NetBSD/lib/libpcap/pcap.3

.\" $NetBSD: pcap.3,v 1.23 2004/09/28 09:36:14 wiz Exp $
.\
.\" @(#) Header: /tcpdump/master/libpcap/pcap.3,v 1.51.2.9 2004/03/28 21:45:32 fenner Exp
.\"
.\" Copyright (c) 1994, 1996, 1997
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.Dd February 27, 2004
.Os
.Dt PCAP 3
.Sh NAME
.Nm pcap
.Nd packet capture library
.Sh LIBRARY
.Lb libpcap
.Sh SYNOPSIS
.In pcap.h
.Vt char errbuf[PCAP_ERRBUF_SIZE] ;
.Ft pcap_t *
.Fn pcap_open_live "const char *device" "int snaplen" "int promisc" \
"int to_ms" "char *errbuf"
.Ft pcap_t *
.Fn pcap_open_dead "int linktype" "int snaplen"
.Ft pcap_t *
.Fn pcap_open_offline "const char *fname" "char *errbuf"
.Ft pcap_dumper_t *
.Fn pcap_dump_open "pcap_t *p" "const char *fname"
.Ft int
.Fn pcap_setnonblock "pcap_t *p" "int nonblock" "char *errbuf"
.Ft int
.Fn pcap_getnonblock "pcap_t *p" "char *errbuf"
.Ft int
.Fn pcap_findalldevs "pcap_if_t **alldevsp" "char *ebuf"
.Ft void
.Fn pcap_freealldevs "pcap_if_t *alldevs"
.Ft char *
.Fn pcap_lookupdev "char *errbuf"
.Ft int
.Fn pcap_lookupnet "const char *device" "bpf_u_int32 *netp" \
"bpf_u_int32 *maskp" "char *errbuf"
.Ft int
.Fn pcap_dispatch "pcap_t *p" "int cnt" "pcap_handler callback" "u_char *user"
.Ft int
.Fn pcap_loop "pcap_t *p" "int cnt" "pcap_handler callback" "u_char *user"
.Ft void
.Fn pcap_dump "u_char *user" "struct pcap_pkthdr *h" "u_char *sp"
.Ft int
.Fn pcap_compile "pcap_t *p" "struct bpf_program *fp" \
"char *str" "int optimize" "bpf_u_int32 netmask"
.Ft int
.Fn pcap_compile_nopcap "int snaplen" "int linktype" \
"struct bpf_program *fp" "char *str" "int optimize" \
"bpf_uint32 netmask" "char *errbuf"
.Ft int
.Fn pcap_setfilter "pcap_t *p" "struct bpf_program *fp"
.Ft void
.Fn pcap_freecode "struct bpf_program *"
.Ft const u_char *
.Fn pcap_next "pcap_t *p" "struct pcap_pkthdr *h"
.Ft int
.Fn pcap_next_ex "pcap_t *p" "struct pcap_pkthdr **pkt_header" "const u_char **pkt_data"
.Ft void
.Fn pcap_breakloop "pcap_t *"
.Ft int
.Fn pcap_datalink "pcap_t *p"
.Ft int
.Fn pcap_list_datalinks "pcap_t *p" "int **dlt_buf"
.Ft int
.Fn pcap_set_datalink "pcap_t *p" "int dlt"
.Ft int
.Fn pcap_datalink_name_to_val "const char *name"
.Ft const char *
.Fn pcap_datalink_val_to_name "int dlt"
.Ft const char *
.Fn pcap_datalink_val_to_description "int dlt"
.Ft int
.Fn pcap_snapshot "pcap_t *p"
.Ft int
.Fn pcap_is_swapped "pcap_t *p"
.Ft int
.Fn pcap_major_version "pcap_t *p"
.Ft int
.Fn pcap_minor_version "pcap_t *p"
.Ft int
.Fn pcap_stats "pcap_t *p" "struct pcap_stat *ps"
.Ft FILE *
.Fn pcap_file "pcap_t *p"
.Ft int
.Fn pcap_fileno "pcap_t *p"
.Ft int
.Fn pcap_get_selectable_fd "pcap_t *p"
.Ft void
.Fn pcap_perror "pcap_t *p" "char *prefix"
.Ft char *
.Fn pcap_geterr "pcap_t *p"
.Ft char *
.Fn pcap_strerror "int error"
.Ft const char *
.Fn pcap_lib_version "void"
.Ft void
.Fn pcap_close "pcap_t *p"
.Ft int
.Fn pcap_dump_flush "pcap_dumper_t *p"
.Ft FILE *
.Fn pcap_dump_file "pcap_dumper_t *p"
.Ft void
.Fn pcap_dump_close "pcap_dumper_t *p"
.Sh DESCRIPTION
The
.Nm
library provides a high level interface to packet capture systems.
