dect
/
libpcap
Archived
13
0
Fork 0
Code Releases Activity

Split the pcap(3) man page into a bunch of individual man pages for 

functions plus an overall man page for libpcap, and put them all into
section 3PCAP.  That means you can actually do "man pcap_open_live" and
get something meaningful, rather than having to do "man pcap" and then
scroll through all the other stuff in the man page.
This commit is contained in:
guy 2008-04-05 20:19:41 +00:00
parent b043aa85c0
commit baadfaab07
43 changed files with 2986 additions and 1342 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
FILES
View File

@ -115,10 +115,48 @@ pcap-snoop.c
pcap-usb-linux.c
pcap-usb-linux.h
pcap-win32.c
pcap.3
pcap.3pcap
pcap.c
pcap.h
pcap_breakloop.3pcap
pcap_close.3pcap
pcap_compile.3pcap
pcap_datalink.3pcap
pcap_datalink_name_to_val.3pcap
pcap_dump.3pcap
pcap_dump_close.3pcap
pcap_dump_file.3pcap
pcap_dump_flush.3pcap
pcap_dump_ftell.3pcap
pcap_dump_open.3pcap
pcap_file.3pcap
pcap_fileno.3pcap
pcap_findalldevs.3pcap
pcap_freealldevs.3pcap
pcap_freecode.3pcap
pcap_get_selectable_fd.3pcap
pcap_geterr.3pcap
pcap_inject.3pcap
pcap_is_swapped.3pcap
pcap_lib_version.3pcap
pcap_list_datalinks.3pcap
pcap_lookupdev.3pcap
pcap_lookupnet.3pcap
pcap_loop.3pcap
pcap_major_version.3pcap
pcap_next_ex.3pcap
pcap_open_dead.3pcap
pcap_open_live.3pcap
pcap_open_offline.3pcap
pcap_set_datalink.3pcap
pcap_setdirection.3pcap
pcap_setfilter.3pcap
pcap_setnonblock.3pcap
pcap_snapshot.3pcap
pcap_stats.3pcap
pcap_strerror.3pcap
pcap-filter.4
pcap-linktype.4
ppp.h
runlex.sh
savefile.c

42
INSTALL.txt
View File

@ -1,4 +1,4 @@
@(#) $Header: /tcpdump/master/libpcap/INSTALL.txt,v 1.25 2008-03-13 18:13:57 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/INSTALL.txt,v 1.26 2008-04-05 20:19:41 guy Exp $ (LBL)
To build libpcap, run "./configure" (a shell script). The configure
script will determine your system attributes and generate an
@ -391,10 +391,48 @@ pcap-snoop.c - IRIX Snoop network monitoring support
pcap-usb-linux.c - USB capture support for Linux
pcap-usb-linux.h - USB capture support for Linux
pcap-win32.c - WinPcap capture support
pcap.3 - manual entry for the library
pcap.3pcap - manual entry for the library
pcap.c - pcap utility routines
pcap.h - header for backwards compatibility
pcap_breakloop.3pcap - manual entry for pcap_breakloop
pcap_close.3pcap - manual entry for pcap_close
pcap_compile.3pcap - manual entry for pcap_compile
pcap_datalink.3pcap - manual entry for pcap_datalink
pcap_datalink_name_to_val.3pcap - manual entry for pcap_datalink_name_to_val
pcap_dump.3pcap - manual entry for pcap_dump
pcap_dump_close.3pcap - manual entry for pcap_dump_close
pcap_dump_file.3pcap - manual entry for pcap_dump_file
pcap_dump_flush.3pcap - manual entry for pcap_dump_flush
pcap_dump_ftell.3pcap - manual entry for pcap_dump_ftell
pcap_dump_open.3pcap - manual entry for pcap_dump_open and pcap_dump_fopen
pcap_file.3pcap - manual entry for pcap_file
pcap_fileno.3pcap - manual entry for pcap_fileno
pcap_findalldevs.3pcap - manual entry for pcap_findalldevs
pcap_freealldevs.3pcap - manual entry for pcap_freealldevs
pcap_freecode.3pcap - manual entry for pcap_freecode
pcap_get_selectable_fd.3pcap - manual entry for pcap_get_selectable_fd
pcap_geterr.3pcap - manual entry for pcap_geterr and pcap_perror
pcap_inject.3pcap - manual entry for pcap_inject and pcap_sendpacket
pcap_is_swapped.3pcap - manual entry for pcap_is_swapped
pcap_lib_version.3pcap - manual entry for pcap_lib_version
pcap_list_datalinks.3pcap - manual entry for pcap_list_datalinks
pcap_lookupdev.3pcap - manual entry for pcap_lookupdev
pcap_lookupnet.3pcap - manual entry for pcap_lookupnet
pcap_loop.3pcap - manual entry for pcap_loop and pcap_dispatch
pcap_major_version.3pcap - manual entry for pcap_major_version and pcap_minor_version
pcap_next_ex.3pcap - manual entry for pcap_next_ex and pcap_next
pcap_open_dead.3pcap - manual entry for pcap_open_dead
pcap_open_live.3pcap - manual entry for pcap_open_live
pcap_open_offline.3pcap - manual entry for pcap_open_offline and pcap_fopen_offline
pcap_set_datalink.3pcap - manual entry for pcap_set_datalink
pcap_setdirection.3pcap - manual entry for pcap_setdirection
pcap_setfilter.3pcap - manual entry for pcap_setfilter
pcap_setnonblock.3pcap - manual entry for pcap_setnonblock and pcap_getnonblock
pcap_snapshot.3pcap - manual entry for pcap_snapshot
pcap_stats.3pcap - manual entry for pcap_stats
pcap_strerror.3pcap - manual entry for pcap_strerror
pcap-filter.4 - manual entry for filter syntax
pcap-linktype.4 - manual entry for link-layer header types
ppp.h - Point to Point Protocol definitions
runlex.sh - wrapper for Lex/Flex
savefile.c - offline support

