres  and  Steven  McCanne, all of the Lawrence
734       Berkeley National Laboratory, University of California, Berkeley, CA.
735
736       The current version is available from "The Tcpdump Group"'s Web site at
737
738              https://www.tcpdump.org/
739

BUGS

741       To report a security issue  please  send  an  e-mail  to  security@tcp‐
742       dump.org.
743
744       To  report  bugs and other problems, contribute patches, request a fea‐
745       ture, provide generic feedback etc please see the file  CONTRIBUTING.md
746       in the libpcap source tree root.
747
748
749
750                               9 September 2020                    PCAP(3PCAP)
Impressum