Learn Libpcap with me
----------------------------------------------------------------------
Doggy 2002-05-24 14:07:37

I have recently become interested in network programming and have started to study libpcap, so I am writing down some of what I have learned. It is certainly shallow, but I hope it helps.

Copyright of this article: Doggy (chaujy@x263.net). Non-profit reprinting is welcome; for any other form, please contact the author.

1. Getting started

This part shows how to write the simplest libpcap capture program.

    char ebuf[PCAP_ERRBUF_SIZE];
    pcap_t *pd = pcap_open_live("eth0", 68, 0, 1000, ebuf);

Creates the libpcap capture handle. On error, ebuf returns an error string. ebuf can be NULL (more on this later).

    struct bpf_program fcode;
    pcap_compile(pd, &fcode, NULL, 1, 0);

Compiles the filter rule string into fcode. The string (the third parameter) may be empty; its format is described later.

    pcap_setfilter(pd, &fcode);

Sets the filter rule on pd.

    pcap_loop(pd, 10, eth_printer, NULL);

The main loop: starts capturing and grabs 10 packets (the count is given by the second parameter). Each captured packet is passed to the function eth_printer.

    pcap_close(pd);

Ends the capture.

That is the simplest program. The one unknown in it is the pcap_loop parameter eth_printer, whose type is pcap_handler. pcap_handler is defined as follows:

    typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *, const u_char *);

Of course, you need to include the header:

    #include "pcap.h"

and add -lpcap when compiling. As for how to obtain and install libpcap, I will not go into that.

2. Advanced

The program above now compiles and runs successfully. Next, let us make it a little more practical.

2.1 Other functions

These functions are simple but not essential, so we go through them now.

    char *pcap_lookupdev(char *errbuf);

Finds a network interface device on this machine. On the machine it returns "eth0". It is used before pcap_open_live. It is not very meaningful; anyway, I don't like to use it.

    int pcap_lookupnet(char *, bpf_u_int32 *, bpf_u_int32 *, char *);

The first parameter is the interface name returned by pcap_lookupdev. The second and third parameters are 32-bit unsigned numbers that receive the IP network number and the mask. The last parameter is ebuf.

    int pcap_datalink(pcap_t *);

Returns your network type; for example, DLT_EN10MB is 10 Mb Ethernet. Frustratingly, these constants are not defined in pcap.h. So where are they? I found them ;-)

    int pcap_snapshot(pcap_t *);

Returns the maximum number of bytes captured per packet, as set in pcap_open_live.

    int pcap_stats(pcap_t *, struct pcap_stat *);

Statistics, such as how many packets have been filtered. Look at the definition of struct pcap_stat and you will understand:

    struct pcap_stat {
        u_int ps_recv;   /* number of packets received */
        u_int ps_drop;   /* number of packets dropped */
        u_int ps_ifdrop; /* drops by interface XXX not yet supported */
    };

    int pcap_major_version(pcap_t *);
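Added example (not from the original article, and it does not call libpcap): the bounds check a callback such as eth_printer needs when the snapshot length is small, like the 68 bytes passed to pcap_open_live in section 1, and the link type is DLT_EN10MB. The names eth_payload_off, eth_type and eth_print and the sample frames are made up for this illustration; in a real pcap_handler the caplen and len values come from struct pcap_pkthdr.

```c
#include <stddef.h>
#include <stdio.h>

#define ETH_HDR_LEN    14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define VLAN_TAG_LEN   4       /* 802.1Q tag placed before the real EtherType */
#define ETHERTYPE_VLAN 0x8100
static long rd16(const unsigned char *p) { return ((long)p[0] << 8) | p[1]; } /* big-endian */

/* Offset of the payload after the Ethernet (and optional 802.1Q) header,
 * or -1 when the captured bytes do not cover the whole header. */
long eth_payload_off(const unsigned char *pkt, size_t caplen)
{
    if (pkt == NULL || caplen < ETH_HDR_LEN)
        return -1;
    if (rd16(pkt + 12) != ETHERTYPE_VLAN)
        return ETH_HDR_LEN;
    return caplen >= ETH_HDR_LEN + VLAN_TAG_LEN ? ETH_HDR_LEN + VLAN_TAG_LEN : -1;
}

/* EtherType of the carried protocol in host byte order, or -1 if truncated. */
long eth_type(const unsigned char *pkt, size_t caplen)
{
    long off = eth_payload_off(pkt, caplen);
    return off < 0 ? -1 : rd16(pkt + off - 2);
}

/* Body for a pcap_handler such as eth_printer: with libpcap, pass h->caplen
 * and h->len from struct pcap_pkthdr. Returns 0 if printed, -1 if skipped. */
int eth_print(const unsigned char *pkt, size_t caplen, size_t len)
{
    long type = eth_type(pkt, caplen);
    if (type < 0)
        return -1;              /* header not fully captured: do not read it */
    printf("src %02x:%02x:%02x:%02x:%02x:%02x type 0x%04lx, %zu of %zu bytes\n",
           pkt[6], pkt[7], pkt[8], pkt[9], pkt[10], pkt[11],
           (unsigned long)type, caplen, len);
    return 0;
}

/* Constructed sample frames (not real traffic): ARP broadcast, VLAN-tagged IPv4. */
static const unsigned char arp_frame[] = { 0xff,0xff,0xff,0xff,0xff,0xff,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06, 0x00,0x01 };
static const unsigned char vlan_frame[] = { 0x00,0x11,0x22,0x33,0x44,0x66,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45 };

int main(void)
{
    eth_print(arp_frame, sizeof arp_frame, 60);
    return eth_print(vlan_frame, 16, 64) == -1 ? 0 : 1; /* cut inside the VLAN tag */
}
```

The same rule applies to every deeper header: compare the needed offset against caplen, never against len, because len is the size on the wire and can exceed what was captured.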