83
Makefile.in
View File

@ -17,7 +17,7 @@
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#
# @(#) $Header: /tcpdump/master/libpcap/Makefile.in,v 1.112 2008-02-04 21:08:05 guy Exp $ (LBL)
# @(#) $Header: /tcpdump/master/libpcap/Makefile.in,v 1.113 2008-04-05 20:19:41 guy Exp $ (LBL)
#
# Various configurable paths (remember to edit Makefile.in, not Makefile)
@ -100,6 +100,48 @@ TAGFILES = \
CLEANFILES = $(OBJ) libpcap.a $(GENSRC) $(GENHDR) lex.yy.c
MAN3PCAP = pcap.3pcap \
pcap_breakloop.3pcap \
pcap_close.3pcap \
pcap_compile.3pcap \
pcap_datalink.3pcap \
pcap_datalink_name_to_val.3pcap \
pcap_dump.3pcap \
pcap_dump_close.3pcap \
pcap_dump_file.3pcap \
pcap_dump_flush.3pcap \
pcap_dump_ftell.3pcap \
pcap_dump_open.3pcap \
pcap_file.3pcap \
pcap_fileno.3pcap \
pcap_findalldevs.3pcap \
pcap_freealldevs.3pcap \
pcap_freecode.3pcap \
pcap_get_selectable_fd.3pcap \
pcap_geterr.3pcap \
pcap_inject.3pcap \
pcap_is_swapped.3pcap \
pcap_lib_version.3pcap \
pcap_list_datalinks.3pcap \
pcap_lookupdev.3pcap \
pcap_lookupnet.3pcap \
pcap_loop.3pcap \
pcap_major_version.3pcap \
pcap_next_ex.3pcap \
pcap_open_dead.3pcap \
pcap_open_live.3pcap \
pcap_open_offline.3pcap \
pcap_set_datalink.3pcap \
pcap_setdirection.3pcap \
pcap_setfilter.3pcap \
pcap_setnonblock.3pcap \
pcap_snapshot.3pcap \
pcap_stats.3pcap \
pcap_strerror.3pcap
MAN4 = pcap-filter.4 \
pcap-linktype.4
all: libpcap.a
libpcap.a: $(OBJ)
@ -209,10 +251,28 @@ install: libpcap.a
$(DESTDIR)$(includedir)/pcap-bpf.h
$(INSTALL_DATA) $(srcdir)/pcap-namedb.h \
$(DESTDIR)$(includedir)/pcap-namedb.h
$(INSTALL_DATA) $(srcdir)/pcap.3 \
$(DESTDIR)$(mandir)/man3/pcap.3
$(INSTALL_DATA) $(srcdir)/pcap-filter.4 \
$(DESTDIR)$(mandir)/man4/pcap-filter.4
for i in $(MAN3PCAP); do \
$(INSTALL_DATA) $(srcdir)/$$i \
$(DESTDIR)$(mandir)/man3/$$i; done
ln $(DESTDIR)$(mandir)/man3/pcap_dump_open.3pcap \
$(DESTDIR)$(mandir)/man3/pcap_dump_fopen.3pcap
ln $(DESTDIR)$(mandir)/man3/pcap_geterr.3pcap \
$(DESTDIR)$(mandir)/man3/pcap_perror.3pcap
ln $(DESTDIR)$(mandir)/man3/pcap_inject.3pcap \
$(DESTDIR)$(mandir)/man3/pcap_sendpacket.3pcap
ln $(DESTDIR)$(mandir)/man3/pcap_loop.3pcap \
$(DESTDIR)$(mandir)/man3/pcap_dispatch.3pcap
ln $(DESTDIR)$(mandir)/man3/pcap_major_version.3pcap \
$(DESTDIR)$(mandir)/man3/pcap_minor_version.3pcap
ln $(DESTDIR)$(mandir)/man3/pcap_next_ex.3pcap \
$(DESTDIR)$(mandir)/man3/pcap_next.3pcap
ln $(DESTDIR)$(mandir)/man3/pcap_open_offline.3pcap \
$(DESTDIR)$(mandir)/man3/pcap_fopen_offline.3pcap
ln $(DESTDIR)$(mandir)/man3/pcap_setnonblock.3pcap \
$(DESTDIR)$(mandir)/man3/pcap_getnonblock.3pcap
for i in $(MAN4); do \
$(INSTALL_DATA) $(srcdir)/$$i \
$(DESTDIR)$(mandir)/man4/$$i; done
install-shared: install-shared-$(DYEXT)
install-shared-so: libpcap.so
@ -232,7 +292,18 @@ uninstall:
rm -f $(DESTDIR)$(includedir)/pcap.h
rm -f $(DESTDIR)$(includedir)/pcap-bpf.h
rm -f $(DESTDIR)$(includedir)/pcap-namedb.h
rm -f $(DESTDIR)$(mandir)/man3/pcap.3
for i in $(MAN3PCAP); do \
rm -f $(DESTDIR)$(mandir)/man3/$$i; done
rm -f $(DESTDIR)$(mandir)/man3/pcap_dump_fopen.3pcap
rm -f $(DESTDIR)$(mandir)/man3/pcap_perror.3pcap
rm -f $(DESTDIR)$(mandir)/man3/pcap_sendpacket.3pcap
rm -f $(DESTDIR)$(mandir)/man3/pcap_dispatch.3pcap
rm -f $(DESTDIR)$(mandir)/man3/pcap_minor_version.3pcap
rm -f $(DESTDIR)$(mandir)/man3/pcap_next.3pcap
rm -f $(DESTDIR)$(mandir)/man3/pcap_fopen_offline.3pcap
rm -f $(DESTDIR)$(mandir)/man3/pcap_getnonblock.3pcap
for i in $(MAN4); do \
rm -f $(DESTDIR)$(mandir)/man4/$$i; done
clean:
rm -f $(CLEANFILES) libpcap*.dylib libpcap.so*

309
pcap-linktype.4 Normal file
View File

@ -0,0 +1,309 @@
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap-linktype.4,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP-LINKTYPE 4 "4 April 2008"
.SH NAME
pcap-linktype \- link-layer header types supported by libpcap
.SH DESCRIPTION
Libpcap supplies for a live capture or ``savefile'' value that indicates
the type of link-layer header at the beginning of the packets it
provides. This is not necessarily the type of link-layer header that
the packets being captured have on the network from which they're being
captured; for example, packets from an IEEE 802.11 network might be
provided by libpcap with Ethernet headers that the network adapter or
the network adapter driver generates from the 802.11 headers.
.PP
The link-layer header types supported by libpcap are:
.RS 5
.TP 5
.B DLT_NULL
BSD loopback encapsulation; the link layer header is a 4-byte field, in
.I host
byte order, containing a PF_ value from
.B socket.h
for the network-layer protocol of the packet.
.IP
Note that ``host byte order'' is the byte order of the machine on which
the packets are captured, and the PF_ values are for the OS of the
machine on which the packets are captured; if a live capture is being
done, ``host byte order'' is the byte order of the machine capturing the
packets, and the PF_ values are those of the OS of the machine capturing
the packets, but if a ``savefile'' is being read, the byte order and PF_
values are
.I not
necessarily those of the machine reading the capture file.
.TP 5
.B DLT_EN10MB
Ethernet (10Mb, 100Mb, 1000Mb, and up)
.TP 5
.B DLT_IEEE802
IEEE 802.5 Token Ring
.TP 5
.B DLT_ARCNET
ARCNET
.TP 5
.B DLT_SLIP
SLIP; the link layer header contains, in order:
.RS 10
.LP
a 1-byte flag, which is 0 for packets received by the machine and 1 for
packets sent by the machine;
.LP
a 1-byte field, the upper 4 bits of which indicate the type of packet,
as per RFC 1144:
.RS 5
.TP 5
0x40
an unmodified IP datagram (TYPE_IP);
.TP 5
0x70
an uncompressed-TCP IP datagram (UNCOMPRESSED_TCP), with that byte being
the first byte of the raw IP header on the wire, containing the
connection number in the protocol field;
.TP 5
0x80
a compressed-TCP IP datagram (COMPRESSED_TCP), with that byte being the
first byte of the compressed TCP/IP datagram header;
.RE
.LP
for UNCOMPRESSED_TCP, the rest of the modified IP header, and for
COMPRESSED_TCP, the compressed TCP/IP datagram header;
.RE
.RS 5
.LP
for a total of 16 bytes; the uncompressed IP datagram follows the header.
.RE
.TP 5
.B DLT_PPP
PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like
framing, with the PPP header following those two bytes, otherwise it's
PPP without framing, and the packet begins with the PPP header.
.TP 5
.B DLT_FDDI
FDDI
.TP 5
.B DLT_ATM_RFC1483
RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2
LLC header.
.TP 5
.B DLT_RAW
raw IP; the packet begins with an IP header.
.TP 5
.B DLT_PPP_SERIAL
PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC
framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF
for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP
with HDLC framing.
.TP 5
.B DLT_PPP_ETHER
PPPoE; the packet begins with a PPPoE header, as per RFC 2516.
.TP 5
.B DLT_C_HDLC
Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547.
.TP 5
.B DLT_IEEE802_11
IEEE 802.11 wireless LAN
.TP 5
.B DLT_FRELAY
Frame Relay
.TP 5
.B DLT_LOOP
OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in
.I network
byte order, containing a PF_ value from OpenBSD's
.B socket.h
for the network-layer protocol of the packet.
.IP
Note that, if a ``savefile'' is being read, those PF_ values are
.I not
necessarily those of the machine reading the capture file.
.TP 5
.B DLT_LINUX_SLL
Linux "cooked" capture encapsulation; the link layer header contains, in
order:
.RS 10
.LP
a 2-byte "packet type", in network byte order, which is one of:
.RS 5
.TP 5
0
packet was sent to us by somebody else
.TP 5
1
packet was broadcast by somebody else
.TP 5
2
packet was multicast, but not broadcast, by somebody else
.TP 5
3
packet was sent by somebody else to somebody else
.TP 5
4
packet was sent by us
.RE
.LP
a 2-byte field, in network byte order, containing a Linux ARPHRD_ value
for the link layer device type;
.LP
a 2-byte field, in network byte order, containing the length of the
link layer address of the sender of the packet (which could be 0);
.LP
an 8-byte field containing that number of bytes of the link layer header
(if there are more than 8 bytes, only the first 8 are present);
.LP
a 2-byte field containing an Ethernet protocol type, in network byte
order, or containing 1 for Novell 802.3 frames without an 802.2 LLC
header or 4 for frames beginning with an 802.2 LLC header.
.RE
.TP 5
.B DLT_LTALK
Apple LocalTalk; the packet begins with an AppleTalk LLAP header.
.TP 5
.B DLT_PFLOG
OpenBSD pflog; the link layer header contains, in order:
.RS 10
.LP
a 1-byte header length, in host byte order;
.LP
a 4-byte PF_ value, in host byte order;
.LP
a 2-byte action code, in network byte order, which is one of:
.RS 5
.TP 5
0
passed
.TP 5
1
dropped
.TP 5
2
scrubbed
.RE
.LP
a 2-byte reason code, in network byte order, which is one of:
.RS 5
.TP 5
0
match
.TP 5
1
bad offset
.TP 5
2
fragment
.TP 5
3
short
.TP 5
4
normalize
.TP 5
5
memory
.RE
.LP
a 16-character interface name;
.LP
a 16-character ruleset name (only meaningful if subrule is set);
.LP
a 4-byte rule number, in network byte order;
.LP
a 4-byte subrule number, in network byte order;
.LP
a 1-byte direction, in network byte order, which is one of:
.RS 5
.TP 5
0
incoming or outgoing
.TP 5
1
incoming
.TP 5
2
outgoing
.RE
.RE
.TP 5
.B DLT_PRISM_HEADER
Prism monitor mode information followed by an 802.11 header.
.TP 5
.B DLT_IP_OVER_FC
RFC 2625 IP-over-Fibre Channel, with the link-layer header being the
Network_Header as described in that RFC.
.TP 5
.B DLT_SUNATM
SunATM devices; the link layer header contains, in order:
.RS 10
.LP
a 1-byte flag field, containing a direction flag in the uppermost bit,
which is set for packets transmitted by the machine and clear for
packets received by the machine, and a 4-byte traffic type in the
low-order 4 bits, which is one of:
.RS 5
.TP 5
0
raw traffic
.TP 5
1
LANE traffic
.TP 5
2
LLC-encapsulated traffic
.TP 5
3
MARS traffic
.TP 5
4
IFMP traffic
.TP 5
5
ILMI traffic
.TP 5
6
Q.2931 traffic
.RE
.LP
a 1-byte VPI value;
.LP
a 2-byte VCI field, in network byte order.
.RE
.TP 5
.B DLT_IEEE802_11_RADIO
link-layer information followed by an 802.11 header - see
http://www.shaftnet.org/~pizza/software/capturefrm.txt for a description
of the link-layer information.
.TP 5
.B DLT_ARCNET_LINUX
ARCNET, with no exception frames, reassembled packets rather than raw
frames, and an extra 16-bit offset field between the destination host
and type bytes.
.TP 5
.B DLT_LINUX_IRDA
Linux-IrDA packets, with a
.B DLT_LINUX_SLL
header followed by the IrLAP header.
.TP 5
.B DLT_LINUX_LAPD
LAPD (Q.921) frames, with a
.B DLT_LINUX_SLL
header captured via vISDN.
.RE

