nexmon – Blame information for rev 1

Subversion Repositories:
Rev:
Rev Author Line No. Line
1 office 1 .\" Copyright (c) 1994, 1996, 1997
2 .\" The Regents of the University of California. All rights reserved.
3 .\"
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that: (1) source code distributions
6 .\" retain the above copyright notice and this paragraph in its entirety, (2)
7 .\" distributions including binary code include the above copyright notice and
8 .\" this paragraph in its entirety in the documentation or other materials
9 .\" provided with the distribution, and (3) all advertising materials mentioning
10 .\" features or use of this software display the following acknowledgement:
11 .\" ``This product includes software developed by the University of California,
12 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
13 .\" the University nor the names of its contributors may be used to endorse
14 .\" or promote products derived from this software without specific prior
15 .\" written permission.
16 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
17 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
18 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
19 .\"
20 .TH PCAP 3PCAP "16 April 2014"
21 .SH NAME
22 pcap \- Packet Capture library
23 .SH SYNOPSIS
24 .nf
25 .ft B
26 #include <pcap/pcap.h>
27 .LP
28 .ft B
29 .ft
30 .fi
31 .SH DESCRIPTION
32 The Packet Capture library
33 provides a high level interface to packet capture systems. All packets
34 on the network, even those destined for other hosts, are accessible
35 through this mechanism.
36 It also supports saving captured packets to a ``savefile'', and reading
37 packets from a ``savefile''.
38 .SS Opening a capture handle for reading
39 To open a handle for a live capture, given the name of the network or
40 other interface on which the capture should be done, call
41 .BR pcap_create (),
42 set the appropriate options on the handle, and then activate it with
43 .BR pcap_activate ().
44 .PP
45 To obtain a list of devices that can be opened for a live capture, call
46 .BR pcap_findalldevs ();
47 to free the list returned by
48 .BR pcap_findalldevs (),
49 call
50 .BR pcap_freealldevs ().
51 .BR pcap_lookupdev ()
52 will return the first device on that list that is not a ``loopback``
53 network interface.
54 .PP
55 To open a handle for a ``savefile'' from which to read packets, given the
56 pathname of the ``savefile'', call
57 .BR pcap_open_offline ();
58 to set up a handle for a ``savefile'', given a
59 .B "FILE\ *"
60 referring to a file already opened for reading, call
61 .BR pcap_fopen_offline ().
62 .PP
63 In order to get a ``fake''
64 .B pcap_t
65 for use in routines that require a
66 .B pcap_t
67 as an argument, such as routines to open a ``savefile'' for writing and
68 to compile a filter expression, call
69 .BR pcap_open_dead ().
70 .PP
71 .BR pcap_create (),
72 .BR pcap_open_offline (),
73 .BR pcap_fopen_offline (),
74 and
75 .BR pcap_open_dead ()
76 return a pointer to a
77 .BR pcap_t ,
78 which is the handle used for reading packets from the capture stream or
79 the ``savefile'', and for finding out information about the capture
80 stream or ``savefile''.
81 To close a handle, use
82 .BR pcap_close ().
83 .PP
84 The options that can be set on a capture handle include
85 .IP "snapshot length"
86 If, when capturing, you capture the entire contents of the packet, that
87 requires more CPU time to copy the packet to your application, more disk
88 and possibly network bandwidth to write the packet data to a file, and
89 more disk space to save the packet. If you don't need the entire
90 contents of the packet - for example, if you are only interested in the
91 TCP headers of packets - you can set the "snapshot length" for the
92 capture to an appropriate value. If the snapshot length is set to
93 .IR snaplen ,
94 and
95 .I snaplen
96 is less
97 than the size of a packet that is captured, only the first
98 .I snaplen
99 bytes of that packet will be captured and provided as packet data.
100 .IP
101 A snapshot length of 65535 should be sufficient, on most if not all
102 networks, to capture all the data available from the packet.
103 .IP
104 The snapshot length is set with
105 .BR pcap_set_snaplen ().
106 .IP "promiscuous mode"
107 On broadcast LANs such as Ethernet, if the network isn't switched, or if
108 the adapter is connected to a "mirror port" on a switch to which all
109 packets passing through the switch are sent, a network adapter receives
110 all packets on the LAN, including unicast or multicast packets not sent
111 to a network address that the network adapter isn't configured to
112 recognize.
