Libpcap function library framework and usage
Libpcap (packet capture library) is a library for capturing network packets. Its C interface is used to develop applications that read traffic from a network interface; by putting the NIC into promiscuous mode, a program can capture every datagram passing through the interface, including those whose destination address is not the local machine. The well-known tcpdump is built on libpcap. The functions libpcap provides implement and wrap the packet interception process and present a consistent programming interface across platforms: a program written against the libpcap interface can be used on any platform where libpcap is installed. On Linux, libpcap can use the BPF (Berkeley Packet Filter) mechanism to capture packets with high performance.
The basic steps for developing an application with the libpcap library, and the usage of its key functions, are described below:
- Look up the device
char *pcap_lookupdev(char *errbuf)
Returns the name of a network device (as a string pointer) suitable for passing to pcap_open_live() or pcap_lookupnet(). If the function fails, NULL is returned and the error message is stored in errbuf.
- Obtain the network number and mask
int pcap_lookupnet(char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
Obtains the network number and mask of the specified network device; netp and maskp are pointers to bpf_u_int32 values that receive them. If the function fails, -1 is returned and the error message is stored in errbuf.
- Open the device
pcap_t *pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
Returns a packet capture descriptor used to capture network packets. device is the name of the network device to open. snaplen is the maximum number of bytes captured per packet. promisc specifies whether to put the interface into promiscuous mode. to_ms is the read timeout in milliseconds. ebuf receives the error message when pcap_open_live() returns NULL.
- Compile and set the filter
int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)
Compiles the filter expression in str into a filter program. fp points to a bpf_program structure, which pcap_compile() fills in. optimize controls whether the resulting code is optimized. netmask is the network mask of the local network.
int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
Installs a filter program. fp is a pointer to a bpf_program structure, usually obtained from a pcap_compile() call. Returns -1 on error and 0 on success.
- Capture data packets
int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
Captures and processes packets. cnt is the maximum number of packets to process before the function returns. cnt = -1 processes all packets in one buffer; cnt = 0 processes packets until an error occurs, EOF is reached, or the read times out. callback specifies a callback function that takes three parameters: the u_char pointer passed through from pcap_dispatch() (the user argument), a pointer to a pcap_pkthdr structure, and a u_char pointer to the packet data. On success, the number of packets read is returned; 0 is returned when EOF is read; -1 is returned on error, and pcap_perror() or pcap_geterr() can be called to obtain the error message.
int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
Basically the same as pcap_dispatch(), except that it returns only after cnt packets have been processed or an error occurs; it does not return on a read timeout. If a non-zero timeout was given to pcap_open_live() and pcap_dispatch() is called, pcap_dispatch() returns when the timeout expires. When cnt is negative, pcap_loop() runs forever unless an error occurs.
u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
Captures the next packet: returns a u_char pointer to the next packet's data and fills in h with its header.
- Close the device
void pcap_close(pcap_t *p)
Closes the capture handle p and releases its resources.
- Other auxiliary functions
FILE *pcap_file(pcap_t *p)
Returns the stdio FILE stream of the file opened with p.
int pcap_fileno(pcap_t *p)
Returns the file descriptor of the opened file.