From: guy Date: Sat, 5 Apr 2008 20:19:41 +0000 (+0000) Subject: Split the pcap(3) man page into a bunch of individual man pages for X-Git-Tag: libpcap-1.1.0~342 X-Git-Url: https://git.tcpdump.org/libpcap/commitdiff_plain/baadfaab07e6807d3fd776032707bcd6ee909788?ds=inline Split the pcap(3) man page into a bunch of individual man pages for functions plus an overall man page for libpcap, and put them all into section 3PCAP. That means you can actually do "man pcap_open_live" and get something meaningful, rather than having to do "man pcap" and then scroll through all the other stuff in the man page. --- diff --git a/FILES b/FILES index daa0af12..d84d0b15 100644 --- a/FILES +++ b/FILES @@ -115,10 +115,48 @@ pcap-snoop.c pcap-usb-linux.c pcap-usb-linux.h pcap-win32.c -pcap.3 +pcap.3pcap pcap.c pcap.h +pcap_breakloop.3pcap +pcap_close.3pcap +pcap_compile.3pcap +pcap_datalink.3pcap +pcap_datalink_name_to_val.3pcap +pcap_dump.3pcap +pcap_dump_close.3pcap +pcap_dump_file.3pcap +pcap_dump_flush.3pcap +pcap_dump_ftell.3pcap +pcap_dump_open.3pcap +pcap_file.3pcap +pcap_fileno.3pcap +pcap_findalldevs.3pcap +pcap_freealldevs.3pcap +pcap_freecode.3pcap +pcap_get_selectable_fd.3pcap +pcap_geterr.3pcap +pcap_inject.3pcap +pcap_is_swapped.3pcap +pcap_lib_version.3pcap +pcap_list_datalinks.3pcap +pcap_lookupdev.3pcap +pcap_lookupnet.3pcap +pcap_loop.3pcap +pcap_major_version.3pcap +pcap_next_ex.3pcap +pcap_open_dead.3pcap +pcap_open_live.3pcap +pcap_open_offline.3pcap +pcap_set_datalink.3pcap +pcap_setdirection.3pcap +pcap_setfilter.3pcap +pcap_setnonblock.3pcap +pcap_snapshot.3pcap +pcap_stats.3pcap +pcap_strerror.3pcap pcap-filter.4 +pcap-linktype.4 ppp.h runlex.sh savefile.c diff --git a/INSTALL.txt b/INSTALL.txt index 20b02de7..5e4376b9 100644 --- a/INSTALL.txt +++ b/INSTALL.txt @@ -1,4 +1,4 @@ -@(#) $Header: /tcpdump/master/libpcap/INSTALL.txt,v 1.25 2008-03-13 18:13:57 guy Exp $ (LBL) +@(#) $Header: /tcpdump/master/libpcap/INSTALL.txt,v 1.26 2008-04-05 20:19:41 guy Exp $ (LBL) To build libpcap, run "./configure" (a shell script). The configure script will determine your system attributes and generate an @@ -391,10 +391,48 @@ pcap-snoop.c - IRIX Snoop network monitoring support pcap-usb-linux.c - USB capture support for Linux pcap-usb-linux.h - USB capture support for Linux pcap-win32.c - WinPcap capture support -pcap.3 - manual entry for the library +pcap.3pcap - manual entry for the library pcap.c - pcap utility routines pcap.h - header for backwards compatibility +pcap_breakloop.3pcap - manual entry for pcap_breakloop +pcap_close.3pcap - manual entry for pcap_close +pcap_compile.3pcap - manual entry for pcap_compile +pcap_datalink.3pcap - manual entry for pcap_datalink +pcap_datalink_name_to_val.3pcap - manual entry for pcap_datalink_name_to_val +pcap_dump.3pcap - manual entry for pcap_dump +pcap_dump_close.3pcap - manual entry for pcap_dump_close +pcap_dump_file.3pcap - manual entry for pcap_dump_file +pcap_dump_flush.3pcap - manual entry for pcap_dump_flush +pcap_dump_ftell.3pcap - manual entry for pcap_dump_ftell +pcap_dump_open.3pcap - manual entry for pcap_dump_open and pcap_dump_fopen +pcap_file.3pcap - manual entry for pcap_file +pcap_fileno.3pcap - manual entry for pcap_fileno +pcap_findalldevs.3pcap - manual entry for pcap_findalldevs +pcap_freealldevs.3pcap - manual entry for pcap_freealldevs +pcap_freecode.3pcap - manual entry for pcap_freecode +pcap_get_selectable_fd.3pcap - manual entry for pcap_get_selectable_fd +pcap_geterr.3pcap - manual entry for pcap_geterr and pcap_perror +pcap_inject.3pcap - manual entry for pcap_inject and pcap_sendpacket +pcap_is_swapped.3pcap - manual entry for pcap_is_swapped +pcap_lib_version.3pcap - manual entry for pcap_lib_version +pcap_list_datalinks.3pcap - manual entry for pcap_list_datalinks +pcap_lookupdev.3pcap - manual entry for pcap_lookupdev +pcap_lookupnet.3pcap - manual entry for pcap_lookupnet +pcap_loop.3pcap - manual entry for pcap_loop and pcap_dispatch +pcap_major_version.3pcap - manual entry for pcap_major_version and pcap_minor_version +pcap_next_ex.3pcap - manual entry for pcap_next_ex and pcap_next +pcap_open_dead.3pcap - manual entry for pcap_open_dead +pcap_open_live.3pcap - manual entry for pcap_open_live +pcap_open_offline.3pcap - manual entry for pcap_open_offline and pcap_fopen_offline +pcap_set_datalink.3pcap - manual entry for pcap_set_datalink +pcap_setdirection.3pcap - manual entry for pcap_setdirection +pcap_setfilter.3pcap - manual entry for pcap_setfilter +pcap_setnonblock.3pcap - manual entry for pcap_setnonblock and pcap_getnonblock +pcap_snapshot.3pcap - manual entry for pcap_snapshot +pcap_stats.3pcap - manual entry for pcap_stats +pcap_strerror.3pcap - manual entry for pcap_strerror pcap-filter.4 - manual entry for filter syntax +pcap-linktype.4 - manual entry for link-layer header types ppp.h - Point to Point Protocol definitions runlex.sh - wrapper for Lex/Flex savefile.c - offline support diff --git a/Makefile.in b/Makefile.in index 883fe2c8..6d195ef2 100644 --- a/Makefile.in +++ b/Makefile.in @@ -17,7 +17,7 @@ # WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. # -# @(#) $Header: /tcpdump/master/libpcap/Makefile.in,v 1.112 2008-02-04 21:08:05 guy Exp $ (LBL) +# @(#) $Header: /tcpdump/master/libpcap/Makefile.in,v 1.113 2008-04-05 20:19:41 guy Exp $ (LBL) # # Various configurable paths (remember to edit Makefile.in, not Makefile) @@ -100,6 +100,48 @@ TAGFILES = \ CLEANFILES = $(OBJ) libpcap.a $(GENSRC) $(GENHDR) lex.yy.c +MAN3PCAP = pcap.3pcap \ + pcap_breakloop.3pcap \ + pcap_close.3pcap \ + pcap_compile.3pcap \ + pcap_datalink.3pcap \ + pcap_datalink_name_to_val.3pcap \ + pcap_dump.3pcap \ + pcap_dump_close.3pcap \ + pcap_dump_file.3pcap \ + pcap_dump_flush.3pcap \ + pcap_dump_ftell.3pcap \ + pcap_dump_open.3pcap \ + pcap_file.3pcap \ + pcap_fileno.3pcap \ + pcap_findalldevs.3pcap \ + pcap_freealldevs.3pcap \ + pcap_freecode.3pcap \ + pcap_get_selectable_fd.3pcap \ + pcap_geterr.3pcap \ + pcap_inject.3pcap \ + pcap_is_swapped.3pcap \ + pcap_lib_version.3pcap \ + pcap_list_datalinks.3pcap \ + pcap_lookupdev.3pcap \ + pcap_lookupnet.3pcap \ + pcap_loop.3pcap \ + pcap_major_version.3pcap \ + pcap_next_ex.3pcap \ + pcap_open_dead.3pcap \ + pcap_open_live.3pcap \ + pcap_open_offline.3pcap \ + pcap_set_datalink.3pcap \ + pcap_setdirection.3pcap \ + pcap_setfilter.3pcap \ + pcap_setnonblock.3pcap \ + pcap_snapshot.3pcap \ + pcap_stats.3pcap \ + pcap_strerror.3pcap + +MAN4 = pcap-filter.4 \ + pcap-linktype.4 + all: libpcap.a libpcap.a: $(OBJ) @@ -209,10 +251,28 @@ install: libpcap.a $(DESTDIR)$(includedir)/pcap-bpf.h $(INSTALL_DATA) $(srcdir)/pcap-namedb.h \ $(DESTDIR)$(includedir)/pcap-namedb.h - $(INSTALL_DATA) $(srcdir)/pcap.3 \ - $(DESTDIR)$(mandir)/man3/pcap.3 - $(INSTALL_DATA) $(srcdir)/pcap-filter.4 \ - $(DESTDIR)$(mandir)/man4/pcap-filter.4 + for i in $(MAN3PCAP); do \ + $(INSTALL_DATA) $(srcdir)/$$i \ + $(DESTDIR)$(mandir)/man3/$$i; done + ln $(DESTDIR)$(mandir)/man3/pcap_dump_open.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_dump_fopen.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_geterr.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_perror.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_inject.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_sendpacket.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_loop.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_dispatch.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_major_version.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_minor_version.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_next_ex.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_next.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_open_offline.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_fopen_offline.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_setnonblock.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_getnonblock.3pcap + for i in $(MAN4); do \ + $(INSTALL_DATA) $(srcdir)/$$i \ + $(DESTDIR)$(mandir)/man4/$$i; done install-shared: install-shared-$(DYEXT) install-shared-so: libpcap.so @@ -232,7 +292,18 @@ uninstall: rm -f $(DESTDIR)$(includedir)/pcap.h rm -f $(DESTDIR)$(includedir)/pcap-bpf.h rm -f $(DESTDIR)$(includedir)/pcap-namedb.h - rm -f $(DESTDIR)$(mandir)/man3/pcap.3 + for i in $(MAN3PCAP); do \ + rm -f $(DESTDIR)$(mandir)/man3/$$i; done + rm -f $(DESTDIR)$(mandir)/man3/pcap_dump_fopen.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_perror.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_sendpacket.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_dispatch.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_minor_version.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_next.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_fopen_offline.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_getnonblock.3pcap + for i in $(MAN4); do \ + rm -f $(DESTDIR)$(mandir)/man4/$$i; done clean: rm -f $(CLEANFILES) libpcap*.dylib libpcap.so* diff --git a/pcap-linktype.4 b/pcap-linktype.4 new file mode 100644 index 00000000..d36606e8 --- /dev/null +++ b/pcap-linktype.4 @@ -0,0 +1,309 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap-linktype.4,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP-LINKTYPE 4 "4 April 2008" +.SH NAME +pcap-linktype \- link-layer header types supported by libpcap +.SH DESCRIPTION +Libpcap supplies for a live capture or ``savefile'' value that indicates +the type of link-layer header at the beginning of the packets it +provides. This is not necessarily the type of link-layer header that +the packets being captured have on the network from which they're being +captured; for example, packets from an IEEE 802.11 network might be +provided by libpcap with Ethernet headers that the network adapter or +the network adapter driver generates from the 802.11 headers. +.PP +The link-layer header types supported by libpcap are: +.RS 5 +.TP 5 +.B DLT_NULL +BSD loopback encapsulation; the link layer header is a 4-byte field, in +.I host +byte order, containing a PF_ value from +.B socket.h +for the network-layer protocol of the packet. +.IP +Note that ``host byte order'' is the byte order of the machine on which +the packets are captured, and the PF_ values are for the OS of the +machine on which the packets are captured; if a live capture is being +done, ``host byte order'' is the byte order of the machine capturing the +packets, and the PF_ values are those of the OS of the machine capturing +the packets, but if a ``savefile'' is being read, the byte order and PF_ +values are +.I not +necessarily those of the machine reading the capture file. +.TP 5 +.B DLT_EN10MB +Ethernet (10Mb, 100Mb, 1000Mb, and up) +.TP 5 +.B DLT_IEEE802 +IEEE 802.5 Token Ring +.TP 5 +.B DLT_ARCNET +ARCNET +.TP 5 +.B DLT_SLIP +SLIP; the link layer header contains, in order: +.RS 10 +.LP +a 1-byte flag, which is 0 for packets received by the machine and 1 for +packets sent by the machine; +.LP +a 1-byte field, the upper 4 bits of which indicate the type of packet, +as per RFC 1144: +.RS 5 +.TP 5 +0x40 +an unmodified IP datagram (TYPE_IP); +.TP 5 +0x70 +an uncompressed-TCP IP datagram (UNCOMPRESSED_TCP), with that byte being +the first byte of the raw IP header on the wire, containing the +connection number in the protocol field; +.TP 5 +0x80 +a compressed-TCP IP datagram (COMPRESSED_TCP), with that byte being the +first byte of the compressed TCP/IP datagram header; +.RE +.LP +for UNCOMPRESSED_TCP, the rest of the modified IP header, and for +COMPRESSED_TCP, the compressed TCP/IP datagram header; +.RE +.RS 5 +.LP +for a total of 16 bytes; the uncompressed IP datagram follows the header. +.RE +.TP 5 +.B DLT_PPP +PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like +framing, with the PPP header following those two bytes, otherwise it's +PPP without framing, and the packet begins with the PPP header. +.TP 5 +.B DLT_FDDI +FDDI +.TP 5 +.B DLT_ATM_RFC1483 +RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2 +LLC header. +.TP 5 +.B DLT_RAW +raw IP; the packet begins with an IP header. +.TP 5 +.B DLT_PPP_SERIAL +PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC +framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF +for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP +with HDLC framing. +.TP 5 +.B DLT_PPP_ETHER +PPPoE; the packet begins with a PPPoE header, as per RFC 2516. +.TP 5 +.B DLT_C_HDLC +Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547. +.TP 5 +.B DLT_IEEE802_11 +IEEE 802.11 wireless LAN +.TP 5 +.B DLT_FRELAY +Frame Relay +.TP 5 +.B DLT_LOOP +OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in +.I network +byte order, containing a PF_ value from OpenBSD's +.B socket.h +for the network-layer protocol of the packet. +.IP +Note that, if a ``savefile'' is being read, those PF_ values are +.I not +necessarily those of the machine reading the capture file. +.TP 5 +.B DLT_LINUX_SLL +Linux "cooked" capture encapsulation; the link layer header contains, in +order: +.RS 10 +.LP +a 2-byte "packet type", in network byte order, which is one of: +.RS 5 +.TP 5 +0 +packet was sent to us by somebody else +.TP 5 +1 +packet was broadcast by somebody else +.TP 5 +2 +packet was multicast, but not broadcast, by somebody else +.TP 5 +3 +packet was sent by somebody else to somebody