author | Treehugger Robot <treehugger-gerrit@google.com> | 2020-04-29 23:47:17 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-04-29 23:47:17 +0000 |
commit | 061669a9e338f41bd2a50ea1dbdbe272f4c21ef2 (patch) | |
tree | 2d55ffd6ce456590c7cad2034ce9e439dba499dc | |
parent | 74bc37f03680c65799a37403f3a7c4f0ea14091e (diff) | |
parent | 10a8728eaa497b558e8e649e9521be8af732a62e (diff) | |
download | libpcap-061669a9e338f41bd2a50ea1dbdbe272f4c21ef2.tar.gz |
Merge "Upgrade libpcap to libpcap-1.9.1" am: 10a8728eaa android-r-beta-3 android-r-beta-2
Change-Id: I4d80ebabb689228840810e9fbb82e635748c7a6c
-rw-r--r-- | METADATA | 4 | ||||
-rwxr-xr-x | libpcap.pc | 18 | ||||
-rwxr-xr-x | libpcap.so.1.9.1 | bin | 1182344 -> 0 bytes | |||
-rwxr-xr-x | pcap-config | 94 | ||||
-rw-r--r-- | pcap-filter.manmisc | 1052 | ||||
-rw-r--r-- | pcap-linktype.manmisc | 48 | ||||
-rw-r--r-- | pcap-savefile.manfile | 133 | ||||
-rw-r--r-- | pcap-tstamp.manmisc | 168 | ||||
-rw-r--r-- | pcap.3pcap | 982 | ||||
-rw-r--r-- | pcap_compile.3pcap | 89 | ||||
-rw-r--r-- | pcap_datalink.3pcap | 68 | ||||
-rw-r--r-- | pcap_dump_open.3pcap | 103 | ||||
-rw-r--r-- | pcap_get_tstamp_precision.3pcap | 56 | ||||
-rw-r--r-- | pcap_list_datalinks.3pcap | 73 | ||||
-rw-r--r-- | pcap_list_tstamp_types.3pcap | 81 | ||||
-rw-r--r-- | pcap_open_dead.3pcap | 78 | ||||
-rw-r--r-- | pcap_open_offline.3pcap | 116 | ||||
-rw-r--r-- | pcap_set_immediate_mode.3pcap | 95 | ||||
-rw-r--r-- | pcap_set_tstamp_precision.3pcap | 66 | ||||
-rw-r--r-- | pcap_set_tstamp_type.3pcap | 70 |
20 files changed, 2 insertions, 3392 deletions
@@ -9,11 +9,11 @@ third_party {
 type: ARCHIVE
 value: "https://github.com/the-tcpdump-group/libpcap/archive/libpcap-1.9.1.tar.gz"
 }
- version: "libcap-1.9.1"
+ version: "libpcap-1.9.1"
 license_type: RESTRICTED
 last_upgrade_date {
 year: 2020
 month: 4
- day: 23
+ day: 24
 }
 }
diff --git a/libpcap.pc b/libpcap.pc
deleted file mode 100755
index e78cc997..00000000
--- a/libpcap.pc
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# pkg-config file for libpcap.
-#
-# These variables come from the configure script, so includedir and
-# libdir may be defined in terms of prefix and exec_prefix, so the
-# latter must be defined as well.
-#
-prefix="/usr/local"
-exec_prefix="${prefix}"
-includedir="${prefix}/include"
-libdir="${exec_prefix}/lib"
-
-Name: libpcap
-Description: Platform-independent network traffic capture library
-Version: 1.9.1
-Libs: -L${libdir} -lpcap
-Libs.private:
-Cflags: -I${includedir}
diff --git a/libpcap.so.1.9.1 b/libpcap.so.1.9.1
Binary files differ
deleted file mode 100755
index c80ec870..00000000
--- a/libpcap.so.1.9.1
+++ /dev/null
diff --git a/pcap-config b/pcap-config
deleted file mode 100755
index 29380c44..00000000
--- a/pcap-config
+++ /dev/null
@@ -1,94 +0,0 @@
-#! /bin/sh
-
-#
-# Script to give the appropriate compiler flags and linker flags
-# to use when building code that uses libpcap.
-#
-# These variables come from the configure script, so includedir and
-# libdir may be defined in terms of prefix and exec_prefix, so the
-# latter must be defined as well.
-#
-prefix="/usr/local"
-exec_prefix="${prefix}"
-includedir="${prefix}/include"
-libdir="${exec_prefix}/lib"
-V_RPATH_OPT="-Wl,-rpath,"
-LIBS=""
-PACKAGE_NAME="pcap"
-
-static=0
-show_cflags=0
-show_libs=0
-while [ "$#" != 0 ]
-do
- case "$1" in
-
- --static)
- static=1
- ;;
-
- --cflags)
- show_cflags=1
- ;;
-
- --libs)
- show_libs=1
- ;;
-
- --additional-libs)
- show_additional_libs=1
- ;;
- esac
- shift
-done
-if [ "$V_RPATH_OPT" != "" ]
-then
- #
- # If libdir isn't /usr/lib, add it to the run-time linker path.
- #
- if [ "$libdir" != "/usr/lib" ]
- then
- RPATH=$V_RPATH_OPT$libdir
- fi
-fi
-if [ "$static" = 1 ]
-then
- #
- # Include LIBS so that the flags include libraries containing
- # routines that libpcap uses.
- #
- if [ "$show_cflags" = 1 -a "$show_libs" = 1 ]
- then
- echo "-I$includedir -L$libdir -lpcap $LIBS"
- elif [ "$show_cflags" = 1 -a "$show_additional_libs" = 1 ]
- then
- echo "-I$includedir -L$libdir $LIBS"
- elif [ "$show_cflags" = 1 ]
- then
- echo "-I$includedir"
- elif [ "$show_libs" = 1 ]
- then
- echo "-L$libdir -lpcap $LIBS"
- elif [ "$show_additional_libs" = 1 ]
- then
- echo "$LIBS"
- fi
-else
- #
- # Omit LIBS - libpcap is assumed to be linked with those
- # libraries, so there's no need to do so explicitly.
- #
- if [ "$show_cflags" = 1 -a "$show_libs" = 1 ]
- then
- echo "-I$includedir -L$libdir $RPATH -l$PACKAGE_NAME"
- elif [ "$show_cflags" = 1 -a "$show_additional_libs" = 1 ]
- then
- echo "-I$includedir"
- elif [ "$show_cflags" = 1 ]
- then
- echo "-I$includedir"
- elif [ "$show_libs" = 1 ]
- then
- echo "-L$libdir $RPATH -l$PACKAGE_NAME"
- fi
-fi
diff --git a/pcap-filter.manmisc b/pcap-filter.manmisc
deleted file mode 100644
index d8385f51..00000000
--- a/pcap-filter.manmisc
+++ /dev/null
@@ -1,1052 +0,0 @@ -.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 -.\" The Regents of the University of California. All rights reserved. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that: (1) source code distributions -.\" retain the above copyright notice and this paragraph in its entirety, (2) -.\" distributions including binary code include the above copyright notice and -.\" this paragraph in its entirety in the documentation or other materials -.\" provided with the distribution, and (3) all advertising materials mentioning -.\" features or use of this software display the following acknowledgement: -.\" ``This product includes software developed by the University of California, -.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of -.\" the University nor the names of its contributors may be used to endorse -.\" or promote products derived from this software without specific prior -.\" written permission. -.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED -.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. -.\" -.TH PCAP-FILTER 7 "5 November 2017" -.SH NAME -pcap-filter \- packet filter syntax -.br -.ad -.SH DESCRIPTION -.LP -.B pcap_compile() -is used to compile a string into a filter program. -The resulting filter program can then be applied to -some stream of packets to determine which packets will be supplied to -.BR pcap_loop(3PCAP) , -.BR pcap_dispatch(3PCAP) , -.BR pcap_next(3PCAP) , -or -.BR pcap_next_ex(3PCAP) . -.LP -The \fIfilter expression\fP consists of one or more -.IR primitives . -Primitives usually consist of an -.I id -(name or number) preceded by one or more qualifiers. 
-There are three -different kinds of qualifier: -.IP \fItype\fP -.I type -qualifiers say what kind of thing the id name or number refers to. -Possible types are -.BR host , -.B net , -.B port -and -.BR portrange . -E.g., `host foo', `net 128.3', `port 20', `portrange 6000-6008'. -If there is no type -qualifier, -.B host -is assumed. -.IP \fIdir\fP -.I dir -qualifiers specify a particular transfer direction to and/or from -.IR id . -Possible directions are -.BR src , -.BR dst , -.BR "src or dst" , -.BR "src and dst" , -.BR ra , -.BR ta , -.BR addr1 , -.BR addr2 , -.BR addr3 , -and -.BR addr4 . -E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. -If -there is no dir qualifier, -.B "src or dst" -is assumed. -The -.BR ra , -.BR ta , -.BR addr1 , -.BR addr2 , -.BR addr3 , -and -.B addr4 -qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. -.IP \fIproto\fP -.I proto -qualifiers restrict the match to a particular protocol. -Possible -protos are: -.BR ether , -.BR fddi , -.BR tr , -.BR wlan , -.BR ip , -.BR ip6 , -.BR arp , -.BR rarp , -.BR decnet , -.B tcp -and -.BR udp . -E.g., `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange -7000-7009', `wlan addr2 0:2:3:4:5:6'. -If there is -no proto qualifier, all protocols consistent with the type are -assumed. -E.g., `src foo' means `(ip or arp or rarp) src foo' -(except the latter is not legal syntax), `net bar' means `(ip or -arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'. -.LP -[`fddi' is actually an alias for `ether'; the parser treats them -identically as meaning ``the data link level used on the specified -network interface.'' FDDI headers contain Ethernet-like source -and destination addresses, and often contain Ethernet-like packet -types, so you can filter on these FDDI fields just as with the -analogous Ethernet fields. -FDDI headers also contain other fields, -but you cannot name them explicitly in a filter expression. 
