Capture Data Streams using WinPcap

Source: Internet
Author: User

Now that we know how to obtain information about the network adapters, we can start the real work: open an adapter and capture the data stream. In this section we write a program that prints one line of information for every packet that passes through the adapter.

The adapter is opened with pcap_open_live(). Apart from the device name and an error buffer, it takes three parameters: snaplen, promisc and to_ms.

snaplen specifies how many bytes of each packet are captured. On some systems (for example the xBSD family and Win32) the driver hands the application only the first snaplen bytes of each packet rather than the whole packet; this reduces the amount of data that has to be copied and improves capture efficiency.

promisc puts the adapter into promiscuous mode. Normally an adapter only accepts packets addressed to it and ignores packets sent to other hosts. In promiscuous mode it accepts every packet that flows past it, so on shared media the traffic exchanged between other hosts can be captured as well (on a switched network the switch still delivers only the frames destined for your port, so promiscuous mode alone does not reveal other hosts' traffic there). Most capture programs enable promiscuous mode by default, and the example below does too.

to_ms is the read timeout in milliseconds. If no packet arrives within this time, a read on the adapter (pcap_dispatch() or pcap_next_ex()) returns anyway. When the adapter is in statistical mode (see "Statistics and collection of network data streams"), to_ms also defines the interval at which statistics are returned. The timeout also lets the driver accumulate several packets and deliver them in a single read instead of waking the application for each one. A value of 0 means no timeout: a read blocks until a packet arrives. Not every platform supports the read timeout; platforms that do not support it ignore the parameter.

pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *ebuf);

pcap_open_live() returns a capture descriptor used to look at packets on the network, or NULL on failure. device is the name of the adapter to open. snaplen is the maximum number of bytes captured per packet: if a packet is larger than snaplen, only its first snaplen bytes are captured and handed to the application as the packet data. 65535 bytes is enough to capture the whole packet on most media. promisc selects promiscuous mode. to_ms is the read timeout described above. ebuf receives an error or warning message and must point to a buffer of at least PCAP_ERRBUF_SIZE bytes.

Once the adapter is open, packets are captured with pcap_loop():

int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user);

p is the capture handle returned by pcap_open_live(). cnt is the number of packets to process before the function returns; 0 or a negative value means keep capturing until an error occurs. callback is the function invoked for every packet. user is an opaque pointer passed unchanged to the callback; most programs pass NULL, but it is the way to hand the callback your own state.

The callback has the following type:

typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data);

pcap_dispatch() takes the same arguments and also delivers packets to a callback. The difference is that pcap_dispatch() returns when the read timeout expires even if no packet has arrived, whereas pcap_loop() ignores the timeout and blocks until packets arrive or an error occurs.

pkt_header describes the captured packet:

struct pcap_pkthdr {
    struct timeval ts;    /* time stamp */
    bpf_u_int32 caplen;   /* length of portion present */
    bpf_u_int32 len;      /* length of this packet (off wire) */
};

caplen is the number of bytes actually present in pkt_data; len is the length of the packet as it appeared on the wire. The two differ when snaplen truncated the packet, so any code that parses pkt_data must bound its reads by caplen, never by len.

Sample code:

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include "pcap.h"

/* prototype of the packet handler */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);

int main(void)
{
    pcap_if_t *alldevs;
    pcap_if_t *d;
    int inum;
    int i = 0;
    pcap_t *adhandle;
    char errbuf[PCAP_ERRBUF_SIZE];

    /* obtain the adapter list */
    if (pcap_findalldevs(&alldevs, errbuf) == -1) {
        fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }

    /* print the adapter list */
    for (d = alldevs; d; d = d->next) {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }

    if (i == 0) {
        printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
        return -1;
    }

    /* read the number of the adapter to open and check that it is valid */
    printf("Enter the interface number (1-%d): ", i);
    if (scanf("%d", &inum) != 1 || inum < 1 || inum > i) {
        printf("\nInterface number out of range.\n");
        pcap_freealldevs(alldevs);   /* free the device list */
        return -1;
    }

    /* jump to the selected adapter */
    for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++)
        ;

    /* open the selected adapter */
    adhandle = pcap_open_live(d->name,   /* device name */
                              65536,     /* portion of each packet to capture; 65536 guarantees the whole packet on all media */
                              1,         /* promiscuous mode */
                              1000,      /* read timeout: 1 second */
                              errbuf);   /* error buffer */
    if (adhandle == NULL) {
        fprintf(stderr, "\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
        pcap_freealldevs(alldevs);   /* free the device list */
        return -1;
    }

    printf("\nlistening on %s...\n", d->description ? d->description : d->name);

    /* the device list is no longer needed; free it */
    pcap_freealldevs(alldevs);

    /* start capturing; cnt = 0 means loop until an error occurs */
    pcap_loop(adhandle, 0, packet_handler, NULL);

    pcap_close(adhandle);
    return 0;
}

/* callback invoked by WinPcap for every incoming packet */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
    struct tm *ltime;
    char timestr[16];
    time_t local_tv_sec;

    (void)param;      /* no user data is passed in this example */
    (void)pkt_data;   /* only the header is printed here */

    /* convert the timestamp to a readable format; tv_sec is a long in WinPcap,
       so copy it into a time_t before calling localtime() */
    local_tv_sec = header->ts.tv_sec;
    ltime = localtime(&local_tv_sec);
    strftime(timestr, sizeof timestr, "%H:%M:%S", ltime);

    printf("%s,%.6ld len:%u\n", timestr, (long)header->ts.tv_usec, header->len);
}
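The handler above only prints the header, so it never touches pkt_data. As soon as a handler parses packet contents, the snaplen discussion becomes a memory-safety issue: WinPcap hands the callback caplen bytes, and a handler that sizes its reads by len (or by the lengths inside the packet) reads past the captured buffer whenever snaplen truncated the packet. The following is an added example, not code from the original article or from WinPcap, showing a handler that bounds every read by caplen. To build and run without WinPcap installed, cap_pkthdr mirrors the three fields of struct pcap_pkthdr, the Ethernet/IPv4/UDP frame is constructed inline, and simulate_capture() models what pcap_open_live() would deliver for a given snaplen (caplen = min(snaplen, len)); all three are assumptions for the stand-alone demo.

```c
/* Added example (not from the original article or WinPcap): a packet handler
 * that bounds every read by caplen, the snaplen-truncated length, not by len. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirror of struct pcap_pkthdr (same fields, same meaning) so this file
 * compiles without pcap.h. */
struct cap_pkthdr {
    struct { long tv_sec; long tv_usec; } ts;  /* time stamp */
    uint32_t caplen;   /* length of portion present in pkt_data */
    uint32_t len;      /* length of the packet as seen on the wire */
};

struct frame_info {
    int truncated;      /* 1 if snaplen cut the packet (caplen < len) */
    int have_eth;       /* Ethernet header fully present */
    uint16_t ethertype;
    int have_ipv4;      /* IPv4 header fully present */
    uint8_t proto;
    char src[16];
    char dst[16];
};

#define ETH_HLEN        14
#define ETHERTYPE_IPV4  0x0800
#define IPV4_MIN_HLEN   20

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse only what was actually captured. Returns -1 when not even the Ethernet
 * header is present, 0 otherwise; the have_* flags say which fields are valid.
 * Every bound is checked against caplen: checking len instead would read past
 * the end of the buffer the capture library handed us. */
int parse_frame(const struct cap_pkthdr *h, const uint8_t *pkt, struct frame_info *out)
{
    const uint8_t *ip;
    uint32_t ihl;

    memset(out, 0, sizeof *out);
    out->truncated = h->caplen < h->len;

    if (h->caplen < ETH_HLEN)
        return -1;
    out->have_eth = 1;
    out->ethertype = be16(pkt + 12);
    if (out->ethertype != ETHERTYPE_IPV4)
        return 0;

    ip = pkt + ETH_HLEN;
    if (h->caplen < ETH_HLEN + IPV4_MIN_HLEN)
        return 0;                       /* IPv4 header cut off by snaplen */
    ihl = (uint32_t)(ip[0] & 0x0f) * 4u;
    if (ihl < IPV4_MIN_HLEN || h->caplen < ETH_HLEN + ihl)
        return 0;                       /* options claimed but not captured */

    out->have_ipv4 = 1;
    out->proto = ip[9];
    snprintf(out->src, sizeof out->src, "%u.%u.%u.%u", ip[12], ip[13], ip[14], ip[15]);
    snprintf(out->dst, sizeof out->dst, "%u.%u.%u.%u", ip[16], ip[17], ip[18], ip[19]);
    return 0;
}

/* Constructed sample frame (not captured from a real network): Ethernet + IPv4 +
 * UDP 192.168.1.10:1234 -> 10.0.0.1:53 with 18 payload bytes, 60 bytes total. */
static const uint8_t sample_frame[60] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x2e, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,            /* IPv4, proto 17 */
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01,                                 /* src, dst */
    0x04,0xd2,0x00,0x35, 0x00,0x1a,0x00,0x00,                                 /* UDP */
    'q','u','e','r','y',' ','p','a','y','l','o','a','d',' ','h','e','r','e'    /* payload */
};

/* Model what pcap_open_live(..., snaplen, ...) would deliver for the sample
 * frame: caplen = min(snaplen, len). Returns parse_frame()'s result. */
int simulate_capture(uint32_t snaplen, struct frame_info *out)
{
    struct cap_pkthdr h;
    h.ts.tv_sec = 0;
    h.ts.tv_usec = 0;
    h.len = sizeof sample_frame;
    h.caplen = snaplen < h.len ? snaplen : h.len;
    return parse_frame(&h, sample_frame, out);
}

int main(void)
{
    static const uint32_t snaplens[] = { 65536, 20, 8 };
    size_t i;
    for (i = 0; i < sizeof snaplens / sizeof snaplens[0]; i++) {
        struct frame_info fi;
        int rc = simulate_capture(snaplens[i], &fi);
        printf("snaplen %u: rc=%d truncated=%d eth=%d ipv4=%d",
               snaplens[i], rc, fi.truncated, fi.have_eth, fi.have_ipv4);
        if (fi.have_ipv4)
            printf(" proto=%u %s -> %s", fi.proto, fi.src, fi.dst);
        printf("\n");
    }
    return 0;
}
```

With snaplen 65536 the whole 60-byte frame arrives and the IPv4 addresses are decoded; with snaplen 20 only the Ethernet header is trusted and the IPv4 fields are reported as absent rather than read from beyond caplen; with snaplen 8 the handler refuses to parse at all. The same caplen checks belong in a real pcap_handler, where the header is the struct pcap_pkthdr passed by pcap_loop().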