113 .IP
114 Normally, the adapter will discard those packets; however, many network
115 adapters support "promiscuous mode", which is a mode in which all
116 packets, even if they are not sent to an address that the adapter
117 recognizes, are provided to the host. This is useful for passively
118 capturing traffic between two or more other hosts for analysis.
119 .IP
120 Note that even if an application does not set promiscuous mode, the
121 adapter could well be in promiscuous mode for some other reason.
122 .IP
123 For now, this doesn't work on the "any" device; if an argument of "any"
124 or NULL is supplied, the setting of promiscuous mode is ignored.
125 .IP
126 Promiscuous mode is set with
127 .BR pcap_set_promisc ().
128 .IP "monitor mode"
129 On IEEE 802.11 wireless LANs, even if an adapter is in promiscuous mode,
130 it will supply to the host only frames for the network with which it's
131 associated. It might also supply only data frames, not management or
132 control frames, and might not provide the 802.11 header or radio
133 information pseudo-header for those frames.
134 .IP
135 In "monitor mode", sometimes also called "rfmon mode" (for "Radio
136 Frequency MONitor"), the adapter will supply all frames that it
137 receives, with 802.11 headers, and might supply a pseudo-header with
138 radio information about the frame as well.
139 .IP
140 Note that in monitor mode the adapter might disassociate from the
141 network with which it's associated, so that you will not be able to use
142 any wireless networks with that adapter. This could prevent accessing
143 files on a network server, or resolving host names or network addresses,
144 if you are capturing in monitor mode and are not connected to another
145 network with another adapter.
146 .IP
147 Monitor mode is set with
148 .BR pcap_set_rfmon (),
149 and
150 .BR pcap_can_set_rfmon ()
151 can be used to determine whether an adapter can be put into monitor
152 mode.
153 .IP "read timeout"
154 If, when capturing, packets are delivered as soon as they arrive, the
155 application capturing the packets will be woken up for each packet as it
156 arrives, and might have to make one or more calls to the operating
157 system to fetch each packet.
158 .IP
159 If, instead, packets are not delivered as soon as they arrive, but are
160 delivered after a short delay (called a "read timeout"), more than one
161 packet can be accumulated before the packets are delivered, so that a
162 single wakeup would be done for multiple packets, and each set of calls
163 made to the operating system would supply multiple packets, rather than
164 a single packet. This reduces the per-packet CPU overhead if packets
165 are arriving at a high rate, increasing the number of packets per second
166 that can be captured.
167 .IP
168 The read timeout is required so that an application won't wait for the
169 operating system's capture buffer to fill up before packets are
170 delivered; if packets are arriving slowly, that wait could take an
171 arbitrarily long period of time.
172 .IP
173 Not all platforms support a read timeout; on platforms that
174 don't, the read timeout is ignored. A zero value for the timeout,
175 on platforms that support a read timeout,
176 will cause a read to wait forever to allow enough packets to
177 arrive, with no timeout.
178 .IP
179 .BR NOTE :
180 the read timeout cannot be used to cause calls that read
181 packets to return within a limited period of time, because, on some
182 platforms, the read timeout isn't supported, and, on other platforms,
183 the timer doesn't start until at least one packet arrives. This means
184 that the read timeout should
185 .B NOT
186 be used, for example, in an interactive application to allow the packet
187 capture loop to ``poll'' for user input periodically, as there's no
188 guarantee that a call reading packets will return after the timeout
189 expires even if no packets have arrived.
190 .IP
191 The read timeout is set with
192 .BR pcap_set_timeout ().
193 .IP "buffer size"
194 Packets that arrive for a capture are stored in a buffer, so that they
195 do not have to be read by the application as soon as they arrive. On
196 some platforms, the buffer's size can be set; a size that's too small
197 could mean that, if too many packets are being captured and the snapshot
198 length doesn't limit the amount of data that's buffered, packets could
199 be dropped if the buffer fills up before the application can read
200 packets from it, while a size that's too large could use more
201 non-pageable operating system memory than is necessary to prevent
202 packets from being dropped.
