1.\" $OpenBSD: pcap.3,v 1.29 2006/09/09 15:46:22 jmc Exp $ 2.\" 3.\" Copyright (c) 1994, 1996, 1997 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that: (1) source code distributions 8.\" retain the above copyright notice and this paragraph in its entirety, (2) 9.\" distributions including binary code include the above copyright notice and 10.\" this paragraph in its entirety in the documentation or other materials 11.\" provided with the distribution, and (3) all advertising materials mentioning 12.\" features or use of this software display the following acknowledgement: 13.\" ``This product includes software developed by the University of California, 14.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15.\" the University nor the names of its contributors may be used to endorse 16.\" or promote products derived from this software without specific prior 17.\" written permission. 18.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21.\" 22.Dd July 5, 1999 23.Dt PCAP 3 24.Os 25.Sh NAME 26.Nm pcap 27.Nd Packet Capture library 28.Sh SYNOPSIS 29.Fd #include <pcap.h> 30.Ft "pcap_t *" 31.Fn pcap_open_live "char *device" "int snaplen" "int promisc" "int to_ms" "char *errbuf" 32.Ft "pcap_t *" 33.Fn pcap_open_offline "char *fname" "char *errbuf" 34.Ft "pcap_dumper_t *" 35.Fn pcap_dump_open "pcap_t *p" "char *fname" 36.Ft "pcap_dumper_t *" 37.Fn pcap_dump_fopen "pcap_t *p" "FILE *f" 38.Ft "char *" 39.Fn pcap_lookupdev "char *errbuf" 40.Ft uint 41.Fn pcap_lookupnet "const char *device" "bpf_u_int32 *netp" "bpf_u_int32 *maskp" "char *errbuf" 42.Ft int 43.Fn pcap_dispatch "pcap_t *p" "int cnt" "pcap_handler callback" "u_char *user" 44.Ft int 45.Fn pcap_loop "pcap_t *p" "int cnt" "pcap_handler callback" "u_char *user" 46.Ft void 47.Fn pcap_dump "u_char *user" "struct pcap_pkthdr *h" "u_char *sp" 48.Ft int 49.Fn pcap_inject "pcap_t *p" "void *, size_t" 50.Ft int 51.Fn pcap_sendpacket "pcap_t *p" "void *, int" 52.Ft int 53.Fn pcap_compile "pcap_t *p" "struct bpf_program *fp" "char *str" "int optimize" "bpf_u_int32 netmask" 54.Ft int 55.Fn pcap_setfilter "pcap_t *p" "struct bpf_program *fp" 56.Ft void 57.Fn pcap_freecode "struct bpf_program *fp" 58.Ft "u_char *" 59.Fn pcap_next "pcap_t *p" "struct pcap_pkthdr *h" 60.Ft int 61.Fn pcap_next_ex "pcap_t *p" "struct pcap_pkthdr **hp" "const u_char **pktp" 62.Ft int 63.Fn pcap_setdirection "pcap_t *p" "pcap_direction_t dir" 64.Ft int 65.Fn pcap_datalink "pcap_t *p" 66.Ft int 67.Fn pcap_snapshot "pcap_t *p" 68.Ft int 69.Fn pcap_is_swapped "pcap_t *p" 70.Ft int 71.Fn pcap_major_version "pcap_t *p" 72.Ft int 73.Fn pcap_minor_version "pcap_t *p" 74.Ft int 75.Fn pcap_stats "pcap_t *p" "struct pcap_stat *ps" 76.Ft "FILE *" 77.Fn pcap_file "pcap_t *p" 78.Ft int 79.Fn pcap_fileno "pcap_t *p" 80.Ft int 81.Fn pcap_get_selectable_fd "pcap_t *" 82.Ft void 83.Fn pcap_perror "pcap_t *p" "char *prefix" 84.Ft "char *" 85.Fn pcap_geterr "pcap_t *p" 86.Ft "char *" 87.Fn pcap_strerror "int error" 88.Ft void 89.Fn pcap_close "pcap_t *p" 90.Ft "FILE *" 91.Fn pcap_dump_file "pcap_dumper_t *p" 92.Ft long 93.Fn pcap_dump_ftell "pcap_dumper_t *p" 94.Ft int 95.Fn pcap_dump_flush "pcap_dumper_t *p" 96.Ft void 97.Fn pcap_dump_close "pcap_dumper_t *p" 98.Ft int 99.Fn pcap_breakloop "pcap_t *p" 100.Ft int 101.Fn pcap_findalldevs "pcap_if_t **alldevsp" "char *errbuf" 102.Ft void 103.Fn pcap_freealldevs "pcap_if_t *alldevs" 104.Ft int 105.Fn pcap_getnonblock "pcap_t *p" "char *errbuf" 106.Ft int 107.Fn pcap_setnonblock "pcap_t *p" "int nonblock" "char *errbuf" 108.Ft