-.LP -Similarly, `tr' and `wlan' are aliases for `ether'; the previous -paragraph's statements about FDDI headers also apply to Token Ring -and 802.11 wireless LAN headers. For 802.11 headers, the destination -address is the DA field and the source address is the SA field; the -BSSID, RA, and TA fields aren't tested.] -.LP -In addition to the above, there are some special `primitive' keywords -that don't follow the pattern: -.BR gateway , -.BR broadcast , -.BR less , -.B greater -and arithmetic expressions. -All of these are described below. -.LP -More complex filter expressions are built up by using the words -.BR and , -.B or -and -.B not -to combine primitives. -E.g., `host foo and not port ftp and not port ftp-data'. -To save typing, identical qualifier lists can be omitted. -E.g., -`tcp dst port ftp or ftp-data or domain' is exactly the same as -`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'. -.LP -Allowable primitives are: -.IP "\fBdst host \fIhost\fR" -True if the IPv4/v6 destination field of the packet is \fIhost\fP, -which may be either an address or a name. -.IP "\fBsrc host \fIhost\fR" -True if the IPv4/v6 source field of the packet is \fIhost\fP. -.IP "\fBhost \fIhost\fP" -True if either the IPv4/v6 source or destination of the packet is \fIhost\fP. -.IP -Any of the above host expressions can be prepended with the keywords, -\fBip\fP, \fBarp\fP, \fBrarp\fP, or \fBip6\fP as in: -.in +.5i -.nf -\fBip host \fIhost\fR -.fi -.in -.5i -which is equivalent to: -.in +.5i -.nf -\fBether proto \fI\\ip\fB and host \fIhost\fR -.fi -.in -.5i -If \fIhost\fR is a name with multiple IP addresses, each address will -be checked for a match. -.IP "\fBether dst \fIehost\fP" -True if the Ethernet destination address is \fIehost\fP. 
-\fIEhost\fP -may be either a name from /etc/ethers or a numerical MAC address of the -form "xx:xx:xx:xx:xx:xx", "xx.xx.xx.xx.xx.xx", "xx-xx-xx-xx-xx-xx", -"xxxx.xxxx.xxxx", "xxxxxxxxxxxx", or various mixes of ':', '.', and '-', -where each "x" is a hex digit (0-9, a-f, or A-F). -.IP "\fBether src \fIehost\fP" -True if the Ethernet source address is \fIehost\fP. -.IP "\fBether host \fIehost\fP" -True if either the Ethernet source or destination address is \fIehost\fP. -.IP "\fBgateway\fP \fIhost\fP" -True if the packet used \fIhost\fP as a gateway. -I.e., the Ethernet -source or destination address was \fIhost\fP but neither the IP source -nor the IP destination was \fIhost\fP. -\fIHost\fP must be a name and -must be found both by the machine's host-name-to-IP-address resolution -mechanisms (host name file, DNS, NIS, etc.) and by the machine's -host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). -(An equivalent expression is -.in +.5i -.nf -\fBether host \fIehost \fBand not host \fIhost\fR -.fi -.in -.5i -which can be used with either names or numbers for \fIhost / ehost\fP.) -This syntax does not work in IPv6-enabled configuration at this moment. -.IP "\fBdst net \fInet\fR" -True if the IPv4/v6 destination address of the packet has a network -number of \fInet\fP. -\fINet\fP may be either a name from the networks database -(/etc/networks, etc.) or a network number. -An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0), -dotted triple (e.g., 192.168.1), dotted pair (e.g, 172.16), or single -number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad -(which means that it's really a host match), 255.255.255.0 for a dotted -triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number. -An IPv6 network number must be written out fully; the netmask is -ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 "network" matches are really always -host matches, and a network match requires a netmask length. 
-.IP "\fBsrc net \fInet\fR" -True if the IPv4/v6 source address of the packet has a network -number of \fInet\fP. -.IP "\fBnet \fInet\fR" -True if either the IPv4/v6 source or destination address of the packet has a network -number of \fInet\fP. -.IP "\fBnet \fInet\fR \fBmask \fInetmask\fR" -True if the IPv4 address matches \fInet\fR with the specific \fInetmask\fR. -May be qualified with \fBsrc\fR or \fBdst\fR. -Note that this syntax is not valid for IPv6 \fInet\fR. -.IP "\fBnet \fInet\fR/\fIlen\fR" -True if the IPv4/v6 address matches \fInet\fR with a netmask \fIlen\fR -bits wide. -May be qualified with \fBsrc\fR or \fBdst\fR. -.IP "\fBdst port \fIport\fR" -True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a -destination port value of \fIport\fP. -The \fIport\fP can be a number or a name used in /etc/services (see -.IR tcp (4P) -and -.IR udp (4P)). -If a name is used, both the port -number and protocol are checked. -If a number or ambiguous name is used, -only the port number is checked (e.g., \fBdst port 513\fR will print both -tcp/login traffic and udp/who traffic, and \fBport domain\fR will print -both tcp/domain and udp/domain traffic). -.IP "\fBsrc port \fIport\fR" -True if the packet has a source port value of \fIport\fP. -.IP "\fBport \fIport\fR" -True if either the source or destination port of the packet is \fIport\fP. -.IP "\fBdst portrange \fIport1\fB-\fIport2\fR" -True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a -destination port value between \fIport1\fP and \fIport2\fP. -.I port1 -and -.I port2 -are interpreted in the same fashion as the -.I port -parameter for -.BR port . -.IP "\fBsrc portrange \fIport1\fB-\fIport2\fR" -True if the packet has a source port value between \fIport1\fP and -\fIport2\fP. -.IP "\fBportrange \fIport1\fB-\fIport2\fR" -True if either the source or destination port of the packet is between -\fIport1\fP and \fIport2\fP. 
-.IP -Any of the above port or port range expressions can be prepended with -the keywords, \fBtcp\fP or \fBudp\fP, as in: -.in +.5i -.nf -\fBtcp src port \fIport\fR -.fi -.in -.5i -which matches only tcp packets whose source port is \fIport\fP. -.IP "\fBless \fIlength\fR" -True if the packet has a length less than or equal to \fIlength\fP. -This is equivalent to: -.in +.5i -.nf -\fBlen <= \fIlength\fP. -.fi -.in -.5i -.IP "\fBgreater \fIlength\fR" -True if the packet has a length greater than or equal to \fIlength\fP. -This is equivalent to: -.in +.5i -.nf -\fBlen >= \fIlength\fP. -.fi -.in -.5i -.IP "\fBip proto \fIprotocol\fR" -True if the packet is an IPv4 packet (see -.IR ip (4P)) -of protocol type \fIprotocol\fP. -\fIProtocol\fP can be a number or one of the names -\fBicmp\fP, \fBicmp6\fP, \fBigmp\fP, \fBigrp\fP, \fBpim\fP, \fBah\fP, -\fBesp\fP, \fBvrrp\fP, \fBudp\fP, or \fBtcp\fP. -Note that the identifiers \fBtcp\fP, \fBudp\fP, and \fBicmp\fP are also -keywords and must be escaped via backslash (\\). -Note that this primitive does not chase the protocol header chain. -.IP "\fBip6 proto \fIprotocol\fR" -True if the packet is an IPv6 packet of protocol type \fIprotocol\fP. -Note that this primitive does not chase the protocol header chain. -.IP "\fBproto \fIprotocol\fR" -True if the packet is an IPv4 or IPv6 packet of protocol type -\fIprotocol\fP. Note that this primitive does not chase the protocol -header chain. -.IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR" -Abbreviations for: -.in +.5i -.nf -\fBproto \fIp\fR\fB -.fi -.in -.5i -where \fIp\fR is one of the above protocols. -.IP "\fBip6 protochain \fIprotocol\fR" -True if the packet is IPv6 packet, -and contains protocol header with type \fIprotocol\fR -in its protocol header chain. -For example, -.in +.5i -.nf -\fBip6 protochain 6\fR -.fi -.in -.5i -matches any IPv6 packet with TCP protocol header in the protocol header chain. 
-The packet may contain, for example, -authentication header, routing header, or hop-by-hop option header, -between IPv6 header and TCP header. -The BPF code emitted by this primitive is complex and -cannot be optimized by the BPF optimizer code, and is not supported by -filter engines in the kernel, so this can be somewhat slow, and may -cause more packets to be dropped. -.IP "\fBip protochain \fIprotocol\fR" -Equivalent to \fBip6 protochain \fIprotocol\fR, but this is for IPv4. -.IP "\fBprotochain \fIprotocol\fR" -True if the packet is an IPv4 or IPv6 packet of protocol type -\fIprotocol\fP. Note that this primitive chases the protocol -header chain. -.IP "\fBether broadcast\fR" -True if the packet is an Ethernet broadcast packet. -The \fIether\fP -keyword is optional. -.IP "\fBip broadcast\fR" -True if the packet is an IPv4 broadcast packet. -It checks for both the all-zeroes and all-ones broadcast conventions, -and looks up the subnet mask on the interface on which the capture is -being done. -.IP -If the subnet mask of the interface on which the capture is being done -is not available, either because the interface on which capture is being -done has no netmask or because the capture is being done on the Linux -"any" interface, which can capture on more than one interface, this -check will not work correctly. -.IP "\fBether multicast\fR" -True if the packet is an Ethernet multicast packet. -The \fBether\fP -keyword is optional. -This is shorthand for `\fBether[0] & 1 != 0\fP'. -.IP "\fBip multicast\fR" -True if the packet is an IPv4 multicast packet. -.IP "\fBip6 multicast\fR" -True if the packet is an IPv6 multicast packet. -.IP "\fBether proto \fIprotocol\fR" -True if the packet is of ether type \fIprotocol\fR. -\fIProtocol\fP can be a number or one of the names -\fBip\fP, \fBip6\fP, \fBarp\fP, \fBrarp\fP, \fBatalk\fP, \fBaarp\fP, -\fBdecnet\fP, \fBsca\fP, \fBlat\fP, \fBmopdl\fP, \fBmoprc\fP, -\fBiso\fP, \fBstp\fP, \fBipx\fP, or \fBnetbeui\fP. 