else +.TP 5 +4 +packet was sent by us +.RE +.LP +a 2-byte field, in network byte order, containing a Linux ARPHRD_ value +for the link layer device type; +.LP +a 2-byte field, in network byte order, containing the length of the +link layer address of the sender of the packet (which could be 0); +.LP +an 8-byte field containing that number of bytes of the link layer header +(if there are more than 8 bytes, only the first 8 are present); +.LP +a 2-byte field containing an Ethernet protocol type, in network byte +order, or containing 1 for Novell 802.3 frames without an 802.2 LLC +header or 4 for frames beginning with an 802.2 LLC header. +.RE +.TP 5 +.B DLT_LTALK +Apple LocalTalk; the packet begins with an AppleTalk LLAP header. +.TP 5 +.B DLT_PFLOG +OpenBSD pflog; the link layer header contains, in order: +.RS 10 +.LP +a 1-byte header length, in host byte order; +.LP +a 4-byte PF_ value, in host byte order; +.LP +a 2-byte action code, in network byte order, which is one of: +.RS 5 +.TP 5 +0 +passed +.TP 5 +1 +dropped +.TP 5 +2 +scrubbed +.RE +.LP +a 2-byte reason code, in network byte order, which is one of: +.RS 5 +.TP 5 +0 +match +.TP 5 +1 +bad offset +.TP 5 +2 +fragment +.TP 5 +3 +short +.TP 5 +4 +normalize +.TP 5 +5 +memory +.RE +.LP +a 16-character interface name; +.LP +a 16-character ruleset name (only meaningful if subrule is set); +.LP +a 4-byte rule number, in network byte order; +.LP +a 4-byte subrule number, in network byte order; +.LP +a 1-byte direction, in network byte order, which is one of: +.RS 5 +.TP 5 +0 +incoming or outgoing +.TP 5 +1 +incoming +.TP 5 +2 +outgoing +.RE +.RE +.TP 5 +.B DLT_PRISM_HEADER +Prism monitor mode information followed by an 802.11 header. +.TP 5 +.B DLT_IP_OVER_FC +RFC 2625 IP-over-Fibre Channel, with the link-layer header being the +Network_Header as described in that RFC. +.TP 5 +.B DLT_SUNATM +SunATM devices; the link layer header contains, in order: +.RS 10 +.LP +a 1-byte flag field, containing a direction flag in the uppermost bit, +which is set for packets transmitted by the machine and clear for +packets received by the machine, and a 4-byte traffic type in the +low-order 4 bits, which is one of: +.RS 5 +.TP 5 +0 +raw traffic +.TP 5 +1 +LANE traffic +.TP 5 +2 +LLC-encapsulated traffic +.TP 5 +3 +MARS traffic +.TP 5 +4 +IFMP traffic +.TP 5 +5 +ILMI traffic +.TP 5 +6 +Q.2931 traffic +.RE +.LP +a 1-byte VPI value; +.LP +a 2-byte VCI field, in network byte order. +.RE +.TP 5 +.B DLT_IEEE802_11_RADIO +link-layer information followed by an 802.11 header - see +http://www.shaftnet.org/~pizza/software/capturefrm.txt for a description +of the link-layer information. +.TP 5 +.B DLT_ARCNET_LINUX +ARCNET, with no exception frames, reassembled packets rather than raw +frames, and an extra 16-bit offset field between the destination host +and type bytes. +.TP 5 +.B DLT_LINUX_IRDA +Linux-IrDA packets, with a +.B DLT_LINUX_SLL +header followed by the IrLAP header. +.TP 5 +.B DLT_LINUX_LAPD +LAPD (Q.921) frames, with a +.B DLT_LINUX_SLL +header captured via vISDN. +.RE diff --git a/pcap.3 b/pcap.3 deleted file mode 100644 index d6b1a0c6..00000000 --- a/pcap.3 +++ /dev/null @@ -1,1333 +0,0 @@ -.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap.3,v 1.80 2008-02-02 21:19:40 guy Exp $ -.\" -.\" Copyright (c) 1994, 1996, 1997 -.\" The Regents of the University of California. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that: (1) source code distributions -.\" retain the above copyright notice and this paragraph in its entirety, (2) -.\" distributions including binary code include the above copyright notice and -.\" this paragraph in its entirety in the documentation or other materials -.\" provided with the distribution, and (3) all advertising materials mentioning -.\" features or use of this software display the following acknowledgement: -.\" ``This product includes software developed by the University of California, -.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of -.\" the University nor the names of its contributors may be used to endorse -.\" or promote products derived from this software without specific prior -.\" written permission. -.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED -.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. -.\" -.TH PCAP 3 "6 January 2008" -.SH NAME -pcap \- Packet Capture library -.SH SYNOPSIS -.nf -.ft B -#include -.ft -.LP -.nf -.ft B -char errbuf[PCAP_ERRBUF_SIZE]; -.ft -.LP -.ft B -pcap_t *pcap_open_live(const char *device, int snaplen, -.ti +8 -int promisc, int to_ms, char *errbuf) -pcap_t *pcap_open_dead(int linktype, int snaplen) -pcap_t *pcap_open_offline(const char *fname, char *errbuf) -pcap_t *pcap_fopen_offline(FILE *fp, char *errbuf) -pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname) -pcap_dumper_t *pcap_dump_fopen(pcap_t *p, FILE *fp) -.ft -.LP -.ft B -int pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf); -int pcap_getnonblock(pcap_t *p, char *errbuf); -.ft -.LP -.ft B -int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf) -void pcap_freealldevs(pcap_if_t *alldevs) -char *pcap_lookupdev(char *errbuf) -int pcap_lookupnet(const char *device, bpf_u_int32 *netp, -.ti +8 -bpf_u_int32 *maskp, char *errbuf) -.ft -.LP -.ft B -typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h, -.ti +8 - const u_char *bytes); -.ft B -int pcap_dispatch(pcap_t *p, int cnt, -.ti +8 -pcap_handler callback, u_char *user) -int pcap_loop(pcap_t *p, int cnt, -.ti +8 -pcap_handler callback, u_char *user) -void pcap_dump(u_char *user, struct pcap_pkthdr *h, -.ti +8 -u_char *sp) -.ft -.LP -.ft B -int pcap_compile(pcap_t *p, struct bpf_program *fp, -.ti +8 -const char *str, int optimize, bpf_u_int32 netmask) -int pcap_setfilter(pcap_t *p, struct bpf_program *fp) -void pcap_freecode(struct bpf_program *) -int pcap_setdirection(pcap_t *p, pcap_direction_t d) -.ft -.LP -.ft B -const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h) -int pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header, -.ti +8 -const u_char **pkt_data) -.ft -.LP -.ft B -void pcap_breakloop(pcap_t *) -.ft -.LP -.ft B -int pcap_inject(pcap_t *p, const void *buf, size_t size) -int pcap_sendpacket(pcap_t *p, const u_char *buf, int size) -.ft -.LP -.ft B -int pcap_datalink(pcap_t *p) -int pcap_list_datalinks(pcap_t *p, int **dlt_buf); -int pcap_set_datalink(pcap_t *p, int dlt); -int pcap_datalink_name_to_val(const char *name); -const char *pcap_datalink_val_to_name(int dlt); -const char *pcap_datalink_val_to_description(int dlt); -int pcap_snapshot(pcap_t *p) -int pcap_is_swapped(pcap_t *p) -int pcap_major_version(pcap_t *p) -int pcap_minor_version(pcap_t *p) -int pcap_stats(pcap_t *p, struct pcap_stat *ps) -FILE *pcap_file(pcap_t *p) -int pcap_fileno(pcap_t *p) -int pcap_get_selectable_fd(pcap_t *p); -void pcap_perror(pcap_t *p, char *prefix) -char *pcap_geterr(pcap_t *p) -const char *pcap_strerror(int error) -const char *pcap_lib_version(void) -.ft -.LP -.ft B -void pcap_close(pcap_t *p) -int pcap_dump_flush(pcap_dumper_t *p) -long pcap_dump_ftell(pcap_dumper_t *p) -FILE *pcap_dump_file(pcap_dumper_t *p) -void pcap_dump_close(pcap_dumper_t *p) -.ft -.fi -.SH DESCRIPTION -The Packet Capture library -provides a high level interface to packet capture systems. All packets -on the network, even those destined for other hosts, are accessible -through this mechanism. -.PP -.SH ROUTINES -NOTE: -.I errbuf -in -.BR pcap_open_live() , -.BR pcap_open_offline() , -.BR pcap_fopen_offline() , -.BR pcap_setnonblock() , -.BR pcap_getnonblock() , -.BR pcap_findalldevs() , -.BR pcap_lookupdev() , -and -.B pcap_lookupnet() -is assumed to be able to hold at least -.B PCAP_ERRBUF_SIZE -chars. -.PP -.B pcap_open_live() -is used to obtain a packet capture descriptor to look -at packets on the network. -.I device -is a string that specifies the network device to open; on Linux systems -with 2.2 or later kernels, a -.I device -argument of "any" or -.B NULL -can be used to capture packets from all interfaces. -.I snaplen -specifies the maximum number of bytes to capture. If this value is less -than the size of a packet that is captured, only the first -.I snaplen -bytes of that packet will be captured and provided as packet data. A -value of 65535 should be sufficient, on most if not all networks, to -capture all the data available from the packet. -.I promisc -specifies if the interface is to be put into promiscuous mode. -(Note that even if this parameter is false, the interface -could well be in promiscuous mode for some other reason.) For now, this -doesn't work on the "any" device; if an argument of "any" or NULL is -supplied, the -.I promisc -flag is ignored. -.I to_ms -specifies the read timeout in milliseconds. The read timeout is used to -arrange that the read not necessarily return immediately when a packet -is seen, but that it wait for some amount of time to allow more packets -to arrive and to read multiple packets from the OS kernel in one -operation. Not all platforms support a read timeout; on platforms that -don't, the read timeout is ignored. A zero value for -.IR to_ms , -on platforms that support a read timeout, -will cause a read to wait forever to allow enough packets to -arrive, with no timeout. -.I errbuf -is used to return error or warning text. It will be set to error text when -.B pcap_open_live() -fails and returns -.BR NULL . -.I errbuf -may also be set to warning text when -.B pcap_open_live() -succeds; to detect this case the caller should store a zero-length string in -.I errbuf -before calling -.B pcap_open_live() -and display the warning to the user if -.I errbuf -is no longer a zero-length string. -.PP -.B pcap_open_dead() -is used for creating a -.B pcap_t -structure to use when calling the other functions in libpcap. It is -typically used when just using libpcap for compiling BPF code. -.PP -.B pcap_open_offline() -is called to open a ``savefile'' for reading. -.I fname -specifies the name of the file to open. The file has -the same format as those used by -.B tcpdump(1) -and -.BR tcpslice(1) . -The name "-" in a synonym for -.BR stdin . -Alternatively, you may call -.B pcap_fopen_offline() -to read dumped data from an existing open stream -.IR fp . -Note that on Windows, that stream should be opened in binary mode. -.I errbuf -is used to return error text and is only set when -.B pcap_open_offline() -or -.B pcap_fopen_offline() -fails and returns -.BR NULL . -.PP -.B pcap_dump_open() -is called to open a ``savefile'' for writing. The name "-" in a synonym -for -.BR stdout . -.B NULL -is returned on failure. -.I p -is a -.I pcap -struct as returned by -.B pcap_open_offline() -or -.BR pcap_open_live() . -.I fname -specifies the name of the file to open. Alternatively, you may call -.B pcap_dump_fopen() -to write data to an existing open stream -.IR fp . -Note that on Windows, that stream should be opened in binary mode. -If -.B NULL -is returned, -.B pcap_geterr() -can be used to get the error text. -.PP -.B pcap_setnonblock() -puts a capture descriptor, opened with -.BR pcap_open_live() , -into ``non-blocking'' mode, or takes it out of ``non-blocking'' mode, -depending on whether the -.I nonblock -argument is non-zero or zero. It has no effect on ``savefiles''. -If there is an error, \-1 is returned and -.I errbuf -is filled in with an appropriate error message; otherwise, 0 is -returned. -In -``non-blocking'' mode, an attempt to read from the capture descriptor -with -.B pcap_dispatch() -will, if no packets are currently available to be read, return 0 -immediately rather than blocking waiting for packets to arrive. -.B pcap_loop() -and -.B pcap_next() -will not work in ``non-blocking'' mode. -.PP -.B pcap_getnonblock() -returns the current ``non-blocking'' state of the capture descriptor; it -always returns 0 on ``savefiles''. -If there is an error, \-1 is returned and -.I errbuf -is filled in with an appropriate error message. -.PP -.B pcap_findalldevs() -constructs a list of network devices that can be opened with -.BR pcap_open_live() . -(Note that there may be network devices that cannot be opened with -.BR pcap_open_live() -by the -process calling -.BR pcap_findalldevs() , -because, for example, that process might not have sufficient privileges -to open them for capturing; if so, those devices will not appear on the -list.) -.I alldevsp -is set to point to the first element of the list; each element of the -list is of type -.BR pcap_if_t , -and has the following members: -.RS -.TP -.B next -if not -.BR NULL , -a pointer to the next element in the list; -.B NULL -for the last element of the list -.TP -.B name -a pointer to a string giving a name for the device to pass to -.B pcap_open_live() -.TP -.B description -if not -.BR NULL , -a pointer to a string giving a human-readable description of the device -.TP -.B addresses -a pointer to the first element of a list of addresses for the interface -.TP -.B flags -interface flags: -.RS -.TP -.B PCAP_IF_LOOPBACK -set if the interface is a loopback interface -.RE -.RE -.PP -Each element of the list of addresses is of type -.BR pcap_addr_t , -and has the following members: -.RS -.TP -.B next -if not -.BR NULL , -a pointer to the next element in the list; -.B NULL -for the last element of the list -.TP -.B addr -a pointer to a -.B "struct sockaddr" -containing