📄 pcap.h
字号:
supplied.) NULL is returned if an error occured, or if no packets were read from a live
capture (if, for example, they were discarded because they didn't pass the packet filter,
or if, on platforms that support a read timeout that starts before any packets arrive, the
timeout expires before any packets arrive, or if the file descriptor for the capture device
is in non-blocking mode and no packets were available to be read), or if no more packets are
available in a ``savefile.'' Unfortunately, there is no way to determine whether an error
occured or not.
\sa pcap_dispatch(), pcap_loop()
*/
u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h);
/*! \brief Read a packet from an interface or from an offline capture.
This function is used to retrieve the next available packet, bypassing the callback method traditionally
provided by libpcap.
pcap_next_ex fills the pkt_header and pkt_data parameters (see pcap_handler()) with the pointers to the
header and to the data of the next captured packet.
The return value can be:
- 1 if the packet has been read without problems
- 0 if the timeout set with pcap_open_live() has elapsed. In this case pkt_header and pkt_data don't point to a valid packet
- -1 if an error occurred
- -2 if EOF was reached reading from an offline capture
\sa pcap_open_live(), pcap_loop(), pcap_dispatch(), pcap_handler()
*/
int pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header, const u_char **pkt_data);
/*! \brief set a flag that will force pcap_dispatch() or pcap_loop() to return rather than looping.
They will return the number of packets that have been processed so far, or -2 if no packets have been processed so far.
This routine is safe to use inside a signal handler on UNIX or a console control handler on Windows, as it merely sets
a flag that is checked within the loop.
The flag is checked in loops reading packets from the OS - a signal by itself will not necessarily terminate those
loops - as well as in loops processing a set of packets returned by the OS. Note that if you are catching signals on
UNIX systems that support restarting system calls after a signal, and calling pcap_breakloop() in the signal handler,
you must specify, when catching those signals, that system calls should NOT be restarted by that signal. Otherwise,
if the signal interrupted a call reading packets in a live capture, when your signal handler returns after calling
pcap_breakloop(), the call will be restarted, and the loop will not terminate until more packets arrive and the call
completes.
\note pcap_next() will, on some platforms, loop reading packets from the OS; that loop will not necessarily be
terminated by a signal, so pcap_breakloop() should be used to terminate packet processing even if pcap_next() is
being used.
pcap_breakloop() does not guarantee that no further packets will be processed by pcap_dispatch() or pcap_loop() after
it is called; at most one more packet might be processed.
If -2 is returned from pcap_dispatch() or pcap_loop(), the flag is cleared, so a subsequent call will resume reading
packets. If a positive number is returned, the flag is not cleared, so a subsequent call will return -2 and clear
the flag.
*/
void pcap_breakloop(pcap_t *);
/*! \brief Send a raw packet.
This function allows to send a raw packet to the network. p is the interface that
will be used to send the packet, buf contains the data of the packet to send (including the various
protocol headers), size is the dimension of the buffer pointed by buf, i.e. the size of the packet to send.
The MAC CRC doesn't need to be included, because it is transparently calculated and added by the network
interface driver.
The return value is 0 if the packet is succesfully sent, -1 otherwise.
\sa pcap_open_live()
*/
int pcap_sendpacket(pcap_t *p, u_char *buf, int size);
/*! \brief Save a packet to disk.
pcap_dump() outputs a packet to the "savefile" opened
with pcap_dump_open(). Note that its calling arguments
are suitable for use with pcap_dispatch() or pcap_loop().
If called directly, the user parameter is of type
pcap_dumper_t as returned by pcap_dump_open().
\sa pcap_dump_open(), pcap_dump_close(), pcap_dispatch(), pcap_loop()
*/
void pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp);
/*! \brief Return the file position for a "savefile".
pcap_dump_ftell() returns the current file position for the "savefile", representing the number of bytes written by
pcap_dump_open() and pcap_dump() .
-1 is returned on error.
\sa pcap_dump_open(), pcap_dump()
*/
long pcap_dump_ftell(pcap_dumper_t *);
/*! \brief Compile a packet filter, converting an high level filtering expression
(see \ref language) in a program that can be interpreted by the kernel-level
filtering engine.
pcap_compile() is used to compile the string str into a filter program. program
is a pointer to a bpf_program struct and is filled in by pcap_compile(). optimize
controls whether optimization on the resulting code is performed. netmask
specifies the IPv4 netmask of the network on which packets are being captured;
it is used only when checking for IPv4 broadcast addresses in the filter program.
If the netmask of the network on which packets are being captured isn't known to
the program, or if packets are being captured on the Linux "any" pseudo-interface
that can capture on more than one network, a value of 0 can be supplied; tests for
IPv4 broadcast addreses won't be done correctly, but all other tests in the filter
program will be OK. A return of -1 indicates an error in which case pcap_geterr()
may be used to display the error text.
\sa pcap_open_live(), pcap_setfilter(), pcap_freecode(), pcap_snapshot()
*/
int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask);
/*!\brief Compile a packet filter without the need of opening an adapter. This function converts an high level filtering expression
(see \ref language) in a program that can be interpreted by the kernel-level filtering engine.
pcap_compile_nopcap() is similar to pcap_compile() except
that instead of passing a pcap structure, one passes the
snaplen and linktype explicitly. It is intended to be
used for compiling filters for direct BPF usage, without
necessarily having called pcap_open(). A return of -1
indicates an error; the error text is unavailable.
(pcap_compile_nopcap() is a wrapper around
pcap_open_dead(), pcap_compile(), and pcap_close(); the
latter three routines can be used directly in order to get
the error text for a compilation error.)
Look at the \ref language section for details on the
str parameter.
\sa pcap_open_live(), pcap_setfilter(), pcap_freecode(), pcap_snapshot()
*/
int pcap_compile_nopcap(int snaplen_arg, int linktype_arg, struct bpf_program *program, char *buf, int optimize, bpf_u_int32 mask);
/*! \brief Associate a filter to a capture.
pcap_setfilter() is used to specify a filter program. fp
is a pointer to a bpf_program struct, usually the result
of a call to pcap_compile(). -1 is returned on failure,
in which case pcap_geterr() may be used to display the
error text; 0 is returned on success.
\sa pcap_compile(), pcap_compile_nopcap()
*/
int pcap_setfilter(pcap_t *p, struct bpf_program *fp);
/*! \brief Free a filter.
pcap_freecode() is used to free up allocated memory
pointed to by a bpf_program struct generated by pcap_compile()
when that BPF program is no longer needed, for
example after it has been made the filter program for a
pcap structure by a call to pcap_setfilter().
\sa pcap_compile(), pcap_compile_nopcap()
*/
void pcap_freecode(struct bpf_program *fp);
/*! \brief Return the link layer of an adapter.
returns the link layer type; link layer types it can return include:
- DLT_NULL BSD loopback encapsulation; the link layer header is a 4-byte field, in host byte order, containing a PF_ value from socket.h for the network-layer protocol of the packet.
Note that ``host byte order'' is the byte order of the machine on which the packets are captured, and the PF_ values are for the OS of the machine on which the packets are captured; if a live capture is being done, ``host byte order'' is the byte order of the machine capturing the packets, and the PF_ values are those of the OS of the machine capturing the packets, but if a ``savefile'' is being read, the byte order and PF_ values are not necessarily those of the machine reading the capture file.
- DLT_EN10MB Ethernet (10Mb, 100Mb, 1000Mb, and up)
- DLT_IEEE802: IEEE 802.5 Token Ring
- DLT_ARCNET: ARCNET
- DLT_SLIP: SLIP; the link layer header contains, in order:
-# a 1-byte flag, which is 0 for packets received by the machine and 1 for packets sent by the machine;
-# a 1-byte field, the upper 4 bits of which indicate the type of packet, as per RFC 1144:
- 0x40: an unmodified IP datagram (TYPE_IP);
- 0x70: an uncompressed-TCP IP datagram (UNCOMPRESSED_TCP), with that byte being the first byte of the raw IP header on the wire, containing the connection number in the protocol field;
- 0x80: a compressed-TCP IP datagram (COMPRESSED_TCP), with that byte being the first byte of the compressed TCP/IP datagram header;
-# for UNCOMPRESSED_TCP, the rest of the modified IP header, and for COMPRESSED_TCP, the compressed TCP/IP datagram header;
-# for a total of 16 bytes; the uncompressed IP datagram follows the header.
- DLT_PPP: PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like framing, with the PPP header following those two bytes, otherwise it's PPP without framing, and the packet begins with the PPP header.
