Libpcap provides a portable framework for low-level network
monitoring. Libpcap can provide network statistics collection,
security monitoring and network debugging. Since almost every system
vendor provides a different interface for packet capture, the libpcap
authors created this system-independent API to ease porting and to
alleviate the need for several system-dependent packet capture modules
in each application.

This package provides the libraries, include files, and other
resources needed for developing libpcap applications.

pcap-config - When run with the --cflags option, pcap-config writes to the standard output the -I compiler flags required to include libpcap's header files. When run with the...
pcap.3pcap - The Packet Capture library provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are...
pcap_activate.3pcap - pcap_activate() is used to activate a packet capture handle to look at packets on the network, with the options that were set on the handle being in effect.
pcap_breakloop.3pcap - pcap_breakloop() sets a flag that will force pcap_dispatch() or pcap_loop() to return rather than looping; they will return the number of packets that have been...
pcap_can_set_rfmon.3pcap - pcap_can_set_rfmon() checks whether monitor mode could be set on a capture handle when the handle is activated.
pcap_close.3pcap - pcap_close() closes the files associated with p and deallocates resources.
pcap_compile.3pcap - pcap_compile() is used to compile the string str into a filter program. See pcap-filter(7) for the syntax of that string. program is a pointer to a bpf_program...
pcap_create.3pcap - pcap_create() is used to create a packet capture handle to look at packets on the network. source is a string that specifies the network device to open; on...
pcap_datalink.3pcap - pcap_datalink() returns the link-layer header type for the live capture or “savefile” specified by p. It must not be called on a pcap descriptor created by...
pcap_datalink_name_to_val.3pcap - pcap_datalink_name_to_val() translates a link-layer header type name, which is a DLT_ name with the DLT_ removed, to the corresponding link-layer header type...
pcap_datalink_val_to_name.3pcap - pcap_datalink_val_to_name() translates a link-layer header type value to the corresponding link-layer header type name. NULL is returned on failure...
pcap_dump.3pcap - pcap_dump() outputs a packet to the “savefile” opened with pcap_dump_open(). Note that its calling arguments are suitable for use with pcap_dispatch() or...
pcap_dump_file.3pcap - pcap_dump_file() returns the standard I/O stream of the “savefile” opened by pcap_dump_open().
pcap_dump_flush.3pcap - pcap_dump_flush() flushes the output buffer to the “savefile,” so that any packets written with pcap_dump() but not yet written to the “savefile” will be...
pcap_dump_ftell.3pcap - pcap_dump_ftell() returns the current file position for the “savefile”, representing the number of bytes written by pcap_dump_open() and pcap_dump(). -1 is...
pcap_dump_open.3pcap - pcap_dump_open() is called to open a “savefile” for writing. fname specifies the name of the file to open. The file will have the same format as those used by...
pcap_file.3pcap - pcap_file() returns the standard I/O stream of the “savefile,” if a “savefile” was opened with pcap_open_offline(), or NULL, if a network device was opened with...
pcap_fileno.3pcap - If p refers to a network device that was opened for a live capture using a combination of pcap_create() and pcap_activate(), or using pcap_open_live()...
pcap_findalldevs.3pcap - pcap_findalldevs() constructs a list of network devices that can be opened with pcap_create() and pcap_activate() or with pcap_open_live(). (Note that there may...
pcap_freecode.3pcap - pcap_freecode() is used to free up allocated memory pointed to by a bpf_program struct generated by pcap_compile() when that BPF program is no longer needed...
pcap_geterr.3pcap - pcap_geterr() returns the error text pertaining to the last pcap library error. NOTE: the pointer it returns will no longer point to a valid error message...
pcap_get_selectable_fd.3pcap - pcap_get_selectable_fd() returns, on UNIX, a file descriptor number for a file descriptor on which one can do a select(), poll(), or other such call to wait for...
pcap_inject.3pcap - pcap_inject() sends a raw packet through the network interface; buf points to the data of the packet, including the link-layer header, and size is the number of...
pcap_is_swapped.3pcap - pcap_is_swapped() returns true (1) if p refers to a “savefile” that uses a different byte order than the current system. For a live capture, it always returns...
pcap_lib_version.3pcap - pcap_lib_version() returns a pointer to a string giving information about the version of the libpcap library being used; note that it contains more information...
pcap_list_datalinks.3pcap - pcap_list_datalinks() is used to get a list of the supported link-layer header types of the interface associated with the pcap descriptor. pcap_list_datalinks()...
pcap_list_tstamp_types.3pcap - pcap_list_tstamp_types() is used to get a list of the supported time stamp types of the interface associated with the pcap descriptor. pcap_list_tstamp_types()...
