Native Datatypes
Libpcap provides a few native datatypes that the applications programmer needs to recognize.
pcap_t
pcap_t is a typedef from the pcap structure, libpcap's native handler datatype. pcap_t is the main monolithic structure containing all of the details that make up a pcap descriptor, which in turn references a libpcap session. One of the pcap_open_*() functions initializes this datatype for the user. Every major function within libpcap either modifies or reads from a pcap_t pcap descriptor. While it is vital to understand the pcap_t datatype, it is a fully opaque structure (the applications programmer should never have to look inside it).
pcap_addr_t
pcap_addr_t is a typedef from the pcap_addr structure. This datatype holds address information inside pcap_if_t. The following elements of pcap_addr_t are useful to the application programmer.
struct pcap_addr *next;
next is the next element in the list.
struct sockaddr *addr;
addr contains the network address of the interface.
struct sockaddr *netmask;
netmask contains the netmask for the address.
struct sockaddr *broadaddr;
broadaddr contains the broadcast address corresponding to addr.
struct sockaddr *dstaddr;
dstaddr contains the point-to-point destination address corresponding to addr.
pcap_if_t
pcap_if_t is a typedef from the pcap_if structure. This datatype holds information about interfaces that are available to libpcap, usually filled in by pcap_findalldevs(). The following elements of pcap_if_t are useful to the application programmer.
struct pcap_if *next;
next is the next element in the list.
char *name;
name is the canonical name of the interface, which is useful to pass to pcap_open_live().
char *description;
description is an optional description of the device.
struct pcap_addr *addresses;
addresses points to the head of a linked list of address information (pcap_addr_t, described earlier).
struct pcap_stat {
pcap_stat is where libpcap stores its statistical information about each session. The meaning of each of the following structure members changes depending on the underlying packet capturing interface and on whether a libpcap filter has been installed.
u_int ps_recv;
ps_recv counts the number of received packets, and you should interpret it as per Table 2.1.
INTERFACE | MEANING |
---|---|
BPF | packets handed to the filter |
DLPI | packets handed to the filter |
Linux | packets that passed the filter |
NIT | packets handed to the filter |
PF | packets that passed the filter |
SNIT | packets handed to the filter |
Snoop | packets that passed the filter |
u_int ps_drop;
ps_drop counts the number of dropped packets, and you should interpret it as per Table 2.2.
INTERFACE | MEANING |
---|---|
BPF | packets handed to the filter but dropped due to insufficient buffer space |
DLPI | packets dropped due to resource limitations regardless of the filter |
Linux 2.2.x | not implemented |
Linux 2.4.x | packets dropped due to resource exhaustion or flow control regardless of the filter |
NIT | packets dropped due to resource exhaustion or flow control regardless of the filter |
PF | packets dropped due to a full input queue regardless of the filter |
SNIT | packets dropped due to resource exhaustion or flow control regardless of the filter |
Snoop | packets dropped due to hardware problems or resource limits regardless of the filter |
u_int ps_ifdrop;
ps_ifdrop is only implemented on systems supporting the pf interface (Ultrix and Digital Unix). On these systems, it records the number of packets that the network interface actually drops.
};
struct pcap_pkthdr {
pcap_pkthdr is the structure overlay that is prepended to every packet that libpcap returns to the pcap_handler function.
struct timeval ts;
ts records the time in seconds and microseconds that the packet arrived on the interface.
bpf_u_int32 caplen;
caplen records the length of the packet actually captured by libpcap. The snapshot length (snaplen) set in pcap_open_live() often constrains this value.
bpf_u_int32 len;
len records the length of the packet as it appeared on the wire.
};
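The caplen/len distinction matters most when parsing: only caplen bytes exist in the buffer handed to the pcap_handler, so every offset has to be checked against caplen, not len. The following is an added example, not code from the original text, showing this for an Ethernet/IPv4 frame. The names pkthdr_lens, dst_port() and parse_sample() are hypothetical, and pkthdr_lens is a local stand-in for the two pcap_pkthdr members so the example builds without libpcap.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in (assumption) for the caplen and len members of struct pcap_pkthdr. */
struct pkthdr_lens { uint32_t caplen, len; };

enum { PARSE_TRUNCATED = -1, PARSE_BAD = -2 };

/* Return the TCP/UDP destination port of an Ethernet/IPv4 frame, or a
 * negative code. Every offset is checked against caplen, never len. */
int dst_port(const struct pkthdr_lens *h, const uint8_t *pkt)
{
    if (h->caplen > h->len) return PARSE_BAD;       /* captured bytes cannot exceed wire bytes */
    if (h->caplen < 14) return PARSE_TRUNCATED;     /* Ethernet header is 14 bytes */
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return PARSE_BAD;   /* EtherType is not IPv4 */
    uint32_t avail = h->caplen - 14;                /* captured bytes after Ethernet */
    const uint8_t *ip = pkt + 14;
    if (avail < 20) return PARSE_TRUNCATED;         /* minimum IPv4 header */
    if ((ip[0] >> 4) != 4) return PARSE_BAD;
    uint32_t ihl = (uint32_t)(ip[0] & 0x0f) * 4;    /* untrusted length field from the packet */
    if (ihl < 20) return PARSE_BAD;
    if ((((ip[6] & 0x1f) << 8) | ip[7]) != 0) return PARSE_BAD; /* later fragment, no ports */
    if (ip[9] != 6 && ip[9] != 17) return PARSE_BAD;            /* only TCP and UDP here */
    if (avail < ihl + 4) return PARSE_TRUNCATED;    /* ports lie past any IP options */
    const uint8_t *l4 = ip + ihl;
    return (l4[2] << 8) | l4[3];
}

/* Constructed sample: 42-byte Ethernet/IPv4/UDP frame,
 * 192.0.2.1:12345 -> 192.0.2.2:53, checksums left at zero. */
static const uint8_t sample_frame[42] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0,0,0,0, 64,17,0,0,
    192,0,2,1, 192,0,2,2,
    0x30,0x39, 0x00,0x35, 0x00,0x08, 0,0
};

/* Parse the sample with the given caplen, as a short snaplen would produce. */
int parse_sample(uint32_t caplen)
{
    struct pkthdr_lens h = { caplen, sizeof sample_frame };
    return dst_port(&h, sample_frame);
}

int main(void)
{
    printf("caplen 42: %d, caplen 36: %d\n", parse_sample(42), parse_sample(36));
    return 0;
}
```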