1 .\" Copyright (c) 1994, 1996, 1997
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that: (1) source code distributions
6 .\" retain the above copyright notice and this paragraph in its entirety, (2)
7 .\" distributions including binary code include the above copyright notice and
8 .\" this paragraph in its entirety in the documentation or other materials
9 .\" provided with the distribution, and (3) all advertising materials mentioning
10 .\" features or use of this software display the following acknowledgement:
11 .\" ``This product includes software developed by the University of California,
12 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
13 .\" the University nor the names of its contributors may be used to endorse
14 .\" or promote products derived from this software without specific prior
15 .\" written permission.
16 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
17 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
18 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 .TH PCAP 3 "24 June 1998"
22 pcap \- Packet Capture library
30 pcap_t *pcap_open_live(char *device, int snaplen,
32 int promisc, int to_ms, char *ebuf)
33 pcap_t *pcap_open_offline(char *fname, char *ebuf)
34 pcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname)
38 char errbuf[PCAP_ERRBUF_SIZE];
39 char *pcap_lookupdev(char *errbuf)
40 int pcap_lookupnet(char *device, bpf_u_int32 *netp,
42 bpf_u_int32 *maskp, char *errbuf)
46 int pcap_dispatch(pcap_t *p, int cnt,
48 pcap_handler callback, u_char *user)
49 int pcap_loop(pcap_t *p, int cnt,
51 pcap_handler callback, u_char *user)
52 void pcap_dump(u_char *user, struct pcap_pkthdr *h,
58 int pcap_compile(pcap_t *p, struct bpf_program *fp,
60 char *str, int optimize, bpf_u_int32 netmask)
61 int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
65 u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
69 int pcap_datalink(pcap_t *p)
70 int pcap_snapshot(pcap_t *p)
71 int pcap_is_swapped(pcap_t *p)
72 int pcap_major_version(pcap_t *p)
73 int pcap_minor_version(pcap_t *p)
74 int pcap_stats(pcap_t *p, struct pcap_stat *ps)
75 FILE *pcap_file(pcap_t *p)
76 int pcap_fileno(pcap_t *p)
77 void pcap_perror(pcap_t *p, char *prefix)
78 char *pcap_geterr(pcap_t *p)
79 char *pcap_strerror(int error)
83 void pcap_close(pcap_t *p)
84 void pcap_dump_close(pcap_dumper_t *p)
88 The Packet Capture library
89 provides a high level interface to packet capture systems. All packets
90 on the network, even those destined for other hosts, are accessible
91 through this mechanism.
95 is used to obtain a packet capture descriptor to look
96 at packets on the network.
98 is a string that specifies the network device to open.
100 specifies the maximum number of bytes to capture.
102 specifies if the interface is to be put into promiscuous mode.
103 (Note that even if this parameter is false, the interface
104 could well be in promiscuous mode for some other reason.)
106 specifies the read timeout in milliseconds.
108 is used to return error text and is only set when
113 .B pcap_open_offline()
114 is called to open a ``savefile'' for reading.
116 specifies the name of the file to open. The file has
117 the same format as those used by
121 The name "-" in a synonym for
124 is used to return error text and is only set when
125 .B pcap_open_offline()
130 is called to open a ``savefile'' for writing. The name "-" in a synonym
134 is returned on failure.
138 struct as returned by
139 .B pcap_open_offline()
141 .BR pcap_open_live() .
143 specifies the name of the file to open.
148 can be used to get the error text.
151 returns a pointer to a network device suitable for use with
154 .BR pcap_lookupnet() .
155 If there is an error,
159 is filled in with with an appropriate error message.
162 is used to determine the network number and mask
163 associated with the network device
172 A return of -1 indicates an error in which case
174 is filled in with with an appropriate error message.
177 is used to collect and process packets.
179 specifies the maximum number of packets to process before returning. A
181 of -1 processes all the packets received in one buffer. A
183 of 0 processes all packets until an error occurs,
185 is reached, or the read times out (when doing live reads and a non-zero
186 read timeout is specified).
188 specifies a routine to be called with three arguments:
191 pointer which is passed in from
192 .BR pcap_dispatch() ,
195 struct (which precede the actual network headers and data),
198 pointer to the packet data. The number of packets read is returned.
199 Zero is returned when
201 is reached in a ``savefile.'' A return of -1 indicates
202 an error in which case
206 may be used to display the error text.
209 outputs a packet to the ``savefile'' opened with
210 .BR pcap_dump_open() .
211 Note that its calling arguments are suitable for use with
212 .BR pcap_dispatch() .
215 is used to compile the string
217 into a filter program.
221 struct and is filled in by
224 controls whether optimization on the resulting code is performed.
226 specifies the netmask of the local net.
228 .B pcap_compile_nopcap()
231 except that instead of passing a pcap structure, one passes the
232 snaplen and linktype explicitly. It is intended to be used for
233 compiling filters for direct bpf usage, without necessarily having
238 is used to specify a filter program.
240 is a pointer to an array of
242 struct, usually the result of a call to
245 is returned on failure;
247 is returned on success.
252 except it keeps reading packets until
254 packets are processed or an error occurs.
257 return when live read timeouts occur.
258 Rather, specifying a non-zero read timeout to
262 allows the reception and processing of any packets that arrive when the
268 to loop forever (or at least until an error occurs).
273 pointer to the next packet.
276 returns the link layer type, e.g.
280 returns the snapshot length specified when
285 returns true if the current ``savefile'' uses a different byte order
286 than the current system.
288 .B pcap_major_version()
289 returns the major number of the version of the pcap used to write the
292 .B pcap_minor_version()
293 returns the minor number of the version of the pcap used to write the
297 returns the name of the ``savefile.''
300 returns 0 and fills in a
302 struct. The values represent packet statistics from the start of the
303 run to the time of the call. If there is an error or the under lying
304 packet capture doesn't support packet statistics, -1 is returned and
305 the error text can be obtained with
311 returns the file descriptor number of the ``savefile.''
314 prints the text of the last pcap library error on
320 returns the error text pertaining to the last pcap library error.
328 closes the files associated with
330 and deallocates resources.
333 closes the ``savefile.''
336 tcpdump(1), tcpslice(1)
340 Steven McCanne, all of the
341 Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
343 The current version is available via anonymous ftp:
346 .I ftp://ftp.ee.lbl.gov/libpcap.tar.Z
349 Please send bug reports to libpcap@ee.lbl.gov.
projects / libpcap / blob