203 .IP
204 The buffer size is set with
205 .BR pcap_set_buffer_size ().
206 .IP "timestamp type"
207 On some platforms, the time stamp given to packets on live captures can
208 come from different sources that can have different resolutions or that
209 can have different relationships to the time values for the current time
210 supplied by routines on the native operating system. See
211 .BR pcap-tstamp (@MAN_MISC_INFO@)
212 for a list of time stamp types.
213 .IP
214 The time stamp type is set with
215 .BR pcap_set_tstamp_type ().
216 .PP
217 Reading packets from a network interface may require that you have
218 special privileges:
219 .TP
220 .B Under SunOS 3.x or 4.x with NIT or BPF:
221 You must have read access to
222 .I /dev/nit
223 or
224 .IR /dev/bpf* .
225 .TP
226 .B Under Solaris with DLPI:
227 You must have read/write access to the network pseudo device, e.g.
228 .IR /dev/le .
229 On at least some versions of Solaris, however, this is not sufficient to
230 allow
231 .I tcpdump
232 to capture in promiscuous mode; on those versions of Solaris, you must
233 be root, or the application capturing packets
234 must be installed setuid to root, in order to capture in promiscuous
235 mode. Note that, on many (perhaps all) interfaces, if you don't capture
236 in promiscuous mode, you will not see any outgoing packets, so a capture
237 not done in promiscuous mode may not be very useful.
238 .IP
239 In newer versions of Solaris, you must have been given the
240 .B net_rawaccess
241 privilege; this is both necessary and sufficient to give you access to the
242 network pseudo-device - there is no need to change the privileges on
243 that device. A user can be given that privilege by, for example, adding
244 that privilege to the user's
245 .B defaultpriv
246 key with the
247 .B usermod (1M)
248 command.
249 .TP
250 .B Under HP-UX with DLPI:
251 You must be root or the application capturing packets must be installed
252 setuid to root.
253 .TP
254 .B Under IRIX with snoop:
255 You must be root or the application capturing packets must be installed
256 setuid to root.
257 .TP
258 .B Under Linux:
259 You must be root or the application capturing packets must be installed
260 setuid to root (unless your distribution has a kernel
261 that supports capability bits such as CAP_NET_RAW and code to allow
262 those capability bits to be given to particular accounts and to cause
263 those bits to be set on a user's initial processes when they log in, in
264 which case you must have CAP_NET_RAW in order to capture and
265 CAP_NET_ADMIN to enumerate network devices with, for example, the
266 .B \-D
267 flag).
268 .TP
269 .B Under ULTRIX and Digital UNIX/Tru64 UNIX:
270 Any user may capture network traffic.
271 However, no user (not even the super-user) can capture in promiscuous
272 mode on an interface unless the super-user has enabled promiscuous-mode
273 operation on that interface using
274 .IR pfconfig (8),
275 and no user (not even the super-user) can capture unicast traffic
276 received by or sent by the machine on an interface unless the super-user
277 has enabled copy-all-mode operation on that interface using
278 .IR pfconfig ,
279 so
280 .I useful
281 packet capture on an interface probably requires that either
282 promiscuous-mode or copy-all-mode operation, or both modes of
283 operation, be enabled on that interface.
284 .TP
285 .B Under BSD (this includes Mac OS X):
286 You must have read access to
287 .I /dev/bpf*
288 on systems that don't have a cloning BPF device, or to
289 .I /dev/bpf
290 on systems that do.
291 On BSDs with a devfs (this includes Mac OS X), this might involve more
292 than just having somebody with super-user access setting the ownership
293 or permissions on the BPF devices - it might involve configuring devfs
294 to set the ownership or permissions every time the system is booted,
295 if the system even supports that; if it doesn't support that, you might
296 have to find some other way to make that happen at boot time.
297 .PP
298 Reading a saved packet file doesn't require special privileges.
299 .PP
300 The packets read from the handle may include a ``pseudo-header''
301 containing various forms of packet meta-data, and probably includes a
302 link-layer header whose contents can differ for different network
303 interfaces. To determine the format of the packets supplied by the
304 handle, call
305 .BR pcap_datalink ();
306 .I http://www.tcpdump.org/linktypes.html
307 lists the values it returns and describes the packet formats that
308 correspond to those values.