int 109.Fn pcap_set_datalink "pcap_t *" "int dlt" 110.Ft int 111.Fn pcap_list_datalinks "pcap_t *p" "int **dlts" 112.Ft pcap_t 113.Fn pcap_open_dead "int linktype" "int snaplen" 114.Ft pcap_t 115.Fn pcap_fopen_offline "FILE *fp" "char *errbuf" 116.Ft const char * 117.Fn pcap_lib_version "void" 118.Ft const char * 119.Fn pcap_datalink_val_to_name "int" 120.Ft const char * 121.Fn pcap_datalink_val_to_description "int" 122.Ft int 123.Fn pcap_datalink_name_to_val "const char *" 124.Sh DESCRIPTION 125.Nm 126provides a high level interface to packet capture systems. 127All packets 128on the network, even those destined for other hosts, are accessible 129through this mechanism. 130.Sh ROUTINES 131.Sy Note: 132.Fa errbuf 133in 134.Fn pcap_open_live , 135.Fn pcap_open_offline , 136.Fn pcap_findalldevs , 137.Fn pcap_lookupdev , 138and 139.Fn pcap_lookupnet 140is assumed to be able to hold at least 141.Dv PCAP_ERRBUF_SIZE 142chars. 143.Pp 144.Fn pcap_open_live 145is used to obtain a packet capture descriptor to look 146at packets on the network. 147.Fa device 148is a string that specifies the network device to open. 149.Fa snaplen 150specifies the maximum number of bytes to capture. 151.Fa promisc 152specifies if the interface is to be put into promiscuous mode. 153(Note that even if this parameter is false, the interface 154could well be in promiscuous mode for some other reason.) 155.Fa to_ms 156specifies the read timeout in milliseconds. 157.Fa errbuf 158is used to return error text and is only set when 159.Fn pcap_open_live 160fails and returns 161.Dv NULL . 162.Pp 163.Fn pcap_open_offline 164is called to open a 165.Dq savefile 166for reading. 167.Fa fname 168specifies the name of the file to open. 169The file has the same format as those used by 170.Xr tcpdump 8 . 171.\" and 172.\" .BR tcpslice(1) . 173The name 174.Ql - 175is a synonym for 176.Dv stdin . 177.Fa errbuf 178is used to return error text and is only set when 179.Fn pcap_open_offline 180fails and returns 181.Dv NULL . 182.Pp 183.Fn pcap_dump_open 184is called to open a 185.Dq savefile 186for writing. 187The name 188.Ql - 189is a synonym for 190.Dv stdin . 191.Dv NULL 192is returned on failure. 193.Fa p 194is a 195.Fa pcap 196struct as returned by 197.Fn pcap_open_offline 198or 199.Fn pcap_open_live . 200.Fa fname 201specifies the name of the file to open. 202If 203.Dv NULL 204is returned, 205.Fn pcap_geterr 206can be used to get the error text. 207.Pp 208.Fn pcap_dump_fopen 209allows the use of savefile functions on the already-opened stream 210.Dq f . 211.Pp 212.Fn pcap_lookupdev 213returns a pointer to a network device suitable for use with 214.Fn pcap_open_live 215and 216.Fn pcap_lookupnet . 217If there is an error, 218.Dv NULL 219is returned and 220.Fa errbuf 221is filled in with an appropriate error message. 222.Pp 223.Fn pcap_lookupnet 224is used to determine the network number and mask 225associated with the network device 226.Fa device . 227Both 228.Fa netp 229and 230.Fa maskp 231are 232.Fa bpf_u_int32 233pointers. 234A return of \-1 indicates an error in which case 235.Fa errbuf 236is filled in with an appropriate error message. 237.Pp 238.Fn pcap_dispatch 239is used to collect and process packets. 240.Fa cnt 241specifies the maximum number of packets to process before returning. 242A 243.Fa cnt 244of \-1 processes all the packets received in one buffer. 245A 246.Fa cnt 247of 0 processes all packets until an error occurs, 248.Tn EOF 249is reached, or the read times out (when doing live reads and a non-zero 250read timeout is specified). 