1333
pcap.3
View File

File diff suppressed because it is too large Load Diff

144
pcap.3pcap Normal file
View File

@ -0,0 +1,144 @@
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP 3PCAP "4 April 2008"
.SH NAME
pcap \- Packet Capture library
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.LP
.ft B
.ft
.fi
.SH DESCRIPTION
The Packet Capture library
provides a high level interface to packet capture systems. All packets
on the network, even those destined for other hosts, are accessible
through this mechanism.
It also supports saving captured packets to a ``savefile'', and reading
packets from a ``savefile''.
.PP
To open a live capture stream, call
.BR pcap_open_live() ,
and to open a ``savefile'' to read the packets in that file, call
.BR pcap_open_offline() .
Both routines return a pointer to a
.BR pcap_t ,
which is the handle used for reading packets from the capture stream or
the ``savefile'', and for finding out information about the capture
stream or ``savefile''.
.PP
To open a ``savefile`` to which to write packets, call
.BR pcap_dump_open() .
It returns a pointer to a
.BR pcap_dumper_t ,
which is the handle used for writing packets to the ``savefile''.
.PP
Packets are read with
.B pcap_dispatch()
or
.BR pcap_loop() ,
which process one or more packets, calling a callback routine for each
packet, or with
.B pcap_next()
or
.BR pcap_next_ex() ,
which return the next packet.
The callback for
.B pcap_dispatch()
and
.BR pcap_loop()
is supplied a pointer to a
.IR struct pcap_pkthdr ,
which includes the following members:
.RS
.TP
.B ts
a
.I struct timeval
containing the time when the packet was captured
.TP
.B caplen
a
.I bpf_u_int32
giving the number of bytes of the packet that are available from the
capture
.TP
.B len
a
.I bpf_u_int32
giving the length of the packet, in bytes (which might be more than the
number of bytes available from the capture, if the length of the packet
is larger than the maximum number of bytes to capture).
.RE
.PP
.B pcap_next_ex()
supplies that pointer through a pointer argument.
.B pcap_next()
is passed an argument that points to a
.I struct pcap_pkthdr
structure, and fills it in.
.PP
The callback is also supplied a
.I const u_char
pointer to the first
.B caplen
(as given in the
.I struct pcap_pkthdr
a pointer to which is passed to the callback routine)
bytes of data from the packet. This won't necessarily be the entire
packet; to capture the entire packet, you will have to provide a value
for
.I snaplen
in your call to
.B pcap_open_live()
that is sufficiently large to get all of the packet's data - a value of
65535 should be sufficient on most if not all networks). When reading
from a ``savefile'', the snapshot length specified when the capture was
performed will limit the amount of packet data available.
.B pcap_next()
returns that pointer;
.B pcap_next_ex()
supplies that pointer through a pointer argument.
.SH ROUTINES
.SH SEE ALSO
tcpdump(1), tcpslice(1), pcap-filter(4)
.SH AUTHORS
The original authors of libpcap are:
.LP
Van Jacobson,
Craig Leres and
Steven McCanne, all of the
Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
.LP
The current version is available from "The Tcpdump Group"'s Web site at
.LP
.RS
.I http://www.tcpdump.org/
.RE
.SH BUGS
Please send problems, bugs, questions, desirable enhancements, etc. to:
.LP
.RS
tcpdump-workers@tcpdump.org
.RE

105
pcap_breakloop.3pcap Normal file
View File

@ -0,0 +1,105 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_breakloop.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_BREAKLOOP 3PCAP "4 April 2008"
.SH NAME
pcap_breakloop \- force a pcap_dispatch() or pcap_loop() call to return
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
void pcap_breakloop(pcap_t *);
.ft
.fi
.SH DESCRIPTION
.B pcap_breakloop()
sets a flag that will force
.B pcap_dispatch()
or
.B pcap_loop()
to return rather than looping; they will return the number of packets
that have been processed so far, or \-2 if no packets have been
processed so far.
.PP
This routine is safe to use inside a signal handler on UNIX or a console
control handler on Windows, as it merely sets a flag that is checked
within the loop.
.PP
The flag is checked in loops reading packets from the OS - a signal by
itself will not necessarily terminate those loops - as well as in loops
processing a set of packets returned by the OS.
.ft B
Note that if you are catching signals on UNIX systems that support
restarting system calls after a signal, and calling pcap_breakloop()
in the signal handler, you must specify, when catching those signals,
that system calls should NOT be restarted by that signal. Otherwise,
if the signal interrupted a call reading packets in a live capture,
when your signal handler returns after calling pcap_breakloop(), the
call will be restarted, and the loop will not terminate until more
packets arrive and the call completes.
.PP
Note also that, in a multi-threaded application, if one thread is
blocked in
.BR pcap_dispatch() ,
.BR pcap_loop() ,
.BR pcap_next() ,
or
.BR pcap_next_ex() ,
a call to
.B pcap_breakloop()
in a different thread will not unblock that thread; you will need to use
whatever mechanism the OS provides for breaking a thread out of blocking
calls in order to unblock the thread, such as thread cancellation in
systems that support POSIX threads.
.ft R
.PP
Note that
.B pcap_next()
and
.B pcap_next_ex()
will, on some platforms, loop reading packets from the OS; that loop
will not necessarily be terminated by a signal, so
.B pcap_breakloop()
should be used to terminate packet processing even if
.B pcap_next()
or
.B pcap_next_ex()
is being used.
.PP
.B pcap_breakloop()
does not guarantee that no further packets will be processed by
.B pcap_dispatch()
or
.B pcap_loop()
after it is called; at most one more packet might be processed.
.PP
If \-2 is returned from
.B pcap_dispatch()
or
.BR pcap_loop() ,
the flag is cleared, so a subsequent call will resume reading packets.
If a positive number is returned, the flag is not cleared, so a
subsequent call will return \-2 and clear the flag.
.SH SEE ALSO
pcap_loop(3PCAP), pcap_next_ex(3PCAP)

39
pcap_close.3pcap Normal file
View File

@ -0,0 +1,39 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_close.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_CLOSE 3PCAP "4 April 2008"
.SH NAME
pcap_close \- close a capture device or savefile
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
void pcap_close(pcap_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_close()
closes the files associated with
.I p
and deallocates resources.