309 .PP
310 Do
311 .B NOT
312 assume that the packets for a given capture or ``savefile`` will have
313 any given link-layer header type, such as
314 .B DLT_EN10MB
315 for Ethernet. For example, the "any" device on Linux will have a
316 link-layer header type of
317 .B DLT_LINUX_SLL
318 even if all devices on the system at the time the "any" device is opened
319 have some other data link type, such as
320 .B DLT_EN10MB
321 for Ethernet.
322 .PP
323 To obtain the
324 .B "FILE\ *"
325 corresponding to a
326 .B pcap_t
327 opened for a ``savefile'', call
328 .BR pcap_file ().
329 .TP
330 .B Routines
331 .RS
332 .TP
333 .BR pcap_create (3PCAP)
334 get a
335 .B pcap_t
336 for live capture
337 .TP
338 .BR pcap_activate (3PCAP)
339 activate a
340 .B pcap_t
341 for live capture
342 .TP
343 .BR pcap_findalldevs (3PCAP)
344 get a list of devices that can be opened for a live capture
345 .TP
346 .BR pcap_freealldevs (3PCAP)
347 free list of devices
348 .TP
349 .BR pcap_lookupdev (3PCAP)
350 get first non-loopback device on that list
351 .TP
352 .BR pcap_open_offline (3PCAP)
353 open a
354 .B pcap_t
355 for a ``savefile'', given a pathname
356 .TP
357 .BR pcap_open_offline_with_tstamp_precision (3PCAP)
358 open a
359 .B pcap_t
360 for a ``savefile'', given a pathname, and specify the precision to
361 provide for packet time stamps
362 .TP
363 .BR pcap_fopen_offline (3PCAP)
364 open a
365 .B pcap_t
366 for a ``savefile'', given a
367 .B "FILE\ *"
368 .TP
369 .BR pcap_fopen_offline_with_tstamp_precision (3PCAP)
370 open a
371 .B pcap_t
372 for a ``savefile'', given a
373 .BR "FILE\ *" ,
374 and specify the precision to provide for packet time stamps
375 .TP
376 .BR pcap_open_dead (3PCAP)
377 create a ``fake''
378 .B pcap_t
379 .TP
380 .BR pcap_close (3PCAP)
381 close a
382 .B pcap_t
383 .TP
384 .BR pcap_set_snaplen (3PCAP)
385 set the snapshot length for a not-yet-activated
386 .B pcap_t
387 for live capture
388 .TP
389 .BR pcap_snapshot (3PCAP)
390 get the snapshot length for a
391 .B pcap_t
392 .TP
393 .BR pcap_set_promisc (3PCAP)
394 set promiscuous mode for a not-yet-activated
395 .B pcap_t
396 for live capture
397 .TP
398 .BR pcap_set_rfmon (3PCAP)
399 set monitor mode for a not-yet-activated
400 .B pcap_t
401 for live capture
402 .TP
403 .BR pcap_can_set_rfmon (3PCAP)
404 determine whether monitor mode can be set for a
405 .B pcap_t
406 for live capture
407 .TP
408 .BR pcap_set_timeout (3PCAP)
409 set read timeout for a not-yet-activated
410 .B pcap_t
411 for live capture
412 .TP
413 .BR pcap_set_buffer_size (3PCAP)
414 set buffer size for a not-yet-activated
415 .B pcap_t
416 for live capture
417 .TP
418 .BR pcap_set_tstamp_type (3PCAP)
419 set time stamp type for a not-yet-activated
420 .B pcap_t
421 for live capture
422 .TP
423 .BR pcap_list_tstamp_types (3PCAP)
424 get list of available time stamp types for a not-yet-activated
425 .B pcap_t
426 for live capture
427 .TP
428 .BR pcap_free_tstamp_types (3PCAP)
429 free list of available time stamp types
430 .TP
431 .BR pcap_tstamp_type_val_to_name (3PCAP)
432 get name for a time stamp type
433 .TP
434 .BR pcap_tstamp_type_val_to_description (3PCAP)
435 get description for a time stamp type
436 .TP
437 .BR pcap_tstamp_type_name_to_val (3PCAP)
438 get time stamp type corresponding to a name
439 .TP
440 .BR pcap_set_tstamp_precision (3PCAP)
441 set time stamp precision for a not-yet-activated
442 .B pcap_t
443 for live capture
444 .TP
445 .BR pcap_get_tstamp_precision (3PCAP)
