Questions tagged [libpcap]

Libpcap is a portable C/C++ library for network traffic capture. It provides a common interface across OS-specific capture backends such as BPF, packet filter, netfilter, and NPF.

Libpcap was originally developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked.

796 questions
7 votes · 2 answers

Creating a pcap file

I need to save UDP packets to a file and would like to use the pcap format to reuse the various tools available (wireshark, tcpdump, ...). There is some information in this thread but I can't find how to write the global file header 'struct…
Robert Kubrick
6 votes · 1 answer

How to write PCAP capture file header?

Without using libpcap I am trying to write a log file that adheres to the pcap file format (format). This file needs to be readable by WireShark. So far I've written this in C++: struct pcapFileHeader { uint32_t magic_number; /* magic number…
Scott
6 votes · 1 answer

Capturing packets on loopback

This code works perfectly fine on Ubuntu 16.04 and prints the correct value (ETHERTYPE_IP) when I toss around UDP bytes via the loopback interface: #include #include #include int main(int argc,char **argv) { char…
lstipakov
6 votes · 1 answer

Why is there a long delay between pcap_loop() and getting a packet?

I'm writing a sniffer using libpcap. My problem is that there's a 7-10 second delay between calling pcap_loop() or pcap_next() and actually getting a packet (the callback function being called). However, if I use wireshark with the same filter on the…
Nick Zhang
6 votes · 1 answer

libpcap or PF_PACKET?

I understand this question has been discussed many times: Should I use libpcap or PF_PACKET (the data link socket) to capture packets? Based on my research, libpcap is suggested over PF_PACKET almost everywhere, mainly due to its…
user2975098
6 votes · 2 answers

Sniffing wifi using libpcap in monitor mode

Problem Statement: Calling pcap_activate() results in a PCAP_ERR_RFMON_NOTSUP error, i.e. RF monitor mode is not supported. Context: I'm writing a small C program whose job is to listen on my laptop's wifi card in monitor mode. The laptop is running…
user108879
6 votes · 2 answers

Capturing performance with pcap vs raw socket

When capturing network traffic for debugging, there seem to be two common approaches: Use a raw socket. Use libpcap. Performance-wise, is there much difference between these two approaches? libpcap seems a nice compatible way to listen to a real…
PeterM
6 votes · 3 answers

Passing an argument on libpcap pcap_loop() callback

Because I would like to make some tests with libpcap and a small C program, I am trying to pass a structure from main() to got_packet(). After reading the libpcap tutorial, I found this: The prototype for pcap_loop() is below: int…
Denis
6 votes · 1 answer

Parse IP and TCP headers (especially common TCP header options) of packets captured by libpcap

I want to use libpcap to capture IP packets, and then I want to parse the IP header and TCP header. There are IP header and TCP header structures in and the IP header is relatively easier to parse, but for TCP…
user1944267
6 votes · 3 answers

pcap files and endianness

Running the file command against a pcap file will print out something along the lines of - $ file pcap.pcap pcap.pcap: tcpdump capture file (little-endian) - version 2.4 .... I've been looking for a way to create a big-endian capture file, or…
RyPeck
5 votes · 0 answers

Decode PCM audio data with g722 codec

I'm developing a call recorder for VoIP audio; the audio is encoded using a g722 codec in a CISCO environment. Well, I have extracted the data from the RTP frames and I have decoded this PCM data as follows: unsigned int payloadSize =…
Miguel Angel
5 votes · 1 answer

FreeBSD: Questions about NIC ring buffers, mbufs, and bpf buffers

I've been going through many technical documents on packet capture/processing and host stacks trying to understand it all; there are a few areas where I'm troubled, hopefully someone can help. Assuming you're running tcpdump: After a packet gets…
jon
5 votes · 1 answer

Wireshark with Libpcap (or WinPcap) portable (without Admin rights)

The portable version of wireshark from: https://www.wireshark.org/download.html works fine on my windows 10, but doesn't include a portable capturing driver, Libpcap or WinPcap. On the Npcap page https://nmap.org/npcap/ it is written: "Libpcap API:…
pep44
5 votes · 2 answers

How to Find TCP Retransmissions while sniffing packets in C

I've written a simple source file that can read pcap files using the libpcap library in C. I can parse the packets one by one and analyze them up to a point. I want to be able to deduce whether a TCP packet I parsed is a TCP retransmission or not.…
5 votes · 2 answers

How can I parse an ethernet packet using libpcap?

I'm using libpcap in C++ for reading packets from pcap files, e.g.: rc = pcap_next_ex((pcap_t*)handle, &header, (const unsigned char**)packet); I would like to parse the packet's header (without the payload). For example, how can I parse a given…
user515766