72
pcap_compile.3pcap Normal file
View File

@ -0,0 +1,72 @@
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_compile.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_COMPILE 3PCAP "4 April 2008"
.SH NAME
pcap_compile \- compile a filter expression
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_compile(pcap_t *p, struct bpf_program *fp,
.ti +8
const char *str, int optimize, bpf_u_int32 netmask);
.ft
.fi
.SH DESCRIPTION
.B pcap_compile()
is used to compile the string
.I str
into a filter program. See
.BR pcap-filter (4)
for the syntax of that string.
.I program
is a pointer to a
.I bpf_program
struct and is filled in by
.BR pcap_compile() .
.I optimize
controls whether optimization on the resulting code is performed.
.I netmask
specifies the IPv4 netmask of the network on which packets are being
captured; it is used only when checking for IPv4 broadcast addresses in
the filter program. If the netmask of the network on which packets are
being captured isn't known to the program, or if packets are being
captured on the Linux "any" pseudo-interface that can capture on more
than one network, a value of 0 can be supplied; tests for IPv4 broadcast
addreses won't be done correctly, but all other tests in the filter
program will be OK.
.SH RETURN VALUE
.B pcap_compile()
returns 0 on success and \-1 on failure.
If \-1 is returned,
.B pcap_geterr()
or
.B pcap_perror()
may be called with
.I p
as an argument to fetch or display the error text.
.SH SEE ALSO
pcap_setfilter(3PCAP), pcap_freecode(3PCAP), pcap_geterr(3PCAP),
pcap-filter(4)

39
pcap_datalink.3pcap Normal file
View File

@ -0,0 +1,39 @@
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_datalink.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_DATALINK 3PCAP "4 April 2008"
.SH NAME
pcap_datalink \- get the link-layer header type
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_datalink(pcap_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_datalink()
returns the link layer type for the live capture or ``savefile''
specified by
.IR p .

46
pcap_datalink_name_to_val.3pcap Normal file
View File

@ -0,0 +1,46 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_datalink_name_to_val.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_DATALINK_NAME_TO_VAL 3PCAP "4 April 2008"
.SH NAME
pcap_datalink_name_to_val \- get the link-layer header type value
corresponding to a header type name
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_datalink_name_to_val(const char *name);
.ft
.fi
.SH DESCRIPTION
.B pcap_datalink_name_to_val()
translates a data link type name, which is a
.B DLT_
name with the
.B DLT_
removed, to the corresponding data link type value. The translation
is case-insensitive.
.SH RETURN VALUE
.B pcap_datalink_name_to_val()
returns 0 on success and \-1 on failure.

52
pcap_dump.3pcap Normal file
View File

@ -0,0 +1,52 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_DUMP 3PCAP "4 April 2008"
.SH NAME
pcap_dump \- write a packet to a capture file
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
void pcap_dump(u_char *user, struct pcap_pkthdr *h,
.ti +8
u_char *sp);
.ft
.fi
.SH DESCRIPTION
.B pcap_dump()
outputs a packet to the ``savefile'' opened with
.BR pcap_dump_open() .
Note that its calling arguments are suitable for use with
.B pcap_dispatch()
or
.BR pcap_loop() .
If called directly, the
.I user
parameter is of type
.B pcap_dumper_t
as returned by
.BR pcap_dump_open() .
.SH SEE ALSO
pcap_dump_open(3PCAP), pcap_dispatch(3PCAP), pcap_loop(3PCAP)

39
pcap_dump_close.3pcap Normal file
View File

@ -0,0 +1,39 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump_close.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_DUMP_CLOSE 3PCAP "4 April 2008"
.SH NAME
pcap_dump_close \- close a savefile being written to
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
void pcap_dump_close(pcap_dumper_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_dump_close()
closes the ``savefile.''
.SH SEE ALSO
pcap_dump_open(3PCAP), pcap_dump(3PCAP)

38
pcap_dump_file.3pcap Normal file
View File

@ -0,0 +1,38 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump_file.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_DUMP_FILE 3PCAP "4 April 2008"
.SH NAME
pcap_dump_file \- get the standard I/O stream for a savefile being written
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
FILE *pcap_dump_file(pcap_dumper_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_dump_file()
returns the standard I/O stream of the ``savefile'' opened by
.BR pcap_dump_open() .

45
pcap_dump_flush.3pcap Normal file
View File

@ -0,0 +1,45 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump_flush.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_DUMP_FLUSH 3PCAP "4 April 2008"
.SH NAME
pcap_dump_flush \- flush to a savefile packets dumped
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_dump_flush(pcap_dumper_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_dump_flush()
flushes the output buffer to the ``savefile,'' so that any packets
written with
.B pcap_dump()
but not yet written to the ``savefile'' will be written.
.SH RETURN VALUE
.B pcap_dump_flush()
returns 0 on success and \-1 on failure.
.SH SEE ALSO
pcap_dump_open(3PCAP), pcap_dump(3PCAP)

44
pcap_dump_ftell.3pcap Normal file
View File

@ -0,0 +1,44 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump_ftell.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_DUMP_FTELL 3PCAP "4 April 2008"
.SH NAME
pcap_dump_ftell \- get the current file offset for a savefile being written
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
long pcap_dump_ftell(pcap_dumper_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_dump_ftell()
returns the current file position for the ``savefile'', representing the
number of bytes written by
.B pcap_dump_open()
and
.BR pcap_dump() .
\-1 is returned on error.
.SH SEE ALSO
pcap_dump_open(3PCAP), pcap_dump(3PCAP)

83
pcap_dump_open.3pcap Normal file
View File

@ -0,0 +1,83 @@
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_dump_open.3pcap,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_DUMP_OPEN 3PCAP "4 April 2008"
.SH NAME
pcap_dump_open, pcap_dump_fopen \- open a file to which to write packets
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.nf
.LP
.ft B
pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname);
pcap_dumper_t *pcap_dump_fopen(pcap_t *p, FILE *fp);
.ft
.fi
.SH DESCRIPTION
.B pcap_dump_open()
is called to open a ``savefile'' for writing.
.I fname
specifies the name of the file to open. The file will have
the same format as those used by
.BR tcpdump (1)
and
.BR tcpslice (1).
The name "-" in a synonym
for
.BR stdout .
.PP
.B pcap_dump_fopen()
is called to write data to an existing open stream
.IR fp .
Note that on Windows, that stream should be opened in binary mode.
.PP
.I p
is a
.B pcap_t
struct returned by an earlier call to
.BR pcap_open_offline() ,
.BR pcap_open_live() ,
or
.BR pcap_open_dead() .
The link-layer type and snapshot length from
.I p
are used as the link-layer type and snapshot length of the output file.
.SH RETURN VALUES
A pointer to a
.B pcap_dumper_t
structure to use in subsequent
.B pcap_dump()
and
.B pcap_dump_close()
calls is returned on success.
.B NULL
is returned on failure.
If
.B NULL
is returned,
.B pcap_geterr(\fIp\fB)
can be used to get the error text.
.SH SEE ALSO
pcap_open_offline(3PCAP), pcap_open_live(3PCAP), pcap_open_dead(3PCAP),
pcap_dump(3PCAP), pcap_dump_close(3PCAP), pcap_geterr(3PCAP)

53
pcap_file.3pcap Normal file
View File

@ -0,0 +1,53 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_file.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_FILE 3PCAP "4 April 2008"
.SH NAME
pcap_file \- get the standard I/O stream for a savefile being read
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
FILE *pcap_file(pcap_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_file()
returns the standard I/O stream of the ``savefile,'' if a ``savefile''
was opened with
.BR pcap_open_offline() ,
or NULL, if a network device was opened with
.BR pcap_open_live() .
.PP
Note that the Packet Capture library is usually built with large file
support, so the standard I/O stream of the ``savefile'' might refer to
a file larger than 2 gigabytes; applications that use
.B pcap_file()
should, if possible, use calls that support large files on the return
value of
.B pcap_file()
or the value returned by
.B fileno()
when passed the return value of
.BR pcap_file() .