446 get the time stamp precision of a
447 .B pcap_t
448 for live capture
449 .TP
450 .BR pcap_datalink (3PCAP)
451 get link-layer header type for a
452 .B pcap_t
453 .TP
454 .BR pcap_file (3PCAP)
455 get the
456 .B "FILE\ *"
457 for a
458 .B pcap_t
459 opened for a ``savefile''
460 .TP
461 .BR pcap_is_swapped (3PCAP)
462 determine whether a ``savefile'' being read came from a machine with the
463 opposite byte order
464 .TP
465 .BR pcap_major_version (3PCAP)
466 .PD 0
467 .TP
468 .BR pcap_minor_version (3PCAP)
469 get the major and minor version of the file format version for a
470 ``savefile''
471 .PD
472 .RE
473 .SS Selecting a link-layer header type for a live capture
474 Some devices may provide more than one link-layer header type. To
475 obtain a list of all link-layer header types provided by a device, call
476 .BR pcap_list_datalinks ()
477 on an activated
478 .B pcap_t
479 for the device.
480 To free a list of link-layer header types, call
481 .BR pcap_free_datalinks ().
482 To set the link-layer header type for a device, call
483 .BR pcap_set_datalink ().
484 This should be done after the device has been activated but before any
485 packets are read and before any filters are compiled or installed.
486 .TP
487 .B Routines
488 .RS
489 .TP
490 .BR pcap_list_datalinks (3PCAP)
491 get a list of link-layer header types for a device
492 .TP
493 .BR pcap_free_datalinks (3PCAP)
494 free list of link-layer header types
495 .TP
496 .BR pcap_set_datalink (3PCAP)
497 set link-layer header type for a device
498 .TP
499 .BR pcap_datalink_val_to_name (3PCAP)
500 get name for a link-layer header type
501 .TP
502 .BR pcap_datalink_val_to_description (3PCAP)
503 get description for a link-layer header type
504 .TP
505 .BR pcap_datalink_name_to_val (3PCAP)
506 get link-layer header type corresponding to a name
507 .RE
508 .SS Reading packets
509 Packets are read with
510 .BR pcap_dispatch ()
511 or
512 .BR pcap_loop (),
513 which process one or more packets, calling a callback routine for each
514 packet, or with
515 .BR pcap_next ()
516 or
517 .BR pcap_next_ex (),
518 which return the next packet.
519 The callback for
520 .BR pcap_dispatch ()
521 and
522 .BR pcap_loop ()
523 is supplied a pointer to a
524 .IR "struct pcap_pkthdr" ,
525 which includes the following members:
526 .RS
527 .TP
528 .B ts
529 a
530 .I struct timeval
531 containing the time when the packet was captured
532 .TP
533 .B caplen
534 a
535 .I bpf_u_int32
536 giving the number of bytes of the packet that are available from the
537 capture
538 .TP
539 .B len
540 a
541 .I bpf_u_int32
542 giving the length of the packet, in bytes (which might be more than the
543 number of bytes available from the capture, if the length of the packet
544 is larger than the maximum number of bytes to capture).
545 .RE
546 .PP
547 The callback is also supplied a
548 .I const u_char
549 pointer to the first
550 .B caplen
551 (as given in the
552 .I struct pcap_pkthdr
553 mentioned above)
554 bytes of data from the packet. This won't necessarily be the entire
555 packet; to capture the entire packet, you will have to provide a value
556 for
557 .I snaplen
558 in your call to
559 .BR pcap_set_snaplen ()
560 that is sufficiently large to get all of the packet's data - a value of
561 65535 should be sufficient on most if not all networks). When reading
562 from a ``savefile'', the snapshot length specified when the capture was
563 performed will limit the amount of packet data available.