All packets on the network, even those destined for other hosts, are
accessible through this mechanism.
.Sh ROUTINES
NOTE:
.Fa errbuf
in
.Fn pcap_open_live ,
.Fn pcap_open_dead ,
.Fn pcap_open_offline ,
.Fn pcap_setnonblock ,
.Fn pcap_getnonblock ,
.Fn pcap_findalldevs ,
.Fn pcap_lookupdev ,
and
.Fn pcap_lookupnet
is assumed to be able to hold at least
.Dv PCAP_ERRBUF_SIZE
chars.
.Pp
.Fn pcap_open_live
is used to obtain a packet capture descriptor to look
at packets on the network.
.Fa device
is a string that specifies the network device to open; on Linux systems
with 2.2 or later kernels, a
.Fa device
argument of
.Em any
or
.Dv NULL
can be used to capture packets from all interfaces.
.Fa snaplen
specifies the maximum number of bytes to capture.
If this value is less
than the size of a packet that is captured, only the first
.Fa snaplen
bytes of that packet will be captured and provided as packet data.
A value of
.Li 65535
should be sufficient, on most if not all networks, to
capture all the data available from the packet.
.Fa promisc
specifies if the interface is to be put into promiscuous mode.
(Note that even if this parameter is false, the interface could well be in
promiscuous mode for some other reason.)
For now, this doesn't work on the
.Li any
device; if an argument of
.Em any
or
.Em NULL
is supplied, the
.Fa promisc
flag is ignored.
.Fa to_ms
specifies the read timeout in milliseconds.
The read timeout is used to
arrange that the read not necessarily return immediately when a packet
is seen, but that it wait for some amount of time to allow more packets
to arrive and to read multiple packets from the OS kernel in one
operation.
Not all platforms support a read timeout; on platforms that
don't, the read timeout is ignored.
A zero value for
.Fa to_ms ,
on platforms that support a read timeout,
will cause a read to wait forever to allow enough packets to
arrive, with no timeout.
.Fa errbuf
is used to return error or warning text.  It will be set to error text when
.Fn pcap_open_live
fails and returns
.Em NULL .
.Fa errbuf
may also be set to warning text when
.Fn pcap_open_live
succeeds; to detect this case the caller should store a zero-length string in
.Fa errbuf
before calling
.Fn pcap_open_live
and display the warning to the user if
.Fa errbuf
is no longer a zero-length string.
.Pp
.Fn pcap_open_dead
is used for creating a
.Vt pcap_t
structure to use when calling the other functions in libpcap.
It is typically used when just using libpcap for compiling BPF code.
.Pp
.Fn pcap_open_offline
is called to open a
.Dq savefile
for reading.
.Fa fname
specifies the name of the file to open.
The file has the same format as those used by
.Xr tcpdump 8 .
The name
.Dq \&-
is a synonym for
.Em stdin .
.Fa errbuf
is used to return error text and is only set when
.Fn pcap_open_offline
fails and returns
.Em NULL .
.Pp
.Fn pcap_dump_open
is called to open a
.Dq savefile
for writing.
The name
.Dq \&-
is a synonym
for
.Em stdout .
.Em NULL
is returned on failure.
.Fa p
is a
.Fa pcap
struct as returned by
.Fn pcap_open_offline
or
.Fn pcap_open_live .
.Fa fname
specifies the name of the file to open.
If
.Em NULL
is returned,
.Fn pcap_geterr
can be used to get the error text.
.Pp
.Fn pcap_setnonblock
puts a capture descriptor, opened with
.Fn pcap_open_live ,
into
.Dq non-blocking
mode, or takes it out of
.Dq non-blocking
mode, depending on whether the
.Fa nonblock
argument is non-zero or zero.
It has no effect on
.Dq savefiles .
If there is an error, \-1 is returned and
.Fa errbuf
is filled in with an appropriate error message; otherwise, 0 is
returned.
In
.Dq non-blocking
mode, an attempt to read from the capture descriptor with
.Fn pcap_dispatch
will, if no packets are currently available to be read, return 0
immediately rather than blocking waiting for packets to arrive.
.Fn pcap_loop
and
.Fn pcap_next
will not work in
.Dq non-blocking
mode.
.Pp
.Fn pcap_getnonblock
returns the current
.Dq non-blocking
state of the capture descriptor; it
always returns 0 on
.Dq savefiles .