-Note these identifiers are also keywords -and must be escaped via backslash (\\). -.IP -[In the case of FDDI (e.g., `\fBfddi proto arp\fR'), Token Ring -(e.g., `\fBtr proto arp\fR'), and IEEE 802.11 wireless LANS (e.g., -`\fBwlan proto arp\fR'), for most of those protocols, the -protocol identification comes from the 802.2 Logical Link Control (LLC) -header, which is usually layered on top of the FDDI, Token Ring, or -802.11 header. -.IP -When filtering for most protocol identifiers on FDDI, Token Ring, or -802.11, the filter checks only the protocol ID field of an LLC header -in so-called SNAP format with an Organizational Unit Identifier (OUI) of -0x000000, for encapsulated Ethernet; it doesn't check whether the packet -is in SNAP format with an OUI of 0x000000. -The exceptions are: -.RS -.TP -\fBiso\fP -the filter checks the DSAP (Destination Service Access Point) and -SSAP (Source Service Access Point) fields of the LLC header; -.TP -\fBstp\fP and \fBnetbeui\fP -the filter checks the DSAP of the LLC header; -.TP -\fBatalk\fP -the filter checks for a SNAP-format packet with an OUI of 0x080007 -and the AppleTalk etype. -.RE -.IP -In the case of Ethernet, the filter checks the Ethernet type field -for most of those protocols. The exceptions are: -.RS -.TP -\fBiso\fP, \fBstp\fP, and \fBnetbeui\fP -the filter checks for an 802.3 frame and then checks the LLC header as -it does for FDDI, Token Ring, and 802.11; -.TP -\fBatalk\fP -the filter checks both for the AppleTalk etype in an Ethernet frame and -for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11; -.TP -\fBaarp\fP -the filter checks for the AppleTalk ARP etype in either an Ethernet -frame or an 802.2 SNAP frame with an OUI of 0x000000; -.TP -\fBipx\fP -the filter checks for the IPX etype in an Ethernet frame, the IPX -DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of -IPX, and the IPX etype in a SNAP frame. 
-.RE -.IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fBnetbeui\fP" -Abbreviations for: -.in +.5i -.nf -\fBether proto \fIp\fR -.fi -.in -.5i -where \fIp\fR is one of the above protocols. -.IP "\fBlat\fR, \fBmoprc\fR, \fBmopdl\fR" -Abbreviations for: -.in +.5i -.nf -\fBether proto \fIp\fR -.fi -.in -.5i -where \fIp\fR is one of the above protocols. -Note that not all applications using -.BR pcap (3PCAP) -currently know how to parse these protocols. -.IP "\fBdecnet src \fIhost\fR" -True if the DECNET source address is -.IR host , -which may be an address of the form ``10.123'', or a DECNET host -name. -[DECNET host name support is only available on ULTRIX systems -that are configured to run DECNET.] -.IP "\fBdecnet dst \fIhost\fR" -True if the DECNET destination address is -.IR host . -.IP "\fBdecnet host \fIhost\fR" -True if either the DECNET source or destination address is -.IR host . -.IP \fBllc\fP -True if the packet has an 802.2 LLC header. This includes: -.IP -Ethernet packets with a length field rather than a type field that -aren't raw NetWare-over-802.3 packets; -.IP -IEEE 802.11 data packets; -.IP -Token Ring packets (no check is done for LLC frames); -.IP -FDDI packets (no check is done for LLC frames); -.IP -LLC-encapsulated ATM packets, for SunATM on Solaris. -.IP "\fBllc\fP \Fitype\fR" -True if the packet has an 802.2 LLC header and has the specified -.IR type . 
-.I type -can be one of: -.RS -.TP -\fBi\fR -Information (I) PDUs -.TP -\fBs\fR -Supervisory (S) PDUs -.TP -\fBu\fR -Unnumbered (U) PDUs -.TP -\fBrr\fR -Receiver Ready (RR) S PDUs -.TP -\fBrnr\fR -Receiver Not Ready (RNR) S PDUs -.TP -\fBrej\fR -Reject (REJ) S PDUs -.TP -\fBui\fR -Unnumbered Information (UI) U PDUs -.TP -\fBua\fR -Unnumbered Acknowledgment (UA) U PDUs -.TP -\fBdisc\fR -Disconnect (DISC) U PDUs -.TP -\fBsabme\fR -Set Asynchronous Balanced Mode Extended (SABME) U PDUs -.TP -\fBtest\fR -Test (TEST) U PDUs -.TP -\fBxid\fR -Exchange Identification (XID) U PDUs -.TP -\fBfrmr\fR -Frame Reject (FRMR) U PDUs -.RE -.IP \fBinbound\fP -Packet was received by the host performing the capture rather than being -sent by that host. This is only supported for certain link-layer types, -such as SLIP and the ``cooked'' Linux capture mode -used for the ``any'' device and for some other device types. -.IP \fBoutbound\fP -Packet was sent by the host performing the capture rather than being -received by that host. This is only supported for certain link-layer types, -such as SLIP and the ``cooked'' Linux capture mode -used for the ``any'' device and for some other device types. -.IP "\fBifname \fIinterface\fR" -True if the packet was logged as coming from the specified interface (applies -only to packets logged by OpenBSD's or FreeBSD's -.BR pf (4)). -.IP "\fBon \fIinterface\fR" -Synonymous with the -.B ifname -modifier. -.IP "\fBrnr \fInum\fR" -True if the packet was logged as matching the specified PF rule number -(applies only to packets logged by OpenBSD's or FreeBSD's -.BR pf (4)). -.IP "\fBrulenum \fInum\fR" -Synonymous with the -.B rnr -modifier. -.IP "\fBreason \fIcode\fR" -True if the packet was logged with the specified PF reason code. The known -codes are: -.BR match , -.BR bad-offset , -.BR fragment , -.BR short , -.BR normalize , -and -.B memory -(applies only to packets logged by OpenBSD's or FreeBSD's -.BR pf (4)). 
-.IP "\fBrset \fIname\fR" -True if the packet was logged as matching the specified PF ruleset -name of an anchored ruleset (applies only to packets logged by OpenBSD's -or FreeBSD's -.BR pf (4)). -.IP "\fBruleset \fIname\fR" -Synonymous with the -.B rset -modifier. -.IP "\fBsrnr \fInum\fR" -True if the packet was logged as matching the specified PF rule number -of an anchored ruleset (applies only to packets logged by OpenBSD's or -FreeBSD's -.BR pf (4)). -.IP "\fBsubrulenum \fInum\fR" -Synonymous with the -.B srnr -modifier. -.IP "\fBaction \fIact\fR" -True if PF took the specified action when the packet was logged. Known actions -are: -.B pass -and -.B block -and, with later versions of -.BR pf (4), -.BR nat , -.BR rdr , -.B binat -and -.B scrub -(applies only to packets logged by OpenBSD's or FreeBSD's -.BR pf (4)). -.IP "\fBwlan ra \fIehost\fR" -True if the IEEE 802.11 RA is -.IR ehost . -The RA field is used in all frames except for management frames. -.IP "\fBwlan ta \fIehost\fR" -True if the IEEE 802.11 TA is -.IR ehost . -The TA field is used in all frames except for management frames and -CTS (Clear To Send) and ACK (Acknowledgment) control frames. -.IP "\fBwlan addr1 \fIehost\fR" -True if the first IEEE 802.11 address is -.IR ehost . -.IP "\fBwlan addr2 \fIehost\fR" -True if the second IEEE 802.11 address, if present, is -.IR ehost . -The second address field is used in all frames except for CTS (Clear To -Send) and ACK (Acknowledgment) control frames. -.IP "\fBwlan addr3 \fIehost\fR" -True if the third IEEE 802.11 address, if present, is -.IR ehost . -The third address field is used in management and data frames, but not -in control frames. -.IP "\fBwlan addr4 \fIehost\fR" -True if the fourth IEEE 802.11 address, if present, is -.IR ehost . -The fourth address field is only used for -WDS (Wireless Distribution System) frames. -.IP "\fBtype \fIwlan_type\fR" -True if the IEEE 802.11 frame type matches the specified \fIwlan_type\fR. 
-Valid \fIwlan_type\fRs are: -\fBmgt\fP, -\fBctl\fP -and \fBdata\fP. -.IP "\fBtype \fIwlan_type \fBsubtype \fIwlan_subtype\fR" -True if the IEEE 802.11 frame type matches the specified \fIwlan_type\fR -and frame subtype matches the specified \fIwlan_subtype\fR. -.IP -If the specified \fIwlan_type\fR is \fBmgt\fP, -then valid \fIwlan_subtype\fRs are: -\fBassoc-req\fP, -\fBassoc-resp\fP, -\fBreassoc-req\fP, -\fBreassoc-resp\fP, -\fBprobe-req\fP, -\fBprobe-resp\fP, -\fBbeacon\fP, -\fBatim\fP, -\fBdisassoc\fP, -\fBauth\fP and -\fBdeauth\fP. -.IP -If the specified \fIwlan_type\fR is \fBctl\fP, -then valid \fIwlan_subtype\fRs are: -\fBps-poll\fP, -\fBrts\fP, -\fBcts\fP, -\fBack\fP, -\fBcf-end\fP and -\fBcf-end-ack\fP. -.IP -If the specified \fIwlan_type\fR is \fBdata\fP, -then valid \fIwlan_subtype\fRs are: -\fBdata\fP, -\fBdata-cf-ack\fP, -\fBdata-cf-poll\fP, -\fBdata-cf-ack-poll\fP, -\fBnull\fP, -\fBcf-ack\fP, -\fBcf-poll\fP, -\fBcf-ack-poll\fP, -\fBqos-data\fP, -\fBqos-data-cf-ack\fP, -\fBqos-data-cf-poll\fP, -\fBqos-data-cf-ack-poll\fP, -\fBqos\fP, -\fBqos-cf-poll\fP and -\fBqos-cf-ack-poll\fP. -.IP "\fBsubtype \fIwlan_subtype\fR" -True if the IEEE 802.11 frame subtype matches the specified \fIwlan_subtype\fR -and frame has the type to which the specified \fIwlan_subtype\fR belongs. -.IP "\fBdir \fIdir\fR" -True if the IEEE 802.11 frame direction matches the specified -.IR dir . -Valid directions are: -.BR nods , -.BR tods , -.BR fromds , -.BR dstods , -or a numeric value. -.IP "\fBvlan \fI[vlan_id]\fR" -True if the packet is an IEEE 802.1Q VLAN packet. -If \fI[vlan_id]\fR is specified, only true if the packet has the specified -\fIvlan_id\fR. -Note that the first \fBvlan\fR keyword encountered in \fIexpression\fR -changes the decoding offsets for the remainder of \fIexpression\fR on -the assumption that the packet is a VLAN packet. The \fBvlan -\fI[vlan_id]\fR expression may be used more than once, to filter on VLAN -hierarchies. 
Each use of that expression increments the filter offsets -by 4. -.IP -For example: -.in +.5i -.nf -\fBvlan 100 && vlan 200\fR -.fi -.in -.5i -filters on VLAN 200 encapsulated within VLAN 100, and -.in +.5i -.nf -\fBvlan && vlan 300 && ip\fR -.fi -.in -.5i -filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any -higher order VLAN. -.IP "\fBmpls \fI[label_num]\fR" -True if the packet is an MPLS packet. -If \fI[label_num]\fR is specified, only true is the packet has the specified -\fIlabel_num\fR. -Note that the first \fBmpls\fR keyword encountered in \fIexpression\fR -changes the decoding offsets for the remainder of \fIexpression\fR on -the assumption that the packet is a MPLS-encapsulated IP packet. The -\fBmpls \fI[label_num]\fR expression may be used more than once, to -filter on MPLS hierarchies. Each use of that expression increments the -filter offsets by 4. -.IP -For example: -.in +.5i -.nf -\fBmpls 100000 && mpls 1024\fR -.fi -.in -.5i -filters packets with an outer label of 100000 and an inner label of -1024, and -.in +.5i -.nf -\fBmpls && mpls 1024 && host 192.9.200.1\fR -.fi -.in -.5i -filters packets to or from 192.9.200.1 with an inner label of 1024 and -any outer label. -.IP \fBpppoed\fP -True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet -type 0x8863). -.IP "\fBpppoes \fI[session_id]\fR" -True if the packet is a PPP-over-Ethernet Session packet (Ethernet -type 0x8864). -If \fI[session_id]\fR is specified, only true if the packet has the specified -\fIsession_id\fR. -Note that the first \fBpppoes\fR keyword encountered in \fIexpression\fR -changes the decoding offsets for the remainder of \fIexpression\fR on -the assumption that the packet is a PPPoE session packet. -.IP -For example: -.in +.5i -.nf -\fBpppoes 0x27 && ip\fR -.fi -.in -.5i -filters IPv4 protocols encapsulated in PPPoE session id 0x27. -.IP "\fBgeneve \fI[vni]\fR" -True if the packet is a Geneve packet (UDP port 6081). 
If \fI[vni]\fR -is specified, only true if the packet has the specified \fIvni\fR. -Note that when the \fBgeneve\fR keyword is encountered in -\fIexpression\fR, it changes the decoding offsets for the remainder of -\fIexpression\fR on the assumption that the packet is a Geneve packet. -.IP -For example: -.in +.5i -.nf -\fBgeneve 0xb && ip\fR -.fi -.in -.5i -filters IPv4 protocols encapsulated in Geneve with VNI 0xb. This will -match both IP directly encapsulated in Geneve as well as IP contained -inside an Ethernet frame. -.IP "\fBiso proto \fIprotocol\fR" -True if the packet is an OSI packet of protocol type \fIprotocol\fP. -\fIProtocol\fP can be a number or one of the names -\fBclnp\fP, \fBesis\fP, or \fBisis\fP. -.IP "\fBclnp\fR, \fBesis\fR, \fBisis\fR" -Abbreviations for: -.in +.5i -.nf -\fBiso proto \fIp\fR -.fi -.in -.5i -where \fIp\fR is one of the above protocols. -.IP "\fBl1\fR, \fBl2\fR, \fBiih\fR, \fBlsp\fR, \fBsnp\fR, \fBcsnp\fR, \fBpsnp\fR" -Abbreviations for IS-IS PDU types. -.IP "\fBvpi\fP \fIn\fR" -True if the packet is an ATM packet, for SunATM on Solaris, with a -virtual path identifier of -.IR n . -.IP "\fBvci\fP \fIn\fR" -True if the packet is an ATM packet, for SunATM on Solaris, with a -virtual channel identifier of -.IR n . -.IP \fBlane\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -an ATM LANE packet. -Note that the first \fBlane\fR keyword encountered in \fIexpression\fR -changes the tests done in the remainder of \fIexpression\fR -on the assumption that the packet is either a LANE emulated Ethernet -packet or a LANE LE Control packet. If \fBlane\fR isn't specified, the -tests are done under the assumption that the packet is an -LLC-encapsulated packet. -.IP \fBoamf4s\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -a segment OAM F4 flow cell (VPI=0 & VCI=3). -.IP \fBoamf4e\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -an end-to-end OAM F4 flow cell (VPI=0 & VCI=4). 
-.IP \fBoamf4\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)). -.IP \fBoam\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)). -.IP \fBmetac\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -on a meta signaling circuit (VPI=0 & VCI=1). -.IP \fBbcc\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -on a broadcast signaling circuit (VPI=0 & VCI=2). -.IP \fBsc\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -on a signaling circuit (VPI=0 & VCI=5). -.IP \fBilmic\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -on an ILMI circuit (VPI=0 & VCI=16). -.IP \fBconnectmsg\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, -Connect Ack, Release, or Release Done message. -.IP \fBmetaconnect\fP -True if the packet is an ATM packet, for SunATM on Solaris, and is -on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, -Release, or Release Done message. -.IP "\fIexpr relop expr\fR" -True if the relation holds, where \fIrelop\fR is one of >, <, >=, <=, =, -!=, and \fIexpr\fR is an arithmetic expression composed of integer -constants (expressed in standard C syntax), the normal binary operators -[+, -, *, /, %, &, |, ^, <<, >>], a length operator, and special packet data -accessors. Note that all comparisons are unsigned, so that, for example, -0x80000000 and 0xffffffff are > 0. -.IP -The % and ^ operators are currently only supported for filtering in the -kernel on Linux with 3.7 and later kernels; on all other systems, if -those operators are used, filtering will be done in user mode, which -will increase the overhead of capturing packets and may cause more -packets to be dropped. 
-.IP -To access data inside the packet, use the following syntax: -.in +.5i -.nf -\fIproto\fB [ \fIexpr\fB : \fIsize\fB ]\fR -.fi -.in -.5i -\fIProto\fR is one of \fBether, fddi, tr, wlan, ppp, slip, link, -ip, arp, rarp, tcp, udp, icmp, ip6\fR or \fBradio\fR, and -indicates the protocol layer for the index operation. -(\fBether, fddi, wlan, tr, ppp, slip\fR and \fBlink\fR all refer to the -link layer. \fBradio\fR refers to the "radio header" added to some -802.11 captures.) -Note that \fItcp, udp\fR and other upper-layer protocol types only -apply to IPv4, not IPv6 (this will be fixed in the future). -The byte offset, relative to the indicated protocol layer, is -given by \fIexpr\fR. -\fISize\fR is optional and indicates the number of bytes in the -field of interest; it can be either one, two, or four, and defaults to one. -The length operator, indicated by the keyword \fBlen\fP, gives the -length of the packet. - -For example, `\fBether[0] & 1 != 0\fP' catches all multicast traffic. -The expression `\fBip[0] & 0xf != 5\fP' -catches all IPv4 packets with options. -The expression -`\fBip[6:2] & 0x1fff = 0\fP' -catches only unfragmented IPv4 datagrams and frag zero of fragmented -IPv4 datagrams. -This check is implicitly applied to the \fBtcp\fP and \fBudp\fP -index operations. -For instance, \fBtcp[0]\fP always means the first -byte of the TCP \fIheader\fP, and never means the first byte of an -intervening fragment. - -Some offsets and field values may be expressed as names rather than -as numeric values. -The following protocol header field offsets are -available: \fBicmptype\fP (ICMP type field), \fBicmp6type (ICMP v6 type field) -\fBicmpcode\fP (ICMP code field), \fBicmp6code\fP (ICMP v6 code field), and -\fBtcpflags\fP (TCP flags field). 
- -The following ICMP type field values are available: \fBicmp-echoreply\fP, -\fBicmp-unreach\fP, \fBicmp-sourcequench\fP, \fBicmp-redirect\fP, -\fBicmp-echo\fP, \fBicmp-routeradvert\fP, \fBicmp-routersolicit\fP, -\fBicmp-timxceed\fP, \fBicmp-paramprob\fP, \fBicmp-tstamp\fP, -\fBicmp-tstampreply\fP, \fBicmp-ireq\fP, \fBicmp-ireqreply\fP, -\fBicmp-maskreq\fP, \fBicmp-maskreply\fP. - -The following ICMPv6 type fields are available: \fBicmp6-echo\fP, -\fBicmp6-echoreply\fP, \fBicmp6-multicastlistenerquery\fP, -\fBicmp6-multicastlistenerreportv1\fP, \fBicmp6-multicastlistenerdone\fP, -\fBicmp6-routersolicit\fP, \fBicmp6-routeradvert\fP, -\fBicmp6-neighborsolicit\fP, \fBicmp6-neighboradvert\fP, \fBicmp6-redirect\fP, -\fBicmp6-routerrenum\fP, \fBicmp6-nodeinformationquery\fP, -\fBicmp6-nodeinformationresponse\fP, \fBicmp6-ineighbordiscoverysolicit\fP, -\fBicmp6-ineighbordiscoveryadvert\fP, \fBicmp6-multicastlistenerreportv2\fP, -\fBicmp6-homeagentdiscoveryrequest\fP, \fBicmp6-homeagentdiscoveryreply\fP, -\fBicmp6-mobileprefixsolicit\fP, \fBicmp6-mobileprefixadvert\fP, -\fBicmp6-certpathsolicit\fP, \fBicmp6-certpathadvert\fP, -\fBicmp6-multicastrouteradvert\fP, \fBicmp6-multicastroutersolicit\fP, -\fBicmp6-multicastrouterterm\fP. - -The following TCP flags field values are available: \fBtcp-fin\fP, -\fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP, -\fBtcp-ack\fP, \fBtcp-urg\fP, \fBtcp-ece\fP, -\fBtcp-cwr\fP. -.LP -Primitives may be combined using: -.IP -A parenthesized group of primitives and operators. -.IP -Negation (`\fB!\fP' or `\fBnot\fP'). -.IP -Concatenation (`\fB&&\fP' or `\fBand\fP'). -.IP -Alternation (`\fB||\fP' or `\fBor\fP'). -.LP -Negation has highest precedence. -Alternation and concatenation have equal precedence and associate -left to right. -Note that explicit \fBand\fR tokens, not juxtaposition, -are now required for concatenation. -.LP -If an identifier is given without a keyword, the most recent keyword -is assumed. 