41
pcap_fileno.3pcap Normal file
View File

@ -0,0 +1,41 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_fileno.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_FILENO 3PCAP "4 April 2008"
.SH NAME
pcap_fileno \- get the file descriptor for a live capture
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_fileno(pcap_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_fileno()
returns the file descriptor number from which captured packets are read,
if a network device was opened with
.BR pcap_open_live() ,
or \-1, if a ``savefile'' was opened with
.BR pcap_open_offline() .

153
pcap_findalldevs.3pcap Normal file
View File

@ -0,0 +1,153 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_findalldevs.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_FINDALLDEVS 3PCAP "4 April 2008"
.SH NAME
pcap_findalldevs \- get a list of capture devices
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.nf
.ft B
char errbuf[PCAP_ERRBUF_SIZE];
.ft
.LP
.ft B
int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf);
.ft
.fi
.SH DESCRIPTION
.B pcap_findalldevs()
constructs a list of network devices that can be opened with
.BR pcap_open_live() .
(Note that there may be network devices that cannot be opened with
.BR pcap_open_live()
by the
process calling
.BR pcap_findalldevs() ,
because, for example, that process might not have sufficient privileges
to open them for capturing; if so, those devices will not appear on the
list.)
.I alldevsp
is set to point to the first element of the list; each element of the
list is of type
.BR pcap_if_t ,
and has the following members:
.RS
.TP
.B next
if not
.BR NULL ,
a pointer to the next element in the list;
.B NULL
for the last element of the list
.TP
.B name
a pointer to a string giving a name for the device to pass to
.B pcap_open_live()
.TP
.B description
if not
.BR NULL ,
a pointer to a string giving a human-readable description of the device
.TP
.B addresses
a pointer to the first element of a list of addresses for the interface
.TP
.B flags
interface flags:
.RS
.TP
.B PCAP_IF_LOOPBACK
set if the interface is a loopback interface
.RE
.RE
.PP
Each element of the list of addresses is of type
.BR pcap_addr_t ,
and has the following members:
.RS
.TP
.B next
if not
.BR NULL ,
a pointer to the next element in the list;
.B NULL
for the last element of the list
.TP
.B addr
a pointer to a
.B "struct sockaddr"
containing an address
.TP
.B netmask
if not
.BR NULL ,
a pointer to a
.B "struct sockaddr"
that contains the netmask corresponding to the address pointed to by
.B addr
.TP
.B broadaddr
if not
.BR NULL ,
a pointer to a
.B "struct sockaddr"
that contains the broadcast address corresponding to the address pointed
to by
.BR addr ;
may be null if the interface doesn't support broadcasts
.TP
.B dstaddr
if not
.BR NULL ,
a pointer to a
.B "struct sockaddr"
that contains the destination address corresponding to the address pointed
to by
.BR addr ;
may be null if the interface isn't a point-to-point interface
.RE
.PP
Note that not all the addresses in the list of addresses are
necessarily IPv4 or IPv6 addresses - you must check the
.B sa_family
member of the
.B "struct sockaddr"
before interpreting the contents of the address.
.PP
The list of devices must be freed with
.BR pcap_freealldevs() .
.SH RETURN VALUE
.B pcap_findalldevs()
returns 0 on success and \-1 on failure.
If \-1 is returned,
.I errbuf
is filled in with an appropriate error message.
.I errbuf
is assumed to be able to hold at least
.B PCAP_ERRBUF_SIZE
chars.
.SH SEE ALSO
pcap_open_live(3PCAP), pcap_freealldevs(3PCAP)

40
pcap_freealldevs.3pcap Normal file
View File

@ -0,0 +1,40 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_freealldevs.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_FREEALLDEVS 3PCAP "4 April 2008"
.SH NAME
pcap_freealldevs \- free a list of capture devices
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
void pcap_freealldevs(pcap_if_t *alldevs);
.ft
.fi
.SH DESCRIPTION
.B pcap_freealldevs()
is used to free a list allocated by
.BR pcap_findalldevs() .
.SH SEE ALSO
pcap_findalldevs(3PCAP)

45
pcap_freecode.3pcap Normal file
View File

@ -0,0 +1,45 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_freecode.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_FREECODE 3PCAP "4 April 2008"
.SH NAME
pcap_freecode \- free a BPF program
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
void pcap_freecode(struct bpf_program *);
.ft
.fi
.SH DESCRIPTION
.B pcap_freecode()
is used to free up allocated memory pointed to by a
.I bpf_program
struct generated by
.B pcap_compile()
when that BPF program is no longer needed, for example after it
has been made the filter program for a pcap structure by a call to
.BR pcap_setfilter() .
.SH SEE ALSO
pcap_compile(3PCAP), pcap_setfilter(3PCAP)

112
pcap_get_selectable_fd.3pcap Normal file
View File

@ -0,0 +1,112 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_get_selectable_fd.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_GET_SELECTABLE_FD 3PCAP "4 April 2008"
.SH NAME
pcap_get_selectable_fd \- get a file descriptor on which a select() can
be done for a live capture
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_get_selectable_fd(pcap_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_get_selectable_fd()
returns, on UNIX, a file descriptor number for a file descriptor on
which one can
do a
.B select()
or
.B poll()
to wait for it to be possible to read packets without blocking, if such
a descriptor exists, or \-1, if no such descriptor exists. Some network
devices opened with
.B pcap_open_live()
do not support
.B select()
or
.B poll()
(for example, regular network devices on FreeBSD 4.3 and 4.4, and Endace
DAG devices), so \-1 is returned for those devices.
.PP
Note that on most versions of most BSDs (including Mac OS X)
.B select()
and
.B poll()
do not work correctly on BPF devices;
.B pcap_get_selectable_fd()
will return a file descriptor on most of those versions (the exceptions
being FreeBSD 4.3 and 4.4), a simple
.B select()
or
.B poll()
will not return even after a timeout specified in
.B pcap_open_live()
expires. To work around this, an application that uses
.B select()
or
.B poll()
to wait for packets to arrive must put the
.B pcap_t
in non-blocking mode, and must arrange that the
.B select()
or
.B poll()
have a timeout less than or equal to the timeout specified in
.BR pcap_open_live() ,
and must try to read packets after that timeout expires, regardless of
whether
.B select()
or
.B poll()
indicated that the file descriptor for the
.B pcap_t
is ready to be read or not. (That workaround will not work in FreeBSD
4.3 and later; however, in FreeBSD 4.6 and later,
.B select()
and
.B poll()
work correctly on BPF devices, so the workaround isn't necessary,
although it does no harm.)
.PP
Note also that
.B poll()
doesn't work on character special files, including BPF devices, in Mac
OS X 10.4 and 10.5, so, while
.B select()
can be used on the descriptor returned by
.BR pcap_get_selectable_fd() ,
.B poll()
cannot be used on it those versions of Mac OS X. Kqueues also don't
work on that descriptor.
.PP
.B pcap_get_selectable_fd()
is not available on Windows.
.SH RETURN VALUE
A selectable file descriptor is returned if one exists; otherwise, \-1
is returned.
.SH SEE ALSO
select(2), poll(2)

51
pcap_geterr.3pcap Normal file
View File

@ -0,0 +1,51 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_geterr.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_GETERR 3PCAP "4 April 2008"
.SH NAME
pcap_geterr, pcap_perror \- get or print libpcap error message text
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
char *pcap_geterr(pcap_t *p);
void pcap_perror(pcap_t *p, char *prefix);
.ft
.fi
.SH DESCRIPTION
.B pcap_geterr()
returns the error text pertaining to the last pcap library error.
.BR NOTE :
the pointer it returns will no longer point to a valid error message
string after the
.B pcap_t
passed to it is closed; you must use or copy the string before closing
the
.BR pcap_t .
.PP
.B pcap_perror()
prints the text of the last pcap library error on
.BR stderr ,
prefixed by
.IR prefix .