If there is an error, \-1 is returned and
.Fa errbuf
is filled in with an appropriate error message.
.Pp
.Fn pcap_findalldevs
constructs a list of network devices that can be opened with
.Fn pcap_open_live .
(Note that there may be network devices that cannot be opened with
.Fn pcap_open_live
by the
process calling
.Fn pcap_findalldevs ,
because, for example, that process might not have sufficient privileges
to open them for capturing; if so, those devices will not appear on the
list.)
.Fa alldevsp
is set to point to the first element of the list; each element of the
list is of type
.Vt pcap_if_t ,
and has the following members:
.Bl -tag -width "description" -compact -offset indent
.It Va next
if not
.Dv NULL ,
a pointer to the next element in the list;
.Dv NULL
for the last element of the list
.It Va name
a pointer to a string giving a name for the device to pass to
.Fn pcap_open_live
.It Va description
if not
.Dv NULL ,
a pointer to a string giving a human-readable description of the device
.It Va addresses
a pointer to the first element of a list of addresses for the interface
.It Va flags
interface flags:
.Bl -tag -width "PCAP_IF_LOOPBACK" -compact -offset indent
.It Dv PCAP_IF_LOOPBACK
set if the interface is a loopback interface
.El
.El
.Pp
Each element of the list of addresses is of type
.Vt pcap_addr_t ,
and has the following members:
.Bl -tag -width "broadaddr" -compact -offset indent
.It Va next
if not
.Dv NULL ,
a pointer to the next element in the list;
.Dv NULL
for the last element of the list
.It Va addr
a pointer to a
.Vt "struct sockaddr"
containing an address
.It Va netmask
if not
.Dv NULL ,
a pointer to a
.Vt "struct sockaddr"
that contains the netmask corresponding to the address pointed to by
.Va addr
.It Va broadaddr
if not
.Dv NULL ,
a pointer to a
.Vt "struct sockaddr"
that contains the broadcast address corresponding to the address pointed
to by
.Va addr ;
may be
.Dv NULL if the interface doesn't support broadcasts
.It Va dstaddr
if not
.Dv NULL ,
a pointer to a
.Vt "struct sockaddr"
that contains the destination address corresponding to the address pointed
to by
.Va addr ;
may be null if the interface isn't a point-to-point interface
.El
.Pp
.Em \-1
is returned on failure, in which case
.Fa errbuf
is filled in with an appropriate error message;
.Em 0
is returned on success.
.Pp
.Fn pcap_freealldevs
is used to free a list allocated by
.Fn pcap_findalldevs .
.Pp
.Fn pcap_lookupdev
returns a pointer to a network device suitable for use with
.Fn pcap_open_live
and
.Fn pcap_lookupnet .
If there is an error,
.Em NULL
is returned and
.Fa errbuf
is filled in with an appropriate error message.
.Pp
.Fn pcap_lookupnet
is used to determine the network number and mask
associated with the network device
.Em device .
Both
.Fa netp
and
.Fa maskp
are
.Fa bpf_u_int32
pointers.
A return of \-1 indicates an error in which case
.Fa errbuf
is filled in with an appropriate error message.
.Pp
.Fn pcap_dispatch
is used to collect and process packets.
.Fa cnt
specifies the maximum number of packets to process before returning.
This is not a minimum number; when reading a live capture, only one
bufferful of packets is read at a time, so fewer than
.Fa cnt
packets may be processed.
A
.Fa cnt
of \-1 processes all the packets received in one buffer when reading a
live capture, or all the packets in the file when reading a
.Dq savefile .
A
.Fa cnt
of 0 processes all packets until an error occurs (or
.Em EOF
is reached).
.Fa callback
specifies a routine to be called with three arguments:
a
.Fa u_char
pointer which is passed in from
.Fn pcap_dispatch ,
a
.Vt const struct pcap_pkthdr
pointer to a structure (which precedes the actual network headers
and data) with the following members:
.Bl -tag -width "caplen" -compact -offset indent
.It Va ts
a
.Vt struct timeval
containing the time when the packet was captured
.It Va caplen
a
.Vt bpf_u_int32
giving the number of bytes of the packet that are available from the
capture
.It Va len
a
.Vt bpf_u_int32
giving the length of the packet, in bytes (which might be more than the
number of bytes available from the capture, if the length of the packet
is larger than the maximum number of bytes to capture)
.El
.Pp
and a
.Vt const u_char
pointer to the first
.Va caplen
(as given in the
.Vt struct pcap_pkthdr
a pointer to which is passed to the callback routine)
bytes of data from the packet (which won't necessarily be the entire
packet; to capture the entire packet, you will have to provide a value
for
.Va snaplen
in your call to
.Fn pcap_open_live
that is sufficiently large to get all of the packet's data - a value of
65535 should be sufficient on most if not all networks).
