diff options
Diffstat (limited to 'contrib/libpcap/pcap.3')
| -rw-r--r-- | contrib/libpcap/pcap.3 | 471 |
1 files changed, 435 insertions, 36 deletions
diff --git a/contrib/libpcap/pcap.3 b/contrib/libpcap/pcap.3 index 2ef8026..7aad4a1 100644 --- a/contrib/libpcap/pcap.3 +++ b/contrib/libpcap/pcap.3 @@ -1,4 +1,4 @@ -.\" @(#) $Header: /tcpdump/master/libpcap/pcap.3,v 1.31 2001/12/29 21:57:07 guy Exp $ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap.3,v 1.51.2.9 2004/03/28 21:45:32 fenner Exp $ .\" .\" Copyright (c) 1994, 1996, 1997 .\" The Regents of the University of California. All rights reserved. @@ -19,7 +19,7 @@ .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" -.TH PCAP 3 "3 January 2001" +.TH PCAP 3 "27 February 2004" .SH NAME pcap \- Packet Capture library .SH SYNOPSIS @@ -34,12 +34,12 @@ char errbuf[PCAP_ERRBUF_SIZE]; .ft .LP .ft B -pcap_t *pcap_open_live(char *device, int snaplen, +pcap_t *pcap_open_live(const char *device, int snaplen, .ti +8 int promisc, int to_ms, char *errbuf) pcap_t *pcap_open_dead(int linktype, int snaplen) -pcap_t *pcap_open_offline(char *fname, char *errbuf) -pcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname) +pcap_t *pcap_open_offline(const char *fname, char *errbuf) +pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname) .ft .LP .ft B @@ -49,9 +49,9 @@ int pcap_getnonblock(pcap_t *p, char *errbuf); .LP .ft B int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf) -void pcap_freealldevs(pcap_if_t *) +void pcap_freealldevs(pcap_if_t *alldevs) char *pcap_lookupdev(char *errbuf) -int pcap_lookupnet(char *device, bpf_u_int32 *netp, +int pcap_lookupnet(const char *device, bpf_u_int32 *netp, .ti +8 bpf_u_int32 *maskp, char *errbuf) .ft @@ -77,13 +77,23 @@ void pcap_freecode(struct bpf_program *); .ft .LP .ft B -u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h) +const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h) +int pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header, +.ti +8 +const u_char **pkt_data) +.ft +.LP +.ft B +void pcap_breakloop(pcap_t *) .ft .LP .ft B int pcap_datalink(pcap_t *p) int pcap_list_datalinks(pcap_t *p, int **dlt_buf); int pcap_set_datalink(pcap_t *p, int dlt); +int pcap_datalink_name_to_val(const char *name); +const char *pcap_datalink_val_to_name(int dlt); +const char *pcap_datalink_val_to_description(int dlt); int pcap_snapshot(pcap_t *p) int pcap_is_swapped(pcap_t *p) int pcap_major_version(pcap_t *p) @@ -91,13 +101,17 @@ int pcap_minor_version(pcap_t *p) int pcap_stats(pcap_t *p, struct pcap_stat *ps) FILE *pcap_file(pcap_t *p) int pcap_fileno(pcap_t *p) +int pcap_get_selectable_fd(pcap_t *p) void pcap_perror(pcap_t *p, char *prefix) char *pcap_geterr(pcap_t *p) char *pcap_strerror(int error) +const char *pcap_lib_version(void) .ft .LP .ft B void pcap_close(pcap_t *p) +int pcap_dump_flush(pcap_dumper_t *p) +FILE *pcap_dump_file(pcap_dumper_t *p) void pcap_dump_close(pcap_dumper_t *p) .ft .fi @@ -135,7 +149,12 @@ argument of "any" or .B NULL can be used to capture packets from all interfaces. .I snaplen -specifies the maximum number of bytes to capture. +specifies the maximum number of bytes to capture. If this value is less +than the size of a packet that is captured, only the first +.I snaplen +bytes of that packet will be captured and provided as packet data. A +value of 65535 should be sufficient, on most if not all networks, to +capture all the data available from the packet. .I promisc specifies if the interface is to be put into promiscuous mode. (Note that even if this parameter is false, the interface @@ -150,7 +169,11 @@ arrange that the read not necessarily return immediately when a packet is seen, but that it wait for some amount of time to allow more packets to arrive and to read multiple packets from the OS kernel in one operation. Not all platforms support a read timeout; on platforms that -don't, the read timeout is ignored. +don't, the read timeout is ignored. A zero value for +.IR to_ms , +on platforms that support a read timeout, +will cause a read to wait forever to allow enough packets to +arrive, with no timeout. .I errbuf is used to return error or warning text. It will be set to error text when .B pcap_open_live() @@ -331,6 +354,13 @@ to by may be null if the interface isn't a point-to-point interface .RE .PP +.B \-1 +is returned on failure, in which case +.B errbuf +is filled in with an appropriate error message; +.B 0 +is returned on success. +.PP .B pcap_freealldevs() is used to free a list allocated by .BR pcap_findalldevs() . @@ -379,12 +409,45 @@ a .I u_char pointer which is passed in from .BR pcap_dispatch() , -a pointer to the -.I pcap_pkthdr -struct (which precede the actual network headers and data), +a +.I const struct pcap_pkthdr +pointer to a structure with the following members: +.RS +.TP +.B ts +a +.I struct timeval +containing the time when the packet was captured +.TP +.B caplen +a +.I bpf_u_int32 +giving the number of bytes of the packet that are available from the +capture +.TP +.B len +a +.I bpf_u_int32 +giving the length of the packet, in bytes (which might be more than the +number of bytes available from the capture, if the length of the packet +is larger than the maximum number of bytes to capture) +.RE +.PP and a -.I u_char -pointer to the packet data. +.I const u_char +pointer to the first +.B caplen +(as given in the +.I struct pcap_pkthdr +a pointer to which is passed to the callback routine) +bytes of data from the packet (which won't necessarily be the entire +packet; to capture the entire packet, you will have to provide a value +for +.I snaplen +in your call to +.B pcap_open_live() +that is sufficiently large to get all of the packet's data - a value of +65535 should be sufficient on most if not all networks). .PP The number of packets read is returned. 0 is returned if no packets were read from a live capture (if, for @@ -399,6 +462,14 @@ an error in which case or .B pcap_geterr() may be used to display the error text. +A return of \-2 indicates that the loop terminated due to a call to +.B pcap_breakloop() +before any packets were processed. +.ft B +If your application uses pcap_breakloop(), +make sure that you explicitly check for \-1 and \-2, rather than just +checking for a return value < 0. +.ft R .PP .BR NOTE : when reading a live capture, @@ -433,7 +504,17 @@ A negative .I cnt causes .B pcap_loop() -to loop forever (or at least until an error occurs). +to loop forever (or at least until an error occurs). \-1 is returned on +an error; 0 is returned if +.I cnt +is exhausted; \-2 is returned if the loop terminated due to a call to +.B pcap_breakloop() +before any packets were processed. +.ft B +If your application uses pcap_breakloop(), +make sure that you explicitly check for \-1 and \-2, rather than just +checking for a return value < 0. +.ft R .PP .B pcap_next() reads the next packet (by calling @@ -445,6 +526,107 @@ of 1) and returns a pointer to the data in that packet. (The .I pcap_pkthdr struct for that packet is not supplied.) +.B NULL +is returned if an error occured, or if no packets were read from a live +capture (if, for example, they were discarded because they didn't pass +the packet filter, or if, on platforms that support a read timeout that +starts before any packets arrive, the timeout expires before any packets +arrive, or if the file descriptor for the capture device is in +non-blocking mode and no packets were available to be read), or if no +more packets are available in a ``savefile.'' Unfortunately, there is +no way to determine whether an error occured or not. +.PP +.B pcap_next_ex() +reads the next packet and returns a success/failure indication: +.RS +.TP +1 +the packet was read without problems +.TP +0 +packets are being read from a live capture, and the timeout expired +.TP +\-1 +an error occurred while reading the packet +.TP +\-2 +packets are being read from a ``savefile'', and there are no more +packets to