564 .PP
565 .BR pcap_next ()
566 is passed an argument that points to a
567 .I struct pcap_pkthdr
568 structure, and fills it in with the time stamp and length values for the
569 packet. It returns a
570 .I const u_char
571 to the first
572 .B caplen
573 bytes of the packet on success, and NULL on error.
574 .PP
575 .BR pcap_next_ex ()
576 is passed two pointer arguments, one of which points to a
577 .IR struct pcap_pkthdr *
578 and one of which points to a
579 .IR "const u_char" *.
580 It sets the first pointer to point to a
581 .I struct pcap_pkthdr
582 structure with the time stamp and length values for the packet, and sets
583 the second pointer to point to the first
584 .B caplen
585 bytes of the packet.
586 .PP
587 To force the loop in
588 .BR pcap_dispatch ()
589 or
590 .BR pcap_loop ()
591 to terminate, call
592 .BR pcap_breakloop ().
593 .PP
594 By default, when reading packets from an interface opened for a live
595 capture,
596 .BR pcap_dispatch (),
597 .BR pcap_next (),
598 and
599 .BR pcap_next_ex ()
600 will, if no packets are currently available to be read, block waiting
601 for packets to become available. On some, but
602 .I not
603 all, platforms, if a read timeout was specified, the wait will terminate
604 after the read timeout expires; applications should be prepared for
605 this, as it happens on some platforms, but should not rely on it, as it
606 does not happen on other platforms. Note that the wait might, or might
607 not, terminate even if no packets are available; applications should be
608 prepared for this to happen, but must not rely on it happening.
609 .PP
610 A handle can be put into ``non-blocking mode'', so that those routines
611 will, rather than blocking, return an indication that no packets are
612 available to read. Call
613 .BR pcap_setnonblock ()
614 to put a handle into non-blocking mode or to take it out of non-blocking
615 mode; call
616 .BR pcap_getnonblock ()
617 to determine whether a handle is in non-blocking mode. Note that
618 non-blocking mode does not work correctly in Mac OS X 10.6.
619 .PP
620 Non-blocking mode is often combined with routines such as
621 .BR select (2)
622 or
623 .BR poll (2)
624 or other routines a platform offers to wait for any of a set of
625 descriptors to be ready to read. To obtain, for a handle, a descriptor
626 that can be used in those routines, call
627 .BR pcap_get_selectable_fd ().
628 Not all handles have such a descriptor available;
629 .BR pcap_get_selectable_fd ()
630 will return \-1 if no such descriptor exists. In addition, for various
631 reasons, one or more of those routines will not work properly with the
632 descriptor; the documentation for
633 .BR pcap_get_selectable_fd ()
634 gives details. Note that, just as an attempt to read packets from a
635 .B pcap_t
636 may not return any packets if the read timeout expires, a
637 .BR select (),
638 .BR poll (),
639 or other such call may, if the read timeout expires, indicate that a
640 descriptor is ready to read even if there are no packets available to
641 read.
642 .TP
643 .B Routines
644 .RS
645 .TP
646 .BR pcap_dispatch (3PCAP)
647 read a bufferful of packets from a
648 .B pcap_t
649 open for a live capture or the full set of packets from a
650 .B pcap_t
651 open for a ``savefile''
652 .TP
653 .BR pcap_loop (3PCAP)
654 read packets from a
655 .B pcap_t
656 until an interrupt or error occurs
657 .TP
658 .BR pcap_next (3PCAP)
659 read the next packet from a
660 .B pcap_t
661 without an indication whether an error occurred
662 .TP
663 .BR pcap_next_ex (3PCAP)
664 read the next packet from a
665 .B pcap_t
666 with an error indication on an error
667 .TP
668 .BR pcap_breakloop (3PCAP)
669 prematurely terminate the loop in
670 .BR pcap_dispatch ()
671 or
672 .BR pcap_loop ()
673 .TP
674 .BR pcap_setnonblock (3PCAP)
675 set or clear non-blocking mode on a
676 .B pcap_t
677 .TP
678 .BR pcap_getnonblock (3PCAP)
679 get the state of non-blocking mode for a
680 .B pcap_t
681 .TP
682 .BR pcap_get_selectable_fd (3PCAP)
683 attempt to get a descriptor for a
684 .B pcap_t
685 that can be used in calls such as
686 .BR select (2)
687 and
688 .BR poll (2)
689 .RE
690 .SS Filters
691 In order to cause only certain packets to be returned when reading
692 packets, a filter can be set on a handle. For a live capture, the
693 filtering will be performed in kernel mode, if possible, to avoid
694 copying ``uninteresting'' packets from the kernel to user mode.