an address -.TP -.B netmask -if not -.BR NULL , -a pointer to a -.B "struct sockaddr" -that contains the netmask corresponding to the address pointed to by -.B addr -.TP -.B broadaddr -if not -.BR NULL , -a pointer to a -.B "struct sockaddr" -that contains the broadcast address corresponding to the address pointed -to by -.BR addr ; -may be null if the interface doesn't support broadcasts -.TP -.B dstaddr -if not -.BR NULL , -a pointer to a -.B "struct sockaddr" -that contains the destination address corresponding to the address pointed -to by -.BR addr ; -may be null if the interface isn't a point-to-point interface -.RE -.PP -Note that not all the addresses in the list of addresses are -necessarily IPv4 or IPv6 addresses - you must check the -.B sa_family -member of the -.B "struct sockaddr" -before interpreting the contents of the address. -.PP -.B \-1 -is returned on failure, in which case -.B errbuf -is filled in with an appropriate error message; -.B 0 -is returned on success. -.PP -.B pcap_freealldevs() -is used to free a list allocated by -.BR pcap_findalldevs() . -.PP -.B pcap_lookupdev() -returns a pointer to a network device suitable for use with -.B pcap_open_live() -and -.BR pcap_lookupnet() . -If there is an error, -.B NULL -is returned and -.I errbuf -is filled in with an appropriate error message. -.PP -.B pcap_lookupnet() -is used to determine the network number and mask -associated with the network device -.BR device . -Both -.I netp -and -.I maskp -are -.I bpf_u_int32 -pointers. -A return of \-1 indicates an error in which case -.I errbuf -is filled in with an appropriate error message. -.PP -.B pcap_dispatch() -is used to collect and process packets. -.I cnt -specifies the maximum number of packets to process before returning. -This is not a minimum number; when reading a live capture, only one -bufferful of packets is read at a time, so fewer than -.I cnt -packets may be processed. A value of \-1 or 0 for -.I cnt -causes all the packets received in one buffer to be processed when -reading a live capture, and causes all the packets in the file to be -processed when reading a ``savefile''. -.ft B -(In older versions of libpcap, the behavior when -\fIcnt\fP -was 0 was undefined; different platforms and devices behaved -differently, so code that must work with older versions of libpcap -should use \-1, not 0, as the value of -\fIcnt\fP.) -.ft R -.I callback -specifies a routine to be called with three arguments: -a -.I u_char -pointer which is passed in from -.BR pcap_dispatch() , -a -.I const struct pcap_pkthdr -pointer to a structure with the following members: -.RS -.TP -.B ts -a -.I struct timeval -containing the time when the packet was captured -.TP -.B caplen -a -.I bpf_u_int32 -giving the number of bytes of the packet that are available from the -capture -.TP -.B len -a -.I bpf_u_int32 -giving the length of the packet, in bytes (which might be more than the -number of bytes available from the capture, if the length of the packet -is larger than the maximum number of bytes to capture) -.RE -.PP -and a -.I const u_char -pointer to the first -.B caplen -(as given in the -.I struct pcap_pkthdr -a pointer to which is passed to the callback routine) -bytes of data from the packet (which won't necessarily be the entire -packet; to capture the entire packet, you will have to provide a value -for -.I snaplen -in your call to -.B pcap_open_live() -that is sufficiently large to get all of the packet's data - a value of -65535 should be sufficient on most if not all networks). -.PP -The number of packets read is returned. -0 is returned if no packets were read from a live capture (if, for -example, they were discarded because they didn't pass the packet filter, -or if, on platforms that support a read timeout that starts before any -packets arrive, the timeout expires before any packets arrive, or if the -file descriptor for the capture device is in non-blocking mode and no -packets were available to be read) or if no more packets are available -in a ``savefile.'' A return of \-1 indicates -an error in which case -.B pcap_perror() -or -.B pcap_geterr() -may be used to display the error text. -A return of \-2 indicates that the loop terminated due to a call to -.B pcap_breakloop() -before any packets were processed. -.ft B -If your application uses pcap_breakloop(), -make sure that you explicitly check for \-1 and \-2, rather than just -checking for a return value < 0. -.ft R -.PP -.BR NOTE : -when reading a live capture, -.B pcap_dispatch() -will not necessarily return when the read times out; on some platforms, -the read timeout isn't supported, and, on other platforms, the timer -doesn't start until at least one packet arrives. This means that the -read timeout should -.B NOT -be used in, for example, an interactive application, to allow the packet -capture loop to ``poll'' for user input periodically, as there's no -guarantee that -.B pcap_dispatch() -will return after the timeout expires. -.PP -.B pcap_loop() -is similar to -.B pcap_dispatch() -except it keeps reading packets until -.I cnt -packets are processed or an error occurs. -It does -.B not -return when live read timeouts occur. -Rather, specifying a non-zero read timeout to -.B pcap_open_live() -and then calling -.B pcap_dispatch() -allows the reception and processing of any packets that arrive when the -timeout occurs. -A value of \-1 or 0 for -.I cnt -causes -.B pcap_loop() -to loop forever (or at least until an error occurs). -.ft B -(In older versions of libpcap, the behavior when -\fIcnt\fP -was 0 was undefined; different platforms and devices behaved -differently, so code that must work with older versions of libpcap -should use \-1, nor 0, as the value of -\fIcnt\fP.) -.ft R -\-1 is returned on an error; 0 is returned if -.I cnt -is exhausted; \-2 is returned if the loop terminated due to a call to -.B pcap_breakloop() -before any packets were processed. -.ft B -If your application uses pcap_breakloop(), -make sure that you explicitly check for \-1 and \-2, rather than just -checking for a return value < 0. -.ft R -.PP -.B pcap_next() -reads the next packet (by calling -.B pcap_dispatch() -with a -.I cnt -of 1) and returns a -.I u_char -pointer to the data in that packet. (The -.I pcap_pkthdr -struct for that packet is not supplied.) -.B NULL -is returned if an error occured, or if no packets were read from a live -capture (if, for example, they were discarded because they didn't pass -the packet filter, or if, on platforms that support a read timeout that -starts before any packets arrive, the timeout expires before any packets -arrive, or if the file descriptor for the capture device is in -non-blocking mode and no packets were available to be read), or if no -more packets are available in a ``savefile.'' Unfortunately, there is -no way to determine whether an error occured or not. -.PP -.B pcap_next_ex() -reads the next packet and returns a success/failure indication: -.RS -.TP -1 -the packet was read without problems -.TP -0 -packets are being read from a live capture, and the timeout expired -.TP -\-1 -an error occurred while reading the packet -.TP -\-2 -packets are being read from a ``savefile'', and there are no more -packets to read from the savefile. -.RE -.PP -If the packet was read without problems, the pointer pointed to by the -.I pkt_header -argument is set to point to the -.I pcap_pkthdr -struct for the packet, and the -pointer pointed to by the -.I pkt_data -argument is set to point to the data in the packet. -.PP -.B pcap_breakloop() -sets a flag that will force -.B pcap_dispatch() -or -.B pcap_loop() -to return rather than looping; they will return the number of packets -that have been processed so far, or \-2 if no packets have been -processed so far. -.PP -This routine is safe to use inside a signal handler on UNIX or a console -control handler on Windows, as it merely sets a flag that is checked -within the loop. -.PP -The flag is checked in loops reading packets from the OS - a signal by -itself will not necessarily terminate those loops - as well as in loops -processing a set of packets returned by the OS. -.ft B -Note that if you are catching signals on UNIX systems that support -restarting system calls after a signal, and calling pcap_breakloop() -in the signal handler, you must specify, when catching those signals, -that system calls should NOT be restarted by that signal. Otherwise, -if the signal interrupted a call reading packets in a live capture, -when your signal handler returns after calling pcap_breakloop(), the -call will be restarted, and the loop will not terminate until more -packets arrive and the call completes. -.PP -Note also that, in a multi-threaded application, if one thread is -blocked in -.BR pcap_dispatch() , -.BR pcap_loop() , -.BR pcap_next() , -or -.BR pcap_next_ex() , -a call to -.B pcap_breakloop() -in a different thread will not unblock that thread; you will need to use -whatever mechanism the OS provides for breaking a thread out of blocking -calls in order to unblock the thread, such as thread cancellation in -systems that support POSIX threads. -.ft R -.PP -Note that -.B pcap_next() -will, on some platforms, loop reading packets from the OS; that loop -will not necessarily be terminated by a signal, so -.B pcap_breakloop() -should be used to terminate packet processing even if -.B pcap_next() -is being used. -.PP -.B pcap_breakloop() -does not guarantee that no further packets will be processed by -.B pcap_dispatch() -or -.B pcap_loop() -after it is called; at most one more packet might be processed. -.PP -If \-2 is returned from -.B pcap_dispatch() -or -.BR pcap_loop() , -the flag is cleared, so a subsequent call will resume reading packets. -If a positive number is returned, the flag is not cleared, so a -subsequent call will return \-2 and clear the flag. -.PP -.B pcap_inject() -sends a raw packet through the network interface; -.I buf -points to the data of the packet, including the link-layer header, and -.I size -is the number of bytes in the packet. -It returns the number of bytes written on success. A return of \-1 -indicates an error in which case -.B pcap_perror() -or -.B pcap_geterr() -may be used to display the error text. -Note that, even if you successfully open the network interface, you -might not have permission to send packets on it, or it might not support -sending packets; as -.I pcap_open_live() -doesn't have a flag to indicate whether to open for capturing, sending, -or capturing and sending, you cannot request an open that supports -sending and be notified at open time whether sending will be possible. -Note also that some devices might not support sending packets. -.PP -Note that, on some platforms, the link-layer header of the packet that's -sent might not be the same as the link-layer header of the packet -supplied to -.BR pcap_inject() , -as the source link-layer address, if the header contains such an -address, might be changed to be the address assigned to the interface on -which the packet it sent, if the platform doesn't support sending -completely raw and unchanged packets. Even worse, some drivers on some -platforms might change the link-layer type field to whatever value -libpcap used when attaching to the device, even on platforms that -.I do -nominally support sending completely raw and unchanged packets. -.PP -.B pcap_sendpacket() -is like -.BR pcap_inject() , -but it returns 0 on success and \-1 on failure. -.RB ( pcap_inject() -comes from OpenBSD; -.B pcap_sendpacket() -comes from WinPcap. Both are provided for compatibility.) -.PP -.B pcap_dump() -outputs a packet to the ``savefile'' opened with -.BR pcap_dump_open() . -Note that its calling arguments are suitable for use with -.B pcap_dispatch() -or -.BR pcap_loop() . -If called directly, the -.I user -parameter is of type -.I pcap_dumper_t -as returned by -.BR pcap_dump_open() . -.PP -.B pcap_compile() -is used to compile the string -.I str -into a filter program. See -.BR pcap-filter (4) -for the syntax of that string. -.I program -is a pointer to a -.I bpf_program -struct and is filled in by -.BR pcap_compile() . -.I optimize -controls whether optimization on the resulting code is performed. -.I netmask -specifies the IPv4 netmask of the network on which packets are being -captured; it is used only when checking for IPv4 broadcast addresses in -the filter program. If the netmask of the network on which packets are -being captured isn't known to the program, or if packets are being -captured on the Linux "any" pseudo-interface that can capture on more -than one network, a value of 0 can be supplied; tests for IPv4 broadcast -addreses won't be done correctly, but all other tests in the filter -program will be OK. A return of \-1 indicates an error in which case -.BR pcap_geterr() -may be used to display the error text. -.PP -.B pcap_compile_nopcap() -is similar to -.B pcap_compile() -except that instead of passing a pcap structure, one passes the -snaplen and linktype explicitly. It is intended to be used for -compiling filters for direct BPF usage, without necessarily having -called -.BR pcap_open() . -A return of \-1 indicates an error; the error text is unavailable. -.RB ( pcap_compile_nopcap() -is a wrapper around -.BR pcap_open_dead() , -.BR pcap_compile() , -and -.BR pcap_close() ; -the latter three routines can be used directly in order to get the error -text for a compilation error.) -.B -.PP -.B pcap_setfilter() -is used to specify a filter program. -.I fp -is a pointer to a -.I bpf_program -struct, usually the result of a call to -.BR pcap_compile() . -.B \-1 -is returned on failure, in which case -.BR pcap_geterr() -may be used to display the error text; -.B 0 -is returned on success. -.PP -.B pcap_freecode() -is used to free up allocated memory pointed to by a -.I bpf_program -struct generated by -.B pcap_compile() -when that BPF program is no longer needed, for example after it -has been made the filter program for a pcap structure by a call to -.BR pcap_setfilter() . -.PP -.B pcap_setdirection() -is used to specify a direction that packets will be captured. -.I pcap_direction_t -is one of the constants -.BR PCAP_D_IN , -.B PCAP_D_OUT -or -.BR PCAP_D_INOUT . -.B PCAP_D_IN -will only capture packets received by the device, -.B PCAP_D_OUT -will only capture packets sent by the device and -.B PCAP_D_INOUT -will capture packets received by or sent by the device. -.B PCAP_D_INOUT -is the default setting if this function is not called. This isn't -necessarily supported on all platforms; some platforms might return an -error, and some other platforms might not support -.BR PCAP_D_OUT . -This operation is not supported if a ``savefile'' is being read. -.B \-1 -is returned on failure, -.B 0 -is returned on success. -.PP -.B pcap_datalink() -returns the link layer type; link layer types it can return include: -.PP -.RS 5 -.TP 5 -.B DLT_NULL -BSD loopback encapsulation; the link layer header is a 4-byte field, in -.I host -byte order, containing a PF_ value from -.B socket.h -for the network-layer protocol of the packet. -.IP -Note that ``host byte order'' is the byte order of the machine on which -the packets are captured, and the PF_ values are for the OS of the -machine on which the packets are captured; if a live capture is being -done, ``host byte order'' is the byte order of the machine capturing the -packets, and the PF_ values are those of the OS of the machine capturing -the packets, but if a ``savefile'' is being read, the byte order and PF_ -values are -.I not -necessarily those of the machine reading the capture file. -.TP 5 -.B DLT_EN10MB -Ethernet (10Mb, 100Mb, 1000Mb, and up) -.TP 5 -.B DLT_IEEE802 -IEEE 802.5 Token Ring -.TP 5 -.B DLT_ARCNET -ARCNET -.TP 5 -.B DLT_SLIP -SLIP; the link layer header contains, in order: -.RS 10 -.LP -a 1-byte flag, which is 0 for packets received by the machine and 1 for -packets sent by the machine; -.LP -a 1-byte field, the upper 4 bits of which indicate the type of packet, -as per RFC 1144: -.RS 5 -.TP 5 -0x40 -an unmodified IP datagram (TYPE_IP); -.TP 5 -0x70 -an uncompressed-TCP IP datagram (UNCOMPRESSED_TCP), with that byte being -the first byte of the raw IP header on the wire, containing the -connection number in the protocol field; -.TP 5 -0x80 -a compressed-TCP IP datagram (COMPRESSED_TCP), with that byte being the -first byte of the compressed TCP/IP datagram header; -.RE -.LP -for UNCOMPRESSED_TCP, the rest of the modified IP header, and for -COMPRESSED_TCP, the compressed TCP/IP datagram header; -.RE -.RS 5 -.LP -for a total of 16 bytes; the uncompressed IP datagram follows the header. -.RE -.TP 5 -.B DLT_PPP -PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like -framing, with the PPP header following those two bytes, otherwise it's -PPP without framing, and the packet begins with the PPP header. -.TP 5 -.B DLT_FDDI -FDDI -.TP 5 -.B DLT_ATM_RFC1483 -RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2 -LLC header. -.TP 5 -.B DLT_RAW -raw IP; the packet begins with an IP header. -.TP 5 -.B DLT_PPP_SERIAL -PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC -framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF -for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP -with HDLC framing. -.TP 5 -.B DLT_PPP_ETHER -PPPoE; the packet begins with a PPPoE header, as per RFC 2516. -.TP 5 -.B DLT_C_HDLC -Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547. -.TP 5 -.B DLT_IEEE802_11 -IEEE 802.11 wireless LAN -.TP 5 -.B DLT_FRELAY -Frame Relay -.TP 5 -.B DLT_LOOP -OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in -.I network -byte order, containing a PF_ value from OpenBSD's -.B socket.h -for the network-layer protocol of the packet. -.IP -Note that, if a ``savefile'' is being read, those PF_ values are -.I not -necessarily those of the machine reading the capture file. -.TP 5 -.B DLT_LINUX_SLL -Linux "cooked" capture encapsulation; the link layer header contains, in -order: -.RS 10 -.LP -a 2-byte "packet type", in network byte order, which is one of: -.RS 5 -.TP 5 -0 -packet was sent to us by somebody else -.TP 5 -1 -packet was broadcast by somebody else -.TP 5 -2 -packet was multicast, but not broadcast, by somebody else -.TP 5 -3 -packet was sent by somebody else to somebody else -.TP 5 -4 -packet was sent by us -.RE -.LP -a 2-byte field, in network byte order, containing a Linux ARPHRD_ value -for the link layer device type; -.LP -a 2-byte field, in network byte order, containing the length of the -link layer address of the sender of the packet (which could be 0); -.LP -an 8-byte field containing that number of bytes of the link layer header -(if there are more than 8 bytes, only the first 8 are present); -.LP -a 2-byte field containing an Ethernet protocol type, in network byte -order, or containing 1 for Novell 802.3 frames without an 802.2 LLC -header or 4 for frames beginning with an 802.2 LLC header. -.RE -.TP 5 -.B DLT_LTALK -Apple LocalTalk; the packet begins with an AppleTalk LLAP header. -.TP 5 -.B DLT_PFLOG -OpenBSD pflog; the link layer header contains, in order: -.RS 10 -.LP -a 1-byte header length, in host byte order; -.LP -a 4-byte PF_ value, in host byte order; -.LP -a 2-byte action code, in network byte order, which is one of: -.RS 5 -.TP 5 -0 -passed -.TP 5 -1 -dropped -.TP 5 -2 -scrubbed -.RE -.LP -a 2-byte reason code, in network byte order, which is one of: -.RS 5 -.TP 5 -0 -match -.TP 5 -1 -bad offset -.TP 5 -2 -fragment -.TP 5 -3 -short -.TP 5 -4 -normalize -.TP 5 -5 -memory -.RE -.LP -a 16-character interface name; -.LP -a 16-character ruleset name (only meaningful if subrule is set); -.LP -a 4-byte rule number, in network byte order; -.LP -a 4-byte subrule number, in network byte order; -.LP -a 1-byte direction, in network byte order, which is one of: -.RS 5 -.TP 5 -0 -incoming or outgoing -.TP 5 -1 -incoming -.TP 5 -2 -outgoing -.RE -.RE -.TP 5 -.B DLT_PRISM_HEADER -Prism monitor mode information followed by an 802.11 header. -.TP 5 -.B DLT_IP_OVER_FC -RFC 2625 IP-over-Fibre Channel, with the link-layer header being the -Network_Header as described in that RFC. -.TP 5 -.B DLT_SUNATM -SunATM devices; the link layer header contains, in order: -.RS 10 -.LP -a 1-byte flag field, containing a direction flag in the uppermost bit, -which is set for packets transmitted by the machine and clear for -packets received by the machine, and a 4-byte traffic type in the -low-order 4 bits, which is one of: -.RS 5 -.TP 5 -0 -raw traffic -.TP 5 -1 -LANE traffic -.TP 5 -2 -LLC-encapsulated traffic -.TP 5 -3 -MARS traffic -.TP 5 -4 -IFMP traffic -.TP 5 -5 -ILMI traffic -.TP 5 -6 -Q.2931 traffic -.RE -.LP -a 1-byte VPI value; -.LP -a 2-byte VCI field, in network byte order. -.RE -.TP 5 -.B DLT_IEEE802_11_RADIO -link-layer information followed by an 802.11 header - see -http://www.shaftnet.org/~pizza/software/capturefrm.txt for a description -of the link-layer information. -.TP 5 -.B DLT_ARCNET_LINUX -ARCNET, with no exception frames, reassembled packets rather than raw -frames, and an extra 16-bit offset field between the destination host -and type bytes. -.TP 5 -.B DLT_LINUX_IRDA -Linux-IrDA packets, with a -.B DLT_LINUX_SLL -header followed by the IrLAP header. -.TP 5 -.B DLT_LINUX_LAPD -LAPD (Q.921) frames, with a -.B DLT_LINUX_SLL -header captured via vISDN. -.RE -.PP -.B pcap_list_datalinks() -is used to get a list of the supported data link types of the interface -associated with the pcap descriptor. -.B pcap_list_datalinks() -allocates an array to hold the list and sets -.IR *dlt_buf . -The caller is responsible for freeing the array. -.B \-1 -is returned on failure; -otherwise, the number of data link types in the array is returned. -.PP -.B pcap_set_datalink() -is used to set the current data link type of the pcap descriptor -to the type specified by -.IR dlt . -.B \-1 -is returned on failure. -.PP -.B pcap_datalink_name_to_val() -translates a data link type name, which is a -.B DLT_ -name with the -.B DLT_ -removed, to the corresponding data link type value. The translation -is case-insensitive. -.B \-1 -is returned on failure. -.PP -.B pcap_datalink_val_to_name() -translates a data link type value to the corresponding data link type -name. NULL is returned on failure. -.PP -.B pcap_datalink_val_to_description() -translates a data link type value to a short description of that data -link type. NULL is returned on failure. -.PP -.B pcap_snapshot() -returns the snapshot length specified when -.B pcap_open_live() -was called. -.PP -.B pcap_is_swapped() -returns true if the current ``savefile'' uses a different byte order -than the current system. -.PP -.B pcap_major_version() -returns the major number of the file format of the savefile; -.B pcap_minor_version() -returns the minor number of the file format of the savefile. The -version number is stored in the header of the savefile. -.PP -.B pcap_file() -returns the standard I/O stream of the ``savefile,'' if a ``savefile'' -was opened with -.BR pcap_open_offline() , -or NULL, if a network device was opened with -.BR pcap_open_live() . -Note that the Packet Capture library is usually built with large file -support, so the standard I/O stream of the ``savefile'' might refer to -a file larger than 2 gigabytes; applications that use -.B pcap_file() -should, if possible, use calls that support large files on the return -value of -.B pcap_file() -or the value returned by -.B fileno() -when passed the return value of -.BR pcap_file() . -.PP -.B pcap_stats() -returns 0 and fills in the -.B pcap_stat -structure pointed to by its second argument. The values represent -packet statistics from the start of the run to the time of the call. If -there is an error or the underlying packet capture doesn't support -packet statistics, \-1 is returned and the error text can be obtained -with -.B pcap_perror() -or -.BR pcap_geterr() . -.B pcap_stats() -is supported only on live captures, not on ``savefiles''; no statistics -are stored in ``savefiles'', so no statistics are available when reading -from a ``savefile''. -.PP -.B pcap_fileno() -returns the file descriptor number from which captured packets are read, -if a network device was opened with -.BR pcap_open_live() , -or \-1, if a ``savefile'' was opened with -.BR pcap_open_offline() . -.PP -.B pcap_get_selectable_fd() -returns, on UNIX, a file descriptor number for a file descriptor on -which one can -do a -.B select() -or -.B poll() -to wait for it to be possible to read packets without blocking, if such -a descriptor exists, or \-1, if no such descriptor exists. Some network -devices opened with -.B pcap_open_live() -do not support -.B select() -or -.B poll() -(for example, regular network devices on FreeBSD 4.3 and 4.4, and Endace -DAG devices), so \-1 is returned for those devices. -.PP -Note that on most versions of most BSDs (including Mac OS X) -.B select() -and -.B poll() -do not work correctly on BPF devices; -.B pcap_get_selectable_fd() -will return a file descriptor on most of those versions (the exceptions -being FreeBSD 4.3 and 4.4), a simple -.B select() -or -.B poll() -will not return even after a timeout specified in -.B pcap_open_live() -expires. To work around this, an application that uses -.B select() -or -.B poll() -to wait for packets to arrive must put the -.B pcap_t -in non-blocking mode, and must arrange that the -.B select() -or -.B poll() -have a timeout less than or equal to the timeout specified in -.BR pcap_open_live() , -and must try to read packets after that timeout expires, regardless of -whether -.B select() -or -.B poll() -indicated that the file descriptor for the -.B pcap_t -is ready to be read or not. (That workaround will not work in FreeBSD -4.3 and later; however, in FreeBSD 4.6 and later, -.B select() -and -.B poll() -work correctly on BPF devices, so the workaround isn't necessary, -although it does no harm.) -.PP -.B pcap_get_selectable_fd() -is not available on Windows. -.PP -.B pcap_perror() -prints the text of the last pcap library error on -.BR stderr , -prefixed by -.IR prefix . -.PP -.B pcap_geterr() -returns the error text pertaining to the last pcap library error. -.BR NOTE : -the pointer it returns will no longer point to a valid error message -string after the -.B pcap_t -passed to it is closed; you must use or copy the string before closing -the -.BR pcap_t . -.PP -.B pcap_strerror() -is provided in case -.BR strerror (1) -isn't available. -.PP -.B pcap_lib_version() -returns a pointer to a string giving information about the version of -the libpcap library being used; note that it contains more information -than just