xref: /openbsd/lib/libpcap/pcap_open_live.3 (revision 4bdff4be) 
1.\"	$OpenBSD: pcap_open_live.3,v 1.4 2020/05/29 05:51:19 jmc Exp $
2.\"
3.\" Copyright (c) 1994, 1996, 1997
4.\"	The Regents of the University of California.  All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that: (1) source code distributions
8.\" retain the above copyright notice and this paragraph in its entirety, (2)
9.\" distributions including binary code include the above copyright notice and
10.\" this paragraph in its entirety in the documentation or other materials
11.\" provided with the distribution, and (3) all advertising materials mentioning
12.\" features or use of this software display the following acknowledgement:
13.\" ``This product includes software developed by the University of California,
14.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15.\" the University nor the names of its contributors may be used to endorse
16.\" or promote products derived from this software without specific prior
17.\" written permission.
18.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21.\"
22.Dd $Mdocdate: May 29 2020 $
23.Dt PCAP_OPEN_LIVE 3
24.Os
25.Sh NAME
26.Nm pcap_open_live ,
27.Nm pcap_open_offline ,
28.Nm pcap_dump_open ,
29.Nm pcap_dump_fopen ,
30.Nm pcap_lookupdev ,
31.Nm pcap_lookupnet ,
32.Nm pcap_dispatch ,
33.Nm pcap_loop ,
34.Nm pcap_dump ,
35.Nm pcap_inject ,
36.Nm pcap_sendpacket ,
37.Nm pcap_compile ,
38.Nm pcap_setfilter ,
39.Nm pcap_freecode ,
40.Nm pcap_next ,
41.Nm pcap_next_ex ,
42.Nm pcap_setdirection ,
43.Nm pcap_datalink ,
44.Nm pcap_snapshot ,
45.Nm pcap_is_swapped ,
46.Nm pcap_major_version ,
47.Nm pcap_minor_version ,
48.Nm pcap_stats ,
49.Nm pcap_file ,
50.Nm pcap_fileno ,
51.Nm pcap_get_selectable_fd ,
52.Nm pcap_perror ,
53.Nm pcap_geterr ,
54.Nm pcap_strerror ,
55.Nm pcap_close ,
56.Nm pcap_dump_file ,
57.Nm pcap_dump_ftell ,
58.Nm pcap_dump_flush ,
59.Nm pcap_dump_close ,
60.Nm pcap_breakloop ,
61.Nm pcap_findalldevs ,
62.Nm pcap_freealldevs ,
63.Nm pcap_getnonblock ,
64.Nm pcap_setnonblock ,
65.Nm pcap_set_datalink ,
66.Nm pcap_list_datalinks ,
67.Nm pcap_free_datalinks ,
68.Nm pcap_open_dead ,
69.Nm pcap_fopen_offline ,
70.Nm pcap_lib_version ,
71.Nm pcap_datalink_val_to_name ,
72.Nm pcap_datalink_val_to_description ,
73.Nm pcap_datalink_name_to_val ,
74.Nm pcap_create ,
75.Nm pcap_set_snaplen ,
76.Nm pcap_set_promisc ,
77.Nm pcap_can_set_rfmon ,
78.Nm pcap_set_rfmon ,
79.Nm pcap_set_timeout ,
80.Nm pcap_set_buffer_size ,
81.Nm pcap_set_immediate_mode ,
82.Nm pcap_activate ,
83.Nm pcap_statustostr ,
84.Nm pcap_offline_filter
85.Nd Packet Capture library
86.Sh SYNOPSIS
87.In pcap.h
88.Ft "pcap_t *"
89.Fn pcap_open_live "const char *source" "int snaplen" "int promisc" "int to_ms" "char *errbuf"
90.Ft "pcap_t *"
91.Fn pcap_open_offline "char *fname" "char *errbuf"
92.Ft "pcap_dumper_t *"
93.Fn pcap_dump_open "pcap_t *p" "char *fname"
94.Ft "pcap_dumper_t *"
95.Fn pcap_dump_fopen "pcap_t *p" "FILE *f"
96.Ft "char *"
97.Fn pcap_lookupdev "char *errbuf"
98.Ft int
99.Fn pcap_lookupnet "const char *device" "bpf_u_int32 *netp" "bpf_u_int32 *maskp" "char *errbuf"
100.Ft int
101.Fn pcap_dispatch "pcap_t *p" "int cnt" "pcap_handler callback" "u_char *user"
102.Ft int
103.Fn pcap_loop "pcap_t *p" "int cnt" "pcap_handler callback" "u_char *user"
