Questions tagged [libpcap]

libpcap is a portable C library (also usable from C++) for capturing network traffic and for reading and writing capture files. It presents one API over the OS-specific capture mechanisms underneath: BPF on the BSDs and macOS, PF_PACKET sockets on Linux, netfilter (nfqueue/nflog), and NPF on Windows via WinPcap/Npcap.

Libpcap was originally developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked.

796 questions
2 votes, 2 answers

How to use Wireshark dissectors in my own application without Wireshark at all?

I'm using libpcap and want to be able to analyze packets, but without Wireshark at all. However, I want to use the Wireshark dissectors. Has anybody done this and can give me an explanation of the needed steps?
Fabian Knapp
2 votes, 2 answers

How to implement tcpdump -i interface arp with libpcap

I want to implement the command tcpdump -i eth0 arp to observe ARP packets on interface eth0 on my Ubuntu. I use libpcap, but the return value of the function pcap_next_ex is always 0. With tcpdump -i eth0 arp at the same time, it can observe arp…
hel
2 votes, 1 answer

x86_64-pc-cygwin/bin/ld: cannot find -lwpcap

The problem message is the following: /usr/lib/gcc/x86_64-pc-cygwin/4.9.3/../../../../x86_64-pc-cygwin/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-pc-cygwin/4.9.3/../../../../lib/libwpcap.a when searching for…
Pong
2 votes, 3 answers

String search in a packet

Assume we capture packets with the C API of libpcap. Is it efficient to parse some payload strings with the string search strstr() at line speed (e.g. Mbps/Gbps)? For example strstr(payload,"User-Agent"); Would it be more efficient to do it with a…
Ioannis Pappas
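
A caveat that matters more than the speed question: the payload pointer libpcap gives you points into a fixed-size capture buffer and is not NUL-terminated, so strstr() on it can read past caplen, and past the end of a packet that the snaplen cut short. The example below is added here and is not code from the question or from libpcap; the HTTP request in it is constructed. It does a length-bounded search and header extraction, and shows what you get when the capture is truncated:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Bounded substring search. libpcap hands you a pointer plus a length
 * (pcap_pkthdr.caplen); the payload is not NUL-terminated and may be cut
 * off by the snaplen, so strstr(payload, "User-Agent") can read past the
 * buffer. Search only the bytes you actually have. Returns the offset of
 * the first match or -1. */
long find_bytes(const uint8_t *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > hlen) return -1;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        /* cheap first-byte check before memcmp; fine for one short needle */
        if (hay[i] == (uint8_t)needle[0] && memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    }
    return -1;
}

/* Pull "Name: value" out of a bounded HTTP header block. Copies the value
 * into `out` (NUL-terminated, truncated to outsz-1) and returns its length
 * as captured, or -1 if the header is not present. A value that runs into
 * the end of the capture is returned as far as it was captured. (A real
 * parser would also anchor the name to the start of a line.) */
long http_header_value(const uint8_t *payload, size_t len, const char *name,
                       char *out, size_t outsz)
{
    if (outsz == 0) return -1;
    long off = find_bytes(payload, len, name);
    if (off < 0) return -1;
    size_t pos = (size_t)off + strlen(name);
    if (pos >= len || payload[pos] != ':') return -1;
    pos++;
    while (pos < len && payload[pos] == ' ') pos++;
    size_t start = pos;
    while (pos < len && payload[pos] != '\r' && payload[pos] != '\n') pos++;
    size_t vlen = pos - start;
    size_t ncopy = vlen < outsz - 1 ? vlen : outsz - 1;
    memcpy(out, payload + start, ncopy);
    out[ncopy] = '\0';
    return (long)vlen;
}

/* Constructed HTTP request standing in for a TCP payload (not captured). */
static const uint8_t sample_http[] =
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: ExampleClient/1.0\r\n"
    "Accept: */*\r\n\r\n";
#define SAMPLE_LEN (sizeof sample_http - 1)  /* drop the literal's NUL */

/* Demo helper: does the User-Agent found within the first `caplen` bytes of
 * the sample equal `expected`? A short caplen simulates a small snaplen. */
int sample_user_agent_is(size_t caplen, const char *expected)
{
    char ua[128];
    if (caplen > SAMPLE_LEN) caplen = SAMPLE_LEN;
    if (http_header_value(sample_http, caplen, "User-Agent", ua, sizeof ua) < 0)
        return 0;
    return strcmp(ua, expected) == 0;
}

int main(void)
{
    char ua[128];
    long n = http_header_value(sample_http, SAMPLE_LEN, "User-Agent", ua, sizeof ua);
    printf("full capture: len=%ld value=\"%s\"\n", n, n < 0 ? "" : ua);
    n = http_header_value(sample_http, 62, "User-Agent", ua, sizeof ua);
    printf("62-byte snap: len=%ld value=\"%s\"\n", n, n < 0 ? "" : ua);
    return 0;
}
```

For many patterns at line rate a bounded single-pattern scan like this is the floor, not the answer: a multi-pattern matcher (Aho-Corasick, or a regex engine fed bounded input) or a BPF filter that only passes traffic of interest to userland is what keeps per-packet cost down. Whatever matcher you use, hand it (payload, caplen - offset), never a bare pointer.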
2 votes, 1 answer

Why does libpcap/tcpdump add/pad '0x00' bytes at the end of IP/TCP packets?

I use both tcpdump and libpcap (a program which uses libpcap) to capture TCP packets, and I notice there are some packets which are padded with additional 0x00 bytes at the end. For example, while the IP length indicated in the IP header says…
lily
2 votes, 1 answer

How does the difference between libevent versions 1.4 and 2.0 influence libpcap events?

I'm using libpcap and libevent in a program. The related source code is: const u_int16_t RELAY_PORT = 8000; pcap_t *create_pcap(const void *dev, pcap_style_t style) { pcap_t *handle; /* Session handle */ struct bpf_program…
lily
2 votes, 4 answers

Smartest way to compare IP addresses quickly?

I have a list of IP addresses, stored like this: char IP_addresses_list[] = { "157.55.130", /* 157.55.130.0/24 */ "157.56.52", /* 157.56.52.0/24 */ "157.12.53", /* 157.12.53.0/24 */ ... }; I get the IP address from the sniffed…
elmazzun
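
Per-packet string comparison against a list of dotted prefixes is both slow and fragile: the address already sits in the IP header as four bytes, and a string prefix such as "10.1.2" also matches "10.1.20.x" unless the trailing dot is included. The example below is added here and is not code from the question: it keeps the list as sorted 32-bit host-order network numbers and answers each lookup with a mask and a binary search. The prefix list is constructed, and every entry is assumed to be a /24 as the question's comments indicate; a mixed-length list would need a longest-prefix structure instead.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Constructed list of /24 networks (not the question's real data). Written
 * as full dotted quads so inet_pton() can parse them; the question's
 * three-octet form would need a ".0" appended first. */
static const char *const blocklist_str[] = {
    "157.55.130.0", "157.56.52.0", "157.12.53.0", "10.0.0.0", "192.0.2.0",
};
#define NBLOCK  (sizeof blocklist_str / sizeof blocklist_str[0])
#define MASK24  0xffffff00u

static uint32_t blocklist[NBLOCK];   /* host-order network numbers, sorted */
static int blocklist_ready = 0;

/* Dotted quad -> host-order uint32. Returns 1 on success, 0 on bad input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Parse and sort once at startup; every packet then costs one mask and one
 * bsearch() instead of a strcmp() against each entry. */
int blocklist_init(void)
{
    for (size_t i = 0; i < NBLOCK; i++) {
        uint32_t v;
        if (!parse_ipv4(blocklist_str[i], &v)) return 0;
        blocklist[i] = v & MASK24;
    }
    qsort(blocklist, NBLOCK, sizeof blocklist[0], cmp_u32);
    blocklist_ready = 1;
    return 1;
}

/* Takes the address exactly as it sits in the IP header (network byte order,
 * e.g. memcpy'd from ip_src), so there is no per-packet string work at all. */
int in_blocklist_n(uint32_t addr_netorder)
{
    if (!blocklist_ready && !blocklist_init()) return 0;
    uint32_t key = ntohl(addr_netorder) & MASK24;
    return bsearch(&key, blocklist, NBLOCK, sizeof blocklist[0], cmp_u32) != NULL;
}

/* String front end for tests and command lines. */
int in_blocklist_str(const char *s)
{
    uint32_t v;
    if (!parse_ipv4(s, &v)) return 0;
    return in_blocklist_n(htonl(v));
}

int main(void)
{
    const char *probe[] = { "157.55.130.77", "157.55.131.1", "192.0.2.255", "8.8.8.8" };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("%-15s %s\n", probe[i], in_blocklist_str(probe[i]) ? "listed" : "not listed");
    return 0;
}
```

In a capture callback you would call in_blocklist_n() with the 32-bit source field copied straight out of the IP header; inet_ntoa()/strcmp() per packet is the slow path the question is trying to escape.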
2 votes, 1 answer

Why redeclare TCP and IP headers in a libpcap program?

In a tutorial program of libpcap I see the following structures: /* IP header */ struct sniff_ip { u_char ip_vhl; u_char ip_tos; u_short ip_len; u_short ip_id; …
elmazzun
2 votes, 1 answer

How to use 802.11 headers with libpcap

I'm attempting to capture a probe request using libpcap. To my understanding a probe request is a management frame. I can capture these with the filter type mgt subtype probe-req. But within pcap_next() what struct do I need to pass in? Do I need to…
James Jeffery
2 votes, 1 answer

Are Berkeley Packet Filter opcode values implementation defined?

Are Berkeley Packet Filter opcode values implementation defined? I always thought of tcpdump/libpcap as authoritative in the BPF arena. I noticed that the Linux kernel and tcpdump read BPF filters differently. The BPF mnemonics and behavior are the…
Crazy Chenz
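
The classic BPF opcode encoding is the same in libpcap's <pcap/bpf.h> and the Linux kernel's <linux/filter.h> (struct bpf_insn and struct sock_filter have the same layout and the same BPF_LD/BPF_JMP/BPF_RET values); what Linux adds are extensions layered on top, not different base opcodes. The example below is added here and is not code from either question or from libpcap: a minimal interpreter for the load/compare/return subset of classic BPF, run over the four-instruction program that tcpdump -dd prints for the filter "arp" on Ethernet (the accept value 262144 is the default snaplen), against two constructed frames.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classic BPF instruction: same layout as struct bpf_insn (libpcap) and
 * struct sock_filter (Linux). */
struct cbpf_insn {
    uint16_t code;   /* opcode */
    uint8_t  jt, jf; /* forward jump offsets if comparison true / false */
    uint32_t k;      /* immediate: offset, constant or return value */
};

/* Opcode encoding: low 3 bits = class; the rest depends on the class. */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_RVAL(c)  ((c) & 0x18)
enum { BPF_LD = 0x00, BPF_JMP = 0x05, BPF_RET = 0x06 };            /* classes */
enum { BPF_W = 0x00, BPF_H = 0x08, BPF_B = 0x10, BPF_ABS = 0x20 };  /* ld size/mode */
enum { BPF_JEQ = 0x10, BPF_K = 0x00 };                              /* jmp op, operand */

/* `tcpdump -dd arp` on an Ethernet capture, default snaplen 262144:
 *   (000) ldh [12]               A = EtherType
 *   (001) jeq #0x806 jt 2 jf 3   ARP?
 *   (002) ret #262144            accept
 *   (003) ret #0                 drop */
static const struct cbpf_insn arp_filter[] = {
    { 0x28, 0, 0, 0x0000000c },   /* BPF_LD  | BPF_H   | BPF_ABS */
    { 0x15, 0, 1, 0x00000806 },   /* BPF_JMP | BPF_JEQ | BPF_K   */
    { 0x06, 0, 0, 0x00040000 },   /* BPF_RET | BPF_K            */
    { 0x06, 0, 0, 0x00000000 },
};
#define ARP_FILTER_LEN (sizeof arp_filter / sizeof arp_filter[0])

/* Interpret a classic BPF program over one packet. Returns the accept length
 * (0 = drop). Unsupported opcodes and loads beyond `len` drop the packet, as
 * the kernel does for out-of-range loads. Jumps only go forward, so the loop
 * always terminates. */
uint32_t cbpf_run(const struct cbpf_insn *prog, size_t ninsn,
                  const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;
    size_t pc = 0;
    while (pc < ninsn) {
        const struct cbpf_insn *in = &prog[pc++];
        size_t k = in->k;
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:
            if (BPF_MODE(in->code) != BPF_ABS) return 0;
            if (BPF_SIZE(in->code) == BPF_W) {
                if (k + 4 > len) return 0;
                A = ((uint32_t)pkt[k] << 24) | ((uint32_t)pkt[k + 1] << 16) |
                    ((uint32_t)pkt[k + 2] << 8) | pkt[k + 3];
            } else if (BPF_SIZE(in->code) == BPF_H) {
                if (k + 2 > len) return 0;
                A = ((uint32_t)pkt[k] << 8) | pkt[k + 1];
            } else if (BPF_SIZE(in->code) == BPF_B) {
                if (k + 1 > len) return 0;
                A = pkt[k];
            } else {
                return 0;
            }
            break;
        case BPF_JMP:
            if (BPF_OP(in->code) != BPF_JEQ || BPF_SRC(in->code) != BPF_K) return 0;
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET:
            if (BPF_RVAL(in->code) != BPF_K) return 0;
            return in->k;
        default:
            return 0;
        }
    }
    return 0; /* ran off the end of the program */
}

/* Constructed frames for the demo (not captured traffic). */
static const uint8_t arp_request[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06, /* type ARP */
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,                   /* who-has */
    0x02,0x00,0x00,0x00,0x00,0x01, 0xc0,0xa8,0x01,0x0a,            /* sender */
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x01,            /* target */
};
static const uint8_t ipv4_frame[34] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* type IPv4 */
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,
};

uint32_t run_arp_filter(const uint8_t *pkt, size_t len)
{
    return cbpf_run(arp_filter, ARP_FILTER_LEN, pkt, len);
}

int main(void)
{
    printf("arp request: %u\n", (unsigned)run_arp_filter(arp_request, sizeof arp_request));
    printf("ipv4 frame:  %u\n", (unsigned)run_arp_filter(ipv4_frame, sizeof ipv4_frame));
    return 0;
}
```

The return value is read as the kernel reads it: non-zero means accept and hand up to that many bytes to userland, zero means drop. On the earlier ARP question: pcap_next_ex() returning 0 means the read timeout expired with no packet passing the filter; it is not an error, and the capture loop should simply call it again.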
2 votes, 0 answers

LibPCap & Packet Drops - Linux

My app uses libpcap to capture UDP packets from various sources. Occasionally the app has to do some heavy computational work (ballpark ~2 seconds)... during this time the app is not 'reading' from libpcap. This is leading to packet drops, but I'm…
user3513346
2 votes, 2 answers

Python and libpcap: find source MAC address of packet

I'm writing a Python program to build a MAC-address cache using pcap. But the pcap module for Python has no good documentation. I have found this page http://pylibpcap.sourceforge.net/ with a code example and it works fine. Can anybody modify this example to…
Shamanu4
2 votes, 1 answer

Negative TCP Sequence Numbers (C, LibPcap, TCP)

I'm working with libpcap and having trouble accessing the sequence number variable from this struct. To get the TCP sequence number I'm now using ntohl(tcp->th_seq) and it gives me some sequence numbers in the positive and they seem to be valid (in…
Crizly
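
Three of the questions above come down to the same few lines of code: the tutorial's own struct sniff_ip / sniff_tcp declarations (used instead of <netinet/ip.h> and <netinet/tcp.h>, whose layouts and field names differ between BSD and Linux), the 0x00 bytes that follow a short IP datagram (Ethernet pads frames to the 60-byte minimum and libpcap hands you the padding too, so the end of the payload is the IP total length, not caplen), and sequence numbers that print negative because they were stored in a signed int (th_seq is an unsigned 32-bit field, and ordering must use wrap-around arithmetic). The example below is added here and is not code from the questions or from the tutorial; it declares packed headers, parses a constructed 60-byte SYN frame with caplen semantics, and reports the padding and the sequence number correctly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Own header definitions, as the libpcap tutorial does, so the code does not
 * depend on the system's ip/tcp headers. Packed so sizeof() matches the wire. */
#define ETHER_HDR_LEN  14
#define ETHERTYPE_IPV4 0x0800
#define IPPROTO_TCP_NO 6

struct __attribute__((packed)) eth_hdr {
    uint8_t  dst[6], src[6];
    uint16_t type;          /* network byte order */
};
struct __attribute__((packed)) ipv4_hdr {
    uint8_t  vhl, tos;      /* version<<4 | header length in 32-bit words; TOS */
    uint16_t len, id, off;  /* total length, identification, flags+frag offset */
    uint8_t  ttl, proto;
    uint16_t sum;
    uint32_t src, dst;
};
#define IP_V(ip)  ((ip)->vhl >> 4)
#define IP_HL(ip) ((ip)->vhl & 0x0f)
struct __attribute__((packed)) tcp_hdr {
    uint16_t sport, dport;
    uint32_t seq, ack;      /* unsigned 32-bit: ntohl() must land in uint32_t */
    uint8_t  offx2, flags;  /* data offset<<4 | reserved; flag bits */
    uint16_t win, sum, urp;
};
#define TH_OFF(th) ((th)->offx2 >> 4)

struct tcp_view {
    uint32_t seq, ack;      /* host order */
    uint16_t sport, dport;
    size_t   payload_off;   /* offset of TCP payload within the frame */
    size_t   payload_len;   /* payload bytes inside the IP datagram */
    size_t   padding;       /* bytes after the IP datagram: link-layer padding */
};

/* Parse Ethernet/IPv4/TCP from `caplen` captured bytes (pcap_pkthdr.caplen).
 * Returns 0 on success, a negative code for anything malformed or truncated. */
int parse_tcp_frame(const uint8_t *pkt, size_t caplen, struct tcp_view *v)
{
    if (caplen < ETHER_HDR_LEN + sizeof(struct ipv4_hdr)) return -1;
    const struct eth_hdr *eth = (const struct eth_hdr *)pkt;
    if (ntohs(eth->type) != ETHERTYPE_IPV4) return -2;
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)(pkt + ETHER_HDR_LEN);
    size_t ip_hl = (size_t)IP_HL(ip) * 4, ip_len = ntohs(ip->len);
    if (IP_V(ip) != 4 || ip_hl < 20 || ip_len < ip_hl) return -3;
    if (ETHER_HDR_LEN + ip_len > caplen) return -4;   /* cut short by snaplen */
    if (ip->proto != IPPROTO_TCP_NO) return -5;
    if (ip_len < ip_hl + sizeof(struct tcp_hdr)) return -6;
    const struct tcp_hdr *th = (const struct tcp_hdr *)(pkt + ETHER_HDR_LEN + ip_hl);
    size_t th_off = (size_t)TH_OFF(th) * 4;
    if (th_off < 20 || ip_hl + th_off > ip_len) return -7;

    v->seq = ntohl(th->seq);          /* stays unsigned; 0xdeadbeef is not negative */
    v->ack = ntohl(th->ack);
    v->sport = ntohs(th->sport);
    v->dport = ntohs(th->dport);
    v->payload_off = ETHER_HDR_LEN + ip_hl + th_off;
    v->payload_len = ip_len - ip_hl - th_off;
    /* Bytes beyond ip_len are not part of the packet: a short frame is padded
     * (usually with 0x00) to the 60-byte Ethernet minimum and libpcap hands
     * you the padding. Use ip_len, not caplen, to bound the payload. */
    v->padding = caplen - ETHER_HDR_LEN - ip_len;
    return 0;
}

/* Sequence numbers wrap modulo 2^32: "a before b" is a forward distance of
 * more than 2^31, never a < b on raw values and never a signed int. */
int seq_before(uint32_t a, uint32_t b) { return (a - b) > 0x7fffffffu; }

/* Constructed 60-byte SYN: 14 Ethernet + 20 IP + 20 TCP + 6 padding. */
static const uint8_t syn_frame[60] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00,      /* len 40, TCP */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,                             /* .1.10 -> .1.1 */
    0xc3,0x50, 0x00,0x50, 0xde,0xad,0xbe,0xef, 0x00,0x00,0x00,0x00,       /* 50000->80, seq */
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00,                           /* off 5, SYN */
    0x00,0x00,0x00,0x00,0x00,0x00,                                        /* padding */
};

int demo_syn_view(struct tcp_view *v) { return parse_tcp_frame(syn_frame, sizeof syn_frame, v); }

int main(void)
{
    struct tcp_view v;
    if (demo_syn_view(&v) != 0) return 1;
    printf("seq as uint32: %u (stored in an int it would read %d)\n", v.seq, (int)v.seq);
    printf("payload %zu bytes at offset %zu, %zu bytes of padding after the datagram\n",
           v.payload_len, v.payload_off, v.padding);
    return 0;
}
```

The checks before each pointer cast are the part that matters for anything fed from a live interface: every header field used as a length or offset (IP header length, IP total length, TCP data offset) is validated against caplen before it is trusted, which is what keeps a malformed or truncated frame from turning into an out-of-bounds read.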
2 votes, 1 answer

Lost in libpcap - how to use setnonblock() / should I use pcap_dispatch() or pcap_next_ex() for realtime?

I'm building a network sniffer that will run on a pfSense for monitoring an IPsec VPN. I'm compiling under FreeBSD 8.4. I've chosen to use libpcap in C for the packet capture engine and Redis as the storage system. There will be hundreds of packets…
bdelphin
2 votes, 2 answers

Does libpcap get a copy of the packet?

Does libpcap get a copy of the packet or the actual packet? By copy, I mean: the application using libpcap gets packet A, and the kernel also gets packet A. By actual, I mean: only the application using libpcap gets packet A, but the kernel didn't…
sivabudh