a version number. -.PP -.B pcap_close() -closes the files associated with -.I p -and deallocates resources. -.PP -.B pcap_dump_file() -returns the standard I/O stream of the ``savefile'' opened by -.BR pcap_dump_open(). -.PP -.B pcap_dump_flush() -flushes the output buffer to the ``savefile,'' so that any packets -written with -.B pcap_dump() -but not yet written to the ``savefile'' will be written. -.B \-1 -is returned on error, 0 on success. -.PP -.B pcap_dump_ftell() -returns the current file position for the ``savefile'', representing the -number of bytes written by -.B pcap_dump_open() -and -.BR pcap_dump() . -.B \-1 -is returned on error. -.PP -.B pcap_dump_close() -closes the ``savefile.'' -.PP -.SH SEE ALSO -tcpdump(1), tcpslice(1), pcap-filter(4) -.SH AUTHORS -The original authors are: -.LP -Van Jacobson, -Craig Leres and -Steven McCanne, all of the -Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. -.LP -The current version is available from "The Tcpdump Group"'s Web site at -.LP -.RS -.I http://www.tcpdump.org/ -.RE -.SH BUGS -Please send problems, bugs, questions, desirable enhancements, etc. to: -.LP -.RS -tcpdump-workers@tcpdump.org -.RE diff --git a/pcap.3pcap b/pcap.3pcap new file mode 100644 index 00000000..bbfad91b --- /dev/null +++ b/pcap.3pcap @@ -0,0 +1,144 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP 3PCAP "4 April 2008" +.SH NAME +pcap \- Packet Capture library +.SH SYNOPSIS +.nf +.ft B +#include +.LP +.ft B +.ft +.fi +.SH DESCRIPTION +The Packet Capture library +provides a high level interface to packet capture systems. All packets +on the network, even those destined for other hosts, are accessible +through this mechanism. +It also supports saving captured packets to a ``savefile'', and reading +packets from a ``savefile''. +.PP +To open a live capture stream, call +.BR pcap_open_live() , +and to open a ``savefile'' to read the packets in that file, call +.BR pcap_open_offline() . +Both routines return a pointer to a +.BR pcap_t , +which is the handle used for reading packets from the capture stream or +the ``savefile'', and for finding out information about the capture +stream or ``savefile''. +.PP +To open a ``savefile`` to which to write packets, call +.BR pcap_dump_open() . +It returns a pointer to a +.BR pcap_dumper_t , +which is the handle used for writing packets to the ``savefile''. +.PP +Packets are read with +.B pcap_dispatch() +or +.BR pcap_loop() , +which process one or more packets, calling a callback routine for each +packet, or with +.B pcap_next() +or +.BR pcap_next_ex() , +which return the next packet. +The callback for +.B pcap_dispatch() +and +.BR pcap_loop() +is supplied a pointer to a +.IR struct pcap_pkthdr , +which includes the following members: +.RS +.TP +.B ts +a +.I struct timeval +containing the time when the packet was captured +.TP +.B caplen +a +.I bpf_u_int32 +giving the number of bytes of the packet that are available from the +capture +.TP +.B len +a +.I bpf_u_int32 +giving the length of the packet, in bytes (which might be more than the +number of bytes available from the capture, if the length of the packet +is larger than the maximum number of bytes to capture). +.RE +.PP +.B pcap_next_ex() +supplies that pointer through a pointer argument. +.B pcap_next() +is passed an argument that points to a +.I struct pcap_pkthdr +structure, and fills it in. +.PP +The callback is also supplied a +.I const u_char +pointer to the first +.B caplen +(as given in the +.I struct pcap_pkthdr +a pointer to which is passed to the callback routine) +bytes of data from the packet. This won't necessarily be the entire +packet; to capture the entire packet, you will have to provide a value +for +.I snaplen +in your call to +.B pcap_open_live() +that is sufficiently large to get all of the packet's data - a value of +65535 should be sufficient on most if not all networks). When reading +from a ``savefile'', the snapshot length specified when the capture was +performed will limit the amount of packet data available. +.B pcap_next() +returns that pointer; +.B pcap_next_ex() +supplies that pointer through a pointer argument. +.SH ROUTINES +.SH SEE ALSO +tcpdump(1), tcpslice(1), pcap-filter(4) +.SH AUTHORS +The original authors of libpcap are: +.LP +Van Jacobson, +Craig Leres and +Steven McCanne, all of the +Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. +.LP +The current version is available from "The Tcpdump Group"'s Web site at +.LP +.RS +.I http://www.tcpdump.org/ +.RE +.SH BUGS +Please send problems, bugs, questions, desirable enhancements, etc. to: +.LP +.RS +tcpdump-workers@tcpdump.org +.RE diff --git a/pcap_breakloop.3pcap b/pcap_breakloop.3pcap new file mode 100644 index 00000000..f5a07a56 --- /dev/null +++ b/pcap_breakloop.3pcap @@ -0,0 +1,105 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_breakloop.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_BREAKLOOP 3PCAP "4 April 2008" +.SH NAME +pcap_breakloop \- force a pcap_dispatch() or pcap_loop() call to return +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +void pcap_breakloop(pcap_t *); +.ft +.fi +.SH DESCRIPTION +.B pcap_breakloop() +sets a flag that will force +.B pcap_dispatch() +or +.B pcap_loop() +to return rather than looping; they will return the number of packets +that have been processed so far, or \-2 if no packets have been +processed so far. +.PP +This routine is safe to use inside a signal handler on UNIX or a console +control handler on Windows, as it merely sets a flag that is checked +within the loop. +.PP +The flag is checked in loops reading packets from the OS - a signal by +itself will not necessarily terminate those loops - as well as in loops +processing a set of packets returned by the OS. +.ft B +Note that if you are catching signals on UNIX systems that support +restarting system calls after a signal, and calling pcap_breakloop() +in the signal handler, you must specify, when catching those signals, +that system calls should NOT be restarted by that signal. Otherwise, +if the signal interrupted a call reading packets in a live capture, +when your signal handler returns after calling pcap_breakloop(), the +call will be restarted, and the loop will not terminate until more +packets arrive and the call completes. +.PP +Note also that, in a multi-threaded application, if one thread is +blocked in +.BR pcap_dispatch() , +.BR pcap_loop() , +.BR pcap_next() , +or +.BR pcap_next_ex() , +a call to +.B pcap_breakloop() +in a different thread will not unblock that thread; you will need to use +whatever mechanism the OS provides for breaking a thread out of blocking +calls in order to unblock the thread, such as thread cancellation in +systems that support POSIX threads. +.ft R +.PP +Note that +.B pcap_next() +and +.B pcap_next_ex() +will, on some platforms, loop reading packets from the OS; that loop +will not necessarily be terminated by a signal, so +.B pcap_breakloop() +should be used to terminate packet processing even if +.B pcap_next() +or +.B pcap_next_ex() +is being used. +.PP +.B pcap_breakloop() +does not guarantee that no further packets will be processed by +.B pcap_dispatch() +or +.B pcap_loop() +after it is called; at most one more packet might be processed. +.PP +If \-2 is returned from +.B pcap_dispatch() +or +.BR pcap_loop() , +the flag is cleared, so a subsequent call will resume reading packets. +If a positive number is returned, the flag is not cleared, so a +subsequent call will return \-2 and clear the flag. +.SH SEE ALSO +pcap_loop(3PCAP), pcap_next_ex(3PCAP) diff --git a/pcap_close.3pcap b/pcap_close.3pcap new file mode 100644 index 00000000..b41af5f0 --- /dev/null +++ b/pcap_close.3pcap @@ -0,0 +1,39 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_close.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_CLOSE 3PCAP "4 April 2008" +.SH NAME +pcap_close \- close a capture device or savefile +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +void pcap_close(pcap_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_close() +closes the files associated with +.I p +and deallocates resources. diff --git a/pcap_compile.3pcap b/pcap_compile.3pcap new file mode 100644 index 00000000..0eb06d80 --- /dev/null +++ b/pcap_compile.3pcap @@ -0,0 +1,72 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_compile.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_COMPILE 3PCAP "4 April 2008" +.SH NAME +pcap_compile \- compile a filter expression +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_compile(pcap_t *p, struct bpf_program *fp, +.ti +8 +const char *str, int optimize, bpf_u_int32 netmask); +.ft +.fi +.SH DESCRIPTION +.B pcap_compile() +is used to compile the string +.I str +into a filter program. See +.BR pcap-filter (4) +for the syntax of that string. +.I program +is a pointer to a +.I bpf_program +struct and is filled in by +.BR pcap_compile() . +.I optimize +controls whether optimization on the resulting code is performed. +.I netmask +specifies the IPv4 netmask of the network on which packets are being +captured; it is used only when checking for IPv4 broadcast addresses in +the filter program. If the netmask of the network on which packets are +being captured isn't known to the program, or if packets are being +captured on the Linux "any" pseudo-interface that can capture on more +than one network, a value of 0 can be supplied; tests for IPv4 broadcast +addreses won't be done correctly, but all other tests in the filter +program will be OK. +.SH RETURN VALUE +.B pcap_compile() +returns 0 on success and \-1 on failure. +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.SH SEE ALSO +pcap_setfilter(3PCAP), pcap_freecode(3PCAP), pcap_geterr(3PCAP), +pcap-filter(4) diff --git a/pcap_datalink.3pcap b/pcap_datalink.3pcap new file mode 100644 index 00000000..1c9c4e06 --- /dev/null +++ b/pcap_datalink.3pcap @@ -0,0 +1,39 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_datalink.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_DATALINK 3PCAP "4 April 2008" +.SH NAME +pcap_datalink \- get the link-layer header type +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_datalink(pcap_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_datalink() +returns the link layer type for the live capture or ``savefile'' +specified by +.IR p . diff --git a/pcap_datalink_name_to_val.3pcap b/pcap_datalink_name_to_val.3pcap new file mode 100644 index 00000000..461fc083 --- /dev/null +++ b/pcap_datalink_name_to_val.3pcap @@ -0,0 +1,46 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_datalink_name_to_val.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_DATALINK_NAME_TO_VAL 3PCAP "4 April 2008" +.SH NAME +pcap_datalink_name_to_val \- get the link-layer header type value +corresponding to a header type name +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_datalink_name_to_val(const char *name); +.ft +.fi +.SH DESCRIPTION +.B pcap_datalink_name_to_val() +translates a data link type name, which is a +.B DLT_ +name with the +.B DLT_ +removed, to the corresponding data link type value. The translation +is case-insensitive. +.SH RETURN VALUE +.B pcap_datalink_name_to_val() +returns 0 on success and \-1 on failure. diff --git a/pcap_dump.3pcap b/pcap_dump.3pcap new file mode 100644 index 00000000..c6dd97c5 --- /dev/null +++ b/pcap_dump.3pcap @@ -0,0 +1,52 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_DUMP 3PCAP "4 April 2008" +.SH NAME +pcap_dump \- write a packet to a capture file +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +void pcap_dump(u_char *user, struct pcap_pkthdr *h, +.ti +8 +u_char *sp); +.ft +.fi +.SH DESCRIPTION +.B pcap_dump() +outputs a packet to the ``savefile'' opened with +.BR pcap_dump_open() . +Note that its calling arguments are suitable for use with +.B pcap_dispatch() +or +.BR pcap_loop() . +If called directly, the +.I user +parameter is of type +.B pcap_dumper_t +as returned by +.BR pcap_dump_open() . +.SH SEE ALSO +pcap_dump_open(3PCAP), pcap_dispatch(3PCAP), pcap_loop(3PCAP) diff --git a/pcap_dump_close.3pcap b/pcap_dump_close.3pcap new file mode 100644 index 00000000..500fdc8c --- /dev/null +++ b/pcap_dump_close.3pcap @@ -0,0 +1,39 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump_close.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_DUMP_CLOSE 3PCAP "4 April 2008" +.SH NAME +pcap_dump_close \- close a savefile being written to +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +void pcap_dump_close(pcap_dumper_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_dump_close() +closes the ``savefile.'' +.SH SEE ALSO +pcap_dump_open(3PCAP), pcap_dump(3PCAP) diff --git a/pcap_dump_file.3pcap b/pcap_dump_file.3pcap new file mode 100644 index 00000000..c2b3ff35 --- /dev/null +++ b/pcap_dump_file.3pcap @@ -0,0 +1,38 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump_file.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_DUMP_FILE 3PCAP "4 April 2008" +.SH NAME +pcap_dump_file \- get the standard I/O stream for a savefile being written +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +FILE *pcap_dump_file(pcap_dumper_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_dump_file() +returns the standard I/O stream of the ``savefile'' opened by +.BR pcap_dump_open() . diff --git a/pcap_dump_flush.3pcap b/pcap_dump_flush.3pcap new file mode 100644 index 00000000..f8692b74 --- /dev/null +++ b/pcap_dump_flush.3pcap @@ -0,0 +1,45 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump_flush.