Understanding PCAP Files and Packet Capture - Study Guide
libpcap Library
Overview: Provides a high-level interface to network packet capture systems.
History: Created in the 1990s by McCanne, Leres, and Jacobson at the Lawrence Berkeley
National Laboratory.
Objective: To create a platform-independent API, eliminating the need for system-dependent
packet capture modules in each application.
Languages: Designed to be used from C and C++, but wrappers exist for Perl, Python, Java,
C#, Ruby.
Operating Systems: Runs on most UNIX-like operating systems (Linux, Solaris, BSD, HP-UX)
and on Windows through a port (WinPcap, now unmaintained and superseded by Npcap).
Maintenance: Maintained by the Tcpdump Group.
Resources: Full documentation and source code are available at https://www.tcpdump.org
and https://www.winpcap.org (for WinPcap).
char *pcap_lookupdev(char *errbuf): Returns a pointer to a string containing the name of the
first suitable network device for packet capture, or NULL (with the reason written to errbuf)
if none is found. If the end user does not specify a network interface, pcap_lookupdev picks
one to listen on. The string lives in a static buffer, and the function is deprecated in current
libpcap in favour of pcap_findalldevs(), which returns the full list of capturable devices.
errbuf: A user-supplied buffer to store an error message if something goes wrong. Must be at
least PCAP_ERRBUF_SIZE (currently 256) bytes.
pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf):
Opens a network interface for packet capture. Returns NULL on failure and writes the reason to
errbuf. Opening a device normally requires root or, on Linux, the CAP_NET_RAW capability.
device: Name of the network interface.
snaplen: Maximum number of bytes to capture per packet; anything beyond it is dropped, so
caplen in the packet header can be smaller than len. A value of 65535 is enough to hold any
packet from any ordinary network.
promisc: Whether to put the network interface in promiscuous mode (accepting packets
not destined for it). Specify 1 for promiscuous and 0 for non-promiscuous.
to_ms: Packet buffer timeout in milliseconds: how long the kernel may hold captured packets
before handing the batch to user space. It bounds the latency of a read, not the total capture
time.
errbuf: Error buffer.
const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h): Returns a pointer to the next
packet and fills in *h with its header, or NULL if an error occurred or no packet arrived before
the timeout (pcap_next cannot tell the two apart; pcap_next_ex() can). The returned buffer is
owned by libpcap and is valid only until the next call.
int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user): Collects packets and
processes each one with a user-defined function (callback). Returns 0 once cnt packets have
been processed, -1 on error, or -2 if pcap_breakloop() was called; a negative cnt loops until one
of the latter two happens. The user pointer is passed through unchanged to the callback, which
is how per-capture state reaches it.
int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user): Similar to
pcap_loop, but handles one batch of packets at a time: it returns when the batch delivered by
the kernel has been processed, that is when the to_ms timeout specified in pcap_open_live
elapses or the kernel buffer fills, even if fewer than cnt packets arrived. It returns the number
of packets processed (0 on a timeout with no packets), -1 on error, or -2 after pcap_breakloop();
a cnt of -1 processes every packet in the batch.
void function_name(u_char *user, const struct pcap_pkthdr *pkthdr, const u_char *packet):
This is the prototype for the callback function used with pcap_loop and pcap_dispatch. user is
the pointer given to pcap_loop or pcap_dispatch; packet points to the captured link-layer bytes,
which are valid only for the duration of the call.
struct pcap_pkthdr {
struct timeval ts; // Timestamp of capture
bpf_u_int32 caplen; // Number of bytes that were stored
bpf_u_int32 len; // Total length of the packet
};
caplen is never larger than len. A decoder must bound every read by caplen, because len
describes the packet as it was on the wire, not what is present in memory; reading up to len
on a packet truncated by snaplen is an out-of-bounds read.
For Ethernet networks, the ethertype field in the Ethernet header (bytes 12-13 of an untagged
frame, big-endian) specifies the next protocol. A VLAN-tagged frame carries 0x8100 there and
the real ethertype four bytes later. Common values:
0x0800: IPv4
0x86DD: IPv6
0x0806: ARP
If the network layer is IPv4, the protocol field in the IPv4 header indicates the transport layer
protocol. In IPv6 it is the next header field, which may name an extension header that has to be
walked before the transport header is reached. Common values:
1: ICMP
6: TCP
17: UDP
Application layer protocols are harder to distinguish. TCP port numbers can provide clues
(e.g., port 80 for HTTP), but a port is a convention, not proof: a decoder that trusts the port
alone will misclassify traffic that runs on a non-standard port.
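The following C program is an added example, not code from the study guide or from libpcap. It walks the classic pcap file format (24-byte global header, then 16-byte record headers) and hands every record to a callback with the pcap_handler prototype shown above, which demuxes Ethernet to IPv4/IPv6/ARP and then to TCP/UDP by port. So that it builds without libpcap, struct pcap_pkthdr and the pcap_handler typedef are mirrored locally; the stats struct, the three sample records (a TCP SYN to port 80, a 1514-byte UDP datagram to port 53 cut to a 64-byte snaplen, and an ARP request) and the corrupted copy are all constructed for the example and assume a little-endian file with Ethernet link type.

```c
/* Added example (not from the study guide or libpcap): read the classic pcap file
 * format and hand every record to a pcap_handler-style callback that demuxes
 * Ethernet -> IPv4/IPv6/ARP -> TCP/UDP, reading no further than caplen. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

struct pcap_pkthdr {            /* mirror of the header libpcap hands to callbacks */
    struct timeval ts;          /* capture timestamp */
    uint32_t caplen;            /* bytes present in memory: bound every read by this */
    uint32_t len;               /* bytes that were on the wire */
};
typedef void (*pcap_handler)(unsigned char *, const struct pcap_pkthdr *, const unsigned char *);

struct stats { int records, ipv4, ipv6, arp, other, tcp, udp, http, dns, truncated; };

static uint16_t be16(const unsigned char *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t le32(const unsigned char *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* The callback: classify one Ethernet frame using only the caplen bytes we really have. */
static void classify(unsigned char *user, const struct pcap_pkthdr *h, const unsigned char *pkt)
{
    struct stats *s = (struct stats *)user;
    uint8_t proto = 0; size_t l4 = 0;
    if (h->caplen < h->len) s->truncated++;            /* snaplen cut this packet short */
    if (h->caplen < 14) { s->other++; return; }
    uint16_t ethertype = be16(pkt + 12);               /* untagged frame: no 802.1Q header */
    if (ethertype == 0x0800) {
        s->ipv4++;
        if (h->caplen < 34) return;
        size_t ihl = (size_t)(pkt[14] & 0x0f) * 4;     /* header length from the IHL nibble */
        if (ihl < 20) return;                           /* malformed header */
        proto = pkt[23]; l4 = 14 + ihl;                 /* IPv4 protocol field */
    } else if (ethertype == 0x86DD) {
        s->ipv6++;
        if (h->caplen < 54) return;
        proto = pkt[20]; l4 = 54;                       /* next header; extension headers not walked */
    } else if (ethertype == 0x0806) { s->arp++; return; }
    else { s->other++; return; }
    if (h->caplen < l4 + 4) return;                     /* need both port fields */
    uint16_t dport = be16(pkt + l4 + 2);
    if (proto == 6)       { s->tcp++; if (dport == 80) s->http++; }
    else if (proto == 17) { s->udp++; if (dport == 53) s->dns++; }
}

/* File walker: global header, then (record header + caplen bytes)*.
 * Returns the number of records dispatched, or -1 for a bad or truncated file. */
static int parse_pcap(const unsigned char *buf, size_t n, pcap_handler cb, unsigned char *user)
{
    if (n < 24 || le32(buf) != 0xa1b2c3d4u) return -1;  /* little-endian, microsecond stamps */
    uint32_t snaplen = le32(buf + 16), linktype = le32(buf + 20);
    if (linktype != 1) return -1;                        /* DLT_EN10MB (Ethernet) only */
    size_t off = 24; int count = 0;
    while (off + 16 <= n) {
        struct pcap_pkthdr h;
        h.ts.tv_sec = le32(buf + off); h.ts.tv_usec = le32(buf + off + 4);
        h.caplen = le32(buf + off + 8); h.len = le32(buf + off + 12);
        off += 16;
        /* Inconsistent lengths are how a malformed file turns into an over-read. */
        if (h.caplen > snaplen || h.caplen > h.len || h.caplen > n - off) return -1;
        cb(user, &h, buf + off);
        off += h.caplen; count++;
    }
    return off == n ? count : -1;                        /* trailing partial header = corrupt */
}

/* Constructed sample (not a real trace): LE magic, v2.4, snaplen 64, Ethernet, 3 records. */
static size_t build_sample(unsigned char *out)
{
    static const unsigned char ghdr[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 64,0,0,0, 1,0,0,0};
    static const unsigned char eth_ip[14] = {0,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00};
    static const unsigned char r1[16] = {1,0,0,0, 0,0,0,0, 54,0,0,0, 54,0,0,0};          /* TCP SYN, stored in full */
    static const unsigned char ip_tcp[40] = {0x45,0,0,40, 0,1,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
                                             0xc0,0,0,80, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0, 0,0,0,0};
    static const unsigned char r2[16] = {2,0,0,0, 0,0,0,0, 64,0,0,0, 0xea,0x05,0,0};    /* 1514 on wire, 64 kept */
    static const unsigned char ip_udp[28] = {0x45,0,0x05,0xdc, 0,2,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,3,
                                             0xd0,0,0,53, 0x05,0xc8,0,0};
    static const unsigned char r3[16] = {3,0,0,0, 0,0,0,0, 42,0,0,0, 42,0,0,0};          /* ARP request */
    static const unsigned char eth_arp[14] = {0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06};
    static const unsigned char arp[28] = {0,1, 8,0, 6,4, 0,1, 0x66,0x77,0x88,0x99,0xaa,0xbb, 10,0,0,1, 0,0,0,0,0,0, 10,0,0,2};
    size_t o = 0;
    memcpy(out + o, ghdr, 24); o += 24;
    memcpy(out + o, r1, 16); o += 16; memcpy(out + o, eth_ip, 14); o += 14; memcpy(out + o, ip_tcp, 40); o += 40;
    memcpy(out + o, r2, 16); o += 16; memcpy(out + o, eth_ip, 14); o += 14; memcpy(out + o, ip_udp, 28); o += 28;
    memset(out + o, 0xaa, 22); o += 22;                  /* payload bytes that fit within snaplen */
    memcpy(out + o, r3, 16); o += 16; memcpy(out + o, eth_arp, 14); o += 14; memcpy(out + o, arp, 28); o += 28;
    return o;                                            /* 232 bytes */
}

static struct stats analyse_sample(void)
{
    unsigned char buf[256]; struct stats s = {0};
    size_t n = build_sample(buf);
    s.records = parse_pcap(buf, n, classify, (unsigned char *)&s);
    return s;
}

/* Same capture with record 3's incl_len inflated to 100: the walker must refuse it. */
static int corrupt_sample_result(void)
{
    unsigned char buf[256]; struct stats s = {0};
    size_t n = build_sample(buf);
    buf[24 + 70 + 80 + 8] = 100;
    return parse_pcap(buf, n, classify, (unsigned char *)&s);
}

int main(void)
{
    struct stats s = analyse_sample();
    printf("records=%d ipv4=%d arp=%d tcp=%d udp=%d http=%d dns=%d truncated=%d corrupt=%d\n",
           s.records, s.ipv4, s.arp, s.tcp, s.udp, s.http, s.dns, s.truncated, corrupt_sample_result());
    return 0;
}
```

With libpcap available, classify can be passed unchanged to pcap_loop(p, -1, classify, (u_char *)&s) after pcap_open_live, since its prototype is the one given above, and pcap_open_offline() replaces the hand-written file walker; the walker is here only to show what the record headers contain and why caplen must be checked against snaplen, len and the bytes remaining in the file. The IPv6 branch reads the next header at a fixed offset and does not walk extension headers, so a real decoder needs a loop there.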
1. Malformed Packets:
Filtering Packets
Kernel-Level Filtering: The system's packet filter runs inside the kernel, so packets that do not
match are never copied from kernel space to user space. Filtering there is far cheaper than
capturing everything and discarding it in the application, and on a busy link it is the only way
to avoid dropped packets.
BSD (Berkeley) Packet Filter (BPF): libpcap compiles a filter expression into a BPF program and
attaches it to the capture handle (pcap_compile() and pcap_setfilter()); on systems without a
kernel BPF it runs the same program in user space.
Steps to Set a Filter: