pcap.h

Windows XP下的抓包程序实现

/*! \brief Translates a data link type name, which is a DLT_ name 
  with the DLT_ removed, to the corresponding data link type value. The translation is 
  case-insensitive. -1 is returned on failure.
*/
int pcap_datalink_name_to_val(const char *name);

/*! \brief Translates a data link type value to the corresponding data 
link type name. NULL is returned on failure. 
*/
const char *pcap_datalink_val_to_name(int dlt);

/*! \brief Translates a data link type value to a short 
description of that data link type. NULL is returned on failure. 
*/
const char *pcap_datalink_val_to_description(int dlt);


/*! \brief Return the dimension of the packet portion (in bytes) that is delivered to the application.

       pcap_snapshot() returns the snapshot length specified when
       pcap_open_live was called.

\sa pcap_open_live(), pcap_compile(), pcap_compile_nopcap()
*/
int pcap_snapshot(pcap_t *p);


/*! \brief returns true if the current savefile
uses a different byte order than the current system.
*/
int pcap_is_swapped(pcap_t *p);


/*! \brief return the major version number of the pcap library used to write the savefile.

\sa pcap_minor_version()
*/
int pcap_major_version(pcap_t *p);


/*! \brief return the minor version number of the pcap library used to write the savefile.

\sa pcap_major_version()
*/
int pcap_minor_version(pcap_t *p);

/*! \brief Return the standard stream of an offline capture.
 
       pcap_file() returns the standard I/O stream of the "savefile",
       if    a    "savefile"    was    opened   with
       pcap_open_offline(), or NULL,  if  a  network  device  was
       opened with pcap_open_live().
       \deprecated Due to incompatibilities between the C Runtime (CRT) used to
       compile WinPcap and the one used by WinPcap-based applications, this function 
       may return an invalid FILE pointer, i.e. a descriptor that causes all the standard I/O stream 
       functions (ftell, fseek, fclose...) to fail. The function is still available for 
       backwards binary compatibility, only.

\sa pcap_open_offline(), pcap_open_live()
*/
FILE *pcap_file(pcap_t *p);

/*! \brief Return statistics on current capture.

 pcap_stats()  returns  0  and fills in a pcap_stat struct.
 The values represent packet statistics from the  start  of
 the  run  to the time of the call. If there is an error or
 the  underlying  packet  capture  doesn't  support  packet
 statistics,  -1  is  returned  and  the  error text can be
 obtained    with    pcap_perror()    or     pcap_geterr().
 pcap_stats()  is  supported  only on live captures, not on
 "savefiles"; no statistics are stored in  "savefiles",
  so no statistics are available when reading from a "savefile".

\sa pcap_stats_ex(), pcap_open_live()
*/
int pcap_stats(pcap_t *p, struct pcap_stat *ps);

/*! \brief print the text of the last pcap library error on stderr, prefixed by prefix.

\sa pcap_geterr()
*/
void pcap_perror(pcap_t *p, char *prefix);


/*! \brief return the error  text  pertaining  to  the
       last  pcap  library  error.   

       \note the pointer Return will no longer point to a valid 
       error message string after the pcap_t passed to it is closed; 
       you must use or copy the string before closing the pcap_t. 

\sa pcap_perror()
*/
char *pcap_geterr(pcap_t *p);


/*! \brief Provided  in  case  strerror()  isn't
       available.

\sa pcap_perror(), pcap_geterr()
*/
char *pcap_strerror(int error);

/*! \brief Returns a pointer to a string giving information about the 
  version of the libpcap library being used; note that it contains more information than 
  just a version number. 
*/
const char *pcap_lib_version(void);

/*! \brief
       close the files associated with p and deallocates resources.

\sa pcap_open_live(), pcap_open_offline(), pcap_open_dead()
*/
void pcap_close(pcap_t *p);

/*! \brief return the standard I/O stream of the 'savefile' opened by pcap_dump_open(). */
FILE *pcap_dump_file(pcap_dumper_t *p);

/*! \brief Flushes the output buffer to the ``savefile,'' so that any 
     packets written with pcap_dump() but not yet written to the ``savefile'' will be 
     written. -1 is returned on error, 0 on success. 
*/
int pcap_dump_flush(pcap_dumper_t *p);

/*! \brief Closes a savefile.

\sa pcap_dump_open(), pcap_dump()
*/
void pcap_dump_close(pcap_dumper_t *p);

//\}
// End of Unix-compatible functions







/** \name Windows-specific Extensions

	The functions in this section extend libpcap to offer advanced functionalities (like remote packet 
	capture, packet buffer size variation or high-precision packet injection). Howerver, at the moment 
	they can be used only in Windows.
 */
//\{ 

/*!	\brief Returns the AirPcap handler associated with an adapter. This handler can be used to change
           the wireless-related settings of the CACE Technologies AirPcap wireless capture adapters.

