]> The Tcpdump Group git mirrors - libpcap/blob - pcap_loop.3pcap
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
CI: Call print_so_deps() on rpcapd in remote enabled build
[libpcap] / pcap_loop.3pcap
1 .\" Copyright (c) 1994, 1996, 1997
2 .\" The Regents of the University of California. All rights reserved.
3 .\"
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that: (1) source code distributions
6 .\" retain the above copyright notice and this paragraph in its entirety, (2)
7 .\" distributions including binary code include the above copyright notice and
8 .\" this paragraph in its entirety in the documentation or other materials
9 .\" provided with the distribution, and (3) all advertising materials mentioning
10 .\" features or use of this software display the following acknowledgement:
11 .\" ``This product includes software developed by the University of California,
12 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
13 .\" the University nor the names of its contributors may be used to endorse
14 .\" or promote products derived from this software without specific prior
15 .\" written permission.
16 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
17 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
18 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
19 .\"
20 .TH PCAP_LOOP 3PCAP "5 March 2022"
21 .SH NAME
22 pcap_loop, pcap_dispatch \- process packets from a live capture or savefile
23 .SH SYNOPSIS
24 .nf
25 .ft B
26 #include <pcap/pcap.h>
27 .ft
28 .LP
29 .ft B
30 typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h,
31 const u_char *bytes);
32 int pcap_loop(pcap_t *p, int cnt,
33 pcap_handler callback, u_char *user);
34 int pcap_dispatch(pcap_t *p, int cnt,
35 pcap_handler callback, u_char *user);
36 .ft
37 .fi
38 .SH DESCRIPTION
39 .BR pcap_loop ()
40 processes packets from a live capture or ``savefile'' until
41 .I cnt
42 packets are processed, the end of the ``savefile'' is
43 reached when reading from a ``savefile'',
44 .BR pcap_breakloop (3PCAP)
45 is called, or an error occurs.
46 It does
47 .B not
48 return when live packet buffer timeouts occur.
49 A value of
50 .B \-1
51 or
52 .B 0
53 for
54 .I cnt
55 is equivalent to infinity, so that packets are processed until another
56 ending condition occurs.
57 .PP
58 .BR pcap_dispatch ()
59 processes packets from a live capture or ``savefile'' until
60 .I cnt
61 packets are processed, the end of the current bufferful of packets is
62 reached when doing a live capture, the end of the ``savefile'' is
63 reached when reading from a ``savefile'',
64 .BR pcap_breakloop ()
65 is called, or an error occurs.
66 Thus, when doing a live capture,
67 .I cnt
68 is the maximum number of packets to process before returning, but is not
69 a minimum number; when reading a live capture, only one
70 bufferful of packets is read at a time, so fewer than
71 .I cnt
72 packets may be processed. A value of
73 .B \-1
74 or
75 .B 0
76 for
77 .I cnt
78 causes all the packets received in one buffer to be processed when
79 reading a live capture, and causes all the packets in the file to be
80 processed when reading a ``savefile''.
81 .PP
82 Note that, when doing a live capture on some platforms, if the read
83 timeout expires when there are no packets available,
84 .BR pcap_dispatch ()
85 will return 0, even when not in non-blocking mode, as there are no
86 packets to process. Applications should be prepared for this to happen,
87 but must not rely on it happening.
88 .PP
89 .I callback
90 specifies a
91 .B pcap_handler
92 routine to be called with three arguments:
93 a
94 .B u_char
95 pointer which is passed in the
96 .I user
97 argument to
98 .BR pcap_loop ()
99 or
100 .BR pcap_dispatch (),
101 a
102 .B const struct pcap_pkthdr
103 pointer pointing to the packet time stamp and lengths, and a
104 .B const u_char
105 pointer to the first
106 .B caplen
107 (as given in the
108 .BR "struct pcap_pkthdr" ,
109 a pointer to which is passed to the callback routine)
110 bytes of data from the packet. The
111 .B struct pcap_pkthdr
112 and the packet data are not to be freed by the callback routine, and are
113 not guaranteed to be valid after the callback routine returns; if the
114 code needs them to be valid after the callback, it must make a copy of
115 them.