-For example, -.in +.5i -.nf -\fBnot host vs and ace\fR -.fi -.in -.5i -is short for -.in +.5i -.nf -\fBnot host vs and host ace\fR -.fi -.in -.5i -which should not be confused with -.in +.5i -.nf -\fBnot ( host vs or ace )\fR -.fi -.in -.5i -.SH EXAMPLES -.LP -To select all packets arriving at or departing from \fIsundown\fP: -.RS -.nf -\fBhost sundown\fP -.fi -.RE -.LP -To select traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR: -.RS -.nf -\fBhost helios and \\( hot or ace \\)\fP -.fi -.RE -.LP -To select all IP packets between \fIace\fR and any host except \fIhelios\fR: -.RS -.nf -\fBip host ace and not helios\fP -.fi -.RE -.LP -To select all traffic between local hosts and hosts at Berkeley: -.RS -.nf -.B -net ucb-ether -.fi -.RE -.LP -To select all ftp traffic through internet gateway \fIsnup\fP: -.RS -.nf -.B -gateway snup and (port ftp or ftp-data) -.fi -.RE -.LP -To select traffic neither sourced from nor destined for local hosts -(if you gateway to one other net, this stuff should never make it -onto your local net). -.RS -.nf -.B -ip and not net \fIlocalnet\fP -.fi -.RE -.LP -To select the start and end packets (the SYN and FIN packets) of each -TCP conversation that involves a non-local host. -.RS -.nf -.B -tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP -.fi -.RE -.LP -To select all IPv4 HTTP packets to and from port 80, i.e. print only -packets that contain data, not, for example, SYN and FIN packets and -ACK-only packets. (IPv6 is left as an exercise for the reader.) 
-.RS -.nf -.B -tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) -.fi -.RE -.LP -To select IP packets longer than 576 bytes sent through gateway \fIsnup\fP: -.RS -.nf -.B -gateway snup and ip[2:2] > 576 -.fi -.RE -.LP -To select IP broadcast or multicast packets that were -.I not -sent via Ethernet broadcast or multicast: -.RS -.nf -.B -ether[0] & 1 = 0 and ip[16] >= 224 -.fi -.RE -.LP -To select all ICMP packets that are not echo requests/replies (i.e., not -ping packets): -.RS -.nf -.B -icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply -.fi -.RE -.SH "SEE ALSO" -pcap(3PCAP) -.SH BUGS -To report a security issue please send an e-mail to security@tcpdump.org. -.LP -To report bugs and other problems, contribute patches, request a -feature, provide generic feedback etc please see the file -.I CONTRIBUTING -in the libpcap source tree root. -.LP -Filter expressions on fields other than those in Token Ring headers will -not correctly handle source-routed Token Ring packets. -.LP -Filter expressions on fields other than those in 802.11 headers will not -correctly handle 802.11 data packets with both To DS and From DS set. -.LP -.BR "ip6 proto" -should chase header chain, but at this moment it does not. -.BR "ip6 protochain" -is supplied for this behavior. -.LP -Arithmetic expression against transport layer headers, like \fBtcp[0]\fP, -does not work against IPv6 packets. -It only looks at IPv4 packets. diff --git a/pcap-linktype.manmisc b/pcap-linktype.manmisc deleted file mode 100644 index a0dc1676..00000000 --- a/pcap-linktype.manmisc +++ /dev/null 
@@ -1,48 +0,0 @@
-.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP-LINKTYPE 7 "7 April 2014"
-.SH NAME
-pcap-linktype \- link-layer header types supported by libpcap
-.SH DESCRIPTION
-For a live capture or ``savefile'', libpcap supplies, as the return
-value of the
-.BR pcap_datalink (3PCAP)
-routine, a value that indicates the type of link-layer header at the
-beginning of the packets it provides. This is not necessarily the type
-of link-layer header that the packets being captured have on the network
-from which they're being captured; for example, packets from an IEEE
-802.11 network might be provided by libpcap with Ethernet headers that
-the network adapter or the network adapter driver generates from the
-802.11 headers.
The names for those values begin with
-.BR DLT_ ,
-so they are sometimes called "DLT_ values".
-.PP
-The values stored in the link-layer header type field in the savefile
-header are, in most but not all cases, the same as the values returned
-by
-.BR pcap_datalink() .
-The names for those values begin with
-.BR LINKTYPE_ .
-.PP
-The link-layer header types supported by libpcap are described at
-https://www.tcpdump.org/linktypes.html.
-.SH SEE ALSO
-pcap(3PCAP)
diff --git a/pcap-savefile.manfile b/pcap-savefile.manfile
deleted file mode 100644
index c2de543f..00000000
--- a/pcap-savefile.manfile
+++ /dev/null
@@ -1,133 +0,0 @@
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP-SAVEFILE 5 "8 March 2015"
-.SH NAME
-pcap-savefile \- libpcap savefile format
-.SH DESCRIPTION
-NOTE: applications and libraries should, if possible, use libpcap to
-read savefiles, rather than having their own code to read savefiles.
-If, in the future, a new file format is supported by libpcap,
-applications and libraries using libpcap to read savefiles will be able
-to read the new format of savefiles, but applications and libraries
-using their own code to read savefiles will have to be changed to
-support the new file format.
-.PP
-``Savefiles'' read and written by libpcap and applications using libpcap
-start with a per-file header. The format of the per-file header is:
-.RS
-.TS
-box;
-c s
-c | c
-c s.
-Magic number
-_
-Major version Minor version
-_
-Time zone offset
-_
-Time stamp accuracy
-_
-Snapshot length
-_
-Link-layer header type
-.TE
-.RE
-.PP
-All fields in the per-file header are in the byte order of the host
-writing the file. Normally, the first field in the per-file header is a
-4-byte magic number, with the value 0xa1b2c3d4. The magic number, when
-read by a host with the same byte order as the host that wrote the file,
-will have the value 0xa1b2c3d4, and, when read by a host with the
-opposite byte order as the host that wrote the file, will have the value
-0xd4c3b2a1. That allows software reading the file to determine whether
-the byte order of the host that wrote the file is the same as the byte
-order of the host on which the file is being read, and thus whether the
-values in the per-file and per-packet headers need to be byte-swapped.
-.PP
-If the magic number has the value 0xa1b23c4d (with the two nibbles of
-the two lower-order bytes of the magic number swapped), which would be
-read as 0xa1b23c4d by a host with the same byte order as the host that
-wrote the file and as 0x4d3cb2a1 by a host with the opposite byte order
-as the host that wrote the file, the file format is the same as for
-regular files, except that the time stamps for packets are given in
-seconds and nanoseconds rather than seconds and microseconds.
-.PP
-Following this are:
-.IP
-A 2-byte file format major version number; the current version number is
-2.
-.IP
-A 2-byte file format minor version number; the current version number is
-4.
-.IP
-A 4-byte time zone offset; this is always 0.
-.IP
-A 4-byte number giving the accuracy of time stamps in the file; this is
-always 0.
-.IP
-A 4-byte number giving the "snapshot length" of the capture; packets
-longer than the snapshot length are truncated to the snapshot length, so
-that, if the snapshot length is
-.IR N ,
-only the first
-.I N
-bytes of a packet longer than
-.I N
-bytes will be saved in the capture.
-.IP
-a 4-byte number giving the link-layer header type for packets in the
-capture; see
-.BR pcap-linktype (7)
-for the
-.B LINKTYPE_
-values that can appear in this field.
-.PP
-Following the per-file header are zero or more packets; each packet
-begins with a per-packet header, which is immediately followed by the
-raw packet data. The format of the per-packet header is:
-.RS
-.TS
-box;
-c.
-Time stamp, seconds value
-_
-Time stamp, microseconds or nanoseconds value
-_
-Length of captured packet data
-_
-Un-truncated length of the packet data
-.TE
-.RE
-.PP
-All fields in the per-packet header are in the byte order of the host
-writing the file. The per-packet header begins with a time stamp giving
-the approximate time the packet was captured; the time stamp consists of
-a 4-byte value, giving the time in seconds since January 1, 1970,
-00:00:00 UTC, followed by a 4-byte value, giving the time in
-microseconds or nanoseconds since that second, depending on the magic
-number in the file header. Following that are a 4-byte value giving the
-number of bytes of captured data that follow the per-packet header and a
-4-byte value giving the number of bytes that would have been present had
-the packet not been truncated by the snapshot length. The two lengths
-will be equal if the number of bytes of packet data are less than or
-equal to the snapshot length.
-.SH SEE ALSO
-pcap(3PCAP)
diff --git a/pcap-tstamp.manmisc b/pcap-tstamp.manmisc
deleted file mode 100644
index 22e0317f..00000000
--- a/pcap-tstamp.manmisc
+++ /dev/null
@@ -1,168 +0,0 @@
-.\"
-.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP-TSTAMP 7 "8 March 2015"
-.SH NAME
-pcap-tstamp \- packet time stamps in libpcap
-.SH DESCRIPTION
-When capturing traffic, each packet is given a time stamp representing,
-for incoming packets, the arrival time of the packet and, for outgoing
-packets, the transmission time of the packet. This time is an
-approximation of the arrival or transmission time.
