1 .\" Copyright (c) 1994, 1996, 1997
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that: (1) source code distributions
6 .\" retain the above copyright notice and this paragraph in its entirety, (2)
7 .\" distributions including binary code include the above copyright notice and
8 .\" this paragraph in its entirety in the documentation or other materials
9 .\" provided with the distribution, and (3) all advertising materials mentioning
10 .\" features or use of this software display the following acknowledgement:
11 .\" ``This product includes software developed by the University of California,
12 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
13 .\" the University nor the names of its contributors may be used to endorse
14 .\" or promote products derived from this software without specific prior
15 .\" written permission.
16 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
17 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
18 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 .TH PCAP 3 "24 June 1998"
22 pcap \- Packet Capture library
30 pcap_t *pcap_open_live(char *device, int snaplen,
32 int promisc, int to_ms, char *ebuf)
33 pcap_t *pcap_open_dead(int linktype, int snaplen)
34 pcap_t *pcap_open_offline(char *fname, char *ebuf)
35 pcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname)
39 char errbuf[PCAP_ERRBUF_SIZE];
40 char *pcap_lookupdev(char *errbuf)
41 int pcap_lookupnet(char *device, bpf_u_int32 *netp,
43 bpf_u_int32 *maskp, char *errbuf)
47 int pcap_dispatch(pcap_t *p, int cnt,
49 pcap_handler callback, u_char *user)
50 int pcap_loop(pcap_t *p, int cnt,
52 pcap_handler callback, u_char *user)
53 void pcap_dump(u_char *user, struct pcap_pkthdr *h,
59 int pcap_compile(pcap_t *p, struct bpf_program *fp,
61 char *str, int optimize, bpf_u_int32 netmask)
62 int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
66 u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
70 int pcap_datalink(pcap_t *p)
71 int pcap_snapshot(pcap_t *p)
72 int pcap_is_swapped(pcap_t *p)
73 int pcap_major_version(pcap_t *p)
74 int pcap_minor_version(pcap_t *p)
75 int pcap_stats(pcap_t *p, struct pcap_stat *ps)
76 FILE *pcap_file(pcap_t *p)
77 int pcap_fileno(pcap_t *p)
78 void pcap_perror(pcap_t *p, char *prefix)
79 char *pcap_geterr(pcap_t *p)
80 char *pcap_strerror(int error)
84 void pcap_close(pcap_t *p)
85 void pcap_dump_close(pcap_dumper_t *p)
89 The Packet Capture library
90 provides a high level interface to packet capture systems. All packets
91 on the network, even those destined for other hosts, are accessible
92 through this mechanism.
99 .B pcap_open_offline(),
103 is assumed to be able to hold at least
108 is used to obtain a packet capture descriptor to look
109 at packets on the network.
111 is a string that specifies the network device to open.
113 specifies the maximum number of bytes to capture.
115 specifies if the interface is to be put into promiscuous mode.
116 (Note that even if this parameter is false, the interface
117 could well be in promiscuous mode for some other reason.)
119 specifies the read timeout in milliseconds.
121 is used to return error text and is only set when
127 is used for creating a
129 structure to use when calling the other functions in libpcap. It is
130 typically used when just using libpcap for compiling BPF code.
132 .B pcap_open_offline()
133 is called to open a ``savefile'' for reading.
135 specifies the name of the file to open. The file has
136 the same format as those used by
140 The name "-" in a synonym for
143 is used to return error text and is only set when
144 .B pcap_open_offline()
149 is called to open a ``savefile'' for writing. The name "-" in a synonym
153 is returned on failure.
157 struct as returned by
158 .B pcap_open_offline()
160 .BR pcap_open_live() .
162 specifies the name of the file to open.
167 can be used to get the error text.
170 returns a pointer to a network device suitable for use with
173 .BR pcap_lookupnet() .
174 If there is an error,
178 is filled in with with an appropriate error message.
181 is used to determine the network number and mask
182 associated with the network device
191 A return of -1 indicates an error in which case
193 is filled in with with an appropriate error message.
196 is used to collect and process packets.
198 specifies the maximum number of packets to process before returning. A
200 of -1 processes all the packets received in one buffer. A
202 of 0 processes all packets until an error occurs,
204 is reached, or the read times out (when doing live reads and a non-zero
205 read timeout is specified).
207 specifies a routine to be called with three arguments:
210 pointer which is passed in from
211 .BR pcap_dispatch() ,
214 struct (which precede the actual network headers and data),
217 pointer to the packet data. The number of packets read is returned.
218 Zero is returned when
220 is reached in a ``savefile.'' A return of -1 indicates
221 an error in which case
225 may be used to display the error text.
228 outputs a packet to the ``savefile'' opened with
229 .BR pcap_dump_open() .
230 Note that its calling arguments are suitable for use with
231 .BR pcap_dispatch() .
234 is used to compile the string
236 into a filter program.
240 struct and is filled in by
243 controls whether optimization on the resulting code is performed.
245 specifies the netmask of the local net.
247 .B pcap_compile_nopcap()
250 except that instead of passing a pcap structure, one passes the
251 snaplen and linktype explicitly. It is intended to be used for
252 compiling filters for direct bpf usage, without necessarily having
257 is used to specify a filter program.
259 is a pointer to an array of
261 struct, usually the result of a call to
264 is returned on failure;
266 is returned on success.
271 except it keeps reading packets until
273 packets are processed or an error occurs.
276 return when live read timeouts occur.
277 Rather, specifying a non-zero read timeout to
281 allows the reception and processing of any packets that arrive when the
287 to loop forever (or at least until an error occurs).
292 pointer to the next packet.
295 returns the link layer type, e.g.
299 returns the snapshot length specified when
304 returns true if the current ``savefile'' uses a different byte order
305 than the current system.
307 .B pcap_major_version()
308 returns the major number of the version of the pcap used to write the
311 .B pcap_minor_version()
312 returns the minor number of the version of the pcap used to write the
316 returns the name of the ``savefile.''
319 returns 0 and fills in a
321 struct. The values represent packet statistics from the start of the
322 run to the time of the call. If there is an error or the under lying
323 packet capture doesn't support packet statistics, -1 is returned and
324 the error text can be obtained with
330 returns the file descriptor number of the ``savefile.''
333 prints the text of the last pcap library error on
339 returns the error text pertaining to the last pcap library error.
347 closes the files associated with
349 and deallocates resources.
352 closes the ``savefile.''
355 tcpdump(1), tcpslice(1)
357 The original authors are:
361 Steven McCanne, all of the
362 Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
364 The current version is available from "The Tcpdump Group"'s Web site at
367 .I http://www.tcpdump.org/
370 Please send problems, bugs, questions, desirable enhancements, etc. to:
373 tcpdump-workers@tcpdump.org
376 Please send source code contributions, etc. to:
projects / libpcap / blob