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_DUMP_FLUSH 3PCAP "4 April 2008" +.SH NAME +pcap_dump_flush \- flush to a savefile packets dumped +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_dump_flush(pcap_dumper_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_dump_flush() +flushes the output buffer to the ``savefile,'' so that any packets +written with +.B pcap_dump() +but not yet written to the ``savefile'' will be written. +.SH RETURN VALUE +.B pcap_dump_flush() +returns 0 on success and \-1 on failure. +.SH SEE ALSO +pcap_dump_open(3PCAP), pcap_dump(3PCAP) diff --git a/pcap_dump_ftell.3pcap b/pcap_dump_ftell.3pcap new file mode 100644 index 00000000..577f3a76 --- /dev/null +++ b/pcap_dump_ftell.3pcap @@ -0,0 +1,44 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump_ftell.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_DUMP_FTELL 3PCAP "4 April 2008" +.SH NAME +pcap_dump_ftell \- get the current file offset for a savefile being written +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +long pcap_dump_ftell(pcap_dumper_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_dump_ftell() +returns the current file position for the ``savefile'', representing the +number of bytes written by +.B pcap_dump_open() +and +.BR pcap_dump() . +\-1 is returned on error. +.SH SEE ALSO +pcap_dump_open(3PCAP), pcap_dump(3PCAP) diff --git a/pcap_dump_open.3pcap b/pcap_dump_open.3pcap new file mode 100644 index 00000000..d10ace7a --- /dev/null +++ b/pcap_dump_open.3pcap @@ -0,0 +1,83 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_dump_open.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_DUMP_OPEN 3PCAP "4 April 2008" +.SH NAME +pcap_dump_open, pcap_dump_fopen \- open a file to which to write packets +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.nf +.LP +.ft B +pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname); +pcap_dumper_t *pcap_dump_fopen(pcap_t *p, FILE *fp); +.ft +.fi +.SH DESCRIPTION +.B pcap_dump_open() +is called to open a ``savefile'' for writing. +.I fname +specifies the name of the file to open. The file will have +the same format as those used by +.BR tcpdump (1) +and +.BR tcpslice (1). +The name "-" in a synonym +for +.BR stdout . +.PP +.B pcap_dump_fopen() +is called to write data to an existing open stream +.IR fp . +Note that on Windows, that stream should be opened in binary mode. +.PP +.I p +is a +.B pcap_t +struct returned by an earlier call to +.BR pcap_open_offline() , +.BR pcap_open_live() , +or +.BR pcap_open_dead() . +The link-layer type and snapshot length from +.I p +are used as the link-layer type and snapshot length of the output file. +.SH RETURN VALUES +A pointer to a +.B pcap_dumper_t +structure to use in subsequent +.B pcap_dump() +and +.B pcap_dump_close() +calls is returned on success. +.B NULL +is returned on failure. +If +.B NULL +is returned, +.B pcap_geterr(\fIp\fB) +can be used to get the error text. +.SH SEE ALSO +pcap_open_offline(3PCAP), pcap_open_live(3PCAP), pcap_open_dead(3PCAP), +pcap_dump(3PCAP), pcap_dump_close(3PCAP), pcap_geterr(3PCAP) diff --git a/pcap_file.3pcap b/pcap_file.3pcap new file mode 100644 index 00000000..e4a027b0 --- /dev/null +++ b/pcap_file.3pcap @@ -0,0 +1,53 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_file.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_FILE 3PCAP "4 April 2008" +.SH NAME +pcap_file \- get the standard I/O stream for a savefile being read +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +FILE *pcap_file(pcap_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_file() +returns the standard I/O stream of the ``savefile,'' if a ``savefile'' +was opened with +.BR pcap_open_offline() , +or NULL, if a network device was opened with +.BR pcap_open_live() . +.PP +Note that the Packet Capture library is usually built with large file +support, so the standard I/O stream of the ``savefile'' might refer to +a file larger than 2 gigabytes; applications that use +.B pcap_file() +should, if possible, use calls that support large files on the return +value of +.B pcap_file() +or the value returned by +.B fileno() +when passed the return value of +.BR pcap_file() . diff --git a/pcap_fileno.3pcap b/pcap_fileno.3pcap new file mode 100644 index 00000000..71196905 --- /dev/null +++ b/pcap_fileno.3pcap @@ -0,0 +1,41 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_fileno.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_FILENO 3PCAP "4 April 2008" +.SH NAME +pcap_fileno \- get the file descriptor for a live capture +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_fileno(pcap_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_fileno() +returns the file descriptor number from which captured packets are read, +if a network device was opened with +.BR pcap_open_live() , +or \-1, if a ``savefile'' was opened with +.BR pcap_open_offline() . diff --git a/pcap_findalldevs.3pcap b/pcap_findalldevs.3pcap new file mode 100644 index 00000000..510fe87b --- /dev/null +++ b/pcap_findalldevs.3pcap @@ -0,0 +1,153 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_findalldevs.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_FINDALLDEVS 3PCAP "4 April 2008" +.SH NAME +pcap_findalldevs \- get a list of capture devices +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.nf +.ft B +char errbuf[PCAP_ERRBUF_SIZE]; +.ft +.LP +.ft B +int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf); +.ft +.fi +.SH DESCRIPTION +.B pcap_findalldevs() +constructs a list of network devices that can be opened with +.BR pcap_open_live() . +(Note that there may be network devices that cannot be opened with +.BR pcap_open_live() +by the +process calling +.BR pcap_findalldevs() , +because, for example, that process might not have sufficient privileges +to open them for capturing; if so, those devices will not appear on the +list.) +.I alldevsp +is set to point to the first element of the list; each element of the +list is of type +.BR pcap_if_t , +and has the following members: +.RS +.TP +.B next +if not +.BR NULL , +a pointer to the next element in the list; +.B NULL +for the last element of the list +.TP +.B name +a pointer to a string giving a name for the device to pass to +.B pcap_open_live() +.TP +.B description +if not +.BR NULL , +a pointer to a string giving a human-readable description of the device +.TP +.B addresses +a pointer to the first element of a list of addresses for the interface +.TP +.B flags +interface flags: +.RS +.TP +.B PCAP_IF_LOOPBACK +set if the interface is a loopback interface +.RE +.RE +.PP +Each element of the list of addresses is of type +.BR pcap_addr_t , +and has the following members: +.RS +.TP +.B next +if not +.BR NULL , +a pointer to the next element in the list; +.B NULL +for the last element of the list +.TP +.B addr +a pointer to a +.B "struct sockaddr" +containing an address +.TP +.B netmask +if not +.BR NULL , +a pointer to a +.B "struct sockaddr" +that contains the netmask corresponding to the address pointed to by +.B addr +.TP +.B broadaddr +if not +.BR NULL , +a pointer to a +.B "struct sockaddr" +that contains the broadcast address corresponding to the address pointed +to by +.BR addr ; +may be null if the interface doesn't support broadcasts +.TP +.B dstaddr +if not +.BR NULL , +a pointer to a +.B "struct sockaddr" +that contains the destination address corresponding to the address pointed +to by +.BR addr ; +may be null if the interface isn't a point-to-point interface +.RE +.PP +Note that not all the addresses in the list of addresses are +necessarily IPv4 or IPv6 addresses - you must check the +.B sa_family +member of the +.B "struct sockaddr" +before interpreting the contents of the address. +.PP +The list of devices must be freed with +.BR pcap_freealldevs() . +.SH RETURN VALUE +.B pcap_findalldevs() +returns 0 on success and \-1 on failure. +If \-1 is returned, +.I errbuf +is filled in with an appropriate error message. +.I errbuf +is assumed to be able to hold at least +.B PCAP_ERRBUF_SIZE +chars. +.SH SEE ALSO +pcap_open_live(3PCAP), pcap_freealldevs(3PCAP) diff --git a/pcap_freealldevs.3pcap b/pcap_freealldevs.3pcap new file mode 100644 index 00000000..0ba23192 --- /dev/null +++ b/pcap_freealldevs.3pcap @@ -0,0 +1,40 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_freealldevs.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_FREEALLDEVS 3PCAP "4 April 2008" +.SH NAME +pcap_freealldevs \- free a list of capture devices +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +void pcap_freealldevs(pcap_if_t *alldevs); +.ft +.fi +.SH DESCRIPTION +.B pcap_freealldevs() +is used to free a list allocated by +.BR pcap_findalldevs() . +.SH SEE ALSO +pcap_findalldevs(3PCAP) diff --git a/pcap_freecode.3pcap b/pcap_freecode.3pcap new file mode 100644 index 00000000..0c0eacd3 --- /dev/null +++ b/pcap_freecode.3pcap @@ -0,0 +1,45 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_freecode.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_FREECODE 3PCAP "4 April 2008" +.SH NAME +pcap_freecode \- free a BPF program +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +void pcap_freecode(struct bpf_program *); +.ft +.fi +.SH DESCRIPTION +.B pcap_freecode() +is used to free up allocated memory pointed to by a +.I bpf_program +struct generated by +.B pcap_compile() +when that BPF program is no longer needed, for example after it +has been made the filter program for a pcap structure by a call to +.BR pcap_setfilter() . +.SH SEE ALSO +pcap_compile(3PCAP), pcap_setfilter(3PCAP) diff --git a/pcap_get_selectable_fd.3pcap b/pcap_get_selectable_fd.3pcap new file mode 100644 index 00000000..4e286b9c --- /dev/null +++ b/pcap_get_selectable_fd.3pcap @@ -0,0 +1,112 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_get_selectable_fd.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_GET_SELECTABLE_FD 3PCAP "4 April 2008" +.SH NAME +pcap_get_selectable_fd \- get a file descriptor on which a select() can +be done for a live capture +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_get_selectable_fd(pcap_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_get_selectable_fd() +returns, on UNIX, a file descriptor number for a file descriptor on +which one can +do a +.B select() +or +.B poll() +to wait for it to be possible to read packets without blocking, if such +a descriptor exists, or \-1, if no such descriptor exists. Some network +devices opened with +.B pcap_open_live() +do not support +.B select() +or +.B poll() +(for example, regular network devices on FreeBSD 4.3 and 4.4, and Endace +DAG devices), so \-1 is returned for those devices. +.PP +Note that on most versions of most BSDs (including Mac OS X) +.B select() +and +.B poll() +do not work correctly on BPF devices; +.B pcap_get_selectable_fd() +will return a file descriptor on most of those versions (the exceptions +being FreeBSD 4.3 and 4.4), a simple +.B select() +or +.B poll() +will not return even after a timeout specified in +.B pcap_open_live() +expires. To work around this, an application that uses +.B select() +or +.B poll() +to wait for packets to arrive must put the +.B pcap_t +in non-blocking mode, and must arrange that the +.B select() +or +.B poll() +have a timeout less than or equal to the timeout specified in +.BR pcap_open_live() , +and must try to read packets after that timeout expires, regardless of +whether +.B select() +or +.B poll() +indicated that the file descriptor for the +.B pcap_t +is ready to be read or not. (That workaround will not work in FreeBSD +4.3 and later; however, in FreeBSD 4.6 and later, +.B select() +and +.B poll() +work correctly on BPF devices, so the workaround isn't necessary, +although it does no harm.) +.PP +Note also that +.B poll() +doesn't work on character special files, including BPF devices, in Mac +OS X 10.4 and 10.5, so, while +.B select() +can be used on the descriptor returned by +.BR pcap_get_selectable_fd() , +.B poll() +cannot be used on it those versions of Mac OS X. Kqueues also don't +work on that descriptor. +.PP +.B pcap_get_selectable_fd() +is not available on Windows. +.SH RETURN VALUE +A selectable file descriptor is returned if one exists; otherwise, \-1 +is returned. +.SH SEE ALSO +select(2), poll(2) diff --git a/pcap_geterr.3pcap b/pcap_geterr.3pcap new file mode 100644 index 00000000..9c17fd67 --- /dev/null +++ b/pcap_geterr.3pcap @@ -0,0 +1,51 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_geterr.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_GETERR 3PCAP "4 April 2008" +.SH NAME +pcap_geterr, pcap_perror \- get or print libpcap error message text +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +char *pcap_geterr(pcap_t *p); +void pcap_perror(pcap_t *p, char *prefix); +.ft +.fi +.SH DESCRIPTION +.B pcap_geterr() +returns the error text pertaining to the last pcap library error. +.BR NOTE : +the pointer it returns will no longer point to a valid error message +string after the +.B pcap_t +passed to it is closed; you must use or copy the string before closing +the +.BR pcap_t . +.PP +.B pcap_perror() +prints the text of the last pcap library error on +.BR stderr , +prefixed by +.IR prefix . diff --git a/pcap_inject.3pcap b/pcap_inject.3pcap new file mode 100644 index 00000000..fab6b0ff --- /dev/null +++ b/pcap_inject.3pcap @@ -0,0 +1,90 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_inject.