.Pp
The number of packets read is returned.
Zero is returned if no packets were read from a live capture (if, for
example, they were discarded because they didn't pass the packet filter,
or if, on platforms that support a read timeout that starts before any
packets arrive, the timeout expires before any packets arrive, or if the
file descriptor for the capture device is in non-blocking mode and no
packets were available to be read) or if no more packets are available
in a
.Dq savefile .
A return of
.Li \-1
indicates an error in which case
.Fn pcap_perror
or
.Fn pcap_geterr
may be used to display the error text.
A return of
.Li \-2
indicates that the loop terminated due to a call to
.Fn pcap_breakloop
before any packets were processed.
.Bf Em
If your application uses pcap_breakloop(),
make sure that you explicitly check for
.Li \-1
and
.Li \-2 ,
rather than just
checking for a return value
\*(Lt
.Li 0 .
.Ef
.Pp
.Em NOTE :
when reading a live capture,
.Fn pcap_dispatch
will not necessarily return when the read times out; on some platforms,
the read timeout isn't supported, and, on other platforms, the timer
doesn't start until at least one packet arrives.
This means that the read timeout should
.Em not
be used in, for example, an interactive application, to allow the packet
capture loop to
.Dq poll for user input periodically, as there's no
guarantee that
.Fn pcap_dispatch
will return after the timeout expires.
.Pp
.Fn pcap_loop
is similar to
.Fn pcap_dispatch
except it keeps reading packets until
.Va cnt
packets are processed or an error occurs.
It does
.Em not
return when live read timeouts occur.
Rather, specifying a non-zero read timeout to
.Fn pcap_open_live
and then calling
.Fn pcap_dispatch
allows the reception and processing of any packets that arrive when the
timeout occurs.
A negative
.Va cnt
causes
.Fn pcap_loop
to loop forever (or at least until an error occurs).
.Li \-1
is returned on
an error;
.Li 0
is returned if
.Va cnt
is exhausted;
.Li \-2
is returned if the loop terminated due to a call to
.Fn pcap_breakloop
before any packets were processed.
.Bf Em
If your application uses
.Fn pcap_breakloop ,
make sure that you explicitly check for
.Li \-1
and
.Li \-2 ,
rather than just checking for a return value
\*(Lt
.Li 0 .
.Ef
.Pp
.Fn pcap_next
reads the next packet (by calling
.Fn pcap_dispatch
with a
.Va cnt
of 1) and returns a
.Vt u_char
pointer to the data in that packet.  (The
.Vt pcap_pkthdr
struct for that packet is not supplied.)
.Dv NULL
is returned if an error occured, or if no packets were read from a live
capture (if, for example, they were discarded because they didn't pass
the packet filter, or if, on platforms that support a read timeout that
starts before any packets arrive, the timeout expires before any packets
arrive, or if the file descriptor for the capture device is in
non-blocking mode and no packets were available to be read), or if no
more packets are available in a
.Dq savefile .
Unfortunately, there is no way to determine whether an error occured
or not.
.Pp
.Fn pcap_next_ex
reads the next packet and returns a success/failure indication:
.Bl -tag -width "\-1" -compact -offset indent
.It Li 1
the packet was read without problems
.It Li 0
packets are being read from a live capture, and the timeout expired
.It Li \-1
an error occurred while reading the packet
.It Li \-2
packets are being read from a
.Dq savefile ,
and there are no more
packets to read from the savefile.
.El
.Pp
If the packet was read without problems, the pointer pointed to by the
.Va pkt_header
argument is set to point to the
.Va pcap_pkthdr
struct for the packet, and the
pointer pointed to by the
.Va pkt_data
argument is set to point to the data in the packet.
.Pp
.Fn pcap_breakloop
sets a flag that will force
.Fn pcap_dispatch
or
.Fn pcap_loop
to return rather than looping; they will return the number of packets
that have been processed so far, or \-2 if no packets have been
processed so far.
.Pp
This routine is safe to use inside a signal handler on UNIX or a console
control handler on Windows, as it merely sets a flag that is checked
within the loop.
.Pp
The flag is checked in loops reading packets from the OS - a signal by
itself will not necessarily terminate those loops - as well as in loops
processing a set of packets returned by the OS.
