LibPCAP Summary

zhaozj  2021-02-16

1. Opening and reading a device, and setting a filter

1.1 pcap_read()

1.2 pcap_t *pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *errbuf);

This function obtains an abstract packet capture handle. Many libpcap functions take this handle, much as file operation functions take a file handle. device specifies the network interface name, such as "eth0". snaplen specifies the maximum number of bytes captured per packet; to keep capture efficiency from dropping, set snaplen just large enough to obtain the protocol-layer data you actually need. promisc specifies whether the interface is put into promiscuous mode; note that even when this parameter is false (0), the interface may still be in promiscuous mode for other reasons. to_ms specifies the read timeout in milliseconds; the documentation does not say which value means never time out, and by experiment 0 appears to be that value. On failure the call returns NULL and errbuf contains the reason.

/usr/include/pcap.h declares

    typedef struct pcap pcap_t;

and pcap-int.h defines struct pcap:

    struct pcap {
        int fd;
        int snapshot;
        int linktype;
        int tzoff;                  /* timezone offset */
        int offset;                 /* offset for proper alignment */
        struct pcap_sf sf;
        struct pcap_md md;
        int bufsize;                /* read buffer */
        u_char *buffer;
        u_char *bp;
        int cc;
        u_char *pkt;                /* place holder for pcap_next() */
        struct bpf_program fcode;   /* placeholder for filter code if bpf not in kernel */
        char errbuf[PCAP_ERRBUF_SIZE];
    };

1.3 int pcap_setfilter(pcap_t *p, struct bpf_program *fp);

This function installs the filter rule.

2. Compiling, optimizing and debugging filter rule expressions

2.1 int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask);

This function parses the filter rule string and fills in the bpf_program structure.

str points to the filter rule string, whose format is described in the tcpdump man page, for example:

    tcpdump -x -vv -n -t 'ip proto \\tcp and tcp[13] & 2 = 2'

This filter rule captures all TCP packets carrying the SYN flag to 192.168.8.90. The filter rule string may be an empty string (""), which matches every packet that passes. Setting optimize to 1 optimizes the filter rule. netmask specifies the subnet mask, usually obtained from a pcap_lookupnet() call. A return value less than zero indicates that the call failed. This function may be harder to understand because of the BPF concept it involves; the Linux system does not have this concept, but libpcap uses pcap_compile() together with pcap_setfilter() to provide filtering across the various link-layer capture mechanisms, whether SOCK_PACKET or DLPI.

3. Offline-mode listening

3.1 pcap_open_offline()

3.2 pcap_offline_read()

4. Local network settings

4.1 char *pcap_lookupdev(char *errbuf);

This function returns a network interface device name, similar to libnet_select_device(); on Linux it is a name such as "eth0". It returns NULL on failure and errbuf contains the reason. errbuf is usually defined as follows:

    /usr/include/pcap.h
    #define PCAP_ERRBUF_SIZE 256

    char errbuf[PCAP_ERRBUF_SIZE];

4.2 int pcap_lookupnet(char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf);

This function obtains the IP address and subnet mask of the specified network interface. Don't be confused by netp's name: it corresponds to the IP address, and maskp corresponds to the subnet mask. /usr/include/pcap.h has

    typedef u_int bpf_u_int32;

which is clearly an unsigned 32-bit integer. On failure it returns -1 and errbuf contains the reason.

5. Main program and version

5.1 pcap_next()

6.

6.1 int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user);

This function captures packets and hands them to a pre-specified handler (callback function). pcap_dispatch() returns once cnt packets have been received; a cnt of -1 means all packets in one buffer are processed. If cnt is 0, it keeps capturing and returns only when an error occurs, EOF is reached, or the read timeout (specified in pcap_open_live()) expires. callback specifies a function of the following type to handle the packets captured by pcap_dispatch():

    typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *, const u_char *);

pcap_dispatch() returns the number of packets captured; if EOF is reached while reading a saved file (from an earlier capture), it returns 0. A return value of -1 indicates an error, which pcap_perror() or pcap_geterr() can then display.
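As an added example (not code from the original article or from libpcap), the following C code re-implements on a constructed frame exactly what the filter in 2.1, "ip proto \\tcp and tcp[13] & 2 = 2", tests, and shows why the snaplen note in 1.2 matters: a packet whose TCP flags byte lies beyond caplen cannot be classified. struct cap_hdr is an assumed stand-in for the caplen/len fields of pcap_pkthdr so that it compiles without pcap.h, and build_frame() and check_case() are helpers invented here.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for struct pcap_pkthdr's caplen/len (assumption; pcap.h is not used). */
struct cap_hdr { uint32_t caplen; uint32_t len; };

/* Returns 1 if the captured bytes are an unfragmented IPv4/TCP packet with SYN set,
 * i.e. what "ip proto \tcp and tcp[13] & 2 = 2" matches; 0 otherwise. Every offset
 * is checked against caplen: if snaplen was too small to include the TCP flags byte,
 * the packet cannot be classified and is reported as no match. */
int is_tcp_syn(const struct cap_hdr *h, const uint8_t *p)
{
    const uint32_t eth_len = 14;
    if (h->caplen < eth_len + 20) return 0;            /* minimal IPv4 header not captured */
    if (p[12] != 0x08 || p[13] != 0x00) return 0;      /* EtherType 0x0800 = IPv4 */
    const uint8_t *ip = p + eth_len;
    uint32_t ihl = (ip[0] & 0x0f) * 4;                 /* IHL field, in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20) return 0;
    if (ip[9] != 6) return 0;                          /* "ip proto \tcp": protocol number 6 */
    if ((ip[6] & 0x1f) != 0 || ip[7] != 0) return 0;   /* tcp[] only applies to fragment offset 0 */
    if (h->caplen < eth_len + ihl + 14) return 0;      /* tcp[13] lies beyond the captured bytes */
    return (p[eth_len + ihl + 13] & 0x02) == 0x02;     /* "tcp[13] & 2 = 2": SYN flag set */
}

/* Builds a constructed 54-byte Ethernet/IPv4/TCP frame to 192.168.8.90 with the given
 * TCP flags byte (sample data, not a real capture). Returns the frame length. */
uint32_t build_frame(uint8_t *buf, uint8_t tcp_flags)
{
    static const uint8_t tmpl[54] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
        0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,           /* IPv4, proto 6 */
        192,168,8,1, 192,168,8,90,                                               /* src, dst */
        0xc0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x00, 0xff,0xff, 0,0, 0,0   /* TCP header */
    };
    memcpy(buf, tmpl, sizeof tmpl);
    buf[14 + 20 + 13] = tcp_flags;                     /* the byte BPF calls tcp[13] */
    return (uint32_t)sizeof tmpl;
}

/* Runs one constructed frame with the given caplen through the check, the way a
 * pcap_handler would see it after pcap_dispatch(); returns is_tcp_syn()'s verdict. */
int check_case(uint8_t tcp_flags, uint32_t caplen)
{
    uint8_t frame[54];
    struct cap_hdr h;
    h.len = build_frame(frame, tcp_flags);
    h.caplen = caplen < h.len ? caplen : h.len;        /* snaplen truncates caplen, not len */
    return is_tcp_syn(&h, frame);
}
```

check_case(0x02, 54) returns 1 for a fully captured SYN frame, while check_case(0x02, 40) returns 0 because a 40-byte snaplen stops before the TCP flags byte.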

Please credit the original URL when reposting: https://www.9cbs.com/read-17829.html