If it is supplied by
-the operating system running on the host on which the capture is being
-done, there are several reasons why it might not precisely represent the
-arrival or transmission time:
-.IP
-if the time stamp is applied to the packet when the networking stack
-receives the packet, the networking stack might not see the packet until
-an interrupt is delivered for the packet or a timer event causes the
-networking device driver to poll for packets, and the time stamp might
-not be applied until the packet has had some processing done by other
-code in the networking stack, so there might be a significant delay
-between the time when the last bit of the packet is received by the
-capture device and when the networking stack time-stamps the packet;
-.IP
-the timer used to generate the time stamps might have low resolution,
-for example, it might be a timer updated once per host operating system
-timer tick, with the host operating system timer ticking once every few
-milliseconds;
-.IP
-a high-resolution timer might use a counter that runs at a rate
-dependent on the processor clock speed, and that clock speed might be
-adjusted upwards or downwards over time and the timer might not be able
-to compensate for all those adjustments;
-.IP
-the host operating system's clock might be adjusted over time to match a
-time standard to which the host is being synchronized, which might be
-done by temporarily slowing down or speeding up the clock or by making a
-single adjustment;
-.IP
-different CPU cores on a multi-core or multi-processor system might be
-running at different speeds, or might not have time counters all
-synchronized, so packets time-stamped by different cores might not have
-consistent time stamps.
-.LP
-In addition, packets time-stamped by different cores might be
-time-stamped in one order and added to the queue of packets for libpcap
-to read in another order, so time stamps might not be monotonically
-increasing.
-.LP -Some capture devices on some platforms can provide time stamps for -packets; those time stamps are usually high-resolution time stamps, and -are usually applied to the packet when the first or last bit of the -packet arrives, and are thus more accurate than time stamps provided by -the host operating system. Those time stamps might not, however, be -synchronized with the host operating system's clock, so that, for -example, the time stamp of a packet might not correspond to the time -stamp of an event on the host triggered by the arrival of that packet. -.LP -Depending on the capture device and the software on the host, libpcap -might allow different types of time stamp to be used. The -.BR pcap_list_tstamp_types (3PCAP) -routine provides, for a packet capture handle created by -.BR pcap_create (3PCAP) -but not yet activated by -.BR pcap_activate (3PCAP), -a list of time stamp types supported by the capture device for that -handle. -The list might be empty, in which case no choice of time stamp type is -offered for that capture device. If the list is not empty, the -.BR pcap_set_tstamp_type (3PCAP) -routine can be used after a -.B pcap_create() -call and before a -.B pcap_activate() -call to specify the type of time stamp to be used on the device. -The time stamp types are listed here; the first value is the #define to -use in code, the second value is the value returned by -.B pcap_tstamp_type_val_to_name(3PCAP) -and accepted by -.BR pcap_tstamp_type_name_to_val(3PCAP) . -.RS 5 -.TP 5 -.BR PCAP_TSTAMP_HOST " - " host -Time stamp provided by the host on which the capture is being done. The -precision of this time stamp is unspecified; it might or might not be -synchronized with the host operating system's clock. -.TP 5 -.BR PCAP_TSTAMP_HOST_LOWPREC " - " host_lowprec -Time stamp provided by the host on which the capture is being done. -This is a low-precision time stamp, synchronized with the host operating -system's clock. 
-.TP 5 -.BR PCAP_TSTAMP_HOST_HIPREC " - " host_hiprec -Time stamp provided by the host on which the capture is being done. -This is a high-precision time stamp; it might or might not be -synchronized with the host operating system's clock. It might be more -expensive to fetch than -.BR PCAP_TSTAMP_HOST_LOWPREC . -.TP 5 -.BR PCAP_TSTAMP_ADAPTER " - " adapter -Time stamp provided by the network adapter on which the capture is being -done. This is a high-precision time stamp, synchronized with the host -operating system's clock. -.TP 5 -.BR PCAP_TSTAMP_ADAPTER_UNSYNCED " - " adapter_unsynced -Time stamp provided by the network adapter on which the capture is being -done. This is a high-precision time stamp; it is not synchronized with -the host operating system's clock. -.RE -.LP -By default, when performing a live capture or reading from a savefile, -time stamps are supplied as seconds since January 1, 1970, 00:00:00 UTC, -and microseconds since that seconds value, even if higher-resolution -time stamps are available from the capture device or in the savefile. -If, when reading a savefile, the time stamps in the file have a higher -resolution than one microsecond, the additional digits of resolution are -discarded. -.LP -The -.BR pcap_set_tstamp_precision (3PCAP) -routine can be used after a -.B pcap_create() -call and after a -.B pcap_activate() -call to specify the resolution of the time stamps to get for the device. -If the hardware or software cannot supply a higher-resolution time -stamp, the -.B pcap_set_tstamp_precision() -call will fail, and the time stamps supplied after the -.B pcap_activate() -call will have microsecond resolution. 
-.LP
-When opening a savefile, the
-.BR \%pcap_open_offline_with_tstamp_precision (3PCAP)
-and
-.BR \%pcap_fopen_offline_with_tstamp_precision (3PCAP)
-routines can be used to specify the resolution of time stamps to be read
-from the file; if the time stamps in the file have a lower resolution,
-the fraction-of-a-second portion of the time stamps will be scaled to
-the specified resolution.
-.LP
-The
-.BR pcap_get_tstamp_precision (3PCAP)
-routine returns the resolution of time stamps that will be supplied;
-when capturing packets, this does not reflect the actual precision of
-the time stamp supplied by the hardware or operating system and, when
-reading a savefile, this does not indicate the actual precision of time
-stamps in the file.
-.SH SEE ALSO
-pcap(3PCAP)
diff --git a/pcap.3pcap b/pcap.3pcap
deleted file mode 100644
index 238f7d38..00000000
--- a/pcap.3pcap
+++ /dev/null
@@ -1,982 +0,0 @@
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP 3PCAP "25 July 2018"
-.SH NAME
-pcap \- Packet Capture library
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.LP
-.ft B
-.ft
-.fi
-.SH DESCRIPTION
-The Packet Capture library
-provides a high level interface to packet capture systems. All packets
-on the network, even those destined for other hosts, are accessible
-through this mechanism.
-It also supports saving captured packets to a ``savefile'', and reading
-packets from a ``savefile''.
-.SS Opening a capture handle for reading
-To open a handle for a live capture, given the name of the network or
-other interface on which the capture should be done, call
-.BR pcap_create (),
-set the appropriate options on the handle, and then activate it with
-.BR pcap_activate ().
-.PP
-To obtain a list of devices that can be opened for a live capture, call
-.BR pcap_findalldevs ();
-to free the list returned by
-.BR pcap_findalldevs (),
-call
-.BR pcap_freealldevs ().
-.BR pcap_lookupdev ()
-will return the first device on that list that is not a ``loopback``
-network interface.
-.PP
-To open a handle for a ``savefile'' from which to read packets, given the
-pathname of the ``savefile'', call
-.BR pcap_open_offline ();
-to set up a handle for a ``savefile'', given a
-.B "FILE\ *"
-referring to a file already opened for reading, call
-.BR pcap_fopen_offline ().
-.PP
-In order to get a ``fake''
-.B pcap_t
-for use in routines that require a
-.B pcap_t
-as an argument, such as routines to open a ``savefile'' for writing and
-to compile a filter expression, call
-.BR pcap_open_dead ().
-.PP
-.BR pcap_create (),
-.BR pcap_open_offline (),
-.BR pcap_fopen_offline (),
-and
-.BR pcap_open_dead ()
-return a pointer to a
-.BR pcap_t ,
-which is the handle used for reading packets from the capture stream or
-the ``savefile'', and for finding out information about the capture
-stream or ``savefile''.
-To close a handle, use
-.BR pcap_close ().
-.PP
-The options that can be set on a capture handle include
-.IP "snapshot length"
-If, when capturing, you capture the entire contents of the packet, that
-requires more CPU time to copy the packet to your application, more disk
-and possibly network bandwidth to write the packet data to a file, and
-more disk space to save the packet. If you don't need the entire
-contents of the packet - for example, if you are only interested in the
-TCP headers of packets - you can set the "snapshot length" for the
-capture to an appropriate value. If the snapshot length is set to
-.IR snaplen ,
-and
-.I snaplen
-is less
-than the size of a packet that is captured, only the first
-.I snaplen
-bytes of that packet will be captured and provided as packet data.
-.IP
-A snapshot length of 65535 should be sufficient, on most if not all
-networks, to capture all the data available from the packet.
-.IP
-The snapshot length is set with
-.BR pcap_set_snaplen ().
-.IP "promiscuous mode"
-On broadcast LANs such as Ethernet, if the network isn't switched, or if
-the adapter is connected to a "mirror port" on a switch to which all
-packets passing through the switch are sent, a network adapter receives
-all packets on the LAN, including unicast or multicast packets not sent
-to a network address that the network adapter isn't configured to
-recognize.
-.IP
-Normally, the adapter will discard those packets; however, many network
-adapters support "promiscuous mode", which is a mode in which all
-packets, even if they are not sent to an address that the adapter
-recognizes, are provided to the host. This is useful for passively
-capturing traffic between two or more other hosts for analysis.
-.IP
-Note that even if an application does not set promiscuous mode, the
-adapter could well be in promiscuous mode for some other reason.
-.IP
-For now, this doesn't work on the "any" device; if an argument of "any"
-or NULL is supplied, the setting of promiscuous mode is ignored.
-.IP
-Promiscuous mode is set with
-.BR pcap_set_promisc ().
-.IP "monitor mode"
-On IEEE 802.11 wireless LANs, even if an adapter is in promiscuous mode,
-it will supply to the host only frames for the network with which it's
-associated. It might also supply only data frames, not management or
-control frames, and might not provide the 802.11 header or radio
-information pseudo-header for those frames.
-.IP
-In "monitor mode", sometimes also called "rfmon mode" (for "Radio
-Frequency MONitor"), the adapter will supply all frames that it
-receives, with 802.11 headers, and might supply a pseudo-header with
-radio information about the frame as well.
-.IP
-Note that in monitor mode the adapter might disassociate from the
-network with which it's associated, so that you will not be able to use
-any wireless networks with that adapter. This could prevent accessing
-files on a network server, or resolving host names or network addresses,
-if you are capturing in monitor mode and are not connected to another
-network with another adapter.
-.IP
-Monitor mode is set with
-.BR pcap_set_rfmon (),
-and
-.BR pcap_can_set_rfmon ()
-can be used to determine whether an adapter can be put into monitor
-mode.