.Bf Em
Note that if you are catching signals on UNIX systems that support
restarting system calls after a signal, and calling pcap_breakloop()
in the signal handler, you must specify, when catching those signals,
that system calls should NOT be restarted by that signal.  Otherwise,
if the signal interrupted a call reading packets in a live capture,
when your signal handler returns after calling pcap_breakloop(), the
call will be restarted, and the loop will not terminate until more
packets arrive and the call completes.
.Pp
Note also that, in a multi-threaded application, if one thread is
blocked in
.Fn pcap_dispatch ,
.Fn pcap_loop ,
.Fn pcap_next ,
or
.Fn pcap_next_ex ,
a call to
.Fn pcap_breakloop
in a different thread will not unblock that thread; you will need to use
whatever mechanism the OS provides for breaking a thread out of blocking
calls in order to unblock the thread, such as thread cancellation in
systems that support POSIX threads.
.Ef
.Pp
Note that
.Fn pcap_next
will, on some platforms, loop reading packets from the OS; that loop
will not necessarily be terminated by a signal, so
.Fn pcap_breakloop
should be used to terminate packet processing even if
.Fn pcap_next
is being used.
.Pp
.Fn pcap_breakloop
does not guarantee that no further packets will be processed by
.Fn pcap_dispatch
or
.Fn pcap_loop
after it is called; at most one more packet might be processed.
.Pp
If \-2 is returned from
.Fn pcap_dispatch
or
.Fn pcap_loop ,
the flag is cleared, so a subsequent call will resume reading packets.
If a positive number is returned, the flag is not cleared, so a
subsequent call will return \-2 and clear the flag.
.Pp
.Fn pcap_dump
outputs a packet to the
.Dq savefile
opened with
.Fn pcap_dump_open .
Note that its calling arguments are suitable for use with
.Fn pcap_dispatch
or
.Fn pcap_loop .
If called directly, the
.Fa user
parameter is of type
.Vt pcap_dumper_t
as returned by
.Fn pcap_dump_open .
.Pp
.Fn pcap_compile
is used to compile the string
.Fa str
into a filter program.
.Fa program
is a pointer to a
.Fa bpf_program
struct and is filled in by
.Fn pcap_compile .
.Fa optimize
controls whether optimization on the resulting code is performed.
.Fa netmask
specifies the IPv4 netmask of the network on which packets are being
captured; it is used only when checking for IPv4 broadcast addresses in
the filter program.
If the netmask of the network on which packets are
being captured isn't known to the program, or if packets are being
captured on the Linux "any" pseudo-interface that can capture on more
than one network, a value of 0 can be supplied; tests for IPv4 broadcast
addreses won't be done correctly, but all other tests in the filter
program will be OK.
A return of \-1 indicates an error in which case
.Fn pcap_geterr
may be used to display the error text.
.Pp
.Fn pcap_compile_nopcap
is similar to
.Fn pcap_compile
except that instead of passing a pcap structure, one passes the
snaplen and linktype explicitly.
It is intended to be used for
compiling filters for direct BPF usage, without necessarily having
called
.Fn pcap_open .
A return of \-1 indicates an error; the error text is unavailable.
.Fn ( pcap_compile_nopcap
is a wrapper around
.Fn pcap_open_dead ,
.Fn pcap_compile ,
and
.Fn pcap_close ;
the latter three routines can be used directly in order to get the error
text for a compilation error.)
.Pp
.Fn pcap_setfilter
is used to specify a filter program.
.Fa fp
is a pointer to an array of
.Fa bpf_program
struct, usually the result of a call to
.Fn pcap_compile .
.Em \-1
is returned on failure, in which case
.Fn pcap_geterr
may be used to display the error text;
.Em 0
is returned on success.
.Pp
.Fn pcap_freecode
is used to free up allocated memory pointed to by a
.Fa bpf_program
struct generated by
.Fn pcap_compile
when that BPF program is no longer needed, for example after it
has been made the filter program for a pcap structure by a call to
.Fn pcap_setfilter .
.Pp
.Fn pcap_datalink
returns the link layer type; link layer types it can return include:
.Pp
.Bl -tag -width "DLT_IEEE802_11" -compact -offset indent
.It Dv DLT_NULL
BSD loopback encapsulation; the link layer header is a 4-byte field, in
.Em host
byte order, containing a PF_ value from
.In sys/socket.h
for the network-layer protocol of the packet.