116 .PP
117 The bytes of data from the packet begin with a link-layer header. The
118 format of the link-layer header is indicated by the return value of the
119 .BR pcap_datalink (3PCAP)
120 routine when handed the
121 .B pcap_t
122 value also passed to
123 .BR pcap_loop ()
124 or
125 .BR pcap_dispatch ().
126 .I https://www.tcpdump.org/linktypes.html
127 lists the values
128 .BR pcap_datalink ()
129 can return and describes the packet formats that
130 correspond to those values. The value it returns will be valid for all
131 packets received unless and until
132 .BR pcap_set_datalink (3PCAP)
133 is called; after a successful call to
134 .BR pcap_set_datalink (),
135 all subsequent packets will have a link-layer header of the type
136 specified by the link-layer header type value passed to
137 .BR pcap_set_datalink ().
138 .PP
139 Do
140 .B NOT
141 assume that the packets for a given capture or ``savefile`` will have
142 any given link-layer header type, such as
143 .B DLT_EN10MB
144 for Ethernet. For example, the "any" device on Linux will have a
145 link-layer header type of
146 .B DLT_LINUX_SLL
147 or
148 .B DLT_LINUX_SLL2
149 even if all devices on the system at the time the "any" device is opened
150 have some other data link type, such as
151 .B DLT_EN10MB
152 for Ethernet.
153 .SH RETURN VALUE
154 .BR pcap_loop ()
155 returns
156 .B 0
157 if
158 .I cnt
159 is exhausted or if, when reading from a ``savefile'', no more packets
160 are available. It returns
161 .B PCAP_ERROR_BREAK
162 if the loop terminated due to a call to
163 .BR pcap_breakloop ()
164 before any packets were processed,
165 .B PCAP_ERROR_NOT_ACTIVATED
166 if called on a capture handle that has been created but not activated,
167 or
168 .B PCAP_ERROR
169 if another error occurs.
170 It does
171 .B not
172 return when live packet buffer timeouts occur; instead, it attempts to
173 read more packets.
174 .PP
175 .BR pcap_dispatch ()
176 returns the number of packets processed on success; this can be 0 if no
177 packets were read from a live capture (if, for example, they were
178 discarded because they didn't pass the packet filter, or if, on
179 platforms that support a packet buffer timeout that starts before any
180 packets arrive, the timeout expires before any packets arrive, or if the
181 file descriptor for the capture device is in non-blocking mode and no
182 packets were available to be read) or if no more packets are available
183 in a ``savefile''. It returns
184 .B PCAP_ERROR_BREAK
185 if the loop terminated due to a call to
186 .BR pcap_breakloop ()
187 before any packets were processed,
188 .B PCAP_ERROR_NOT_ACTIVATED
189 if called on a capture handle that has been created but not activated,
190 or
191 .B PCAP_ERROR
192 if another error occurs.
193 .ft B
194 If your application uses pcap_breakloop(),
195 make sure that you explicitly check for PCAP_ERROR and PCAP_ERROR_BREAK,
196 rather than just checking for a return value < 0.
197 .ft R
198 .PP
199 If
200 .B PCAP_ERROR
201 is returned,
202 .BR pcap_geterr (3PCAP)
203 or
204 .BR pcap_perror (3PCAP)
205 may be called with
206 .I p
207 as an argument to fetch or display the error text.
208 .SH BACKWARD COMPATIBILITY
209 .PP
210 In libpcap versions before 1.5.0, the behavior when
211 .I cnt
212 was
213 .B 0
214 was undefined; different platforms and devices behaved differently,
215 so code that must work with these versions of libpcap should use
216 .BR \-1 ,
217 not
218 .BR 0 ,
219 as the value of
220 .IR cnt .
221 .SH SEE ALSO
222 .BR pcap (3PCAP)
[mirror] the LIBpcap interface to various kernel packet capture mechanism