\note THIS FUNCTION SHOULD BE CONSIDERED PROVISIONAL, AND MAY BE REPLACED IN THE FUTURE BY A MORE COMPLETE SET
OF FUNCTIONS FOR WIRELESS SUPPORT.

pcap_get_airpcap_handle() allows to obtain the airpcap handle of an open adapter. This handle can be used with
the AirPcap API functions to perform wireless-releated operations, e.g. changing the channel or enabling 
WEP decryption. For more details about the AirPcap wireless capture adapters, see 
http://www.cacetech.com/products/airpcap.htm
	
\param p: handle to an open libpcap adapter

\return a pointer to an open AirPcap handle, used internally by the libpcap open adapter. NULL if the libpcap 
 adapter doesn't have wireless support through AirPcap.
*/
PAirpcapHandle pcap_get_airpcap_handle(pcap_t *p);

/*!	\brief Returns if a given filter applies to an offline packet.
	
This function is used to apply a filter to a packet that is currently in memory.
This process does not need to open an adapter; we need just to create the proper filter (by settings
parameters like the snapshot length, or the link-layer type) by means of the pcap_compile_nopcap().

The current API of libpcap does not allow to receive a packet and to filter the packet after it has been
received. However, this can be useful in case you want to filter packets in the application, instead of into 
the receiving process. This function allows you to do the job.
	
\param prog: bpf program (created with the pcap_compile_nopcap() )
\param header: header of the packet that has to be filtered
\param pkt_data: buffer containing the packet, in network-byte order.

\return the length of the bytes that are currently available into the packet if the packet satisfies the filter,
0 otherwise.
*/
bool pcap_offline_filter(struct bpf_program *prog, const struct pcap_pkthdr *header, const u_char *pkt_data);

/*! \brief Save a capture to file.

  \note: this function does not work in current version of WinPcap.

pcap_live_dump() dumps the network traffic from an interface to
a file. Using this function the dump is performed at kernel level, therefore it is more efficient than using
pcap_dump().

The parameters of this function are an interface descriptor (obtained with pcap_open_live()), a string with 
the name of the dump file, the maximum size of the file (in bytes) and the maximum number of packets that the file
will contain. Setting maxsize or maxpacks to 0 means no limit. When maxsize or maxpacks are reached, 
the dump ends.

pcap_live_dump() is non-blocking, threfore Return immediately. pcap_live_dump_ended() can be used to 
check the status of the dump process or to wait until it is finished. pcap_close() can instead be used to 
end the dump process.

Note that when one of the two limits is reached, the dump is stopped, but the file remains opened. In order 
to correctly flush the data and put the file in a consistent state, the adapter must be closed with 
pcap_close().


\sa pcap_live_dump_ended(), pcap_open_live(), pcap_close(), pcap_dump_open(), pcap_dump()
*/
int pcap_live_dump(pcap_t *p, char *filename, int maxsize, int maxpacks);


/*! \brief Return the status of the kernel dump process, i.e. tells if one of the limits defined with pcap_live_dump() has been reached.

    \note: this function does not work in current version of WinPcap.

pcap_live_dump_ended() informs the user about the limits that were set with a previous call to 
pcap_live_dump() on the interface pointed by p: if the return value is nonzero, one of the limits has been 
reched and the dump process is currently stopped.

If sync is nonzero, the function blocks until the dump is finished, otherwise Return immediately.

\warning if the dump process has no limits (i.e. if the maxsize and maxpacks arguments of pcap_live_dump() 
were both 0), the dump process will never stop, therefore setting sync to TRUE will block the application 
on this call forever.

\sa pcap_live_dump()
*/
int pcap_live_dump_ended(pcap_t *p, int sync);


/*! \brief Return statistics on current capture.

pcap_stats_ex() extends the pcap_stats() allowing to return more statistical parameters than the old call.
One of the advantages of this new call is that the pcap_stat structure is not allocated by the user; instead,
it is returned back by the system. This allow to extend the pcap_stat structure without affecting backward compatibility
on older applications. These will simply check at the values of the members at the beginning of the structure, 
while only newest applications are able to read new statistical values, which are appended in tail.

To be sure not to read a piece of mamory which has not been allocated by the system, the variable pcap_stat_size
will return back the size of the structure pcap_stat allocated by the system.

\param p: pointer to the pcap_t currently in use.
\param pcap_stat_size: pointer to an integer that will contain (when the function returns back) the size of the
structure pcap_stat as it has been allocated by the system.

\return: a pointer to a pcap_stat structure, that will contain the statistics related to the current device.
The return value is NULL in case of errors, and the  error text can be obtained with pcap_perror() or pcap_geterr().