.Pp
Note that
.Dq host byte order
is the byte order of the machine on which the packets are captured,
and the PF_ values are for the OS of the machine on which the
packets are captured; if a live capture is being done,
.Dq host byte order
is the byte order of the machine capturing the packets, and the
PF_ values are those of the OS of the machine capturing the packets,
but if a
.Dq savefile
is being read, the byte order and PF_ values are
.Em not
necessarily those of the machine reading the capture file.
.Pp
.It Dv DLT_EN10MB
Ethernet (10Mb, 100Mb, 1000Mb, and up)
.Pp
.It Dv DLT_IEEE802
IEEE 802.5 Token Ring
.Pp
.It Dv DLT_ARCNET
ARCNET
.Pp
.It Dv DLT_SLIP
SLIP; the link layer header contains, in order:
.Bd -ragged -offset indent -compact
.Pp
a 1-byte flag, which is 0 for packets received by the machine and 1 for
packets sent by the machine;
.Pp
a 1-byte field, the upper 4 bits of which indicate the type of packet,
as per RFC 1144:
.Bl -tag -width "0xNN" -offset indent
.It Li 0x40
an unmodified IP datagram (TYPE_IP);
.It Li 0x70
an uncompressed-TCP IP datagram (UNCOMPRESSED_TCP), with that byte being
the first byte of the raw IP header on the wire, containing the
connection number in the protocol field;
.It Li 0x80
a compressed-TCP IP datagram (COMPRESSED_TCP), with that byte being the
first byte of the compressed TCP/IP datagram header;
.El
.Pp
for UNCOMPRESSED_TCP, the rest of the modified IP header, and for
COMPRESSED_TCP, the compressed TCP/IP datagram header;
.Ed
.Pp
for a total of 16 bytes; the uncompressed IP datagram follows the header.
.Pp
.It Dv DLT_PPP
PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like
framing, with the PPP header following those two bytes, otherwise it's
PPP without framing, and the packet begins with the PPP header.
.Pp
.It Dv DLT_FDDI
FDDI
.Pp
.It Dv DLT_ATM_RFC1483
RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2
LLC header.
.Pp
.It Dv DLT_RAW
raw IP; the packet begins with an IP header.
.Pp
.It Dv DLT_PPP_SERIAL
PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC
framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF
for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP
with HDLC framing.
.Pp
.It Dv DLT_PPP_ETHER
PPPoE; the packet begins with a PPPoE header, as per RFC 2516.
.Pp
.It Dv DLT_C_HDLC
Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547.
.Pp
.It Dv DLT_IEEE802_11
IEEE 802.11 wireless LAN
.Pp
.It Dv DLT_FRELAY
Frame Relay
.Pp
.It Dv DLT_LOOP
.Ox
loopback encapsulation; the link layer header is a 4-byte field, in
.Em network
byte order, containing a PF_ value from
.Ox Ns 's
.In sys/socket.h
for the network-layer protocol of the packet.
.Pp
Note that, if a
.Dq savefile
is being read, those PF_ values are
.Em not
necessarily those of the machine reading the capture file.
.Pp
.It Dv DLT_LINUX_SLL
Linux "cooked" capture encapsulation; the link layer header contains, in
order:
.Bd -ragged -offset indent -compact
.Pp
a 2-byte "packet type", in network byte order, which is one of:
.Bl -tag -width "10" -compact -offset indent
.Pp
.It Li 0
packet was sent to us by somebody else
.It Li 1
packet was broadcast by somebody else
.It Li 2
packet was multicast, but not broadcast, by somebody else
.It Li 3
packet was sent by somebody else to somebody else
.It Li 4
packet was sent by us
.El
.Pp
a 2-byte field, in network byte order, containing a Linux ARPHRD_ value
for the link layer device type;
.Pp
a 2-byte field, in network byte order, containing the length of the
link layer address of the sender of the packet (which could be 0);
.Pp
an 8-byte field containing that number of bytes of the link layer header
(if there are more than 8 bytes, only the first 8 are present);
.Pp
a 2-byte field containing an Ethernet protocol type, in network byte
order, or containing 1 for Novell 802.3 frames without an 802.2 LLC
header or 4 for frames beginning with an 802.2 LLC header.
.Ed
.Pp
.It Dv DLT_LTALK
Apple LocalTalk; the packet begins with an AppleTalk LLAP header.