104.Ft void
105.Fn pcap_dump "u_char *user" "const struct pcap_pkthdr *h" "const u_char *sp"
106.Ft int
107.Fn pcap_inject "pcap_t *p" "const void *buf" "size_t len"
108.Ft int
109.Fn pcap_sendpacket "pcap_t *p" "const u_char *buf" "int size"
110.Ft int
111.Fn pcap_compile "pcap_t *p" "struct bpf_program *program" "const char *buf" "int optimize" "bpf_u_int32 netmask"
112.Ft int
113.Fn pcap_setfilter "pcap_t *p" "struct bpf_program *fp"
114.Ft void
115.Fn pcap_freecode "struct bpf_program *program"
116.Ft "u_char *"
117.Fn pcap_next "pcap_t *p" "struct pcap_pkthdr *h"
118.Ft int
119.Fn pcap_next_ex "pcap_t *p" "struct pcap_pkthdr **pkt_header" "const u_char **pkt_data"
120.Ft int
121.Fn pcap_setdirection "pcap_t *p" "pcap_direction_t d"
122.Ft int
123.Fn pcap_datalink "pcap_t *p"
124.Ft int
125.Fn pcap_snapshot "pcap_t *p"
126.Ft int
127.Fn pcap_is_swapped "pcap_t *p"
128.Ft int
129.Fn pcap_major_version "pcap_t *p"
130.Ft int
131.Fn pcap_minor_version "pcap_t *p"
132.Ft int
133.Fn pcap_stats "pcap_t *p" "struct pcap_stat *ps"
134.Ft "FILE *"
135.Fn pcap_file "pcap_t *p"
136.Ft int
137.Fn pcap_fileno "pcap_t *p"
138.Ft int
139.Fn pcap_get_selectable_fd "pcap_t *p"
140.Ft void
141.Fn pcap_perror "pcap_t *p" "const char *prefix"
142.Ft "char *"
143.Fn pcap_geterr "pcap_t *p"
144.Ft "const char *"
145.Fn pcap_strerror "int errnum"
146.Ft void
147.Fn pcap_close "pcap_t *p"
148.Ft "FILE *"
149.Fn pcap_dump_file "pcap_dumper_t *p"
150.Ft long
151.Fn pcap_dump_ftell "pcap_dumper_t *p"
152.Ft int
153.Fn pcap_dump_flush "pcap_dumper_t *p"
154.Ft void
155.Fn pcap_dump_close "pcap_dumper_t *p"
156.Ft void
157.Fn pcap_breakloop "pcap_t *p"
158.Ft int
159.Fn pcap_findalldevs "pcap_if_t **alldevsp" "char *errbuf"
160.Ft void
161.Fn pcap_freealldevs "pcap_if_t *alldevs"
162.Ft int
163.Fn pcap_getnonblock "pcap_t *p" "char *errbuf"
164.Ft int
165.Fn pcap_setnonblock "pcap_t *p" "int nonblock" "char *errbuf"
166.Ft int
167.Fn pcap_set_datalink "pcap_t *p" "int dlt"
168.Ft int
169.Fn pcap_list_datalinks "pcap_t *p" "int **dlt_buffer"
170.Ft void
171.Fn pcap_free_datalinks "int *dlt_list"
172.Ft pcap_t
173.Fn pcap_open_dead "int linktype" "int snaplen"
174.Ft pcap_t
175.Fn pcap_fopen_offline "FILE *fp" "char *errbuf"
176.Ft const char *
177.Fn pcap_lib_version "void"
178.Ft const char *
179.Fn pcap_datalink_val_to_name "int dlt"
180.Ft const char *
181.Fn pcap_datalink_val_to_description "int dlt"
182.Ft int
183.Fn pcap_datalink_name_to_val "const char *name"
184.Ft "pcap_t *"
185.Fn pcap_create "const char *device" "char *errbuf"
186.Ft int
187.Fn pcap_set_snaplen "pcap_t *p" "int snaplen"
188.Ft int
189.Fn pcap_set_promisc "pcap_t *p" "int promisc"
190.Ft int
191.Fn pcap_can_set_rfmon "pcap_t *p"
192.Ft int
193.Fn pcap_set_rfmon "pcap_t *p" "int rfmon"
194.Ft int
195.Fn pcap_set_timeout "pcap_t *p" "int timeout_ms"
196.Ft int
197.Fn pcap_set_buffer_size "pcap_t *p" "int buffer_size"
198.Ft int
199.Fn pcap_set_immediate_mode "pcap_t *p" "int immediate"
200.Ft int
201.Fn pcap_activate "pcap_t *p"
202.Ft const char *
203.Fn pcap_statustostr "int errnum"
204.Ft int
205.Fn pcap_offline_filter "const struct bpf_program *fp" "const struct pcap_pkthdr *h" "const u_char *pkt"
206.Sh DESCRIPTION
207.Nm
208provides a high level interface to packet capture systems.