read from the savefile. +.RE +.PP +If the packet was read without problems, the pointer pointed to by the +.I pkt_header +argument is set to point to the +.I pcap_pkthdr +struct for the packet, and the +pointer pointed to by the +.I pkt_data +argument is set to point to the data in the packet. +.PP +.B pcap_breakloop() +sets a flag that will force +.B pcap_dispatch() +or +.B pcap_loop() +to return rather than looping; they will return the number of packets +that have been processed so far, or \-2 if no packets have been +processed so far. +.PP +This routine is safe to use inside a signal handler on UNIX or a console +control handler on Windows, as it merely sets a flag that is checked +within the loop. +.PP +The flag is checked in loops reading packets from the OS - a signal by +itself will not necessarily terminate those loops - as well as in loops +processing a set of packets returned by the OS. +.ft B +Note that if you are catching signals on UNIX systems that support +restarting system calls after a signal, and calling pcap_breakloop() +in the signal handler, you must specify, when catching those signals, +that system calls should NOT be restarted by that signal. Otherwise, +if the signal interrupted a call reading packets in a live capture, +when your signal handler returns after calling pcap_breakloop(), the +call will be restarted, and the loop will not terminate until more +packets arrive and the call completes. +.PP +Note also that, in a multi-threaded application, if one thread is +blocked in +.BR pcap_dispatch() , +.BR pcap_loop() , +.BR pcap_next() , +or +.BR pcap_next_ex() , +a call to +.B pcap_breakloop() +in a different thread will not unblock that thread; you will need to use +whatever mechanism the OS provides for breaking a thread out of blocking +calls in order to unblock the thread, such as thread cancellation in +systems that support POSIX threads. +.ft R +.PP +Note that +.B pcap_next() +will, on some platforms, loop reading packets from the OS; that loop +will not necessarily be terminated by a signal, so +.B pcap_breakloop() +should be used to terminate packet processing even if +.B pcap_next() +is being used. +.PP +.B pcap_breakloop() +does not guarantee that no further packets will be processed by +.B pcap_dispatch() +or +.B pcap_loop() +after it is called; at most one more packet might be processed. +.PP +If \-2 is returned from +.B pcap_dispatch() +or +.BR pcap_loop() , +the flag is cleared, so a subsequent call will resume reading packets. +If a positive number is returned, the flag is not cleared, so a +subsequent call will return \-2 and clear the flag. .PP .B pcap_dump() outputs a packet to the ``savefile'' opened with @@ -472,8 +654,14 @@ struct and is filled in by .I optimize controls whether optimization on the resulting code is performed. .I netmask -specifies the netmask of the local net. -A return of \-1 indicates an error in which case +specifies the IPv4 netmask of the network on which packets are being +captured; it is used only when checking for IPv4 broadcast addresses in +the filter program. If the netmask of the network on which packets are +being captured isn't known to the program, or if packets are being +captured on the Linux "any" pseudo-interface that can capture on more +than one network, a value of 0 can be supplied; tests for IPv4 broadcast +addreses won't be done correctly, but all other tests in the filter +program will be OK. A return of \-1 indicates an error in which case .BR pcap_geterr() may be used to display the error text. .PP @@ -529,7 +717,7 @@ BSD loopback encapsulation; the link layer header is a 4-byte field, in .I host byte order, containing a PF_ value from .B socket.h -for the network-layer protocol of the packet +for the network-layer protocol of the packet. .IP Note that ``host byte order'' is the byte order of the machine on which the packets are captured, and the PF_ values are for the OS of the @@ -579,45 +767,48 @@ COMPRESSED_TCP, the