.Pp
.It Dv DLT_PFLOG
.Ox
pflog; the link layer header contains, in order:
.Bd -ragged -offset indent -compact
.Pp
a 1-byte header length, in host byte order;
.Pp
a 4-byte PF_ value, in host byte order;
.Pp
a 2-byte action code, in network byte order, which is one of:
.Bl -tag -width "10" -compact -offset indent
.Pp
.It Li 0
passed
.It Li 1
dropped
.It Li 2
scrubbed
.El
.Pp
a 2-byte reason code, in network byte order, which is one of:
.Bl -tag -width "10" -compact -offset indent
.Pp
.It Li 0
match
.It Li 1
bad offset
.It Li 2
fragment
.It Li 3
short
.It Li 4
normalize
.It Li 5
memory
.El
.Pp
a 16-character interface name;
.Pp
a 16-character ruleset name (only meaningful if subrule is set);
.Pp
a 4-byte rule number, in network byte order;
.Pp
a 4-byte subrule number, in network byte order;
.Pp
a 1-byte direction, in network byte order, which is one of:
.Bl -tag -width "10" -compact -offset indent
.Pp
.It Li 0
incoming or outgoing
.It Li 1
incoming
.It Li 2
outgoing
.El
.Ed
.Pp
.It Dv DLT_PRISM_HEADER
Prism monitor mode information followed by an 802.11 header.
.Pp
.It Dv DLT_IP_OVER_FC
RFC 2625 IP-over-Fibre Channel, with the link-layer header being the
Network_Header as described in that RFC.
.Pp
.It Dv DLT_SUNATM
SunATM devices; the link layer header contains, in order:
.Bd -ragged -offset indent -compact
.Pp
a 1-byte flag field, containing a direction flag in the uppermost bit,
which is set for packets transmitted by the machine and clear for
packets received by the machine, and a 4-byte traffic type in the
low-order 4 bits, which is one of:
.Bl -tag -width "10" -offset indent
.It Li 0
raw traffic
.It Li 1
LANE traffic
.It Li 2
LLC-encapsulated traffic
.It Li 3
MARS traffic
.It Li 4
IFMP traffic
.It Li 5
ILMI traffic
.It Li 6
Q.2931 traffic
.El
.Pp
a 1-byte VPI value;
.Pp
a 2-byte VCI field, in network byte order.
.Ed
.Pp
.It Dv DLT_IEEE802_11_RADIO
.Xr radiotap 9
information followed by an 802.11 header.
.Pp
.It Dv DLT_ARCNET_LINUX
ARCNET, with no exception frames, reassembled packets rather than raw
frames, and an extra 16-bit offset field between the destination host
and type bytes.
.Pp
.It Dv DLT_LINUX_IRDA
Linux-IrDA packets, with a
.Dv DLT_LINUX_SLL
header followed by the IrLAP header.
.El
.Pp
.Fn pcap_list_datalinks
is used to get a list of the supported data link types of the interface
associated with the pcap descriptor.
.Fn pcap_list_datalinks
allocates an array to hold the list and sets
.Fa *dlt_buf .
The caller is responsible for freeing the array.
.Li \-1
is returned on failure;
otherwise, the number of data link types in the array is returned.
.Pp
.Fn pcap_set_datalink
is used to set the current data link type of the pcap descriptor
to the type specified by
.Fa dlt .
This operation is supported only of the interface associated with
the pcap descriptor supports multiple data link types.
.Li \-1
is returned on failure;
.Em 0
is returned on success.
.Pp
.Fn pcap_loop
is similar to
.Fn pcap_dispatch
except it keeps reading packets until
.Fa cnt
packets are processed or an error occurs.
A negative
.Fa cnt
causes
.Fn pcap_loop
to loop forever (or at least until an error occurs).
.Pp
.Fn pcap_next
returns a
.Vt u_char
pointer to the next packet.
.Pp
.Fn pcap_datalink_name_to_val
translates a data link type name, which is a
.Dv DLT_
name with the
.Dv DLT_
removed, to the corresponding data link type value.  The translation
is case-insensitive.
.Li \-1
is returned on failure.
.Pp
.Fn pcap_datalink_val_to_name
translates a data link type value to the corresponding data link type
name.
.Dv NULL
is returned on failure.
.Pp
.Fn pcap_datalink_val_to_description
translates a data link type value to a short description of that data
link type.
.Dv NULL
is returned on failure.
.Pp
.Fn pcap_snapshot
returns the snapshot length specified when
.Fn pcap_open_live
was called.
.Pp
.Fn pcap_is_swapped
returns true if the current
.Dq savefile
uses a different byte order than the current system.
.Pp
.Fn pcap_major_version
returns the major number of the file format of the savefile;
.Fn pcap_minor_version
returns the minor number of the file format of the savefile.  The
version number is stored in the header of the savefile.
