Once you have physical access to traffic on the network, you need software to record it. Here we look at the two libraries most commonly used to capture, parse, and analyze packets, Libpcap and WinPcap, and introduce tools built on them, including Tcpdump and Wireshark.
Libpcap and WinPcap
Libpcap is a C function library for UNIX that provides an API for capturing and filtering frames from any network interface at the data link layer. Different UNIX systems handle data-link frames with different architectures, so a programmer who wants to write an application that reads or manipulates frames directly at the data link layer, and runs on more than one UNIX, would otherwise have to write frame-access code specific to each UNIX variant. The purpose of Libpcap is to provide an abstraction layer so that programmers can write packet capture and analysis tools that run on all versions of UNIX.
WinPcap is a Libpcap-based library designed for Windows systems. Address: http://www.winpcap.org/
The most popular packet sniffing and analysis tools (Tcpdump, Wireshark, Snort, Nmap, ngrep and many more) are based on the Libpcap library, so they are compatible with each other: packets captured with one tool can be read and analyzed directly by another. Libpcap-based applications share a typical feature: they can capture layer-2 frames from any network interface and store the captured data in a file for later analysis. Other tools can read these "capture files" or "pcap" files and, after filtering the traffic on specific protocol information, write the condensed data to another file for further analysis.
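The interoperability described above rests on the shared pcap savefile format that Libpcap-based tools read and write. As an added example that is not part of the original article, the following Python code parses a pcap image (handling both byte orders and both timestamp resolutions, and rejecting truncated records), keeps only IPv4 frames, and writes the condensed result back out as a new pcap image; the sample frames and timestamps are constructed for illustration, not taken from a real capture.

```python
import struct
MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D  # microsecond / nanosecond timestamp magic

def parse_pcap(data):
    """Parse a pcap image into (linktype, [records]); detects byte order and time resolution."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file: magic %s" % data[:4].hex())
    frac_div = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off - 16))
        records.append({"ts": ts_sec + ts_frac / frac_div, "orig_len": orig_len,
                        "data": data[off:off + incl_len]})
        off += incl_len
    return linktype, records

def write_pcap(linktype, records, snaplen=65535):
    """Serialize records as a little-endian, microsecond-resolution pcap image."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for r in records:
        sec = int(r["ts"]); usec = int(round((r["ts"] - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(r["data"]), r["orig_len"]) + r["data"]
    return out

def ethertype(frame):
    """EtherType of an untagged Ethernet II frame (bytes 12-13, network byte order)."""
    return struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else None

def keep_ipv4_only(pcap_bytes):
    """Read a capture, keep only IPv4 frames (EtherType 0x0800), write a condensed image."""
    linktype, recs = parse_pcap(pcap_bytes)
    return write_pcap(linktype, [r for r in recs if ethertype(r["data"]) == 0x0800])

# Constructed sample, not a real capture: two minimal Ethernet frames, IPv4 then ARP.
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb")  # dst MAC + src MAC
FRAME_IPV4, FRAME_ARP = ETH_HDR + b"\x08\x00\x45" + bytes(19), ETH_HDR + b"\x08\x06" + bytes(28)
SAMPLE = write_pcap(1, [  # linktype 1 = DLT_EN10MB (Ethernet)
    {"ts": 1700000000.000001, "orig_len": len(FRAME_IPV4), "data": FRAME_IPV4},
    {"ts": 1700000000.000500, "orig_len": len(FRAME_ARP), "data": FRAME_ARP}])
```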