-.IP "packet buffer timeout"
-If, when capturing, packets are delivered as soon as they arrive, the
-application capturing the packets will be woken up for each packet as it
-arrives, and might have to make one or more calls to the operating
-system to fetch each packet.
-.IP
-If, instead, packets are not delivered as soon as they arrive, but are
-delivered after a short delay (called a "packet buffer timeout"), more
-than one packet can be accumulated before the packets are delivered, so
-that a single wakeup would be done for multiple packets, and each set of
-calls made to the operating system would supply multiple packets, rather
-than a single packet. This reduces the per-packet CPU overhead if
-packets are arriving at a high rate, increasing the number of packets
-per second that can be captured.
-.IP
-The packet buffer timeout is required so that an application won't wait
-for the operating system's capture buffer to fill up before packets are
-delivered; if packets are arriving slowly, that wait could take an
-arbitrarily long period of time.
-.IP
-Not all platforms support a packet buffer timeout; on platforms that
-don't, the packet buffer timeout is ignored. A zero value for the
-timeout, on platforms that support a packet buffer timeout, will cause a
-read to wait forever to allow enough packets to arrive, with no timeout.
-A negative value is invalid; the result of setting the timeout to a
-negative value is unpredictable.
-.IP
-.BR NOTE :
-the packet buffer timeout cannot be used to cause calls that read
-packets to return within a limited period of time, because, on some
-platforms, the packet buffer timeout isn't supported, and, on other
-platforms, the timer doesn't start until at least one packet arrives.
-This means that the packet buffer timeout should
-.B NOT
-be used, for example, in an interactive application to allow the packet
-capture loop to ``poll'' for user input periodically, as there's no
-guarantee that a call reading packets will return after the timeout
-expires even if no packets have arrived.
-.IP
-The packet buffer timeout is set with
-.BR pcap_set_timeout ().
-.IP "immediate mode"
-In immediate mode, packets are always delivered as soon as they arrive,
-with no buffering. Immediate mode is set with
-.BR pcap_set_immediate_mode ().
-.IP "buffer size"
-Packets that arrive for a capture are stored in a buffer, so that they
-do not have to be read by the application as soon as they arrive. On
-some platforms, the buffer's size can be set; a size that's too small
-could mean that, if too many packets are being captured and the snapshot
-length doesn't limit the amount of data that's buffered, packets could
-be dropped if the buffer fills up before the application can read
-packets from it, while a size that's too large could use more
-non-pageable operating system memory than is necessary to prevent
-packets from being dropped.
-.IP
-The buffer size is set with
-.BR pcap_set_buffer_size ().
-.IP "timestamp type"
-On some platforms, the time stamp given to packets on live captures can
-come from different sources that can have different resolutions or that
-can have different relationships to the time values for the current time
-supplied by routines on the native operating system. See
-.BR pcap-tstamp (7)
-for a list of time stamp types.
-.IP
-The time stamp type is set with
-.BR pcap_set_tstamp_type ().
-.PP
-Reading packets from a network interface may require that you have
-special privileges:
-.TP
-.B Under SunOS 3.x or 4.x with NIT or BPF:
-You must have read access to
-.I /dev/nit
-or
-.IR /dev/bpf* .
-.TP
-.B Under Solaris with DLPI:
-You must have read/write access to the network pseudo device, e.g.
-.IR /dev/le .
-On at least some versions of Solaris, however, this is not sufficient to
-allow
-.I tcpdump
-to capture in promiscuous mode; on those versions of Solaris, you must
-be root, or the application capturing packets
-must be installed setuid to root, in order to capture in promiscuous
-mode. Note that, on many (perhaps all) interfaces, if you don't capture
-in promiscuous mode, you will not see any outgoing packets, so a capture
-not done in promiscuous mode may not be very useful.
-.IP
-In newer versions of Solaris, you must have been given the
-.B net_rawaccess
-privilege; this is both necessary and sufficient to give you access to the
-network pseudo-device - there is no need to change the privileges on
-that device. A user can be given that privilege by, for example, adding
-that privilege to the user's
-.B defaultpriv
-key with the
-.B usermod (8)
-command.
-.TP
-.B Under HP-UX with DLPI:
-You must be root or the application capturing packets must be installed
-setuid to root.
-.TP
-.B Under IRIX with snoop:
-You must be root or the application capturing packets must be installed
-setuid to root.
-.TP
-.B Under Linux:
-You must be root or the application capturing packets must be installed
-setuid to root (unless your distribution has a kernel
-that supports capability bits such as CAP_NET_RAW and code to allow
-those capability bits to be given to particular accounts and to cause
-those bits to be set on a user's initial processes when they log in, in
-which case you must have CAP_NET_RAW in order to capture and
-CAP_NET_ADMIN to enumerate network devices with, for example, the
-.B \-D
-flag).
-.TP
-.B Under ULTRIX and Digital UNIX/Tru64 UNIX:
-Any user may capture network traffic.
-However, no user (not even the super-user) can capture in promiscuous
-mode on an interface unless the super-user has enabled promiscuous-mode
-operation on that interface using
-.IR pfconfig (8),
-and no user (not even the super-user) can capture unicast traffic
-received by or sent by the machine on an interface unless the super-user
-has enabled copy-all-mode operation on that interface using
-.IR pfconfig ,
-so
-.I useful
-packet capture on an interface probably requires that either
-promiscuous-mode or copy-all-mode operation, or both modes of
-operation, be enabled on that interface.
-.TP
-.B Under BSD (this includes macOS):
-You must have read access to
-.I /dev/bpf*
-on systems that don't have a cloning BPF device, or to
-.I /dev/bpf
-on systems that do.
-On BSDs with a devfs (this includes macOS), this might involve more
-than just having somebody with super-user access setting the ownership
-or permissions on the BPF devices - it might involve configuring devfs
-to set the ownership or permissions every time the system is booted,
-if the system even supports that; if it doesn't support that, you might
-have to find some other way to make that happen at boot time.
-.PP
-Reading a saved packet file doesn't require special privileges.
-.PP
-The packets read from the handle may include a ``pseudo-header''
-containing various forms of packet meta-data, and probably includes a
-link-layer header whose contents can differ for different network
-interfaces. To determine the format of the packets supplied by the
-handle, call
-.BR pcap_datalink ();
-.I https://www.tcpdump.org/linktypes.html
-lists the values it returns and describes the packet formats that
-correspond to those values.
-.PP
-Do
-.B NOT
-assume that the packets for a given capture or ``savefile`` will have
-any given link-layer header type, such as
-.B DLT_EN10MB
-for Ethernet. For example, the "any" device on Linux will have a
-link-layer header type of
-.B DLT_LINUX_SLL
-even if all devices on the system at the time the "any" device is opened
-have some other data link type, such as
-.B DLT_EN10MB
-for Ethernet.
-.PP
-To obtain the
-.B "FILE\ *"
-corresponding to a
-.B pcap_t
-opened for a ``savefile'', call
-.BR pcap_file ().
-.TP
-.B Routines
-.RS
-.TP
-.BR pcap_create (3PCAP)
-get a
-.B pcap_t
-for live capture
-.TP
-.BR pcap_activate (3PCAP)
-activate a
-.B pcap_t
-for live capture
-.TP
-.BR pcap_findalldevs (3PCAP)
-get a list of devices that can be opened for a live capture
-.TP
-.BR pcap_freealldevs (3PCAP)
-free list of devices
-.TP
-.BR pcap_lookupdev (3PCAP)
-get first non-loopback device on that list
-.TP
-.BR pcap_open_offline (3PCAP)
-open a
-.B pcap_t
-for a ``savefile'', given a pathname
-.TP
-.BR pcap_open_offline_with_tstamp_precision (3PCAP)
-open a
-.B pcap_t
-for a ``savefile'', given a pathname, and specify the precision to
-provide for packet time stamps
-.TP
-.BR pcap_fopen_offline (3PCAP)
-open a
-.B pcap_t
-for a ``savefile'', given a
-.B "FILE\ *"
-.TP
-.BR pcap_fopen_offline_with_tstamp_precision (3PCAP)
-open a
-.B pcap_t
-for a ``savefile'', given a
-.BR "FILE\ *" ,
-and specify the precision to provide for packet time stamps
-.TP
-.BR pcap_open_dead (3PCAP)
-create a ``fake''
-.B pcap_t
-.TP
-.BR pcap_close (3PCAP)
-close a
-.B pcap_t
-.TP
-.BR pcap_set_snaplen (3PCAP)
-set the snapshot length for a not-yet-activated
-.B pcap_t
-for live capture
-.TP
-.BR pcap_snapshot (3PCAP)
-get the snapshot length for a
-.B pcap_t
-.TP
-.BR pcap_set_promisc (3PCAP)
-set promiscuous mode for a not-yet-activated
-.B pcap_t
-for live capture
-.TP
-.BR pcap_set_protocol_linux (3PCAP)
-set capture protocol for a not-yet-activated
-.B pcap_t
-for live capture (Linux only)
-.TP
-.BR pcap_set_rfmon (3PCAP)
-set monitor mode for a not-yet-activated
-.B pcap_t
-for live capture
-.TP
-.BR pcap_can_set_rfmon (3PCAP)
-determine whether monitor mode can be set for a
-.B pcap_t
-for live capture
-.TP
-.BR pcap_set_timeout (3PCAP)
-set packet buffer timeout for a not-yet-activated
-.B pcap_t
-for live capture
-.TP
-.BR pcap_set_immediate_mode (3PCAP)
-set immediate mode for a not-yet-activated
-.B pcap_t
-for live capture
-.TP
-.BR pcap_set_buffer_size (3PCAP)
-set buffer size for a not-yet-activated
-.B pcap_t
-for live capture
-.TP
-.BR pcap_set_tstamp_type (3PCAP)
-set time stamp type for a not-yet-activated
-.B pcap_t
-for live capture
-.TP
-.BR pcap_list_tstamp_types (3PCAP)
-get list of available time stamp types for a not-yet-activated
-.B pcap_t
-for live capture
-.TP
-.BR pcap_free_tstamp_types (3PCAP)
-free list of available time stamp types
-.TP
-.BR pcap_tstamp_type_val_to_name (3PCAP)
-get name for a time stamp type
-.TP
-.BR pcap_tstamp_type_val_to_description (3PCAP)
-get description for a time stamp type
-.TP
-.BR pcap_tstamp_type_name_to_val (3PCAP)
-get time stamp type corresponding to a name
-.TP
-.BR pcap_set_tstamp_precision (3PCAP)
-set time stamp precision for a not-yet-activated
-.B pcap_t
-for live capture
-.TP
-.BR pcap_get_tstamp_precision (3PCAP)
-get the time stamp precision of a
-.B pcap_t
-for live capture
-.TP
-.BR pcap_datalink (3PCAP)
-get link-layer header type for a
-.B pcap_t
-.TP
-.BR pcap_file (3PCAP)
-get the
-.B "FILE\ *"
-for a
-.B pcap_t
-opened for a ``savefile''
-.TP
-.BR pcap_is_swapped (3PCAP)
-determine whether a ``savefile'' being read came from a machine with the
-opposite byte order
-.TP
-.BR pcap_major_version (3PCAP)
-.PD 0
-.TP
-.BR pcap_minor_version (3PCAP)
-get the major and minor version of the file format version for a
-``savefile''
-.PD
-.RE
-.SS Selecting a link-layer header type for a live capture
-Some devices may provide more than one link-layer header type. To
-obtain a list of all link-layer header types provided by a device, call
-.BR pcap_list_datalinks ()
-on an activated
-.B pcap_t
-for the device.