.Pp
.Fn pcap_file
returns the standard I/O stream of the
.Dq savefile ,
if a
.Dq savefile
was opened with
.Fn pcap_open_offline ,
or NULL, if a network device was opened with
.Fn pcap_open_live .
.Pp
.Fn pcap_stats
returns 0 and fills in a
.Vt pcap_stat
struct.
The values represent packet statistics from the start of the
run to the time of the call. If there is an error or the underlying
packet capture doesn't support packet statistics, -1 is returned and
the error text can be obtained with
.Fn pcap_perror
or
.Fn pcap_geterr .
.Fn pcap_stats
is supported only on live captures, not on
.Dq savefiles ;
no statistics are stored in
.Dq savefiles ,
so no statistics are available when reading
from a
.Dq savefile .
.Pp
.Fn pcap_fileno
returns the file descriptor number from which captured packets are read
if a network device was opened with
.Fn pcap_open_live ,
or \-1, if a
.Dq savefile
was opened with
.Fn pcap_open_offline .
.Fn pcap_get_selectable_fd
returns, on UNIX, a file descriptor number for a file descriptor on
which one can
do a
.Fn select
or
.Fn poll
to wait for it to be possible to read packets without blocking, if such
a descriptor exists, or \-1, if no such descriptor exists.  Some network
devices opened with
.Fn pcap_open_live
do not support
.Fn select
or
.Fn poll
(for example, regular network devices on
.Fx 4.3
and 4.4, and Endace
DAG devices), so \-1 is returned for those devices.
.Pp
Note that on most versions of most BSDs (including Mac OS X)
.Fn select
and
.Fn poll
do not work correctly on BPF devices;
.Fn pcap_get_selectable_fd
will return a file descriptor on most of those versions (the exceptions
being
.Fx 4.3
and 4.4), a simple
.Fn select
or
.Fn poll
will not return even after a timeout specified in
.Fn pcap_open_live
expires.  To work around this, an application that uses
.Fn select
or
.Fn poll
to wait for packets to arrive must put the
.Vt pcap_t
in non-blocking mode, and must arrange that the
.Fn select
or
.Fn poll
have a timeout less than or equal to the timeout specified in
.Fn pcap_open_live ,
and must try to read packets after that timeout expires, regardless of
whether
.Fn select
or
.Fn poll
indicated that the file descriptor for the
.Vt pcap_t
is ready to be read or not.
(That workaround will not work in
.Fx 4.3
and later; however, in
.Fx 4.6
and later,
.Fn select
and
.Fn poll
work correctly on BPF devices, so the workaround isn't necessary,
although it does no harm.)
.Pp
.Fn pcap_get_selectable_fd
is not available on Windows.
.Pp
.Fn pcap_perror
prints the text of the last pcap library error on
.Va stderr ,
prefixed by
.Va prefix .
.Pp
.Fn pcap_geterr
returns the error text pertaining to the last pcap library error.
.Em NOTE :
the pointer it returns will no longer point to a valid error message
string after the
.Vt pcap_t
passed to it is closed; you must use or copy the string before closing
the
.Vt pcap_t .
.Pp
.Fn pcap_strerror
is provided in case
.Xr strerror 3
isn't available.
.Pp
.Fn pcap_lib_version
returns a pointer to a string giving information about the version of
the libpcap library being used; note that it contains more information
than just a version number.
.Pp
.Fn pcap_close
closes the files associated with
.Fa p
and deallocates resources.
.Pp
.Fn pcap_dump_file
returns the standard I/O stream of the
.Dq savefile
opened by
.Fn pcap_dump_open .
.Pp
.Fn pcap_dump_flush
flushes the output buffer to the
.Dq savefile ,
so that any packets written with
.Fn pcap_dump
but not yet written to the
.Dq savefile
will be written.
-1 is returned on error, 0 on success.
.Pp
.Fn pcap_dump_close
closes the
.Dq savefile .
.Sh SEE ALSO
.Xr tcpdump 8
.Sh AUTHORS
The original authors are:
.Lp
Van Jacobson,
Craig Leres and
Steven McCanne, all of the
Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
.\" .Lp
.\" The current version is available from "The Tcpdump Group"'s Web site at
.\" .Lp
.\" .RS
.\" .Em http://www.tcpdump.org/
.\" .RE
.\" .Sh BUGS
.\" Please send problems, bugs, questions, desirable enhancements, etc. to:
.\" .Lp
.\" .RS
.\" tcpdump-workers@tcpdump.org
.\" .RE
.\" .Lp
.\" Please send source code contributions, etc. to:
.\" .Lp
.\" .RS
.\" patches@tcpdump.org
.\" .RE