The Tcpdump Group git mirrors - libpcap/blob - pcap_loop.3pcap

   1 .\" Copyright (c) 1994, 1996, 1997
   2 .\"     The Regents of the University of California.  All rights reserved.
   3 .\"
   4 .\" Redistribution and use in source and binary forms, with or without
   5 .\" modification, are permitted provided that: (1) source code distributions
   6 .\" retain the above copyright notice and this paragraph in its entirety, (2)
   7 .\" distributions including binary code include the above copyright notice and
   8 .\" this paragraph in its entirety in the documentation or other materials
   9 .\" provided with the distribution, and (3) all advertising materials mentioning
  10 .\" features or use of this software display the following acknowledgement:
  11 .\" ``This product includes software developed by the University of California,
  12 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
  13 .\" the University nor the names of its contributors may be used to endorse
  14 .\" or promote products derived from this software without specific prior
  15 .\" written permission.
  16 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
  17 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
  18 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  19 .\"
  20 .TH PCAP_LOOP 3PCAP "22 August 2020"
  21 .SH NAME
  22 pcap_loop, pcap_dispatch \- process packets from a live capture or savefile
  23 .SH SYNOPSIS
  24 .nf
  25 .ft B
  26 #include <pcap/pcap.h>
  27 .ft
  28 .LP
  29 .ft B
  30 typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h,
  31 .ti +8
  32                              const u_char *bytes);
  33 .ft
  34 .LP
  35 .ft B
  36 int pcap_loop(pcap_t *p, int cnt,
  37 .ti +8
  38 pcap_handler callback, u_char *user);
  39 int pcap_dispatch(pcap_t *p, int cnt,
  40 .ti +8
  41 pcap_handler callback, u_char *user);
  42 .ft
  43 .fi
  44 .SH DESCRIPTION
  45 .BR pcap_loop ()
  46 processes packets from a live capture or ``savefile'' until
  47 .I cnt
  48 packets are processed, the end of the ``savefile'' is
  49 reached when reading from a ``savefile'',
  50 .BR pcap_breakloop (3PCAP)
  51 is called, or an error occurs.
  52 It does
  53 .B not
  54 return when live packet buffer timeouts occur.
  55 A value of
  56 .B \-1
  57 or
  58 .B 0
  59 for
  60 .I cnt
  61 is equivalent to infinity, so that packets are processed until another
  62 ending condition occurs.
  63 .PP
  64 .BR pcap_dispatch ()
  65 processes packets from a live capture or ``savefile'' until
  66 .I cnt
  67 packets are processed, the end of the current bufferful of packets is
  68 reached when doing a live capture, the end of the ``savefile'' is
  69 reached when reading from a ``savefile'',
  70 .BR pcap_breakloop ()
  71 is called, or an error occurs.
  72 Thus, when doing a live capture,
  73 .I cnt
  74 is the maximum number of packets to process before returning, but is not
  75 a minimum number; when reading a live capture, only one
  76 bufferful of packets is read at a time, so fewer than
  77 .I cnt
  78 packets may be processed. A value of
  79 .B \-1
  80 or
  81 .B 0
  82 for
  83 .I cnt
  84 causes all the packets received in one buffer to be processed when
  85 reading a live capture, and causes all the packets in the file to be
  86 processed when reading a ``savefile''.
  87 .PP
  88 Note that, when doing a live capture on some platforms, if the read
  89 timeout expires when there are no packets available,
  90 .BR pcap_dispatch ()
  91 will return 0, even when not in non-blocking mode, as there are no
  92 packets to process.  Applications should be prepared for this to happen,
  93 but must not rely on it happening.
  94 .PP
  95 .I callback
  96 specifies a
  97 .I pcap_handler
  98 routine to be called with three arguments:
  99 a
 100 .I u_char
 101 pointer which is passed in the
 102 .I user
 103 argument to
 104 .BR pcap_loop ()
 105 or
 106 .BR pcap_dispatch (),
 107 a
 108 .I const struct pcap_pkthdr
 109 pointer pointing to the packet time stamp and lengths, and a
 110 .I const u_char
 111 pointer to the first
 112 .B caplen
 113 (as given in the
 114 .I struct pcap_pkthdr
 115 a pointer to which is passed to the callback routine)
 116 bytes of data from the packet.  The
 117 .I struct pcap_pkthdr
 118 and the packet data are not to be freed by the callback routine, and are
 119 not guaranteed to be valid after the callback routine returns; if the
 120 code needs them to be valid after the callback, it must make a copy of
 121 them.