251.Fa callback 252specifies a routine to be called with three arguments: a 253.Fa u_char 254pointer which is passed in from 255.Fn pcap_dispatch , 256a pointer to the 257.Fa pcap_pkthdr 258struct (which precede the actual network headers and data), 259and a 260.Fa u_char 261pointer to the packet data. 262The number of packets read is returned. 263Zero is returned when 264.Tn EOF 265is reached in a savefile. 266A return of \-1 indicates an error in which case 267.Fn pcap_perror 268or 269.Fn pcap_geterr 270may be used to display the error text. 271.Pp 272.Fn pcap_dump 273outputs a packet to the savefile opened with 274.Fn pcap_dump_open . 275Note that its calling arguments are suitable for use with 276.Fn pcap_dispatch . 277.Pp 278.Fn pcap_inject 279uses 280.Xr write 2 281to inject a raw packet through the network interface. 282It returns the number of bytes written or \-1 on failure. 283.Pp 284.Fn pcap_sendpacket 285is an alternate interface for packet injection (provided for compatibility). 286It returns 0 on success or \-1 on failure. 287.Pp 288.Fn pcap_compile 289is used to compile the string 290.Fa str 291into a filter program. 292.Fa fp 293is a pointer to a 294.Fa bpf_program 295struct and is filled in by 296.Fn pcap_compile . 297.Fa optimize 298controls whether optimization on the resulting code is performed. 299.Fa netmask 300specifies the netmask of the local net. 301.Pp 302.Fn pcap_setfilter 303is used to specify a filter program. 304.Fa fp 305is a pointer to an array of 306.Fa bpf_program 307struct, usually the result of a call to 308.Fn pcap_compile . 309\-1 310is returned on failure; 3110 312is returned on success. 313.Pp 314.Fn pcap_freecode 315is used to free up allocated memory pointed to by a 316.Fa bpf_program 317struct generated by 318.Fn pcap_compile 319when that BPF program is no longer needed, for example after it has 320been made the filter program for a pcap structure by a call to 321.Fn pcap_setfilter . 322.Pp 323.Fn pcap_loop 324is similar to 325.Fn pcap_dispatch 326except it keeps reading packets until 327.Fa cnt 328packets are processed or an error occurs. 329It does 330.Em not 331return when live read timeouts occur. 332Rather, specifying a non-zero read timeout to 333.Fn pcap_open_live 334and then calling 335.Fn pcap_dispatch 336allows the reception and processing of any packets that arrive when the 337timeout occurs. 338A negative 339.Fa cnt 340causes 341.Fn pcap_loop 342to loop forever (or at least until an error occurs). 343.Fn pcap_loop 344may be terminated early through an explicit call to 345.Fn pcap_breakloop . 346In this case, the return value of 347.Fn pcap_loop 348will be \-2. 349.Pp 350.Fn pcap_next 351returns a 352.Fa u_char 353pointer to the next packet. 354.Pp 355.Fn pcap_next_ex 356reads the next packet and returns a success/failure indication: a 357return value of 1 indicates success, 0 means that the timeout was exceeded 358on a live capture, \-1 indicates that an error occurred whilst reading 359the packet and \-2 is returned when there are no more packets to read in a 360savefile. 361.Pp 362.Fn pcap_datalink 363returns the link layer type, e.g., 364.Tn DLT_EN10MB . 365.Pp 366.Fn pcap_snapshot 367returns the snapshot length specified when 368.Fn pcap_open_live 369was called. 370.Pp 371.Fn pcap_is_swapped 372returns true if the current savefile 373uses a different byte order than the current system. 374.Pp 375.Fn pcap_major_version 376returns the major number of the version of the pcap used to write the savefile. 