90
pcap_inject.3pcap Normal file
View File

@ -0,0 +1,90 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_inject.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_INJECT 3PCAP "4 April 2008"
.SH NAME
pcap_inject, pcap_sendpacket \- transmit a packet
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_inject(pcap_t *p, const void *buf, size_t size);
int pcap_sendpacket(pcap_t *p, const u_char *buf, int size);
.ft
.fi
.SH DESCRIPTION
.B pcap_inject()
sends a raw packet through the network interface;
.I buf
points to the data of the packet, including the link-layer header, and
.I size
is the number of bytes in the packet.
.PP
Note that, even if you successfully open the network interface, you
might not have permission to send packets on it, or it might not support
sending packets; as
.I pcap_open_live()
doesn't have a flag to indicate whether to open for capturing, sending,
or capturing and sending, you cannot request an open that supports
sending and be notified at open time whether sending will be possible.
Note also that some devices might not support sending packets.
.PP
Note that, on some platforms, the link-layer header of the packet that's
sent might not be the same as the link-layer header of the packet
supplied to
.BR pcap_inject() ,
as the source link-layer address, if the header contains such an
address, might be changed to be the address assigned to the interface on
which the packet it sent, if the platform doesn't support sending
completely raw and unchanged packets. Even worse, some drivers on some
platforms might change the link-layer type field to whatever value
libpcap used when attaching to the device, even on platforms that
.I do
nominally support sending completely raw and unchanged packets.
.PP
.B pcap_sendpacket()
is like
.BR pcap_inject() ,
but it returns 0 on success, rather than returning the number of bytes
written.
.RB ( pcap_inject()
comes from OpenBSD;
.B pcap_sendpacket()
comes from WinPcap. Both are provided for compatibility.)
.SH RETURN VALUE
.B pcap_inject()
returns the number of bytes written on success and \-1 on failure.
.PP
.B pcap_sendpacket()
returns 0 on success and \-1 on failure.
.PP
If \-1 is returned,
.B pcap_geterr()
or
.B pcap_perror()
may be called with
.I p
as an argument to fetch or display the error text.
.SH SEE ALSO
pcap_geterr(3PCAP)

40
pcap_is_swapped.3pcap Normal file
View File

@ -0,0 +1,40 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_is_swapped.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_IS_SWAPPED 3PCAP "4 April 2008"
.SH NAME
pcap_is_swapped \- find out whether a savefile has the native byte order
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_is_swapped(pcap_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_is_swapped()
returns true if
.I p
refers to a ``savefile'' that uses a different byte order
than the current system. For a live capture, it always returns false.

39
pcap_lib_version.3pcap Normal file
View File

@ -0,0 +1,39 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_lib_version.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_LIB_VERSION 3PCAP "4 April 2008"
.SH NAME
pcap_lib_version \- get the version information for libpcap
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
const char *pcap_lib_version(void);
.ft
.fi
.SH DESCRIPTION
.B pcap_lib_version()
returns a pointer to a string giving information about the version of
the libpcap library being used; note that it contains more information
than just a version number.

57
pcap_list_datalinks.3pcap Normal file
View File

@ -0,0 +1,57 @@
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_list_datalinks.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_LIST_DATALINKS 3PCAP "4 April 2008"
.SH NAME
pcap_list_datalinks \- get a list of link-layer header types supported
by a capture device
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_list_datalinks(pcap_t *p, int **dlt_buf);
.ft
.fi
.SH DESCRIPTION
.B pcap_list_datalinks()
is used to get a list of the supported data link types of the interface
associated with the pcap descriptor.
.B pcap_list_datalinks()
allocates an array to hold the list and sets
.IR *dlt_buf .
The caller is responsible for freeing the array with
.BR free (3).
.SH RETURN VALUE
.B pcap_list_datalinks()
returns the number of data link types in the array on success and \-1
on failure.
If \-1 is returned,
.B pcap_geterr()
or
.B pcap_perror()
may be called with
.I p
as an argument to fetch or display the error text.
.SH SEE ALSO
pcap_geterr(3PCAP)

57
pcap_lookupdev.3pcap Normal file
View File

@ -0,0 +1,57 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_lookupdev.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_LOOKUPDEV 3PCAP "4 April 2008"
.SH NAME
pcap_lookupdev \- find the default device on which to capture
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.nf
.ft B
char errbuf[PCAP_ERRBUF_SIZE];
.ft
.LP
.ft B
char *pcap_lookupdev(char *errbuf);
.ft
.fi
.SH DESCRIPTION
.B pcap_lookupdev()
returns a pointer to a string giving the name of a network device
suitable for use with
.B pcap_open_live()
and
.BR pcap_lookupnet() .
If there is an error,
.B NULL
is returned and
.I errbuf
is filled in with an appropriate error message.
.I errbuf
is assumed to be able to hold at least
.B PCAP_ERRBUF_SIZE
chars.
.SH SEE ALSO
pcap_open_live(3PCAP), pcap_lookupnet(3PCAP)

63
pcap_lookupnet.3pcap Normal file
View File

@ -0,0 +1,63 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_lookupnet.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_LOOKUPNET 3PCAP "4 April 2008"
.SH NAME
pcap_lookupnet \- find the IPv4 network number and netmask for a device
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.nf
.ft B
char errbuf[PCAP_ERRBUF_SIZE];
.ft
.LP
.ft B
int pcap_lookupnet(const char *device, bpf_u_int32 *netp,
.ti +8
bpf_u_int32 *maskp, char *errbuf);
.ft
.fi
.SH DESCRIPTION
.B pcap_lookupnet()
is used to determine the IPv4 network number and mask
associated with the network device
.IR device .
Both
.I netp
and
.I maskp
are
.I bpf_u_int32
pointers.
.SH RETURN VALUE
.B pcap_lookupnet()
returns 0 on success and \-1 on failure.
If \-1 is returned,
.I errbuf
is filled in with an appropriate error message.
.I errbuf
is assumed to be able to hold at least
.B PCAP_ERRBUF_SIZE
chars.

