1 .\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap.3,v 1.12 2000-10-22 02:21:34 guy Exp $
3 .\" Copyright (c) 1994, 1996, 1997
4 .\" The Regents of the University of California. All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that: (1) source code distributions
8 .\" retain the above copyright notice and this paragraph in its entirety, (2)
9 .\" distributions including binary code include the above copyright notice and
10 .\" this paragraph in its entirety in the documentation or other materials
11 .\" provided with the distribution, and (3) all advertising materials mentioning
12 .\" features or use of this software display the following acknowledgement:
13 .\" ``This product includes software developed by the University of California,
14 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 .\" the University nor the names of its contributors may be used to endorse
16 .\" or promote products derived from this software without specific prior
17 .\" written permission.
18 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 .TH PCAP 3 "24 July 2000"
24 pcap \- Packet Capture library
32 pcap_t *pcap_open_live(char *device, int snaplen,
34 int promisc, int to_ms, char *ebuf)
35 pcap_t *pcap_open_dead(int linktype, int snaplen)
36 pcap_t *pcap_open_offline(char *fname, char *ebuf)
37 pcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname)
41 char errbuf[PCAP_ERRBUF_SIZE];
42 char *pcap_lookupdev(char *errbuf)
43 int pcap_lookupnet(char *device, bpf_u_int32 *netp,
45 bpf_u_int32 *maskp, char *errbuf)
49 int pcap_dispatch(pcap_t *p, int cnt,
51 pcap_handler callback, u_char *user)
52 int pcap_loop(pcap_t *p, int cnt,
54 pcap_handler callback, u_char *user)
55 void pcap_dump(u_char *user, struct pcap_pkthdr *h,
61 int pcap_compile(pcap_t *p, struct bpf_program *fp,
63 char *str, int optimize, bpf_u_int32 netmask)
64 int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
68 u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
72 int pcap_datalink(pcap_t *p)
73 int pcap_snapshot(pcap_t *p)
74 int pcap_is_swapped(pcap_t *p)
75 int pcap_major_version(pcap_t *p)
76 int pcap_minor_version(pcap_t *p)
77 int pcap_stats(pcap_t *p, struct pcap_stat *ps)
78 FILE *pcap_file(pcap_t *p)
79 int pcap_fileno(pcap_t *p)
80 void pcap_perror(pcap_t *p, char *prefix)
81 char *pcap_geterr(pcap_t *p)
82 char *pcap_strerror(int error)
86 void pcap_close(pcap_t *p)
87 void pcap_dump_close(pcap_dumper_t *p)
91 The Packet Capture library
92 provides a high level interface to packet capture systems. All packets
93 on the network, even those destined for other hosts, are accessible
94 through this mechanism.
101 .B pcap_open_offline(),
105 is assumed to be able to hold at least
110 is used to obtain a packet capture descriptor to look
111 at packets on the network.
113 is a string that specifies the network device to open; on Linux systems
114 with 2.2 or later kernels, a
118 can be used to capture packets from all interfaces.
120 specifies the maximum number of bytes to capture.
122 specifies if the interface is to be put into promiscuous mode.
123 (Note that even if this parameter is false, the interface
124 could well be in promiscuous mode for some other reason.)
126 specifies the read timeout in milliseconds.
128 is used to return error text and is only set when
134 is used for creating a
136 structure to use when calling the other functions in libpcap. It is
137 typically used when just using libpcap for compiling BPF code.
139 .B pcap_open_offline()
140 is called to open a ``savefile'' for reading.
142 specifies the name of the file to open. The file has
143 the same format as those used by
147 The name "-" in a synonym for
150 is used to return error text and is only set when
151 .B pcap_open_offline()
156 is called to open a ``savefile'' for writing. The name "-" in a synonym
160 is returned on failure.
164 struct as returned by
165 .B pcap_open_offline()
167 .BR pcap_open_live() .
169 specifies the name of the file to open.
174 can be used to get the error text.
177 returns a pointer to a network device suitable for use with
180 .BR pcap_lookupnet() .
181 If there is an error,
185 is filled in with an appropriate error message.
188 is used to determine the network number and mask
189 associated with the network device
198 A return of -1 indicates an error in which case
200 is filled in with an appropriate error message.
203 is used to collect and process packets.
205 specifies the maximum number of packets to process before returning. A
207 of -1 processes all the packets received in one buffer. A
209 of 0 processes all packets until an error occurs,
211 is reached, or the read times out (when doing live reads and a non-zero
212 read timeout is specified).
214 specifies a routine to be called with three arguments:
217 pointer which is passed in from
218 .BR pcap_dispatch() ,
221 struct (which precede the actual network headers and data),
224 pointer to the packet data. The number of packets read is returned.
225 Zero is returned when
227 is reached in a ``savefile.'' A return of -1 indicates
228 an error in which case
232 may be used to display the error text.
235 outputs a packet to the ``savefile'' opened with
236 .BR pcap_dump_open() .
237 Note that its calling arguments are suitable for use with
238 .BR pcap_dispatch() .
241 is used to compile the string
243 into a filter program.
247 struct and is filled in by
250 controls whether optimization on the resulting code is performed.
252 specifies the netmask of the local net.
254 .B pcap_compile_nopcap()
257 except that instead of passing a pcap structure, one passes the
258 snaplen and linktype explicitly. It is intended to be used for
259 compiling filters for direct bpf usage, without necessarily having
264 is used to specify a filter program.
266 is a pointer to an array of
268 struct, usually the result of a call to
271 is returned on failure;
273 is returned on success.
278 except it keeps reading packets until
280 packets are processed or an error occurs.
283 return when live read timeouts occur.
284 Rather, specifying a non-zero read timeout to
288 allows the reception and processing of any packets that arrive when the
294 to loop forever (or at least until an error occurs).
299 pointer to the next packet.
302 returns the link layer type, e.g.
306 returns the snapshot length specified when
311 returns true if the current ``savefile'' uses a different byte order
312 than the current system.
314 .B pcap_major_version()
315 returns the major number of the version of the pcap used to write the
318 .B pcap_minor_version()
319 returns the minor number of the version of the pcap used to write the
323 returns the name of the ``savefile.''
326 returns 0 and fills in a
328 struct. The values represent packet statistics from the start of the
329 run to the time of the call. If there is an error or the under lying
330 packet capture doesn't support packet statistics, -1 is returned and
331 the error text can be obtained with
337 returns the file descriptor number of the ``savefile.''
340 prints the text of the last pcap library error on
346 returns the error text pertaining to the last pcap library error.
354 closes the files associated with
356 and deallocates resources.
359 closes the ``savefile.''
362 tcpdump(1), tcpslice(1)
364 The original authors are:
368 Steven McCanne, all of the
369 Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
371 The current version is available from "The Tcpdump Group"'s Web site at
374 .I http://www.tcpdump.org/
377 Please send problems, bugs, questions, desirable enhancements, etc. to:
380 tcpdump-workers@tcpdump.org
383 Please send source code contributions, etc. to:
projects / libpcap / blob