Building.Open.Source.Network.Security.Tools.Components.And.Techniques [Electronic resources] - text version

Mike D. Schiffman

Initialization Functions

All of the magic inside libpcap is contained in a single monolithic pcap descriptor, and almost every function in the library requires it as an argument. The following functions create this pcap descriptor and thereby initialize the library for use.



pcap_t *pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *errbuf);


Life with libpcap begins with pcap_open_live(). A program wishing to capture packets with libpcap first initializes the packet capture interface and obtains a pcap descriptor with pcap_open_live(). The first argument, device, is a pointer to the name of the network device that will perform the packet capture. This string is short and canonical and references the device (for example, "eth0" for a 100MB Ethernet card on Linux and "fxp0" for a 100MB Ethernet card on OpenBSD). If the device string is unknown, a programmer can obtain one from the system with a call to pcap_lookupdev() (described later in this section). The next argument, snaplen, specifies the maximum number of bytes that pcap will capture per packet (the snapshot length; not to be confused with the 802.2 SNAP protocol header). The next argument, promisc, specifies whether or not libpcap should place the interface that device references in promiscuous mode (a positive value will set it to be on, and a negative value will set it to be off). Promiscuous mode enables the interface to capture all traffic on the local network regardless of intended destination, assuming that the underlying link layer supports this function. If promiscuous mode is off, the interface only returns traffic destined for itself. The fourth argument, to_ms, specifies the read timeout in milliseconds. The read timeout lets the kernel return multiple packets per read rather than handing them out one at a time: libpcap waits up to to_ms milliseconds after seeing the first packet, with the intent of reducing the number of system calls made. Not all platforms support this timeout option. The final argument, errbuf, is a character pointer to a buffer that receives a warning or error string if something went wrong. errbuf should be a buffer of size PCAP_ERRBUF_SIZE; it contains an error message if the function fails, and even if pcap_open_live() succeeds, errbuf can still contain a warning message.

According to the pcap manual page, the programmer should store a zero-length string in errbuf before calling pcap_open_live() and check the string after a successful return. A successful return yields a valid pcap descriptor, while an unsuccessful return yields a NULL pointer.


Note

Under Linux 2.2 kernels and later, you can specify a device of "any" or NULL, which enables pcap to capture packets from all network interfaces. At this writing, if this device is set, the promisc flag is ignored.

Under Linux, IRIX, and HP-UX, to_ms is ignored and one packet per read is returned.

Even if to_ms is supported, there is no guarantee that an attempt to read from the device will return when the timeout expires if no packets have arrived (you cannot use it for polling). For example, Solaris supports the timeout, but the timer does not start until a packet has arrived.



pcap_t *pcap_open_dead(int linktype, int snaplen);


You use pcap_open_dead() when a pcap descriptor is required by other functions inside libpcap but live packet capture is not needed (for example, to use the BPF filter code functionality). The linktype argument specifies the data link layer type, and you should set it to whatever link layer technology you expect to use (for example, DLT_EN10MB for all 10MB and up Ethernet networks and DLT_IEEE802_11 for 802.11 wireless networks). Note that the DLT_ values are different from the LINKTYPE_ values, which are used in capture file headers. snaplen is, as mentioned earlier, the snapshot length. The BPF filter code uses these two values for proper filter computation. Upon success, the function returns a valid pcap descriptor. Upon failure, the function returns a NULL pointer, and you can call pcap_geterr(), pcap_perror(), or pcap_strerror() to get the reason.



pcap_t *pcap_open_offline(char *fname, char *errbuf);


pcap_open_offline() opens a libpcap savefile for reading. fname is a pointer to the name of the file containing the libpcap savefile; such a file is typically created by pcap_dump_open(). Upon success, the function returns a pcap descriptor referring to the savefile; upon failure, the function returns a NULL pointer with the reason contained in errbuf.





Note

You can use the "-" string as a filename as a synonym for STDIN (standard input).




void pcap_close(pcap_t *p);


pcap_close() closes a libpcap descriptor p and destroys all associated memory objects (including any possible BPF filter programs).





Note

Under Linux 2.0.x, one side effect is that every interface that p referenced and that libpcap placed in promiscuous mode will have that bit cleared. This can cause problems for other applications that set the interface to promiscuous mode independently of the libpcap application, because the interface's promiscuous bit is cleared out from under them, which can have undesirable effects.




char *pcap_lookupdev(char *errbuf);


pcap_lookupdev() searches the system's interface list for a device suitable for packet capture and finds the lowest-numbered device that is ifconfig'd "up". The function is a wrapper to pcap_findalldevs(), returning the first device on the list. Upon success, the function returns a pointer to the device's canonical name. Upon failure, the function returns a NULL pointer and errbuf contains the reason.



int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf);


pcap_findalldevs() gets a list of "up" interfaces available to libpcap for packet capture. Upon success, the function returns 0 and alldevsp contains a linked list of interfaces. Upon failure, the function returns -1 and errbuf contains the reason.



void pcap_freealldevs(pcap_if_t *alldevsp);


pcap_freealldevs() frees the memory associated with alldevsp.