compressed TCP/IP datagram header; .RE .RS 5 .LP -for a total of 16 bytes; the uncompressed IP datagram follows the header +for a total of 16 bytes; the uncompressed IP datagram follows the header. .RE .TP 5 .B DLT_PPP PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like framing, with the PPP header following those two bytes, otherwise it's -PPP without framing, and the packet begins with the PPP header +PPP without framing, and the packet begins with the PPP header. .TP 5 .B DLT_FDDI FDDI .TP 5 .B DLT_ATM_RFC1483 RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2 -LLC header +LLC header. .TP 5 .B DLT_RAW -raw IP; the packet begins with an IP header +raw IP; the packet begins with an IP header. .TP 5 .B DLT_PPP_SERIAL PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP -with HDLC framing +with HDLC framing. .TP 5 .B DLT_PPP_ETHER -PPPoE; the packet begins with a PPPoE header, as per RFC 2516 +PPPoE; the packet begins with a PPPoE header, as per RFC 2516. .TP 5 .B DLT_C_HDLC -Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547 +Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547. .TP 5 .B DLT_IEEE802_11 IEEE 802.11 wireless LAN .TP 5 +.B DLT_FRELAY +Frame Relay +.TP 5 .B DLT_LOOP OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in .I network byte order, containing a PF_ value from OpenBSD's .B socket.h -for the network-layer protocol of the packet +for the network-layer protocol of the packet. .IP Note that, if a ``savefile'' is being read, those PF_ values are .I not @@ -662,7 +853,131 @@ header or 4 for frames beginning with an 802.2 LLC header. .RE .TP 5 .B DLT_LTALK -Apple LocalTalk; the packet begins with an AppleTalk LLAP header +Apple LocalTalk; the packet begins with an AppleTalk LLAP header. +.TP 5 +.B DLT_PFLOG +OpenBSD pflog; the link layer header contains, in order: +.RS 10 +.LP +a 1-byte header length, in host byte order; +.LP +a 4-byte PF_ value, in host byte order; +.LP +a 2-byte action code, in network byte order, which is one of: +.RS 5 +.TP 5 +0 +passed +.TP 5 +1 +dropped +.TP 5 +2 +scrubbed +.RE +.LP +a 2-byte reason code, in network byte order, which is one of: +.RS 5 +.TP 5 +0 +match +.TP 5 +1 +bad offset +.TP 5 +2 +fragment +.TP 5 +3 +short +.TP 5 +4 +normalize +.TP 5 +5 +memory +.RE +.LP +a 16-character interface name; +.LP +a 16-character ruleset name (only meaningful if subrule is set); +.LP +a 4-byte rule number, in network byte order; +.LP +a 4-byte subrule number, in network byte order; +.LP +a 1-byte direction, in network byte order, which is one of: +.RS 5 +.TP 5 +0 +incoming or outgoing +.TP 5 +1 +incoming +.TP 5 +2 +outgoing +.RE +.RE +.TP 5 +.B DLT_PRISM_HEADER +Prism monitor mode information followed by an 802.11 header. +.TP 5 +.B DLT_IP_OVER_FC +RFC 2625 IP-over-Fibre Channel, with the link-layer header being the +Network_Header as described in that RFC. +.TP 5 +.B DLT_SUNATM +SunATM devices; the link layer header contains, in order: +.RS 10 +.LP +a 1-byte flag field, containing a direction flag in the uppermost bit, +which is set for packets transmitted by the machine and clear for +packets received by the machine, and a 4-byte traffic type in the +low-order 4 bits, which is one of: +.RS 5 +.TP 5 +0 +raw traffic +.TP 5 +1 +LANE traffic +.TP 5 +2 +LLC-encapsulated traffic +.TP 5 +3 +MARS traffic +.TP 5 +4 +IFMP traffic +.TP 5 +5 +ILMI traffic +.TP 5 +6 +Q.2931 traffic +.RE +.LP +a 1-byte VPI value; +.LP +a 2-byte VCI field, in network byte order. +.RE +.TP 5 +.B DLT_IEEE802_11_RADIO +link-layer information followed by an 802.11 header - see +http://www.shaftnet.org/~pizza/software/capturefrm.txt for a description +of the link-layer information. +.TP 5 +.B DLT_ARCNET_LINUX +ARCNET, with no exception frames, reassembled packets rather than raw +frames, and an extra 16-bit offset field between the destination host +and type bytes. +.TP 5 +.B DLT_LINUX_IRDA +Linux-IrDA packets, with a +.B DLT_LINUX_SLL +header followed by the IrLAP header. .RE .PP .B pcap_list_datalinks() @@ -690,12 +1005,20 @@ name with the .B DLT_ removed, to the corresponding data link type value. The translation is case-insensitive. -is used to set the current data link type of the pcap descriptor -NULL is returned on failure. +.B \-1 +is returned on failure. +.PP +.B pcap_datalink_val_to_name() +translates a data link type value to the corresponding data link type +name. NULL is returned on failure. +.PP +.B pcap_datalink_val_to_description() +translates a data link type value to a short description of that data +link type. NULL is returned on failure. .PP .B pcap_snapshot() returns the snapshot length specified when -.B pcap_open_live +.B pcap_open_live() was called. .PP .B pcap_is_swapped() @@ -703,12 +1026,10 @@ returns true if the current ``savefile'' uses a different byte order than the current system. .PP .B pcap_major_version() -returns the major number of the version of the pcap used to write the -savefile. -.PP +returns the major number of the file format of the savefile; .B pcap_minor_version() -returns the minor number of the version of the pcap used to write the -savefile. +returns the minor number of the file format of the savefile. The +version number is stored in the header of the savefile. .PP .B pcap_file() returns the standard I/O stream of the ``savefile,'' if a ``savefile'' @@ -739,6 +1060,67 @@ if a network device was opened with or \-1, if a ``savefile'' was opened with .BR pcap_open_offline() . .PP +.B pcap_get_selectable_fd() +returns, on UNIX, a file descriptor number for a file descriptor on +which one can +do a +.B select() +or +.B poll() +to wait for it to be possible to read packets without blocking, if such +a descriptor exists, or \-1, if no such descriptor exists. Some network +devices opened with +.B pcap_open_live() +do not support +.B select() +or +.B poll() +(for example, regular network devices on FreeBSD 4.3 and 4.4, and Endace +DAG devices), so \-1 is returned for those devices. +.PP +Note that on most versions of most BSDs (including Mac OS X) +.B select() +and +.B poll() +do not work correctly on BPF devices; +.B pcap_get_selectable_fd() +will return a file descriptor on most of those versions (the exceptions +being FreeBSD 4.3 and 4.4), a simple +.B select() +or +.B poll() +will not return even after a timeout specified in +.B pcap_open_live() +expires. To work around this, an application that uses +.B select() +or +.B poll() +to wait for packets to arrive must put the +.B pcap_t +in non-blocking mode, and must arrange that the +.B select() +or +.B poll() +have a timeout less than or equal to the timeout specified in +.BR pcap_open_live() , +and must try to read packets after that timeout expires, regardless of +whether +.B select() +or +.B poll() +indicated that the file descriptor for the +.B pcap_t +is ready to be read or not. (That workaround will not work in FreeBSD +4.3 and later; however, in FreeBSD 4.6 and later, +.B select() +and +.B poll() +work correctly on BPF devices, so the workaround isn't necessary, +although it does no harm.) +.PP +.B pcap_get_selectable_fd() +is not available on Windows. +.PP .B pcap_perror() prints the text of the last pcap library error on .BR stderr , @@ -760,11 +1142,28 @@ is provided in case .BR strerror (1) isn't available. .PP +.B pcap_lib_version() +returns a pointer to a string giving information about the version of +the libpcap library being used; note that it contains more information +than just a version number. +.PP .B pcap_close() closes the files associated with .I p and deallocates resources. .PP +.B pcap_dump_file() +returns the standard I/O stream of the ``savefile'' opened by +.BR pcap_dump_open(). +.PP +.B pcap_dump_flush() +flushes the output buffer to the ``savefile,'' so that any packets +written with +.B pcap_dump() +but not yet written to the ``savefile'' will be written. +.B \-1 +is returned on error, 0 on success. +.PP .B pcap_dump_close() closes the ``savefile.'' .PP |