164
pcap_loop.3pcap Normal file
View File

@ -0,0 +1,164 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_loop.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_LOOP 3PCAP "4 April 2008"
.SH NAME
pcap_loop, pcap_dispatch \- process packets from a live capture or savefile
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h,
.ti +8
const u_char *bytes);
.ft
.LP
.ft B
int pcap_loop(pcap_t *p, int cnt,
.ti +8
pcap_handler callback, u_char *user);
int pcap_dispatch(pcap_t *p, int cnt,
.ti +8
pcap_handler callback, u_char *user);
.ft
.fi
.SH DESCRIPTION
.B pcap_loop()
processes packets from a live capture or ``savefile'' until
.I cnt
packets are processed, the end of the ``savefile'' is
reached when reading from a ``savefile'',
.B pcap_breakloop()
is called, or an error occurs.
It does
.B not
return when live read timeouts occur.
A value of \-1 or 0 for
.I cnt
is equivalent to infinity, so that packets are processed until another
ending condition occurs.
.PP
.B pcap_dispatch()
processes packets from a live capture or ``savefile'' until
.I cnt
packets are processed, the end of the current bufferful of packets is
reached when doing a live capture, the end of the ``savefile'' is
reached when reading from a ``savefile'',
.B pcap_breakloop()
is called, or an error occurs.
Thus, when doing a live capture,
.I cnt
is the maximum number of packets to process before returning, but is not
a minimum number; when reading a live capture, only one
bufferful of packets is read at a time, so fewer than
.I cnt
packets may be processed. A value of \-1 or 0 for
.I cnt
causes all the packets received in one buffer to be processed when
reading a live capture, and causes all the packets in the file to be
processed when reading a ``savefile''.
.PP
.ft B
(In older versions of libpcap, the behavior when
\fIcnt\fP
was 0 was undefined; different platforms and devices behaved
differently, so code that must work with older versions of libpcap
should use \-1, nor 0, as the value of
\fIcnt\fP.)
.ft R
.PP
.I callback
specifies a routine to be called with three arguments:
a
.I u_char
pointer which is passed in the
.I user
argument to
.B pcap_loop()
or
.BR pcap_dispatch() ,
a
.I const struct pcap_pkthdr
pointer pointing to the packet time stamp and lengths, and a
.I const u_char
pointer to the first
.B caplen
(as given in the
.I struct pcap_pkthdr
a pointer to which is passed to the callback routine)
bytes of data from the packet.
.PP
.BR NOTE :
when reading a live capture,
.B pcap_dispatch()
will not necessarily return when the read times out; on some platforms,
the read timeout isn't supported, and, on other platforms, the timer
doesn't start until at least one packet arrives. This means that the
read timeout should
.B NOT
be used in, for example, an interactive application, to allow the packet
capture loop to ``poll'' for user input periodically, as there's no
guarantee that
.B pcap_dispatch()
will return after the timeout expires.
.SH RETURN VALUE
.B pcap_loop()
returns 0 if
.I cnt
is exhausted, \-1 if an error occurs, or \-2 if the loop terminated due
to a call to
.B pcap_breakloop()
before any packets were processed.
It does
.B not
return when live read timeouts occur; instead, it attempts to read more
packets.
.PP
.B pcap_dispatch()
returns the number of packets processed on success; this can be 0 if no
packets were read from a live capture (if, for example, they were
discarded because they didn't pass the packet filter, or if, on
platforms that support a read timeout that starts before any packets
arrive, the timeout expires before any packets arrive, or if the file
descriptor for the capture device is in non-blocking mode and no packets
were available to be read) or if no more packets are available in a
``savefile.'' It returns \-1 if an error occurs or \-2 if the loop
terminated due to a call to
.B pcap_breakloop()
before any packets were processed.
.ft B
If your application uses pcap_breakloop(),
make sure that you explicitly check for \-1 and \-2, rather than just
checking for a return value < 0.
.ft R
.PP
If \-1 is returned,
.B pcap_geterr()
or
.B pcap_perror()
may be called with
.I p
as an argument to fetch or display the error text.
.SH SEE ALSO
pcap_geterr(3PCAP), pcap_breakloop(3PCAP)

52
pcap_major_version.3pcap Normal file
View File

@ -0,0 +1,52 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_major_version.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_MAJOR_VERSION 3PCAP "4 April 2008"
.SH NAME
pcap_major_version, pcap_minor_version \- get the version number of a savefile
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_major_version(pcap_t *p);
int pcap_minor_version(pcap_t *p);
.ft
.fi
.SH DESCRIPTION
If
.I p
refers to a savefile,
.B pcap_major_version()
returns the major number of the file format of the savefile and
.B pcap_minor_version()
returns the minor number of the file format of the savefile. The
version number is stored in the header of the savefile.
.PP
If
.I p
refers to a live capture, the values returned by
.B pcap_major_version()
and
.B pcap_minor_version()
are not meaningful.

90
pcap_next_ex.3pcap Normal file
View File

@ -0,0 +1,90 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_next_ex.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_NEXT_EX 3PCAP "4 April 2008"
.SH NAME
pcap_next_ex, pcap_next \- read the next packet from a pcap_t
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header,
.ti +8
const u_char **pkt_data);
const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h);
.ft
.fi
.SH DESCRIPTION
.B pcap_next_ex()
reads the next packet and returns a success/failure indication.
If the packet was read without problems, the pointer pointed to by the
.I pkt_header
argument is set to point to the
.I pcap_pkthdr
struct for the packet, and the
pointer pointed to by the
.I pkt_data
argument is set to point to the data in the packet.
.PP
.B pcap_next()
reads the next packet (by calling
.B pcap_dispatch()
with a
.I cnt
of 1) and returns a
.I u_char
pointer to the data in that packet.
The
.I pcap_pkthdr
structure pointed to by
.I h
is filled in with the appropriate values for the packet.
.SH RETURN VALUE
.B pcap_next_ex()
returns 1 if the packet was read without problems, 0
if packets are being read from a live capture, and the timeout expired,
\-1 if an error occurred while reading the packet, and \-2 if
packets are being read from a ``savefile'', and there are no more
packets to read from the savefile.
If \-1 is returned,
.B pcap_geterr()
or
.B pcap_perror()
may be called with
.I p
as an argument to fetch or display the error text.
.PP
.B pcap_next()
returns a pointer to the packet data on success, and returns
.B NULL
if an error occured, or if no packets were read from a live
capture (if, for example, they were discarded because they didn't pass
the packet filter, or if, on platforms that support a read timeout that
starts before any packets arrive, the timeout expires before any packets
arrive, or if the file descriptor for the capture device is in
non-blocking mode and no packets were available to be read), or if no
more packets are available in a ``savefile.'' Unfortunately, there is
no way to determine whether an error occured or not.
.SH SEE ALSO
pcap_geterr(3PCAP), pcap_dispatch(3PCAP)

50
pcap_open_dead.3pcap Normal file
View File

@ -0,0 +1,50 @@
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_open_dead.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_OPEN_DEAD 3PCAP "4 April 2008"
.SH NAME
pcap_open_dead \- open a fake pcap_t for compiling filters or opening a
capture for output
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
pcap_t *pcap_open_dead(int linktype, int snaplen);
.ft
.fi
.SH DESCRIPTION
.PP
.B pcap_open_dead()
is used for creating a
.B pcap_t
structure to use when calling the other functions in libpcap. It is
typically used when just using libpcap for compiling BPF code.
.PP
.I linktype
specifies the link-layer type for the
.BR pcap_t .
.PP
.I snaplen
specifies the snapshot length for the
.BR pcap_t .

107
pcap_open_live.3pcap Normal file
View File

@ -0,0 +1,107 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_open_live.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_OPEN_LIVE 3PCAP "4 April 2008"
.SH NAME
pcap_open_live \- open a device for capturing
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.nf
.ft B
char errbuf[PCAP_ERRBUF_SIZE];
.ft
.LP
.ft B
pcap_t *pcap_open_live(const char *device, int snaplen,
.ti +8
int promisc, int to_ms, char *errbuf);
.ft
.fi
.SH DESCRIPTION
.B pcap_open_live()
is used to obtain a packet capture descriptor to look
at packets on the network.
.I device
is a string that specifies the network device to open; on Linux systems
with 2.2 or later kernels, a
.I device
argument of "any" or
.B NULL
can be used to capture packets from all interfaces.
.PP
.I snaplen
specifies the maximum number of bytes to capture. If this value is less
than the size of a packet that is captured, only the first
.I snaplen
bytes of that packet will be captured and provided as packet data. A
value of 65535 should be sufficient, on most if not all networks, to
capture all the data available from the packet.
.PP
.I promisc
specifies if the interface is to be put into promiscuous mode.
(Note that even if this parameter is false, the interface
could well be in promiscuous mode for some other reason.) For now, this
doesn't work on the "any" device; if an argument of "any" or NULL is
supplied, the
.I promisc
flag is ignored.
.PP
.I to_ms
specifies the read timeout in milliseconds. The read timeout is used to
arrange that the read not necessarily return immediately when a packet
is seen, but that it wait for some amount of time to allow more packets
to arrive and to read multiple packets from the OS kernel in one
operation. Not all platforms support a read timeout; on platforms that
don't, the read timeout is ignored. A zero value for
.IR to_ms ,
on platforms that support a read timeout,
will cause a read to wait forever to allow enough packets to
arrive, with no timeout.
.SH RETURN VALUE
.B pcap_open_live()
returns a
.I pcap_t *
on success and
.B NULL
on failure.
If
.B NULL
is returned,
.I errbuf
is filled in with an appropriate error message.
.I errbuf
may also be set to warning text when
.B pcap_open_live()
succeds; to detect this case the caller should store a zero-length string in
.I errbuf
before calling
.B pcap_open_live()
and display the warning to the user if
.I errbuf
is no longer a zero-length string.
.I errbuf
is assumed to be able to hold at least
.B PCAP_ERRBUF_SIZE
chars.