209All packets
210on the network, even those destined for other hosts, are accessible
211through this mechanism.
212.Pp
213Note that
214.Fa errbuf
215in
216.Fn pcap_open_live ,
217.Fn pcap_open_offline ,
218.Fn pcap_findalldevs ,
219.Fn pcap_lookupdev ,
220.Fn pcap_lookupnet ,
221.Fn pcap_getnonblock ,
222.Fn pcap_setnonblock ,
223.Fn pcap_fopen_offline ,
224and
225.Fn pcap_create
226is assumed to be able to hold at least
227.Dv PCAP_ERRBUF_SIZE
228chars.
229.Pp
230.Fn pcap_open_live
231is used to obtain a packet capture descriptor to look
232at packets on the network.
233.Fa source
234is a string that specifies the network device to open.
235.Fa snaplen
236specifies the maximum number of bytes to capture from one packet.
237.Fa promisc
238specifies if the interface is to be put into promiscuous mode.
239(Note that even if this parameter is false, the interface
240could well be in promiscuous mode for some other reason.)
241.Fa to_ms
242specifies the read timeout in milliseconds.
243.Fa errbuf
244is used to return error text and is only set when
245.Fn pcap_open_live
246fails and returns
247.Dv NULL .
248.Pp
249.Fn pcap_open_offline
250is called to open a
251.Dq savefile
252for reading.
253.Fa fname
254specifies the name of the file to open.
255The file has the same format as those used by
256.Xr tcpdump 8 .
257.\" and
258.\" .BR tcpslice(1) .
259The name
260.Ql -
261is a synonym for
262.Dv stdin .
263.Fa errbuf
264is used to return error text and is only set when
265.Fn pcap_open_offline
266fails and returns
267.Dv NULL .
268.Pp
269.Fn pcap_dump_open
270is called to open a
271.Dq savefile
272for writing.
273The name
274.Ql -
275is a synonym for
276.Dv stdout .
277.Dv NULL
278is returned on failure.
279.Fa p
280is a
281.Fa pcap
282struct as returned by
283.Fn pcap_open_offline
284or
285.Fn pcap_open_live .
286.Fa fname
287specifies the name of the file to open.
288If
289.Dv NULL
290is returned,
291.Fn pcap_geterr
292can be used to get the error text.
293.Pp
294.Fn pcap_dump_fopen
295allows the use of savefile functions on the already-opened stream
296.Fa f .
297.Pp
298.Fn pcap_lookupdev
299returns a pointer to a network device suitable for use with
300.Fn pcap_open_live
301and
302.Fn pcap_lookupnet .
303If there is an error,
304.Dv NULL
305is returned and
306.Fa errbuf
307is filled in with an appropriate error message.
308.Pp
309.Fn pcap_lookupnet
310is used to determine the network number and mask
311associated with the network device
312.Fa device .
313Both
314.Fa netp
315and
316.Fa maskp
317are
318.Fa bpf_u_int32
319pointers.
320A return of \-1 indicates an error in which case
321.Fa errbuf
322is filled in with an appropriate error message.
323.Pp
324.Fn pcap_dispatch
325is used to collect and process packets.
326.Fa cnt
327specifies the maximum number of packets to process before returning.
328A
329.Fa cnt
330of \-1 processes all the packets received in one buffer.
331A
332.Fa cnt
333of 0 processes all packets until an error occurs, EOF is reached,
334or the read times out (when doing live reads and a non-zero
335read timeout is specified).
336.Fa callback
337specifies a routine to be called with three arguments: a
338.Fa u_char
339pointer which is passed in from
340.Fn pcap_dispatch ,
341a pointer to the
342.Fa pcap_pkthdr
343struct (which precedes the actual network headers and data),
344and a
345.Fa u_char
346pointer to the packet data.
347The number of packets read is returned.
348Zero is returned when EOF is reached in a savefile.
349A return of \-1 indicates an error in which case
350.Fn pcap_perror
351or
352.Fn pcap_geterr
353may be used to display the error text.
354.Pp
355.Fn pcap_dump
356outputs a packet to a save file previously opened using
357.Fn pcap_dump_open
358or
359.Fn pcap_dump_fopen .
360Note that the
361.Fa user
362argument contains the handle to the save file and should be of type
363.Ft "pcap_dumper_t *" .
