Building Open Source Network Security Tools: Components and Techniques [Electronic resources] (text version)


Mike D. Schiffman



Capture Functions

The majority of libpcap's code revolves around reading packets from the network. The first three functions below perform the actual packet capture, and they all call the same underlying internal libpcap function, pcap_read(). Each offers different functionality, however.



int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback,
u_char *user);


pcap_dispatch() is the main function used to gather and process packets. The first argument, p, specifies the libpcap descriptor from which to read packets. The second argument, cnt, specifies the maximum number of packets that pcap_dispatch() should process before returning. A cnt of -1 processes all packets received in one buffer when reading from a live capture (pcap_open_live()) or all of the packets in the savefile from a dead capture (pcap_open_dead()). The callback argument specifies the function called to process each packet. That function receives three arguments, two of which pcap automatically generates:



A u_char pointer to user data. This data is arbitrary, specified by the application programmer, and passed into the callback function. The design of the callback function dictates how it is used (if at all).

A pointer to the pcap_pkthdr structure. This structure contains useful statistical information about the captured packet, including a microsecond granularity timestamp and packet capture length.

A u_char pointer to the start of the actual packet data.

The final argument to pcap_dispatch(), user, is the aforementioned user data. Upon success, the function returns the number of packets read; upon failure, the function returns -1 and you can use one of the pcap_*err() functions to find the reason. The function may return 0 if no packets were read for one of the following reasons:

No packets were read because they were all discarded for not passing the packet filter rules.

No packets were read because the read timeout expired before any packets arrived on the interface.

No packets were read because the file descriptor for the capture device was in non-blocking mode, and no packets were available to be read at that time.

No packets were read because the savefile is out of packets.
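The callback contract described above, as an added example that is not from the book or from libpcap itself: a handler in the pcap_handler form that carries state through the user pointer and bounds every read of the packet bytes by the header's caplen, since the captured length can be shorter than the on-wire len. It assumes an Ethernet link type; struct cap_stats, on_packet() and feed_sample() are hypothetical names, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/time.h>
#ifdef __has_include
#  if __has_include(<pcap.h>)
#    include <pcap.h>
#    define EX_HAVE_PCAP_H 1
#  endif
#endif
#ifndef EX_HAVE_PCAP_H  /* mirror of libpcap's header struct so this builds without it */
struct pcap_pkthdr { struct timeval ts; uint32_t caplen; uint32_t len; };
#endif

struct cap_stats {      /* hypothetical per-capture state, handed in as `user` */
    unsigned long seen, truncated, ipv4;
    uint8_t last_proto;
};

/* Same shape as pcap_handler (u_char is unsigned char). Assumes Ethernet framing.
 * In a capture program: pcap_dispatch(p, -1, on_packet, (u_char *)&stats);      */
void on_packet(unsigned char *user, const struct pcap_pkthdr *h,
               const unsigned char *pkt)
{
    struct cap_stats *st = (struct cap_stats *)user;
    st->seen++;
    if (h->caplen < h->len) st->truncated++;        /* only part of the frame was kept */
    if (h->caplen < 14) return;                     /* Ethernet header not fully captured */
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return; /* EtherType is not IPv4 */
    if (h->caplen < 14 + 20) return;                /* minimum IPv4 header missing */
    size_t ihl = (size_t)(pkt[14] & 0x0f) * 4;      /* IPv4 header length in bytes */
    if ((pkt[14] >> 4) != 4 || ihl < 20 || h->caplen < 14 + ihl) return;
    st->ipv4++;
    st->last_proto = pkt[14 + 9];                   /* IPv4 protocol field */
}

/* Constructed sample: a 60-byte IPv4/TCP frame of which only caplen bytes were captured. */
struct cap_stats feed_sample(uint32_t caplen)
{
    unsigned char frame[60] = {0};
    struct pcap_pkthdr h;
    struct cap_stats st = {0, 0, 0, 0};
    frame[12] = 0x08; frame[13] = 0x00;             /* EtherType 0x0800 */
    frame[14] = 0x45; frame[23] = 6;                /* version 4, IHL 5, protocol TCP */
    memset(&h, 0, sizeof h);
    h.caplen = caplen;
    h.len = (uint32_t)sizeof frame;
    on_packet((unsigned char *)&st, &h, frame);
    return st;
}
```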



int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user);


pcap_loop() has the same functionality as pcap_dispatch() except that it keeps reading packets from p until callback receives and processes cnt packets or until an error occurs. A cnt of -1 causes the function to loop indefinitely or until an error occurs. The function does not return when the timer expires and the read times out.



u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h);


pcap_next() returns the next packet available. It is actually a wrapper around pcap_dispatch() with a cnt of 1 and a callback function that extracts the pcap packet header structure and separates the actual packet. h is a pointer to the pcap_pkthdr structure, which the function fills in with the relevant statistics. Upon success, the function returns a u_char pointer to the captured packet. Upon failure, it returns 0, and you can use one of the pcap_*err() functions to find out the reason. Like pcap_dispatch(), this function returns NULL if the pcap timer expires and there is no data in the read buffer, so it is important to check for this scenario.



int pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf);


pcap_setnonblock() sets or removes non-blocking mode on the underlying descriptor referenced by p. If nonblock is 0, the function attempts to set the descriptor to be non-blocking; if nonblock is 1, the function attempts to remove it from being non-blocking. This function only works with pcap descriptors opened with pcap_open_live() and with the pcap_dispatch() capturing functionality. In non-blocking mode, an attempt to read from p returns immediately to the caller if no packets are available, rather than blocking until network traffic arrives. Upon success, the function returns 0; upon failure, the function returns -1 and errbuf contains the reason.



int pcap_getnonblock(pcap_t *p, char *errbuf);


pcap_getnonblock() returns the current blocking status of the descriptor that p references. If the descriptor is in blocking mode, the function returns 0, and if the descriptor is in non-blocking mode, the function returns 1. Upon failure, the function returns -1 and errbuf contains the reason.