76
pcap_open_offline.3pcap Normal file
View File

@ -0,0 +1,76 @@
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap_open_offline.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_OPEN_OFFLINE 3PCAP "4 April 2008"
.SH NAME
pcap_open_offline, pcap_fopen_offline \- open a saved capture file for reading
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.nf
.ft B
char errbuf[PCAP_ERRBUF_SIZE];
.ft
.LP
.ft B
pcap_t *pcap_open_offline(const char *fname, char *errbuf);
pcap_t *pcap_fopen_offline(FILE *fp, char *errbuf);
.ft
.fi
.SH DESCRIPTION
.B pcap_open_offline()
is called to open a ``savefile'' for reading.
.PP
.I fname
specifies the name of the file to open. The file has
the same format as those used by
.BR tcpdump (1)
and
.BR tcpslice (1).
The name "-" in a synonym for
.BR stdin .
.PP
Alternatively, you may call
.B pcap_fopen_offline()
to read dumped data from an existing open stream
.IR fp .
Note that on Windows, that stream should be opened in binary mode.
.SH RETURN VALUE
.B pcap_open_offline()
and
.B pcap_fopen_offline()
return a
.I pcap_t *
on success and
.B NULL
on failure.
If
.B NULL
is returned,
.I errbuf
is filled in with an appropriate error message.
.I errbuf
is assumed to be able to hold at least
.B PCAP_ERRBUF_SIZE
chars.

52
pcap_set_datalink.3pcap Normal file
View File

@ -0,0 +1,52 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_set_datalink.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_SET_DATALINK 3PCAP "4 April 2008"
.SH NAME
pcap_set_datalink \- set the link-layer header type to be used by a
capture device
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_set_datalink(pcap_t *p, int dlt);
.ft
.fi
.SH DESCRIPTION
.B pcap_set_datalink()
is used to set the current data link type of the pcap descriptor
to the type specified by
.IR dlt .
.SH RETURN VALUE
.B pcap_set_datalink()
returns 0 on success and \-1 on failure.
If \-1 is returned,
.B pcap_geterr()
or
.B pcap_perror()
may be called with
.I p
as an argument to fetch or display the error text.
.SH SEE ALSO
pcap_geterr(3PCAP)

71
pcap_setdirection.3pcap Normal file
View File

@ -0,0 +1,71 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_setdirection.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_SETDIRECTION 3PCAP "4 April 2008"
.SH NAME
pcap_setdirection \- set the direction for which packets will be captured
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_setdirection(pcap_t *p, pcap_direction_t d);
.ft
.fi
.SH DESCRIPTION
.B pcap_setdirection()
is used to specify a direction that packets will be captured.
.I d
is one of the constants
.BR PCAP_D_IN ,
.B PCAP_D_OUT
or
.BR PCAP_D_INOUT .
.B PCAP_D_IN
will only capture packets received by the device,
.B PCAP_D_OUT
will only capture packets sent by the device and
.B PCAP_D_INOUT
will capture packets received by or sent by the device.
.B PCAP_D_INOUT
is the default setting if this function is not called.
.PP
.B pcap_setdirection()
isn't necessarily fully supported on all platforms; some platforms might
return an error for all values, and some other platforms might not
support
.BR PCAP_D_OUT .
.PP
This operation is not supported if a ``savefile'' is being read.
.SH RETURN VALUE
.B pcap_setdirection()
returns 0 on success and \-1 on failure.
If \-1 is returned,
.B pcap_geterr()
or
.B pcap_perror()
may be called with
.I p
as an argument to fetch or display the error text.
.SH SEE ALSO
pcap_geterr(3PCAP)

54
pcap_setfilter.3pcap Normal file
View File

@ -0,0 +1,54 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_setfilter.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_SETFILTER 3PCAP "4 April 2008"
.SH NAME
pcap_setfilter \- set the filter
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_setfilter(pcap_t *p, struct bpf_program *fp);
.ft
.fi
.SH DESCRIPTION
.B pcap_setfilter()
is used to specify a filter program.
.I fp
is a pointer to a
.I bpf_program
struct, usually the result of a call to
.BR pcap_compile() .
.SH RETURN VALUE
.B pcap_setfilter()
returns 0 on success and \-1 on failure.
If \-1 is returned,
.B pcap_geterr()
or
.B pcap_perror()
may be called with
.I p
as an argument to fetch or display the error text.
.SH SEE ALSO
pcap_geterr(3PCAP)

77
pcap_setnonblock.3pcap Normal file
View File

@ -0,0 +1,77 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_setnonblock.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_SETNONBLOCK 3PCAP "4 April 2008"
.SH NAME
pcap_setnonblock, pcap_getnonblock \- set or get the state of
non-blocking mode on a capture device
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.nf
.ft B
char errbuf[PCAP_ERRBUF_SIZE];
.ft
.LP
.ft B
int pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf);
int pcap_getnonblock(pcap_t *p, char *errbuf);
.ft
.fi
.SH DESCRIPTION
.B pcap_setnonblock()
puts a capture descriptor, opened with
.BR pcap_open_live() ,
into ``non-blocking'' mode, or takes it out of ``non-blocking'' mode,
depending on whether the
.I nonblock
argument is non-zero or zero. It has no effect on ``savefiles''.
If there is an error, \-1 is returned and
.I errbuf
is filled in with an appropriate error message; otherwise, 0 is
returned.
In
``non-blocking'' mode, an attempt to read from the capture descriptor
with
.B pcap_dispatch()
will, if no packets are currently available to be read, return 0
immediately rather than blocking waiting for packets to arrive.
.B pcap_loop()
and
.B pcap_next()
will not work in ``non-blocking'' mode.
.SH RETURN VALUE
.B pcap_getnonblock()
returns the current ``non-blocking'' state of the capture descriptor; it
always returns 0 on ``savefiles''.
If there is an error, \-1 is returned and
.I errbuf
is filled in with an appropriate error message.
.PP
.I errbuf
is assumed to be able to hold at least
.B PCAP_ERRBUF_SIZE
chars.
.SH SEE ALSO
pcap_loop(3PCAP), pcap_next_ex(3PCAP), pcap_geterr(3PCAP)

40
pcap_snapshot.3pcap Normal file
View File

@ -0,0 +1,40 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_snapshot.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_SNAPSHOT 3PCAP "4 April 2008"
.SH NAME
pcap_snapshot \- get the snapshot length
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_snapshot(pcap_t *p);
.ft
.fi
.SH DESCRIPTION
.B pcap_snapshot()
returns the snapshot length specified when
.B pcap_open_live()
was called, for a live capture, or the snapshot length from the capture
file, for a ``savefile''.

59
pcap_stats.3pcap Normal file
View File

@ -0,0 +1,59 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_stats.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_SNAPSHOT 3PCAP "4 April 2008"
.SH NAME
pcap_stats \- get capture statistics
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
int pcap_stats(pcap_t *p, struct pcap_stat *ps);
.ft
.fi
.SH DESCRIPTION
.B pcap_stats()
fills in the
.I pcap_stat
structure pointed to by its second argument. The values represent
packet statistics from the start of the run to the time of the call.
.PP
.B pcap_stats()
is supported only on live captures, not on ``savefiles''; no statistics
are stored in ``savefiles'', so no statistics are available when reading
from a ``savefile''.
.SH RETURN VALUE
.B pcap_stats()
returns 0 on success and returns \-1 if there is an error or the
.I p
doesn't support packet statistics.
If \-1 is returned,
.B pcap_geterr()
or
.B pcap_perror()
may be called with
.I p
as an argument to fetch or display the error text.
.SH SEE ALSO
pcap_geterr(3PCAP)

42
pcap_strerror.3pcap Normal file
View File

@ -0,0 +1,42 @@
.\" @(#) $Header: /tcpdump/master/libpcap/pcap_strerror.3pcap,v 1.1 2008-04-05 20:19:42 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_STRERROR 3PCAP "4 April 2008"
.SH NAME
pcap_strerror \- convert an errno value to a string
.SH SYNOPSIS
.nf
.ft B
#include <pcap.h>
.ft
.LP
.ft B
const char *pcap_strerror(int error);
.ft
.fi
.SH DESCRIPTION
.B pcap_strerror()
is provided in case
.BR strerror (3)
isn't available. It returns an error message string corresponding to
.IR error .
.SH SEE ALSO
strerror(3)