377.Pp 378.Fn pcap_minor_version 379returns the minor number of the version of the pcap used to write the savefile. 380.Pp 381.Fn pcap_file 382returns the stream associated with the savefile. 383.Pp 384.Fn pcap_stats 385returns 0 and fills in a 386.Fa pcap_stat 387struct. 388The values represent packet statistics from the start of the 389run to the time of the call. 390If there is an error or the underlying 391packet capture doesn't support packet statistics, \-1 is returned and 392the error text can be obtained with 393.Fn pcap_perror 394or 395.Fn pcap_geterr . 396.Pp 397.Fn pcap_fileno 398and 399.Fn pcap_get_selectable_fd 400return the file descriptor number of the savefile. 401.Pp 402.Fn pcap_perror 403prints the text of the last pcap library error on 404.Dv stderr , 405prefixed by 406.Fa prefix . 407.Pp 408.Fn pcap_geterr 409returns the error text pertaining to the last pcap library error. 410.Pp 411.Fn pcap_strerror 412is provided in case 413.Xr strerror 3 414isn't available. 415.Pp 416.Fn pcap_close 417closes the files associated with 418.Fa p 419and deallocates resources. 420.Pp 421.Fn pcap_dump_file 422returns the stream associated with a savefile. 423.Pp 424.Fn pcap_dump_ftell 425returns the current file offset within a savefile. 426.Pp 427.Fn pcap_dump_flush 428ensures that any buffered data has been written to a savefile. 429.Pp 430.Fn pcap_dump_close 431closes the savefile. 432.Pp 433.Fn pcap_findalldevs 434constructs a linked list of network devices that are suitable for 435opening with 436.Fn pcap_open_live . 437.Pp 438.Fn pcap_freealldevs 439frees a list of interfaces built by 440.Fn pcap_findalldevs . 441.Pp 442.Fn pcap_getnonblock 443returns 1 if the capture file descriptor is in non-blocking mode, 0 444if it is in blocking mode, or \-1 on error. 445.Pp 446.Fn pcap_setnonblock 447sets or resets non-blocking mode on a capture file descriptor. 448.Pp 449.Fn pcap_set_datalink 450sets the datalink type on a live capture device that supports multiple 451datalink types. 452.Pp 453.Fn pcap_setdirection 454is used to limit the direction that packets must be flowing in order 455to be captured. 456.Pp 457.Fn pcap_list_datalinks 458returns an array of the supported datalink types for an opened live capture 459device as a \-1 terminated array. 460It is the caller's responsibility to free this list. 461.Pp 462.Fn pcap_breakloop 463safely breaks out of a 464.Fn pcap_loop . 465This function sets an internal flag and is safe to be called from inside a 466signal handler. 467.Pp 468.Fn pcap_open_dead 469is used for creating a pcap_t structure to use when calling the 470other functions in libpcap. 471It is typically used when just using libpcap for compiling BPF code. 472.Pp 473.Fn pcap_fopen_offline 474may be used to read dumped data from an existing open stream 475.Dq fp . 476.Pp 477.Fn pcap_lib_version 478returns a string describing the version of libpcap. 479.Fn pcap_datalink_val_to_name 480and 481.Fn pcap_datalink_val_to_description 482look up the name or description of a datalink type by number. 483These functions return 484.Dv NULL 485if the specified datalink type is not known. 486.Fn pcap_datalink_name_to_val 487finds the datalink number for a given datalink name. 488Returns \-1 if the name is not known. 489.Sh SEE ALSO 490.Xr tcpdump 8 491.\" , tcpslice(1) 492.Sh AUTHORS 493Van Jacobson, 494Craig Leres and 495Steven McCanne, all of the 496Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. 497.Sh BUGS 498Please send bug reports to 499.Pa libpcap@ee.lbl.gov . 500