
📄 pcap.h

📁 TCP data stream replay tool
       pcap_dump() outputs a packet to the "savefile" opened
       with pcap_dump_open(). Note that its calling arguments
       are suitable for use with pcap_dispatch() or pcap_loop().
       If called directly, the user parameter is of type
       pcap_dumper_t as returned by pcap_dump_open().

\sa pcap_dump_open(), pcap_dump_close(), pcap_dispatch(), pcap_loop()
*/
void pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp);

/*! \brief Compiles a packet filter. Converts a high-level filtering expression
(see \ref language) into a program that can be interpreted by the kernel-level
filtering engine.

       pcap_compile() is used to compile the string str into a
       filter program. program is a pointer to a bpf_program
       struct and is filled in by pcap_compile(). optimize controls
       whether optimization on the resulting code is performed.
       netmask specifies the netmask of the local net.
       A return of -1 indicates an error, in which case
       pcap_geterr() may be used to display the error text.

\sa pcap_open_live(), pcap_setfilter(), pcap_freecode(), pcap_snapshot()
*/
int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask);

/*!\brief Compiles a packet filter without the need of opening an adapter. Converts a high-level filtering expression
(see \ref language) into a program that can be interpreted by the kernel-level filtering engine.

       pcap_compile_nopcap() is similar to pcap_compile() except
       that instead of passing a pcap structure, one passes the
       snaplen and linktype explicitly. It is intended to be
       used for compiling filters for direct BPF usage, without
       necessarily having called pcap_open(). A return of -1
       indicates an error; the error text is unavailable.
       (pcap_compile_nopcap() is a wrapper around
       pcap_open_dead(), pcap_compile(), and pcap_close(); the
       latter three routines can be used directly in order to get
       the error text for a compilation error.)

       Look at the \ref language section for details on the 
       str parameter.

\sa pcap_open_live(), pcap_setfilter(), pcap_freecode(), pcap_snapshot()
*/
int pcap_compile_nopcap(int snaplen_arg, int linktype_arg, struct bpf_program *program, char *buf, int optimize, bpf_u_int32 mask);

/*! \brief Associates a filter to a capture.

       pcap_setfilter() is used to specify a filter program. fp
       is a pointer to a bpf_program struct, usually the result
       of a call to pcap_compile(). -1 is returned on failure,
       in which case pcap_geterr() may be used to display the
       error text; 0 is returned on success.

\sa pcap_compile(), pcap_compile_nopcap()
*/
int pcap_setfilter(pcap_t *p, struct bpf_program *fp);

/*! \brief Frees a filter.

       pcap_freecode() is used to free up allocated memory
       pointed to by a bpf_program struct generated by pcap_compile()
       when that BPF program is no longer needed, for
       example after it has been made the filter program for a
       pcap structure by a call to pcap_setfilter().

\sa pcap_compile(), pcap_compile_nopcap()
*/
void pcap_freecode(struct bpf_program *fp);

/*! \brief <b>Discouraged, use pcap_next_ex() instead</b>.\n Returns the next available packet.

       pcap_next() reads the next packet (by calling pcap_dispatch()
       with a cnt of 1) and returns a u_char pointer to
       the data in that packet. (The pcap_pkthdr struct for that
       packet is not supplied.)

\sa pcap_dispatch(), pcap_loop()
*/

u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h);

/*! \brief Returns the link layer of an adapter.

       pcap_datalink()  returns  the  link layer type; link layer
       types it can return include:
            - DLT_NULL
                 BSD  loopback  encapsulation;  the  link   layer
                 header  is  a  4-byte field, in host byte order,
                 containing a PF_ value  from  socket.h  for  the
                 network-layer protocol of the packet
                 Note that "host byte order" is the byte order
                 of the machine on which the packets are captured,
                 and the PF_ values are for the OS of the
                 machine on which the packets are captured; if a
                 live capture is being done, "host byte order"
                 is the byte order of the machine capturing the
                 packets, and the PF_ values are those of the OS
                 of the machine capturing the packets, but if a
                 "savefile" is being read, the byte order and
                 PF_ values are not necessarily those of the
                 machine reading the capture file.
            - DLT_EN10MB
                 Ethernet (10Mb, 100Mb, 1000Mb, and up)
            - DLT_IEEE802
                 IEEE 802.5 Token Ring
            - DLT_ARCNET
                 ARCNET
            - DLT_SLIP
                 SLIP; the link layer header contains, in order:
                      a 1-byte flag, which is 0 for packets
                      received by the machine and 1 for packets
                      sent by the machine;
                      a 1-byte field, the upper 4 bits of which
                      indicate the type of packet, as per RFC
                      1144:
                           - 0x40 an unmodified IP datagram
                                (TYPE_IP);
                           - 0x70 an uncompressed-TCP IP datagram
                                (UNCOMPRESSED_TCP), with that
                                byte being the first byte of the
                                raw IP header on the wire, containing
                                the connection number in
                                the protocol field;
                           - 0x80 a compressed-TCP IP datagram
                                (COMPRESSED_TCP), with that byte
                                being the first byte of the compressed
                                TCP/IP datagram header;
                      for UNCOMPRESSED_TCP, the rest of the modified
                      IP header, and for COMPRESSED_TCP, the
                      compressed TCP/IP datagram header;
                 for a total of 16 bytes; the uncompressed IP
                 datagram follows the header
            - DLT_PPP
                 PPP;  if  the  first  2 bytes are 0xff and 0x03,
                 it's PPP in  HDLC-like  framing,  with  the  PPP
                 header following those two bytes, otherwise it's
                 PPP without framing, and the packet begins  with
                 the PPP header
            - DLT_FDDI
                 FDDI
            - DLT_ATM_RFC1483
                 RFC  1483  LLC/SNAP-encapsulated ATM; the packet
                 begins with an IEEE 802.2 LLC header
            - DLT_RAW
                 raw IP; the packet begins with an IP header
            - DLT_PPP_SERIAL
                 PPP in HDLC-like framing, as per  RFC  1662,  or
                 Cisco  PPP  with  HDLC  framing,  as per section
                 or 0x8F for Cisco PPP with HDLC framing
            - DLT_PPP_ETHER
                 PPPoE; the packet begins with a PPPoE header, as
                 per RFC 2516
            - DLT_C_HDLC
                 Cisco  PPP  with  HDLC  framing,  as per section
                 4.3.1 of RFC 1547
            - DLT_IEEE802_11
                 IEEE 802.11 wireless LAN
            - DLT_LOOP
                 OpenBSD loopback encapsulation; the  link  layer
                 header is a 4-byte field, in network byte order,
                 containing a PF_ value from  OpenBSD's  socket.h
                 for the network-layer protocol of the packet
                 Note  that,  if  a  "savefile"  is being read,
                 those PF_ values are not  necessarily  those  of
                 the machine reading the capture file.
            - DLT_LINUX_SLL
                 Linux  "cooked"  capture encapsulation; the link
                 layer header contains, in order:
                      a 2-byte "packet type", in network byte
                      order, which is one of:
                           - 0  packet was sent to us by somebody
                                else
                           - 1  packet was broadcast by somebody
                                else
                           - 2  packet was multicast, but not
                                broadcast, by somebody else
                           - 3  packet was sent by somebody else
                                to somebody else
                           - 4  packet was sent by us
                      a 2-byte field, in network byte order, containing
                      a Linux ARPHRD_ value for the link
                      layer device type;
                      a 2-byte field, in network byte order, containing
                      the length of the link layer
                      address of the sender of the packet (which
                      could be 0);
                      bytes of the link layer header (if there
                      are more than 8 bytes, only the first 8 are
                      present);
                      a 2-byte field containing an Ethernet protocol
                      type, in network byte order, or containing
                      1 for Novell 802.3 frames without
                      an 802.2 LLC header or 4 for frames beginning
                      with an 802.2 LLC header.
            - DLT_LTALK
                 Apple  LocalTalk;  the  packet  begins  with  an
                 AppleTalk LLAP header
*/
int pcap_datalink(pcap_t *p);
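
/* Added example, not part of the original pcap.h or of the pcap library itself:
   a bounds-checked decoder for four of the link layer headers described above.
   ll_decode() and sample_sll are hypothetical names; the 8-byte size of the SLL
   address field is taken from the Linux cooked header format, and using
   pcap_is_swapped() to decide the DLT_NULL byte order is an assumption. */

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* libpcap's values, guarded so the block also builds without pcap.h */
#ifndef DLT_LINUX_SLL
#define DLT_NULL      0
#define DLT_PPP       9
#define DLT_LOOP      108
#define DLT_LINUX_SLL 113
#endif

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/*
 * Hypothetical helper: returns the link layer header length for one captured
 * packet, or -1 if caplen is too short or dlt is not handled. *proto gets the
 * PF_ value (DLT_NULL, DLT_LOOP), the SLL protocol field, or 0 for DLT_PPP.
 * swapped is what pcap_is_swapped() reports for a savefile (0 when live).
 */
long ll_decode(int dlt, int swapped, const uint8_t *pkt, size_t caplen, uint32_t *proto)
{
    uint32_t v;

    *proto = 0;
    switch (dlt) {
    case DLT_NULL:              /* PF_ value in the capturing host's byte order */
        if (caplen < 4) return -1;
        memcpy(&v, pkt, 4);
        if (swapped)
            v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
        *proto = v;
        return 4;
    case DLT_LOOP:              /* PF_ value in network byte order */
        if (caplen < 4) return -1;
        *proto = be32(pkt);
        return 4;
    case DLT_PPP:               /* 0xff 0x03 marks HDLC-like framing */
        if (caplen < 2) return -1;
        return (pkt[0] == 0xff && pkt[1] == 0x03) ? 2 : 0;
    case DLT_LINUX_SLL:         /* 2+2+2+8+2 = 16 bytes, protocol type last */
        if (caplen < 16) return -1;
        *proto = be16(pkt + 14);
        return 16;
    default:
        return -1;
    }
}

/* Constructed sample: SLL header, type 4 (sent by us), ARPHRD 1, 6-byte address, 0x0800 */
const uint8_t sample_sll[16] = {0,4, 0,1, 0,6, 2,0,0,0,0,1,0,0, 0x08,0x00};
```

/* Pass the caplen field of the packet's pcap_pkthdr, not len: only caplen bytes
   are actually present in the buffer. */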

/*! \brief Returns the dimension of the packet portion (in bytes) that is delivered to the application.

       pcap_snapshot() returns the snapshot length specified when
       pcap_open_live() was called.

\sa pcap_open_live(), pcap_compile(), pcap_compile_nopcap()
*/
int pcap_snapshot(pcap_t *p);

/*! \brief
returns true if the current savefile
uses a different byte order than the current system.
*/
int pcap_is_swapped(pcap_t *p);

/*! \brief
       returns the major version number of the pcap library used to write the savefile.

\sa pcap_minor_version()
*/
int pcap_major_version(pcap_t *p);

/*! \brief
       returns the minor version number of the pcap library used to write the savefile.

\sa pcap_major_version()
*/
int pcap_minor_version(pcap_t *p);
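
/* Added example, not part of the original pcap.h or of the pcap library itself:
   where the values returned by pcap_is_swapped(), pcap_major_version(),
   pcap_minor_version(), pcap_snapshot() and pcap_datalink() come from when a
   "savefile" is read. The 24-byte classic savefile header layout is not
   described on this page; savefile_parse() and the struct are hypothetical names. */

```c
#include <stddef.h>
#include <stdint.h>

#define SAVEFILE_MAGIC 0xa1b2c3d4u   /* classic (microsecond) savefile magic */

struct savefile_info {               /* hypothetical struct for this example */
    int      swapped;                /* what pcap_is_swapped() answers */
    uint16_t major, minor;           /* pcap_major_version(), pcap_minor_version() */
    uint32_t snaplen;                /* pcap_snapshot() */
    uint32_t linktype;               /* pcap_datalink() */
};

static uint16_t rd16(const uint8_t *p, int big)
{
    return (uint16_t)(big ? p[0] << 8 | p[1] : p[1] << 8 | p[0]);
}

static uint32_t rd32(const uint8_t *p, int big)
{
    return big ? (uint32_t)rd16(p, 1) << 16 | rd16(p + 2, 1)
               : (uint32_t)rd16(p + 2, 0) << 16 | rd16(p, 0);
}

int host_is_big_endian(void)
{
    const uint16_t probe = 1;
    return *(const uint8_t *)&probe == 0;
}

/* Returns 0 on success, -1 if the buffer is short or the magic is not recognised. */
int savefile_parse(const uint8_t *buf, size_t len, struct savefile_info *out)
{
    int big;

    if (len < 24) return -1;                    /* fixed 24-byte file header */
    if (rd32(buf, 1) == SAVEFILE_MAGIC) big = 1;
    else if (rd32(buf, 0) == SAVEFILE_MAGIC) big = 0;
    else return -1;

    out->swapped  = (big != host_is_big_endian());
    out->major    = rd16(buf + 4, big);
    out->minor    = rd16(buf + 6, big);
    out->snaplen  = rd32(buf + 16, big);        /* bytes 8..15: thiszone, sigfigs */
    out->linktype = rd32(buf + 20, big);
    return 0;
}

/* Constructed sample: little-endian header, version 2.4, snaplen 65535, linktype 113 */
const uint8_t sample_hdr[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0,
                                0xff,0xff,0,0, 113,0,0,0};
```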

/*! \brief <b> Discouraged, Use pcap_stats_ex() instead</b>.\n Returns statistics on current capture.

       pcap_stats() returns 0 and fills in a pcap_stat struct.
       The values represent packet statistics from the start of
       the run to the time of the call. If there is an error or
       the underlying packet capture doesn't support packet
       statistics, -1 is returned and the error text can be
       obtained with pcap_perror() or pcap_geterr().
       pcap_stats() is supported only on live captures, not on
       "savefiles"; no statistics are stored in "savefiles",
       so no statistics are available when reading from a "savefile".

\sa pcap_stats_ex(), pcap_open_live()
*/
int pcap_stats(pcap_t *p, struct pcap_stat *ps);

/*! \brief <b> Discouraged, use pcap_dump() instead</b>.\n Returns the stdio stream of an offline capture.

       pcap_file() returns the standard I/O stream of the "savefile",
       if a "savefile" was opened with
       pcap_open_offline(), or NULL, if a network device was
       opened with pcap_open_live().

\sa pcap_open_offline(), pcap_open_live()
*/
FILE *pcap_file(pcap_t *p);

/*!	\brief <b>Discouraged</b>: it returns the file descriptor of a capture device.

       pcap_fileno() returns the file descriptor number from
       which captured packets are read, if a network device was
       opened with pcap_open_live(), or -1, if a "savefile" was
       opened with pcap_open_offline().


\sa pcap_open_offline(), pcap_open_live()
*/
int pcap_fileno(pcap_t *p);

/*! \brief
       prints the text of the last pcap library
       error on stderr, prefixed by prefix.