pcap_lookupdev.3pcap - pcap_lookupdev() returns a pointer to a string giving the name of a network device suitable for use with pcap_create() and pcap_activate(), or with...
pcap_lookupnet.3pcap - pcap_lookupnet() is used to determine the IPv4 network number and mask associated with the network device device. Both netp and maskp are bpf_u_int32 pointers.
pcap_loop.3pcap - pcap_loop() processes packets from a live capture or “savefile” until cnt packets are processed, the end of the “savefile” is reached when reading from a...
pcap_major_version.3pcap - If p refers to a “savefile”, pcap_major_version() returns the major number of the file format of the “savefile” and pcap_minor_version() returns the minor...
pcap_next_ex.3pcap - pcap_next_ex() reads the next packet and returns a success/failure indication. If the packet was read without problems, the pointer pointed to by the pkt_header...
pcap_offline_filter.3pcap - pcap_offline_filter() checks whether a filter matches a packet. fp is a pointer to a bpf_program struct, usually the result of a call to pcap_compile(). h...
pcap_open_dead.3pcap - pcap_open_dead() and pcap_open_dead_with_tstamp_precision() are used for creating a pcap_t structure to use when calling the other functions in libpcap. It is...
pcap_open_live.3pcap - pcap_open_live() is used to obtain a packet capture handle to look at packets on the network. device is a string that specifies the network device to open; on...
pcap_open_offline.3pcap - pcap_open_offline() and pcap_open_offline_with_tstamp_precision() are called to open a “savefile” for reading. fname specifies the name of the file to open. The...
pcap_set_buffer_size.3pcap - pcap_set_buffer_size() sets the buffer size that will be used on a capture handle when the handle is activated to buffer_size, which is in units of bytes.
pcap_set_datalink.3pcap - pcap_set_datalink() is used to set the current link-layer header type of the pcap descriptor to the type specified by dlt.
pcap_setdirection.3pcap - pcap_setdirection() is used to specify a direction that packets will be captured. d is one of the constants PCAP_D_IN, PCAP_D_OUT or PCAP_D_INOUT. PCAP_D_IN...
pcap_setfilter.3pcap - pcap_setfilter() is used to specify a filter program. fp is a pointer to a bpf_program struct, usually the result of a call to pcap_compile().
pcap_set_immediate_mode.3pcap - pcap_set_immediate_mode() sets whether immediate mode should be set on a capture handle when the handle is activated. If immediate_mode is non-zero, immediate...
pcap_setnonblock.3pcap - pcap_setnonblock() puts a capture handle into “non-blocking” mode, or takes it out of “non-blocking” mode, depending on whether the nonblock argument is...
pcap_set_promisc.3pcap - pcap_set_promisc() sets whether promiscuous mode should be set on a capture handle when the handle is activated. If promisc is non-zero, promiscuous mode will...
pcap_set_rfmon.3pcap - pcap_set_rfmon() sets whether monitor mode should be set on a capture handle when the handle is activated. If rfmon is non-zero, monitor mode will be set...
pcap_set_snaplen.3pcap - pcap_set_snaplen() sets the snapshot length to be used on a capture handle when the handle is activated to snaplen.
pcap_set_timeout.3pcap - pcap_set_timeout() sets the read timeout that will be used on a capture handle when the handle is activated to to_ms, which is in units of milliseconds. The...
pcap_set_tstamp_precision.3pcap - pcap_set_tstamp_precision() sets the precision of the time stamp desired for packets captured on the pcap descriptor to the type specified by tstamp_precision...
pcap_set_tstamp_type.3pcap - pcap_set_tstamp_type() sets the type of time stamp desired for packets captured on the pcap descriptor to the type specified by tstamp_type. It must be...
pcap_snapshot.3pcap - pcap_snapshot() returns the snapshot length specified when pcap_set_snaplen() or pcap_open_live() was called, for a live capture, or the snapshot length from...
pcap_stats.3pcap - pcap_stats() fills in the struct pcap_stat pointed to by its second argument. The values represent packet statistics from the start of the run to the time of...
pcap_statustostr.3pcap - pcap_statustostr() converts a PCAP_ERROR_ or PCAP_WARNING_ value returned by a libpcap routine to an error string.
pcap_tstamp_type_name_to_val.3pcap - pcap_tstamp_type_name_to_val() translates a time stamp type name to the corresponding time stamp type value. The translation is case-insensitive.
pcap_tstamp_type_val_to_name.3pcap - pcap_tstamp_type_val_to_name() translates a time stamp type value to the corresponding time stamp type name. NULL is returned on failure...
pcap-savefile - NOTE: applications and libraries should, if possible, use libpcap to read savefiles, rather than having their own code to read savefiles. If, in the future, a...