 122 .PP
 123 The bytes of data from the packet begin with a link-layer header.  The
 124 format of the link-layer header is indicated by the return value of the
 125 .BR pcap_datalink (3PCAP)
 126 routine when handed the
 127 .B pcap_t
 128 value also passed to
 129 .BR pcap_loop ()
 130 or
 131 .BR pcap_dispatch ().
 132 .I https://www.tcpdump.org/linktypes.html
 133 lists the values
 134 .BR pcap_datalink ()
 135 can return and describes the packet formats that
 136 correspond to those values.  The value it returns will be valid for all
 137 packets received unless and until
 138 .BR pcap_set_datalink (3PCAP)
 139 is called; after a successful call to
 140 .BR pcap_set_datalink (),
 141 all subsequent packets will have a link-layer header of the type
 142 specified by the link-layer header type value passed to
 143 .BR pcap_set_datalink ().
 144 .PP
 145 Do
 146 .B NOT
 147 assume that the packets for a given capture or ``savefile`` will have
 148 any given link-layer header type, such as
 149 .B DLT_EN10MB
 150 for Ethernet.  For example, the "any" device on Linux will have a
 151 link-layer header type of
 152 .B DLT_LINUX_SLL
 153 or
 154 .B DLT_LINUX_SLL2
 155 even if all devices on the system at the time the "any" device is opened
 156 have some other data link type, such as
 157 .B DLT_EN10MB
 158 for Ethernet.
 159 .SH RETURN VALUE
 160 .BR pcap_loop ()
 161 returns
 162 .B 0
 163 if
 164 .I cnt
 165 is exhausted or if, when reading from a ``savefile'', no more packets
 166 are available.  It returns
 167 .B PCAP_ERROR
 168 if an error occurs or
 169 .B PCAP_ERROR_BREAK
 170 if the loop terminated due to a call to
 171 .BR pcap_breakloop ()
 172 before any packets were processed.
 173 It does
 174 .B not
 175 return when live packet buffer timeouts occur; instead, it attempts to
 176 read more packets.
 177 .PP
 178 .BR pcap_dispatch ()
 179 returns the number of packets processed on success; this can be 0 if no
 180 packets were read from a live capture (if, for example, they were
 181 discarded because they didn't pass the packet filter, or if, on
 182 platforms that support a packet buffer timeout that starts before any
 183 packets arrive, the timeout expires before any packets arrive, or if the
 184 file descriptor for the capture device is in non-blocking mode and no
 185 packets were available to be read) or if no more packets are available
 186 in a ``savefile.'' It returns
 187 .B PCAP_ERROR
 188 if an error occurs or
 189 .B PCAP_ERROR_BREAK
 190 if the loop terminated due to a call to
 191 .BR pcap_breakloop ()
 192 before any packets were processed.
 193 .ft B
 194 If your application uses pcap_breakloop(),
 195 make sure that you explicitly check for PCAP_ERROR and PCAP_ERROR_BREAK,
 196 rather than just checking for a return value < 0.
 197 .ft R
 198 .PP
 199 If
 200 .B PCAP_ERROR
 201 is returned,
 202 .BR pcap_geterr (3PCAP)
 203 or
 204 .BR pcap_perror (3PCAP)
 205 may be called with
 206 .I p
 207 as an argument to fetch or display the error text.
 208 .SH BACKWARD COMPATIBILITY
 209 .PP
 210 In libpcap versions before 1.5.0, the behavior when
 211 .I cnt
 212 was
 213 .B 0
 214 was undefined; different platforms and devices behaved differently,
 215 so code that must work with these versions of libpcap should use
 216 .BR \-1 ,
 217 not
 218 .BR 0 ,
 219 as the value of
 220 .IR cnt .
 221 .SH SEE ALSO
 222 .BR pcap (3PCAP)