695 .PP
696 A filter can be specified as a text string; the syntax and semantics of
697 the string are as described by
698 .BR pcap-filter (@MAN_MISC_INFO@).
699 A filter string is compiled into a program in a pseudo-machine-language
700 by
701 .BR pcap_compile ()
702 and the resulting program can be made a filter for a handle with
703 .BR pcap_setfilter ().
704 The result of
705 .BR pcap_compile ()
706 can be freed with a call to
707 .BR pcap_freecode ().
708 .BR pcap_compile ()
709 may require a network mask for certain expressions in the filter string;
710 .BR pcap_lookupnet ()
711 can be used to find the network address and network mask for a given
712 capture device.
713 .PP
714 A compiled filter can also be applied directly to a packet that has been
715 read using
716 .BR pcap_offline_filter ().
717 .TP
718 .B Routines
719 .RS
720 .TP
721 .BR pcap_compile (3PCAP)
722 compile filter expression to a pseudo-machine-language code program
723 .TP
724 .BR pcap_freecode (3PCAP)
725 free a filter program
726 .TP
727 .BR pcap_setfilter (3PCAP)
728 set filter for a
729 .B pcap_t
730 .TP
731 .BR pcap_lookupnet (3PCAP)
732 get network address and network mask for a capture device
733 .TP
734 .BR pcap_offline_filter (3PCAP)
735 apply a filter program to a packet
736 .RE
737 .SS Incoming and outgoing packets
738 By default, libpcap will attempt to capture both packets sent by the
739 machine and packets received by the machine. To limit it to capturing
740 only packets received by the machine or, if possible, only packets sent
741 by the machine, call
742 .BR pcap_setdirection ().
743 .TP
744 .BR Routines
745 .RS
746 .TP
747 .BR pcap_setdirection (3PCAP)
748 specify whether to capture incoming packets, outgoing packets, or both
749 .RE
750 .SS Capture statistics
751 To get statistics about packets received and dropped in a live capture,
752 call
753 .BR pcap_stats ().
754 .TP
755 .B Routines
756 .RS
757 .TP
758 .BR pcap_stats (3PCAP)
759 get capture statistics
760 .RE
761 .SS Opening a handle for writing captured packets
762 To open a ``savefile`` to which to write packets, given the pathname the
763 ``savefile'' should have, call
764 .BR pcap_dump_open ().
765 To open a ``savefile`` to which to write packets, given the pathname the
766 ``savefile'' should have, call
767 .BR pcap_dump_open ();
768 to set up a handle for a ``savefile'', given a
769 .B "FILE\ *"
770 referring to a file already opened for writing, call
771 .BR pcap_dump_fopen ().
772 They each return pointers to a
773 .BR pcap_dumper_t ,
774 which is the handle used for writing packets to the ``savefile''. If it
775 succeeds, it will have created the file if it doesn't exist and
776 truncated the file if it does exist.
777 To close a
778 .BR pcap_dumper_t ,
779 call
780 .BR pcap_dump_close ().
781 .TP
782 .B Routines
783 .RS
784 .TP
785 .BR pcap_dump_open (3PCAP)
786 open a
787 .B pcap_dumper_t
788 for a ``savefile``, given a pathname
789 .TP
790 .BR pcap_dump_fopen (3PCAP)
791 open a
792 .B pcap_dumper_t
793 for a ``savefile``, given a
794 .B "FILE\ *"
795 .TP
796 .BR pcap_dump_close (3PCAP)
797 close a
798 .B pcap_dumper_t
799 .TP
800 .BR pcap_dump_file (3PCAP)
801 get the
802 .B "FILE\ *"
803 for a
804 .B pcap_dumper_t
805 opened for a ``savefile''
806 .RE
807 .SS Writing packets
808 To write a packet to a
809 .BR pcap_dumper_t ,
810 call
811 .BR pcap_dump ().
