The Packet Capture library provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are accessible through this mechanism. It also supports saving captured packets to a ``savefile'', and reading packets from a ``savefile''.
Opening a capture handle for reading
To open a handle for a live capture, given the name of the network or other
interface on which the capture should be done, call
Pcap.create(PcapIf), set the appropriate options on the
handle, and then activate it with
Pcap.activate() fails, the handle should be closed with
To obtain a list of devices that can be opened for a live capture, call
Pcap.findAllDevs(); the list is automatically freed by
Pcap.lookupDev() will return the first
device on that list that is not a ``loopback'' network interface.
To open a handle for a ``savefile'' from which to read packets, given the
pathname of the ``savefile'', call
Pcap.openOffline(File file); to set up a handle for a
``savefile'', given a FILE * referring to a file already opened for reading,
In order to get a ``fake''
Pcap for use in routines that require a
Pcap as an argument, such as routines to open a ``savefile'' for
writing and to compile a filter expression, call
Pcap.openOffline(File file), and
Pcap.openDead(PcapDlt, int) return a reference to a
Pcap, which is the handle used for reading packets from the capture
stream or the ``savefile'', and for finding out information about the capture
stream or ``savefile''. To close a handle, use
The options that can be set on a capture handle include
- snapshot length
If, when capturing, you capture the entire contents of the packet, that requires more CPU time to copy the packet to your application, more disk and possibly network bandwidth to write the packet data to a file, and more disk space to save the packet. If you don't need the entire contents of the packet - for example, if you are only interested in the TCP headers of packets - you can set the "snapshot length" for the capture to an appropriate value. If the snapshot length is set to snaplen, and snaplen is less than the size of a packet that is captured, only the first snaplen bytes of that packet will be captured and provided as packet data.
A snapshot length of 65535 should be sufficient, on most if not all networks, to capture all the data available from the packet.
The snapshot length is set with
- promiscuous mode
On broadcast LANs such as Ethernet, if the network isn't switched, or if the adapter is connected to a "mirror port" on a switch to which all packets passing through the switch are sent, a network adapter receives all packets on the LAN, including unicast or multicast packets not sent to a network address that the network adapter is configured to recognize.
Normally, the adapter will discard those packets; however, many network adapters support "promiscuous mode", which is a mode in which all packets, even if they are not sent to an address that the adapter recognizes, are provided to the host. This is useful for passively capturing traffic between two or more other hosts for analysis.
Note that even if an application does not set promiscuous mode, the adapter could well be in promiscuous mode for some other reason.
For now, this doesn't work on the "any" device; if an argument of "any" or NULL is supplied, the setting of promiscuous mode is ignored.
Promiscuous mode is set with
- monitor mode
On IEEE 802.11 wireless LANs, even if an adapter is in promiscuous mode, it will supply to the host only frames for the network with which it's associated. It might also supply only data frames, not management or control frames, and might not provide the 802.11 header or radio information pseudo-header for those frames.
In "monitor mode", sometimes also called "rfmon mode" (for "Radio Frequency MONitor"), the adapter will supply all frames that it receives, with 802.11 headers, and might supply a pseudo-header with radio information about the frame as well.
Note that in monitor mode the adapter might disassociate from the network with which it's associated, so that you will not be able to use any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter.
- packet buffer timeout
If, when capturing, packets are delivered as soon as they arrive, the application capturing the packets will be woken up for each packet as it arrives, and might have to make one or more calls to the operating system to fetch each packet.
If, instead, packets are not delivered as soon as they arrive, but are delivered after a short delay (called a "packet buffer timeout"), more than one packet can be accumulated before the packets are delivered, so that a single wakeup would be done for multiple packets, and each set of calls made to the operating system would supply multiple packets, rather than a single packet. This reduces the per-packet CPU overhead if packets are arriving at a high rate, increasing the number of packets per second that can be captured.
The packet buffer timeout is required so that an application won't wait for the operating system's capture buffer to fill up before packets are delivered; if packets are arriving slowly, that wait could take an arbitrarily long period of time.
Not all platforms support a packet buffer timeout; on platforms that don't, the packet buffer timeout is ignored. A zero value for the timeout, on platforms that support a packet buffer timeout, will cause a read to wait forever to allow enough packets to arrive, with no timeout. A negative value is invalid; the result of setting the timeout to a negative value is unpredictable.
NOTE: the packet buffer timeout cannot be used to cause calls that read packets to return within a limited period of time, because, on some platforms, the packet buffer timeout isn't supported, and, on other platforms, the timer doesn't start until at least one packet arrives. This means that the packet buffer timeout should NOT be used, for example, in an interactive application to allow the packet capture loop to ``poll'' for user input periodically, as there's no guarantee that a call reading packets will return after the timeout expires even if no packets have arrived.
The packet buffer timeout is set with
- immediate mode
In immediate mode, packets are always delivered as soon as they arrive, with no buffering. Immediate mode is set with pcap_set_immediate_mode().
- buffer size
Packets that arrive for a capture are stored in a buffer, so that they do not have to be read by the application as soon as they arrive. On some platforms, the buffer's size can be set; a size that's too small could mean that, if too many packets are being captured and the snapshot length doesn't limit the amount of data that's buffered, packets could be dropped if the buffer fills up before the application can read packets from it, while a size that's too large could use more non-pageable operating system memory than is necessary to prevent packets from being dropped.
The buffer size is set with
- timestamp type
On some platforms, the time stamp given to packets on live captures can come from different sources that can have different resolutions or that can have different relationships to the time values for the current time supplied by routines on the native operating system.
The time stamp type is set with
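The snapshot length behaviour described above, shown as an added Python example (not part of jNetPcap or its documentation): it builds a small constructed classic-format ``savefile'' in memory and reports which records were cut to snaplen, a check worth running before relying on payload contents in a capture. The function names, the sample frames and the snaplen of 96 are assumptions made for the example.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic savefile magic, microsecond timestamps

def build_savefile(snaplen, packets, linktype=1):
    """Constructed sample: store packets as a capture with this snaplen would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, wire_bytes in packets:
        kept = wire_bytes[:snaplen]  # only the first snaplen bytes are kept
        out += struct.pack("<IIII", ts_sec, 0, len(kept), len(wire_bytes)) + kept
    return out

def audit_savefile(data):
    """Return (snaplen, records); a record is (index, caplen, wire_len, truncated)."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte savefile header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_USEC:
        order = "<"  # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        order = ">"  # written by a big-endian host
    else:
        raise ValueError("not a classic microsecond-resolution savefile")
    # Remaining header fields: version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, _ = struct.unpack_from(order + "HHiIII", data, 4)
    records, offset, index = [], 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        # Record header: ts_sec, ts_usec, captured length, original length on the wire
        _, _, caplen, wire_len = struct.unpack_from(order + "IIII", data, offset)
        offset += 16
        if caplen > wire_len or offset + caplen > len(data):
            raise ValueError("inconsistent lengths in record %d" % index)
        records.append((index, caplen, wire_len, caplen < wire_len))
        offset += caplen
        index += 1
    return snaplen, records

# Constructed input: a 60-byte frame and a 1514-byte frame captured with snaplen 96.
SAMPLE = build_savefile(96, [(1, bytes(60)), (2, bytes(1514))])

if __name__ == "__main__":
    limit, recs = audit_savefile(SAMPLE)
    for idx, caplen, wire_len, cut in recs:
        print(idx, caplen, wire_len, "TRUNCATED" if cut else "complete")
```
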
Author: Sly Technologies Inc., firstname.lastname@example.org
Packages
- The Packet Capture library provides a high level interface to packet capture systems.
- Various libpcap related constants
- Message services
- Utilities for jNetPcap library
- Provides support for Pcap on Microsoft Windows platforms.