364This makes
365.Fn pcap_dump
366a suitable callback function for use as an argument to
367.Fn pcap_dispatch .
368.Pp
369.Fn pcap_inject
370uses
371.Xr write 2
372to inject a raw packet through the network interface.
373It returns the number of bytes written or \-1 on failure.
374.Pp
375.Fn pcap_sendpacket
376is an alternate interface for packet injection (provided for compatibility).
377It returns 0 on success or \-1 on failure.
378.Pp
379.Fn pcap_compile
380is used to compile the string
381.Fa buf
382into a filter program.
383.Fa program
384is a pointer to a
385.Fa bpf_program
386struct and is filled in by
387.Fn pcap_compile .
388.Fa optimize
389controls whether optimization on the resulting code is performed.
390.Fa netmask
391specifies the netmask of the local net.
392.Pp
393.Fn pcap_setfilter
394is used to specify a filter program.
395.Fa fp
396is a pointer to an array of
397.Fa bpf_program
398struct, usually the result of a call to
399.Fn pcap_compile .
400\-1
401is returned on failure;
4020
403is returned on success.
404.Pp
405.Fn pcap_freecode
406is used to free up allocated memory pointed to by a
407.Fa bpf_program
408struct generated by
409.Fn pcap_compile
410when that BPF program is no longer needed, for example after it has
411been made the filter program for a pcap structure by a call to
412.Fn pcap_setfilter .
413.Pp
414.Fn pcap_loop
415is similar to
416.Fn pcap_dispatch
417except it keeps reading packets until
418.Fa cnt
419packets are processed or an error occurs.
420It does
421.Em not
422return when live read timeouts occur.
423Rather, specifying a non-zero read timeout to
424.Fn pcap_open_live
425and then calling
426.Fn pcap_loop
427allows the reception and processing of any packets that arrive when the
428timeout occurs.
429A negative
430.Fa cnt
431causes
432.Fn pcap_loop
433to loop forever (or at least until an error occurs).
434.Fn pcap_loop
435may be terminated early through an explicit call to
436.Fn pcap_breakloop .
437In this case, the return value of
438.Fn pcap_loop
439will be \-2.
440.Pp
441.Fn pcap_next
442returns a
443.Fa u_char
444pointer to the next packet.
445.Pp
446.Fn pcap_next_ex
447reads the next packet and returns a success/failure indication: a
448return value of 1 indicates success, 0 means that the timeout was exceeded
449on a live capture, \-1 indicates that an error occurred whilst reading
450the packet and \-2 is returned when there are no more packets to read in a
451savefile.
452.Pp
453.Fn pcap_datalink
454returns the link layer type, e.g., DLT_EN10MB.
455.Pp
456.Fn pcap_snapshot
457returns the snapshot length specified when
458.Fn pcap_open_live
459was called.
460.Pp
461.Fn pcap_is_swapped
462returns true if the current savefile
463uses a different byte order than the current system.
464.Pp
465.Fn pcap_major_version
466returns the major number of the version of the pcap used to write the savefile.
467.Pp
468.Fn pcap_minor_version
469returns the minor number of the version of the pcap used to write the savefile.
470.Pp
471.Fn pcap_file
472returns the stream associated with the savefile.
473.Pp
474.Fn pcap_stats
475returns 0 and fills in a
476.Fa pcap_stat
477struct.
478The values represent packet statistics from the start of the
479run to the time of the call.
480If there is an error or the underlying
481packet capture doesn't support packet statistics, \-1 is returned and
482the error text can be obtained with
483.Fn pcap_perror
484or
485.Fn pcap_geterr .
486.Pp
487.Fn pcap_fileno
488and
489.Fn pcap_get_selectable_fd
490return the file descriptor number of the savefile.
491.Pp
492.Fn pcap_perror
493prints the text of the last pcap library error on
494.Dv stderr ,
495prefixed by
496.Fa prefix .
497.Pp
498.Fn pcap_geterr
499returns the error text pertaining to the last pcap library error.
500.Pp
501.Fn pcap_strerror
502is provided in case
503.Xr strerror 3
504isn't available.
505.Pp
506.Fn pcap_close
507closes the files associated with
508.Fa p
509and deallocates resources.
510.Pp
511.Fn pcap_dump_file
512returns the stream associated with a savefile.
513.Pp
514.Fn pcap_dump_ftell
515returns the current file offset within a savefile.
516.Pp
517.Fn pcap_dump_flush
518ensures that any buffered data has been written to a savefile.
519.Pp
520.Fn pcap_dump_close
521closes the savefile.
522.Pp
523.Fn pcap_findalldevs
524constructs a linked list of network devices that are suitable for
525opening with
526.Fn pcap_open_live .