812 Packets written with
813 .BR pcap_dump ()
814 may be buffered, rather than being immediately written to the
815 ``savefile''. Closing the
816 .B pcap_dumper_t
817 will cause all buffered-but-not-yet-written packets to be written to the
818 ``savefile''.
819 To force all packets written to the
820 .BR pcap_dumper_t ,
821 and not yet written to the ``savefile'' because they're buffered by the
822 .BR pcap_dumper_t ,
823 to be written to the ``savefile'', without closing the
824 .BR pcap_dumper_t ,
825 call
826 .BR pcap_dump_flush ().
827 .TP
828 .B Routines
829 .RS
830 .TP
831 .BR pcap_dump (3PCAP)
832 write packet to a
833 .B pcap_dumper_t
834 .TP
835 .BR pcap_dump_flush (3PCAP)
836 flush buffered packets written to a
837 .B pcap_dumper_t
838 to the ``savefile''
839 .TP
840 .BR pcap_dump_ftell (3PCAP)
841 get current file position for a
842 .B pcap_dumper_t
843 .RE
844 .SS Injecting packets
845 If you have the required privileges, you can inject packets onto a
846 network with a
847 .B pcap_t
848 for a live capture, using
849 .BR pcap_inject ()
850 or
851 .BR pcap_sendpacket ().
852 (The two routines exist for compatibility with both OpenBSD and WinPcap;
853 they perform the same function, but have different return values.)
854 .TP
855 .B Routines
856 .RS
857 .TP
858 .BR pcap_inject (3PCAP)
859 .PD 0
860 .TP
861 .BR pcap_sendpacket (3PCAP)
862 transmit a packet
863 .PD
864 .RE
865 .SS Reporting errors
866 Some routines return error or warning status codes; to convert them to a
867 string, use
868 .BR pcap_statustostr ().
869 .TP
870 .B Routines
871 .RS
872 .TP
873 .BR pcap_statustostr (3PCAP)
874 get a string for an error or warning status code
875 .RE
876 .SS Getting library version information
877 To get a string giving version information about libpcap, call
878 .BR pcap_lib_version ().
879 .TP
880 .B Routines
881 .RS
882 .TP
883 .BR pcap_lib_version (3PCAP)
884 get library version string
885 .RE
886 .SH BACKWARDS COMPATIBILITY
887 .PP
888 In versions of libpcap prior to 1.0, the
889 .B pcap.h
890 header file was not in a
891 .B pcap
892 directory on most platforms; if you are writing an application that must
893 work on versions of libpcap prior to 1.0, include
894 .BR <pcap.h> ,
895 which will include
896 .B <pcap/pcap.h>
897 for you, rather than including
898 .BR <pcap/pcap.h> .
899 .PP
900 .BR pcap_create ()
901 and
902 .BR pcap_activate ()
903 were not available in versions of libpcap prior to 1.0; if you are
904 writing an application that must work on versions of libpcap prior to
905 1.0, either use
906 .BR pcap_open_live ()
907 to get a handle for a live capture or, if you want to be able to use the
908 additional capabilities offered by using
909 .BR pcap_create ()
910 and
911 .BR pcap_activate (),
912 use an
913 .BR autoconf (1)
914 script or some other configuration script to check whether the libpcap
915 1.0 APIs are available and use them only if they are.
916 .SH SEE ALSO
917 autoconf(1), tcpdump(1), tcpslice(1), pcap-filter(@MAN_MISC_INFO@), pfconfig(8),
918 usermod(1M)
919 .SH AUTHORS
920 The original authors of libpcap are:
921 .LP
922 Van Jacobson,
923 Craig Leres and
924 Steven McCanne, all of the
925 Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
926 .LP
927 The current version is available from "The Tcpdump Group"'s Web site at
928 .LP
929 .RS
930 .I http://www.tcpdump.org/
931 .RE
932 .SH BUGS
933 Please send problems, bugs, questions, desirable enhancements, etc. to:
934 .LP
935 .RS
936 tcpdump-workers@lists.tcpdump.org
937 .RE