tcpdump mailing list archives
Re: New libpcap API
From: "Mark Bednarczyk" <voytechs () yahoo com>
Date: Fri, 15 Jan 2010 18:31:46 -0500
Thank you for all your insight. I will bypass the bpf_* functions then from the API. The remainder I will include. Cheers, mark...
-----Original Message----- From: tcpdump-workers-owner () lists tcpdump org [mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of Guy Harris Sent: Friday, January 15, 2010 5:33 PM To: tcpdump-workers () lists tcpdump org Subject: Re: [tcpdump-workers] New libpcap API On Jan 15, 2010, at 8:17 AM, Mark Bednarczyk wrote:I'm the developer of a java libpcap wrapper jNetPcap. jNetPcap API currently provides comparible libpcap functions for almosteverythingprior to libpcap 0.9.8 version. I am planning outadditional functionsthat I think need to be added to the API. Does anyone know which functions were introduced in 1.0.0 from the list below? I checked in changelogs but couldn't find references to most of these functions. Lastly, if anyone could fill inthe few ???marks for function description I couldn't find manpages for. pcap_create - allocates memory for the pcaphandle (must befollowed by a corresponding pcap_activate) pcap_set_snaplen - set the snapshot length for anot-yet-activatedcapture handle pcap_set_promisc - set promiscuous mode for anot-yet-activated capturehandle pcap_can_set_rfmon - check whether monitor mode can be set for a not-yet-activated capture handle pcap_set_rfmon - set monitor mode for anot-yet-activated capturehandle pcap_set_timeout - set the read timeout for anot-yet-activated capturehandle pcap_set_buffer_size - set the buffer size for a not-yet-activated capture handleAll introduced in 1.0.0.pcap_setdirection - set the direction for which packetswill be captured Introduced in one of the 0.9.x releases.pcap_activate - actives the pcap handle and most ofthe abovefunctions may no longer be called on an active handle pcap_statustostr - convert a PCAP_ERROR_ orPCAP_WARNING_ value to astringIntroduced in 1.0.0.pcap_strerror - convert an errno value to a string(how is thisdifferent from pcap_geterr?)Has been there for a *long* time. It provides a wrapper around strerror() for the benefit of OSes that don't have strerror(). (libpcap is an *old* library, and dates back to an era when many UN*Xes people were using didn't have strerror().) pcap_geterr() returns an error string in the error buffer in a pcap_t, rather than an error string corresponding to a UN*X errno; to quote the man page: pcap_geterr() returns the error text pertaining to the last pcap library error. NOTE: the pointer it returns will no longer point to a valid error message string after the pcap_t passed to it is closed; you must use or copy the string before closing the pcap_t. pcap_perror() prints the text of the last pcap library error on stderr, prefixed by prefix.pcap_offline_filter - check whether a filter matches apacket. BPF VMengine in user landIntroduced in 1.0.0 as a wrapper around bpf_filter().pcap_datalink_ext - not sure ???Introduced in 1.0.0; the theory was that some linktype values in a savefile could give additional information, such as the number of bits of FCS. Currently, that's only used by the code to support DAG cards.pcap_set_datalink - set the link-layer header type tobe used by acapture device. pcap_list_datalinks - get a list of link-layer headertypes supported by acapture device pcap_free_datalinks - frees allocated memory inpcap_list_datalinkspcap_snapshot - get the snapshot length set withpcap_set_snaplen orpcap_open_liveAll introduced before 1.0.0.bpf_filter - ??? bpf_validate - ??? bpf_image - ??? bpf_dump - ???All introduced before 1.0.0; they're part of the userland BPF-filter code. bpf_filter() is the filter engine, around which the somewhat-inaccurately-named pcap_offline_filter() is a wrapper (it's inaccurately named because it can be used in a live capture as well - you might, for example, have an application that uses a BPF filter expression as a "start capturing" or "stop capturing" trigger, in which case your app would have to evaluate that in userland). bpf_validate() checks whether a BPF program is "safe". It's mainly of interest in the OS kernel, so that applications can't hand to the kernel a program that could loop or cause a zero-divide fault or reference arbitrary memory locations or.... bpf_image() is an routine that takes a BPF instruction and generates a "assembly-language" string for it. bpf_dump() is a routine that takes a BPF program and dumps out the instructions, perhaps as raw instruction fields or perhaps as "assembly-language" strings as generated by bpf_image(), depending on the second argument value. It's mainly used by tcpdump's "-d" option. None other than bpf_filter() are guaranteed to remain as they are in the future.- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- New libpcap API Mark Bednarczyk (Jan 15)
- Re: New libpcap API Darren Reed (Jan 15)
- Re: New libpcap API Guy Harris (Jan 15)
- Re: New libpcap API Mark Bednarczyk (Jan 15)