
Communications Programming Concepts

Packet Capture Library Overview

The Packet Capture Library provides a high-level interface to packet capture systems. In the operating system, the Berkeley Packet Filter (BPF) is the packet capture system. This library provides user-level subroutines that interface with the BPF so that programs can read unprocessed (raw) network traffic. By using the Packet Capture Library, users can write their own network-monitoring tools. Applications that use the Packet Capture Library subroutines must run as the root user. A reference for BPF is UNIX Network Programming, Volume 1: Networking APIs: Sockets and XTI, Second Edition by W. Richard Stevens, 1998.

Performing Packet Capture

To accomplish packet capture, follow these steps:

  1. Decide which network device will be the packet capture device. Use the pcap_lookupdev subroutine to do this.
  2. Obtain a packet capture descriptor by using the pcap_open_live subroutine.
  3. Choose a packet filter. The filter expression identifies which packets you are interested in capturing.
  4. Compile the packet filter into a filter program using the pcap_compile subroutine. The packet filter expression is specified in an ASCII string. Refer to Packet Capture Library Filter Expressions for more information.
  5. After the BPF filter program is compiled, attach it to the packet capture device using the pcap_setfilter subroutine. If the captured packets are to be saved to a file for later processing, open that file, known as the savefile, using the pcap_dump_open subroutine.
  6. Use the pcap_dispatch or pcap_loop subroutine to read the captured packets and call a processing subroutine for each one. This processing subroutine can be the pcap_dump subroutine, if the packets are to be written to a savefile, or some other subroutine you provide.
  7. Call the pcap_close subroutine to clean up the open files and deallocate the resources used by the packet capture descriptor.