- DLT_FDDI: FDDI
- DLT_ATM_RFC1483: RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2 LLC header.
- DLT_RAW: raw IP; the packet begins with an IP header.
- DLT_PPP_SERIAL: PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP with HDLC framing.
- DLT_PPP_ETHER: PPPoE; the packet begins with a PPPoE header, as per RFC 2516.
- DLT_C_HDLC: Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547.
- DLT_IEEE802_11: IEEE 802.11 wireless LAN
- DLT_FRELAY: Frame Relay
- DLT_LOOP: OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in network byte order, containing a PF_ value from OpenBSD's socket.h for the network-layer protocol of the packet.
Note that, if a ``savefile'' is being read, those PF_ values are not necessarily those of the machine reading the capture file.
- DLT_LINUX_SLL: Linux "cooked" capture encapsulation; the link layer header contains, in order:
- a 2-byte "packet type", in network byte order, which is one of:
-# packet was sent to us by somebody else
-# packet was broadcast by somebody else
-# packet was multicast, but not broadcast, by somebody else
-# packet was sent by somebody else to somebody else
-# packet was sent by us
- a 2-byte field, in network byte order, containing a Linux ARPHRD_ value for the link layer device type;
- a 2-byte field, in network byte order, containing the length of the link layer address of the sender of the packet (which could be 0);
- an 8-byte field containing that number of bytes of the link layer header (if there are more than 8 bytes, only the first 8 are present);
- 2-byte field containing an Ethernet protocol type, in network byte order, or containing 1 for Novell 802.3 frames without an 802.2 LLC header or 4 for frames beginning with an 802.2 LLC header.
- DLT_LTALK: Apple LocalTalk; the packet begins with an AppleTalk LLAP header.
- DLT_PFLOG: OpenBSD pflog; the link layer header contains, in order:
- a 4-byte PF_ value, in network byte order;
- a 16-character interface name;
- a 2-byte rule number, in network byte order;
- a 2-byte reason code, in network byte order, which is one of:
-# match
-# bad offset
-# fragment
-# short
-# normalize
-# memory
-a 2-byte action code, in network byte order, which is one of:
-# passed
-# dropped
-# scrubbed
- a 2-byte direction, in network byte order, which is one of:
-# incoming or outgoing
-# incoming
-# outgoing
- DLT_PRISM_HEADER: Prism monitor mode information followed by an 802.11 header.
- DLT_IP_OVER_FC: RFC 2625 IP-over-Fibre Channel, with the link-layer header being the Network_Header as described in that RFC.
- DLT_SUNATM: SunATM devices; the link layer header contains, in order:
- a 1-byte flag field, containing a direction flag in the uppermost bit, which is set for packets transmitted by the machine and clear for packets received by the machine, and a 4-byte traffic type in the low-order 4 bits, which is one of:
-# raw traffic
-# LANE traffic
-# LLC-encapsulated traffic
-# MARS traffic
-# IFMP traffic
-# ILMI traffic
-# Q.2931 traffic
- a 1-byte VPI value;
- a 2-byte VCI field, in network byte order.
- DLT_IEEE802_11_RADIO: link-layer information followed by an 802.11 header - see http://www.shaftnet.org/~pizza/software/capturefrm.txt for a description of the link-layer information.
- DLT_ARCNET_LINUX: ARCNET, with no exception frames, reassembled packets rather than raw frames, and an extra 16-bit offset field between the destination host and type bytes.
- DLT_LINUX_IRDA: Linux-IrDA packets, with a DLT_LINUX_SLL header followed by the IrLAP header.
\sa pcap_list_datalinks(), pcap_set_datalink(), pcap_datalink_name_to_val()
*/
int pcap_datalink(pcap_t *p);
/*! \brief list datalinks
pcap_list_datalinks() is used to get a list of the supported data link types of the
interface associated with the pcap descriptor. pcap_list_datalinks() allocates an array
to hold the list and sets *dlt_buf. The caller is responsible for freeing the array. -1
is returned on failure; otherwise, the number of data link types in the array is returned.
\sa pcap_datalink(), pcap_set_datalink(), pcap_datalink_name_to_val()
*/
int pcap_list_datalinks(pcap_t *p, int **dlt_buf);
/*! \brief Set the current data link type of the pcap
descriptor to the type specified by dlt. -1 is returned on failure. */
int pcap_set_datalink(pcap_t *p, int dlt);
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -