Communications Programming Concepts
Packet Capture Library Overview
The Packet Capture Library provides a high-level interface to packet capture systems.
In the operating system, the Berkeley Packet Filter (BPF) is the packet capture system.
This library provides user-level subroutines that interface with BPF, giving users
access to raw (unprocessed) network traffic. By using the Packet Capture Library, users
can write their own network-monitoring tools. Applications using the Packet Capture Library
subroutines must be run as the root user. A reference for BPF is UNIX Network Programming,
Volume 1: Networking APIs: Sockets and XTI, Second Edition, by W. Richard Stevens, 1998.
Performing Packet Capture
To accomplish packet capture, follow these steps:
- Decide which network device will be the packet capture device. Use the pcap_lookupdev subroutine to do this.
- Obtain a packet capture descriptor by using the pcap_open_live subroutine.
- Choose a packet filter. The filter expression identifies which packets you are interested in capturing.
- Compile the packet filter into a filter program using the pcap_compile subroutine. The packet filter expression is specified as an ASCII string. Refer to Packet Capture Library Filter Expressions for more information.
- After the BPF filter program is compiled, notify the packet capture device of the filter using the pcap_setfilter subroutine. If the packet capture data is to be saved to a file for processing later, open the packet capture data file, known as the savefile, using the pcap_dump_open subroutine.
- Use the pcap_dispatch or pcap_loop subroutine to read in the captured packets and call the subroutine that processes them. This processing subroutine can be the pcap_dump subroutine, if the packets are to be written to a savefile, or some other subroutine you provide.
- Call the pcap_close subroutine to clean up the open files and deallocate the resources used by the packet capture descriptor.