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_INJECT 3PCAP "4 April 2008" +.SH NAME +pcap_inject, pcap_sendpacket \- transmit a packet +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_inject(pcap_t *p, const void *buf, size_t size); +int pcap_sendpacket(pcap_t *p, const u_char *buf, int size); +.ft +.fi +.SH DESCRIPTION +.B pcap_inject() +sends a raw packet through the network interface; +.I buf +points to the data of the packet, including the link-layer header, and +.I size +is the number of bytes in the packet. +.PP +Note that, even if you successfully open the network interface, you +might not have permission to send packets on it, or it might not support +sending packets; as +.I pcap_open_live() +doesn't have a flag to indicate whether to open for capturing, sending, +or capturing and sending, you cannot request an open that supports +sending and be notified at open time whether sending will be possible. +Note also that some devices might not support sending packets. +.PP +Note that, on some platforms, the link-layer header of the packet that's +sent might not be the same as the link-layer header of the packet +supplied to +.BR pcap_inject() , +as the source link-layer address, if the header contains such an +address, might be changed to be the address assigned to the interface on +which the packet it sent, if the platform doesn't support sending +completely raw and unchanged packets. Even worse, some drivers on some +platforms might change the link-layer type field to whatever value +libpcap used when attaching to the device, even on platforms that +.I do +nominally support sending completely raw and unchanged packets. +.PP +.B pcap_sendpacket() +is like +.BR pcap_inject() , +but it returns 0 on success, rather than returning the number of bytes +written. +.RB ( pcap_inject() +comes from OpenBSD; +.B pcap_sendpacket() +comes from WinPcap. Both are provided for compatibility.) +.SH RETURN VALUE +.B pcap_inject() +returns the number of bytes written on success and \-1 on failure. +.PP +.B pcap_sendpacket() +returns 0 on success and \-1 on failure. +.PP +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.SH SEE ALSO +pcap_geterr(3PCAP) diff --git a/pcap_is_swapped.3pcap b/pcap_is_swapped.3pcap new file mode 100644 index 00000000..f18da4d6 --- /dev/null +++ b/pcap_is_swapped.3pcap @@ -0,0 +1,40 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_is_swapped.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_IS_SWAPPED 3PCAP "4 April 2008" +.SH NAME +pcap_is_swapped \- find out whether a savefile has the native byte order +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_is_swapped(pcap_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_is_swapped() +returns true if +.I p +refers to a ``savefile'' that uses a different byte order +than the current system. For a live capture, it always returns false. diff --git a/pcap_lib_version.3pcap b/pcap_lib_version.3pcap new file mode 100644 index 00000000..a2ec2e82 --- /dev/null +++ b/pcap_lib_version.3pcap @@ -0,0 +1,39 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_lib_version.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_LIB_VERSION 3PCAP "4 April 2008" +.SH NAME +pcap_lib_version \- get the version information for libpcap +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +const char *pcap_lib_version(void); +.ft +.fi +.SH DESCRIPTION +.B pcap_lib_version() +returns a pointer to a string giving information about the version of +the libpcap library being used; note that it contains more information +than just a version number. diff --git a/pcap_list_datalinks.3pcap b/pcap_list_datalinks.3pcap new file mode 100644 index 00000000..cde6f1df --- /dev/null +++ b/pcap_list_datalinks.3pcap @@ -0,0 +1,57 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_list_datalinks.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_LIST_DATALINKS 3PCAP "4 April 2008" +.SH NAME +pcap_list_datalinks \- get a list of link-layer header types supported +by a capture device +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_list_datalinks(pcap_t *p, int **dlt_buf); +.ft +.fi +.SH DESCRIPTION +.B pcap_list_datalinks() +is used to get a list of the supported data link types of the interface +associated with the pcap descriptor. +.B pcap_list_datalinks() +allocates an array to hold the list and sets +.IR *dlt_buf . +The caller is responsible for freeing the array with +.BR free (3). +.SH RETURN VALUE +.B pcap_list_datalinks() +returns the number of data link types in the array on success and \-1 +on failure. +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.SH SEE ALSO +pcap_geterr(3PCAP) diff --git a/pcap_lookupdev.3pcap b/pcap_lookupdev.3pcap new file mode 100644 index 00000000..376de33d --- /dev/null +++ b/pcap_lookupdev.3pcap @@ -0,0 +1,57 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_lookupdev.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_LOOKUPDEV 3PCAP "4 April 2008" +.SH NAME +pcap_lookupdev \- find the default device on which to capture +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.nf +.ft B +char errbuf[PCAP_ERRBUF_SIZE]; +.ft +.LP +.ft B +char *pcap_lookupdev(char *errbuf); +.ft +.fi +.SH DESCRIPTION +.B pcap_lookupdev() +returns a pointer to a string giving the name of a network device +suitable for use with +.B pcap_open_live() +and +.BR pcap_lookupnet() . +If there is an error, +.B NULL +is returned and +.I errbuf +is filled in with an appropriate error message. +.I errbuf +is assumed to be able to hold at least +.B PCAP_ERRBUF_SIZE +chars. +.SH SEE ALSO +pcap_open_live(3PCAP), pcap_lookupnet(3PCAP) diff --git a/pcap_lookupnet.3pcap b/pcap_lookupnet.3pcap new file mode 100644 index 00000000..8bcd7701 --- /dev/null +++ b/pcap_lookupnet.3pcap @@ -0,0 +1,63 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_lookupnet.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_LOOKUPNET 3PCAP "4 April 2008" +.SH NAME +pcap_lookupnet \- find the IPv4 network number and netmask for a device +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.nf +.ft B +char errbuf[PCAP_ERRBUF_SIZE]; +.ft +.LP +.ft B +int pcap_lookupnet(const char *device, bpf_u_int32 *netp, +.ti +8 +bpf_u_int32 *maskp, char *errbuf); +.ft +.fi +.SH DESCRIPTION +.B pcap_lookupnet() +is used to determine the IPv4 network number and mask +associated with the network device +.IR device . +Both +.I netp +and +.I maskp +are +.I bpf_u_int32 +pointers. +.SH RETURN VALUE +.B pcap_lookupnet() +returns 0 on success and \-1 on failure. +If \-1 is returned, +.I errbuf +is filled in with an appropriate error message. +.I errbuf +is assumed to be able to hold at least +.B PCAP_ERRBUF_SIZE +chars. diff --git a/pcap_loop.3pcap b/pcap_loop.3pcap new file mode 100644 index 00000000..0a4ed3de --- /dev/null +++ b/pcap_loop.3pcap @@ -0,0 +1,164 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_loop.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_LOOP 3PCAP "4 April 2008" +.SH NAME +pcap_loop, pcap_dispatch \- process packets from a live capture or savefile +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h, +.ti +8 + const u_char *bytes); +.ft +.LP +.ft B +int pcap_loop(pcap_t *p, int cnt, +.ti +8 +pcap_handler callback, u_char *user); +int pcap_dispatch(pcap_t *p, int cnt, +.ti +8 +pcap_handler callback, u_char *user); +.ft +.fi +.SH DESCRIPTION +.B pcap_loop() +processes packets from a live capture or ``savefile'' until +.I cnt +packets are processed, the end of the ``savefile'' is +reached when reading from a ``savefile'', +.B pcap_breakloop() +is called, or an error occurs. +It does +.B not +return when live read timeouts occur. +A value of \-1 or 0 for +.I cnt +is equivalent to infinity, so that packets are processed until another +ending condition occurs. +.PP +.B pcap_dispatch() +processes packets from a live capture or ``savefile'' until +.I cnt +packets are processed, the end of the current bufferful of packets is +reached when doing a live capture, the end of the ``savefile'' is +reached when reading from a ``savefile'', +.B pcap_breakloop() +is called, or an error occurs. +Thus, when doing a live capture, +.I cnt +is the maximum number of packets to process before returning, but is not +a minimum number; when reading a live capture, only one +bufferful of packets is read at a time, so fewer than +.I cnt +packets may be processed. A value of \-1 or 0 for +.I cnt +causes all the packets received in one buffer to be processed when +reading a live capture, and causes all the packets in the file to be +processed when reading a ``savefile''. +.PP +.ft B +(In older versions of libpcap, the behavior when +\fIcnt\fP +was 0 was undefined; different platforms and devices behaved +differently, so code that must work with older versions of libpcap +should use \-1, nor 0, as the value of +\fIcnt\fP.) +.ft R +.PP +.I callback +specifies a routine to be called with three arguments: +a +.I u_char +pointer which is passed in the +.I user +argument to +.B pcap_loop() +or +.BR pcap_dispatch() , +a +.I const struct pcap_pkthdr +pointer pointing to the packet time stamp and lengths, and a +.I const u_char +pointer to the first +.B caplen +(as given in the +.I struct pcap_pkthdr +a pointer to which is passed to the callback routine) +bytes of data from the packet. +.PP +.BR NOTE : +when reading a live capture, +.B pcap_dispatch() +will not necessarily return when the read times out; on some platforms, +the read timeout isn't supported, and, on other platforms, the timer +doesn't start until at least one packet arrives. This means that the +read timeout should +.B NOT +be used in, for example, an interactive application, to allow the packet +capture loop to ``poll'' for user input periodically, as there's no +guarantee that +.B pcap_dispatch() +will return after the timeout expires. +.SH RETURN VALUE +.B pcap_loop() +returns 0 if +.I cnt +is exhausted, \-1 if an error occurs, or \-2 if the loop terminated due +to a call to +.B pcap_breakloop() +before any packets were processed. +It does +.B not +return when live read timeouts occur; instead, it attempts to read more +packets. +.PP +.B pcap_dispatch() +returns the number of packets processed on success; this can be 0 if no +packets were read from a live capture (if, for example, they were +discarded because they didn't pass the packet filter, or if, on +platforms that support a read timeout that starts before any packets +arrive, the timeout expires before any packets arrive, or if the file +descriptor for the capture device is in non-blocking mode and no packets +were available to be read) or if no more packets are available in a +``savefile.'' It returns \-1 if an error occurs or \-2 if the loop +terminated due to a call to +.B pcap_breakloop() +before any packets were processed. +.ft B +If your application uses pcap_breakloop(), +make sure that you explicitly check for \-1 and \-2, rather than just +checking for a return value < 0. +.ft R +.PP +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.SH SEE ALSO +pcap_geterr(3PCAP), pcap_breakloop(3PCAP) diff --git a/pcap_major_version.3pcap b/pcap_major_version.3pcap new file mode 100644 index 00000000..685592f0 --- /dev/null +++ b/pcap_major_version.3pcap @@ -0,0 +1,52 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_major_version.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_MAJOR_VERSION 3PCAP "4 April 2008" +.SH NAME +pcap_major_version, pcap_minor_version \- get the version number of a savefile +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_major_version(pcap_t *p); +int pcap_minor_version(pcap_t *p); +.ft +.fi +.SH DESCRIPTION +If +.I p +refers to a savefile, +.B pcap_major_version() +returns the major number of the file format of the savefile and +.B pcap_minor_version() +returns the minor number of the file format of the savefile. The +version number is stored in the header of the savefile. +.PP +If +.I p +refers to a live capture, the values returned by +.B pcap_major_version() +and +.B pcap_minor_version() +are not meaningful. diff --git a/pcap_next_ex.3pcap b/pcap_next_ex.3pcap new file mode 100644 index 00000000..ba1ae21a --- /dev/null +++ b/pcap_next_ex.3pcap @@ -0,0 +1,90 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_next_ex.