527.Pp
528.Fn pcap_freealldevs
529frees a list of interfaces built by
530.Fn pcap_findalldevs .
531.Pp
532.Fn pcap_getnonblock
533returns 1 if the capture file descriptor is in non-blocking mode, 0
534if it is in blocking mode, or \-1 on error.
535.Pp
536.Fn pcap_setnonblock
537sets or resets non-blocking mode on a capture file descriptor.
538.Pp
539.Fn pcap_set_datalink
540sets the datalink type on a live capture device that supports multiple
541datalink types.
542.Pp
543.Fn pcap_setdirection
544is used to limit the direction that packets must be flowing in order
545to be captured.
546The direction is either
547.Dv PCAP_D_INOUT ,
548.Dv PCAP_D_IN
549or
550.Dv PCAP_D_OUT .
551Direction is only relevant to live captures.
552When reading from a dump file,
553.Fn pcap_setdirection
554has no effect.
555.Pp
556.Fn pcap_list_datalinks
557returns an array of the supported datalink types for an opened live capture
558device as a \-1 terminated array.
559It is the caller's responsibility to free this list with
560.Fn pcap_free_datalinks ,
561which frees the list of link-layer header types pointed to by
562.Dv dlt_list .
563.Pp
564.Fn pcap_breakloop
565safely breaks out of a
566.Fn pcap_loop .
567This function sets an internal flag and is safe to be called from inside a
568signal handler.
569.Pp
570.Fn pcap_open_dead
571is used for creating a pcap_t structure to use when calling the
572other functions in libpcap.
573It is typically used when just using libpcap for compiling BPF code.
574.Pp
575.Fn pcap_fopen_offline
576may be used to read dumped data from an existing open stream
577.Fa fp .
578.Pp
579.Fn pcap_lib_version
580returns a string describing the version of libpcap.
581.Pp
582.Fn pcap_datalink_val_to_name
583and
584.Fn pcap_datalink_val_to_description
585look up the name or description of a datalink type by number.
586These functions return
587.Dv NULL
588if the specified datalink type is not known.
589.Fn pcap_datalink_name_to_val
590finds the datalink number for a given datalink name.
591Returns \-1 if the name is not known.
592.Pp
593.Fn pcap_create
594is used to create a packet capture handle to look at
595packets on the network.
596The returned handle must be activated with
597.Fn pcap_activate
598before packets can be captured with it; options for the
599capture, such as promiscuous mode, can be set on the handle
600before activating it.
601.Pp
602.Fn pcap_set_snaplen
603sets the snapshot length to be used on a capture handle when the
604handle is activated to
605.Fa snaplen .
606.Pp
607.Fn pcap_set_promisc
608sets whether promiscuous mode should be set on a capture handle
609when the handle is activated.
610If
611.Fa promisc
612is non-zero, promiscuous mode will be set, otherwise it will not be set.
613.Pp
614.Fn pcap_can_set_rfmon
615checks whether monitor mode could be set on a capture handle when the
616handle is activated.
617.Pp
618.Fn pcap_set_rfmon
619sets whether monitor mode should be set on a capture handle
620when the handle is activated.
621If
622.Fa rfmon
623is non-zero, monitor mode will be set, otherwise it will not be set.
624.Pp
625.Fn pcap_set_timeout
626sets the read timeout that will be used on a capture handle when the
627handle is activated to
628.Fa to_ms ,
629which is in units of milliseconds.
630.Pp
631.Fn pcap_set_buffer_size
632sets the buffer size that will be used on a capture handle when the
633handle is activated to
634.Fa buffer_size ,
635which is in units of bytes.
636.Pp
637.Fn pcap_set_immediate_mode
638sets whether immediate mode should be set on a capture handle when
639the handle is activated.
640If
641.Fa immediate
642is non-zero, immediate mode will be set, otherwise it will not be set.
643.Pp
644.Fn pcap_activate
645is used to activate a packet capture handle to look at
646packets on the network, with the options that were set on the handle
647being in effect.
648.Pp
649.Fn pcap_statustostr
650converts a PCAP_ERROR_ or PCAP_WARNING_ value returned by a libpcap
651routine to an error string.
652.Pp
653.Fn pcap_offline_filter
654checks whether a filter matches a packet.
655.Sh SEE ALSO
656.Xr pcap-filter 5 ,
657.Xr tcpdump 8
658.\" , tcpslice(1)
659.Sh AUTHORS
660.An -nosplit
661.An Van Jacobson ,
662.An Craig Leres ,
663and
664.An Steven McCanne ,
665all of the
666Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
667