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_NEXT_EX 3PCAP "4 April 2008" +.SH NAME +pcap_next_ex, pcap_next \- read the next packet from a pcap_t +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header, +.ti +8 +const u_char **pkt_data); +const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h); +.ft +.fi +.SH DESCRIPTION +.B pcap_next_ex() +reads the next packet and returns a success/failure indication. +If the packet was read without problems, the pointer pointed to by the +.I pkt_header +argument is set to point to the +.I pcap_pkthdr +struct for the packet, and the +pointer pointed to by the +.I pkt_data +argument is set to point to the data in the packet. +.PP +.B pcap_next() +reads the next packet (by calling +.B pcap_dispatch() +with a +.I cnt +of 1) and returns a +.I u_char +pointer to the data in that packet. +The +.I pcap_pkthdr +structure pointed to by +.I h +is filled in with the appropriate values for the packet. +.SH RETURN VALUE +.B pcap_next_ex() +returns 1 if the packet was read without problems, 0 +if packets are being read from a live capture, and the timeout expired, +\-1 if an error occurred while reading the packet, and \-2 if +packets are being read from a ``savefile'', and there are no more +packets to read from the savefile. +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.PP +.B pcap_next() +returns a pointer to the packet data on success, and returns +.B NULL +if an error occured, or if no packets were read from a live +capture (if, for example, they were discarded because they didn't pass +the packet filter, or if, on platforms that support a read timeout that +starts before any packets arrive, the timeout expires before any packets +arrive, or if the file descriptor for the capture device is in +non-blocking mode and no packets were available to be read), or if no +more packets are available in a ``savefile.'' Unfortunately, there is +no way to determine whether an error occured or not. +.SH SEE ALSO +pcap_geterr(3PCAP), pcap_dispatch(3PCAP) diff --git a/pcap_open_dead.3pcap b/pcap_open_dead.3pcap new file mode 100644 index 00000000..b50cd87c --- /dev/null +++ b/pcap_open_dead.3pcap @@ -0,0 +1,50 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_open_dead.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_OPEN_DEAD 3PCAP "4 April 2008" +.SH NAME +pcap_open_dead \- open a fake pcap_t for compiling filters or opening a +capture for output +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +pcap_t *pcap_open_dead(int linktype, int snaplen); +.ft +.fi +.SH DESCRIPTION +.PP +.B pcap_open_dead() +is used for creating a +.B pcap_t +structure to use when calling the other functions in libpcap. It is +typically used when just using libpcap for compiling BPF code. +.PP +.I linktype +specifies the link-layer type for the +.BR pcap_t . +.PP +.I snaplen +specifies the snapshot length for the +.BR pcap_t . diff --git a/pcap_open_live.3pcap b/pcap_open_live.3pcap new file mode 100644 index 00000000..4f1685d5 --- /dev/null +++ b/pcap_open_live.3pcap @@ -0,0 +1,107 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_open_live.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_OPEN_LIVE 3PCAP "4 April 2008" +.SH NAME +pcap_open_live \- open a device for capturing +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.nf +.ft B +char errbuf[PCAP_ERRBUF_SIZE]; +.ft +.LP +.ft B +pcap_t *pcap_open_live(const char *device, int snaplen, +.ti +8 +int promisc, int to_ms, char *errbuf); +.ft +.fi +.SH DESCRIPTION +.B pcap_open_live() +is used to obtain a packet capture descriptor to look +at packets on the network. +.I device +is a string that specifies the network device to open; on Linux systems +with 2.2 or later kernels, a +.I device +argument of "any" or +.B NULL +can be used to capture packets from all interfaces. +.PP +.I snaplen +specifies the maximum number of bytes to capture. If this value is less +than the size of a packet that is captured, only the first +.I snaplen +bytes of that packet will be captured and provided as packet data. A +value of 65535 should be sufficient, on most if not all networks, to +capture all the data available from the packet. +.PP +.I promisc +specifies if the interface is to be put into promiscuous mode. +(Note that even if this parameter is false, the interface +could well be in promiscuous mode for some other reason.) For now, this +doesn't work on the "any" device; if an argument of "any" or NULL is +supplied, the +.I promisc +flag is ignored. +.PP +.I to_ms +specifies the read timeout in milliseconds. The read timeout is used to +arrange that the read not necessarily return immediately when a packet +is seen, but that it wait for some amount of time to allow more packets +to arrive and to read multiple packets from the OS kernel in one +operation. Not all platforms support a read timeout; on platforms that +don't, the read timeout is ignored. A zero value for +.IR to_ms , +on platforms that support a read timeout, +will cause a read to wait forever to allow enough packets to +arrive, with no timeout. +.SH RETURN VALUE +.B pcap_open_live() +returns a +.I pcap_t * +on success and +.B NULL +on failure. +If +.B NULL +is returned, +.I errbuf +is filled in with an appropriate error message. +.I errbuf +may also be set to warning text when +.B pcap_open_live() +succeds; to detect this case the caller should store a zero-length string in +.I errbuf +before calling +.B pcap_open_live() +and display the warning to the user if +.I errbuf +is no longer a zero-length string. +.I errbuf +is assumed to be able to hold at least +.B PCAP_ERRBUF_SIZE +chars. diff --git a/pcap_open_offline.3pcap b/pcap_open_offline.3pcap new file mode 100644 index 00000000..77260d26 --- /dev/null +++ b/pcap_open_offline.3pcap @@ -0,0 +1,76 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_open_offline.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_OPEN_OFFLINE 3PCAP "4 April 2008" +.SH NAME +pcap_open_offline, pcap_fopen_offline \- open a saved capture file for reading +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.nf +.ft B +char errbuf[PCAP_ERRBUF_SIZE]; +.ft +.LP +.ft B +pcap_t *pcap_open_offline(const char *fname, char *errbuf); +pcap_t *pcap_fopen_offline(FILE *fp, char *errbuf); +.ft +.fi +.SH DESCRIPTION +.B pcap_open_offline() +is called to open a ``savefile'' for reading. +.PP +.I fname +specifies the name of the file to open. The file has +the same format as those used by +.BR tcpdump (1) +and +.BR tcpslice (1). +The name "-" in a synonym for +.BR stdin . +.PP +Alternatively, you may call +.B pcap_fopen_offline() +to read dumped data from an existing open stream +.IR fp . +Note that on Windows, that stream should be opened in binary mode. +.SH RETURN VALUE +.B pcap_open_offline() +and +.B pcap_fopen_offline() +return a +.I pcap_t * +on success and +.B NULL +on failure. +If +.B NULL +is returned, +.I errbuf +is filled in with an appropriate error message. +.I errbuf +is assumed to be able to hold at least +.B PCAP_ERRBUF_SIZE +chars. diff --git a/pcap_set_datalink.3pcap b/pcap_set_datalink.3pcap new file mode 100644 index 00000000..f728734a --- /dev/null +++ b/pcap_set_datalink.3pcap @@ -0,0 +1,52 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_set_datalink.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_SET_DATALINK 3PCAP "4 April 2008" +.SH NAME +pcap_set_datalink \- set the link-layer header type to be used by a +capture device +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_set_datalink(pcap_t *p, int dlt); +.ft +.fi +.SH DESCRIPTION +.B pcap_set_datalink() +is used to set the current data link type of the pcap descriptor +to the type specified by +.IR dlt . +.SH RETURN VALUE +.B pcap_set_datalink() +returns 0 on success and \-1 on failure. +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.SH SEE ALSO +pcap_geterr(3PCAP) diff --git a/pcap_setdirection.3pcap b/pcap_setdirection.3pcap new file mode 100644 index 00000000..f7e0fdf2 --- /dev/null +++ b/pcap_setdirection.3pcap @@ -0,0 +1,71 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_setdirection.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_SETDIRECTION 3PCAP "4 April 2008" +.SH NAME +pcap_setdirection \- set the direction for which packets will be captured +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_setdirection(pcap_t *p, pcap_direction_t d); +.ft +.fi +.SH DESCRIPTION +.B pcap_setdirection() +is used to specify a direction that packets will be captured. +.I d +is one of the constants +.BR PCAP_D_IN , +.B PCAP_D_OUT +or +.BR PCAP_D_INOUT . +.B PCAP_D_IN +will only capture packets received by the device, +.B PCAP_D_OUT +will only capture packets sent by the device and +.B PCAP_D_INOUT +will capture packets received by or sent by the device. +.B PCAP_D_INOUT +is the default setting if this function is not called. +.PP +.B pcap_setdirection() +isn't necessarily fully supported on all platforms; some platforms might +return an error for all values, and some other platforms might not +support +.BR PCAP_D_OUT . +.PP +This operation is not supported if a ``savefile'' is being read. +.SH RETURN VALUE +.B pcap_setdirection() +returns 0 on success and \-1 on failure. +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.SH SEE ALSO +pcap_geterr(3PCAP) diff --git a/pcap_setfilter.3pcap b/pcap_setfilter.3pcap new file mode 100644 index 00000000..31df80ce --- /dev/null +++ b/pcap_setfilter.3pcap @@ -0,0 +1,54 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_setfilter.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_SETFILTER 3PCAP "4 April 2008" +.SH NAME +pcap_setfilter \- set the filter +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_setfilter(pcap_t *p, struct bpf_program *fp); +.ft +.fi +.SH DESCRIPTION +.B pcap_setfilter() +is used to specify a filter program. +.I fp +is a pointer to a +.I bpf_program +struct, usually the result of a call to +.BR pcap_compile() . +.SH RETURN VALUE +.B pcap_setfilter() +returns 0 on success and \-1 on failure. +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.SH SEE ALSO +pcap_geterr(3PCAP) diff --git a/pcap_setnonblock.3pcap b/pcap_setnonblock.3pcap new file mode 100644 index 00000000..752277e4 --- /dev/null +++ b/pcap_setnonblock.3pcap @@ -0,0 +1,77 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_setnonblock.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_SETNONBLOCK 3PCAP "4 April 2008" +.SH NAME +pcap_setnonblock, pcap_getnonblock \- set or get the state of +non-blocking mode on a capture device +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.nf +.ft B +char errbuf[PCAP_ERRBUF_SIZE]; +.ft +.LP +.ft B +int pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf); +int pcap_getnonblock(pcap_t *p, char *errbuf); +.ft +.fi +.SH DESCRIPTION +.B pcap_setnonblock() +puts a capture descriptor, opened with +.BR pcap_open_live() , +into ``non-blocking'' mode, or takes it out of ``non-blocking'' mode, +depending on whether the +.I nonblock +argument is non-zero or zero. It has no effect on ``savefiles''. +If there is an error, \-1 is returned and +.I errbuf +is filled in with an appropriate error message; otherwise, 0 is +returned. +In +``non-blocking'' mode, an attempt to read from the capture descriptor +with +.B pcap_dispatch() +will, if no packets are currently available to be read, return 0 +immediately rather than blocking waiting for packets to arrive. +.B pcap_loop() +and +.B pcap_next() +will not work in ``non-blocking'' mode. +.SH RETURN VALUE +.B pcap_getnonblock() +returns the current ``non-blocking'' state of the capture descriptor; it +always returns 0 on ``savefiles''. +If there is an error, \-1 is returned and +.I errbuf +is filled in with an appropriate error message. +.PP +.I errbuf +is assumed to be able to hold at least +.B PCAP_ERRBUF_SIZE +chars. +.SH SEE ALSO +pcap_loop(3PCAP), pcap_next_ex(3PCAP), pcap_geterr(3PCAP) diff --git a/pcap_snapshot.3pcap b/pcap_snapshot.3pcap new file mode 100644 index 00000000..c319240a --- /dev/null +++ b/pcap_snapshot.3pcap @@ -0,0 +1,40 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_snapshot.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_SNAPSHOT 3PCAP "4 April 2008" +.SH NAME +pcap_snapshot \- get the snapshot length +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_snapshot(pcap_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_snapshot() +returns the snapshot length specified when +.B pcap_open_live() +was called, for a live capture, or the snapshot length from the capture +file, for a ``savefile''. diff --git a/pcap_stats.3pcap b/pcap_stats.3pcap new file mode 100644 index 00000000..5aa198db --- /dev/null +++ b/pcap_stats.3pcap @@ -0,0 +1,59 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_stats.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_SNAPSHOT 3PCAP "4 April 2008" +.SH NAME +pcap_stats \- get capture statistics +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_stats(pcap_t *p, struct pcap_stat *ps); +.ft +.fi +.SH DESCRIPTION +.B pcap_stats() +fills in the +.I pcap_stat +structure pointed to by its second argument. The values represent +packet statistics from the start of the run to the time of the call. +.PP +.B pcap_stats() +is supported only on live captures, not on ``savefiles''; no statistics +are stored in ``savefiles'', so no statistics are available when reading +from a ``savefile''. +.SH RETURN VALUE +.B pcap_stats() +returns 0 on success and returns \-1 if there is an error or the +.I p +doesn't support packet statistics. +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.SH SEE ALSO +pcap_geterr(3PCAP) diff --git a/pcap_strerror.3pcap b/pcap_strerror.3pcap new file mode 100644 index 00000000..84811454 --- /dev/null +++ b/pcap_strerror.3pcap @@ -0,0 +1,42 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_strerror.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_STRERROR 3PCAP "4 April 2008" +.SH NAME +pcap_strerror \- convert an errno value to a string +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +const char *pcap_strerror(int error); +.ft +.fi +.SH DESCRIPTION +.B pcap_strerror() +is provided in case +.BR strerror (3) +isn't available. It returns an error message string corresponding to +.IR error . +.SH SEE ALSO +strerror(3)