-To free a list of link-layer header types, call
-.BR pcap_free_datalinks ().
-To set the link-layer header type for a device, call
-.BR pcap_set_datalink ().
-This should be done after the device has been activated but before any
-packets are read and before any filters are compiled or installed.
-.TP
-.B Routines
-.RS
-.TP
-.BR pcap_list_datalinks (3PCAP)
-get a list of link-layer header types for a device
-.TP
-.BR pcap_free_datalinks (3PCAP)
-free list of link-layer header types
-.TP
-.BR pcap_set_datalink (3PCAP)
-set link-layer header type for a device
-.TP
-.BR pcap_datalink_val_to_name (3PCAP)
-get name for a link-layer header type
-.TP
-.BR pcap_datalink_val_to_description (3PCAP)
-get description for a link-layer header type
-.TP
-.BR pcap_datalink_name_to_val (3PCAP)
-get link-layer header type corresponding to a name
-.RE
-.SS Reading packets
-Packets are read with
-.BR pcap_dispatch ()
-or
-.BR pcap_loop (),
-which process one or more packets, calling a callback routine for each
-packet, or with
-.BR pcap_next ()
-or
-.BR pcap_next_ex (),
-which return the next packet.
-The callback for
-.BR pcap_dispatch ()
-and
-.BR pcap_loop ()
-is supplied a pointer to a
-.IR "struct pcap_pkthdr" ,
-which includes the following members:
-.RS
-.TP
-.B ts
-a
-.I struct timeval
-containing the time when the packet was captured
-.TP
-.B caplen
-a
-.I bpf_u_int32
-giving the number of bytes of the packet that are available from the
-capture
-.TP
-.B len
-a
-.I bpf_u_int32
-giving the length of the packet, in bytes (which might be more than the
-number of bytes available from the capture, if the length of the packet
-is larger than the maximum number of bytes to capture).
-.RE
-.PP
-The callback is also supplied a
-.I const u_char
-pointer to the first
-.B caplen
-(as given in the
-.I struct pcap_pkthdr
-mentioned above)
-bytes of data from the packet. This won't necessarily be the entire
-packet; to capture the entire packet, you will have to provide a value
-for
-.I snaplen
-in your call to
-.BR pcap_set_snaplen ()
-that is sufficiently large to get all of the packet's data - a value of
-65535 should be sufficient on most if not all networks). When reading
-from a ``savefile'', the snapshot length specified when the capture was
-performed will limit the amount of packet data available.
-.PP
-.BR pcap_next ()
-is passed an argument that points to a
-.I struct pcap_pkthdr
-structure, and fills it in with the time stamp and length values for the
-packet. It returns a
-.I const u_char
-to the first
-.B caplen
-bytes of the packet on success, and NULL on error.
-.PP
-.BR pcap_next_ex ()
-is passed two pointer arguments, one of which points to a
-.IR struct pcap_pkthdr *
-and one of which points to a
-.IR "const u_char" *.
-It sets the first pointer to point to a
-.I struct pcap_pkthdr
-structure with the time stamp and length values for the packet, and sets
-the second pointer to point to the first
-.B caplen
-bytes of the packet.
-.PP
-To force the loop in
-.BR pcap_dispatch ()
-or
-.BR pcap_loop ()
-to terminate, call
-.BR pcap_breakloop ().
-.PP
-By default, when reading packets from an interface opened for a live
-capture,
-.BR pcap_dispatch (),
-.BR pcap_next (),
-and
-.BR pcap_next_ex ()
-will, if no packets are currently available to be read, block waiting
-for packets to become available. On some, but
-.I not
-all, platforms, if a packet buffer timeout was specified, the wait will
-terminate after the packet buffer timeout expires; applications should
-be prepared for this, as it happens on some platforms, but should not
-rely on it, as it does not happen on other platforms. Note that the
-wait might, or might not, terminate even if no packets are available;
-applications should be prepared for this to happen, but must not rely on
-it happening.
-.PP
-A handle can be put into ``non-blocking mode'', so that those routines
-will, rather than blocking, return an indication that no packets are
-available to read. Call
-.BR pcap_setnonblock ()
-to put a handle into non-blocking mode or to take it out of non-blocking
-mode; call
-.BR pcap_getnonblock ()
-to determine whether a handle is in non-blocking mode. Note that
-non-blocking mode does not work correctly in Mac OS X 10.6.
-.PP
-Non-blocking mode is often combined with routines such as
-.BR select (2)
-or
-.BR poll (2)
-or other routines a platform offers to wait for any of a set of
-descriptors to be ready to read. To obtain, for a handle, a descriptor
-that can be used in those routines, call
-.BR pcap_get_selectable_fd ().
-If the routine indicates that data is
-available to read on the descriptor, an attempt should be made to read
-from the device.
-.PP
-Not all handles have such a descriptor available;
-.BR pcap_get_selectable_fd ()
-will return
-.B PCAP_ERROR
-if no such descriptor is available. If no such
-descriptor is available, this may be because the device must be polled
-periodically for packets; in that case,
-.BR pcap_get_required_select_timeout ()
-will return a pointer to a
-.B struct timeval
-whose value can be used as a timeout in those routines. When the
-routine returns, an attmept should be made to read packets from the
-device. If
-.BR pcap_get_required_select_timeout ()
-returns NULL, no such timeout is available, and those routines cannot be
-used with the device.
-.PP
-In addition, for various
-reasons, one or more of those routines will not work properly with the
-descriptor; the documentation for
-.BR pcap_get_selectable_fd ()
-gives details. Note that, just as an attempt to read packets from a
-.B pcap_t
-may not return any packets if the packet buffer timeout expires, a
-.BR select (),
-.BR poll (),
-or other such call may, if the packet buffer timeout expires, indicate
-that a descriptor is ready to read even if there are no packets
-available to read.
-.TP
-.B Routines
-.RS
-.TP
-.BR pcap_dispatch (3PCAP)
-read a bufferful of packets from a
-.B pcap_t
-open for a live capture or the full set of packets from a
-.B pcap_t
-open for a ``savefile''
-.TP
-.BR pcap_loop (3PCAP)
-read packets from a
-.B pcap_t
-until an interrupt or error occurs
-.TP
-.BR pcap_next (3PCAP)
-read the next packet from a
-.B pcap_t
-without an indication whether an error occurred
-.TP
-.BR pcap_next_ex (3PCAP)
-read the next packet from a
-.B pcap_t
-with an error indication on an error
-.TP
-.BR pcap_breakloop (3PCAP)
-prematurely terminate the loop in
-.BR pcap_dispatch ()
-or
-.BR pcap_loop ()
-.TP
-.BR pcap_setnonblock (3PCAP)
-set or clear non-blocking mode on a
-.B pcap_t
-.TP
-.BR pcap_getnonblock (3PCAP)
-get the state of non-blocking mode for a
-.B pcap_t
-.TP
-.BR pcap_get_selectable_fd (3PCAP)
-attempt to get a descriptor for a
-.B pcap_t
-that can be used in calls such as
-.BR select (2)
-and
-.BR poll (2)
-.TP
-.BR pcap_get_required_select_timeout (3PCAP)
-if no descriptor usable with
-.BR select (2)
-and
-.BR poll (2)
-is available for the
-.BR pcap_t ,
-attempt to get a timeout usable with those routines
-.RE
-.SS Filters
-In order to cause only certain packets to be returned when reading
-packets, a filter can be set on a handle. For a live capture, the
-filtering will be performed in kernel mode, if possible, to avoid
-copying ``uninteresting'' packets from the kernel to user mode.
-.PP
-A filter can be specified as a text string; the syntax and semantics of
-the string are as described by
-.BR pcap-filter (7).
-A filter string is compiled into a program in a pseudo-machine-language
-by
-.BR pcap_compile ()
-and the resulting program can be made a filter for a handle with
-.BR pcap_setfilter ().
-The result of
-.BR pcap_compile ()
-can be freed with a call to
-.BR pcap_freecode ().
-.BR pcap_compile ()
-may require a network mask for certain expressions in the filter string;
-.BR pcap_lookupnet ()
-can be used to find the network address and network mask for a given
-capture device.
-.PP
-A compiled filter can also be applied directly to a packet that has been
-read using
-.BR pcap_offline_filter ().
-.TP
-.B Routines
-.RS
-.TP
-.BR pcap_compile (3PCAP)
-compile filter expression to a pseudo-machine-language code program
-.TP
-.BR pcap_freecode (3PCAP)
-free a filter program
-.TP
-.BR pcap_setfilter (3PCAP)
-set filter for a
-.B pcap_t
-.TP
-.BR pcap_lookupnet (3PCAP)
-get network address and network mask for a capture device
-.TP
-.BR pcap_offline_filter (3PCAP)
-apply a filter program to a packet
-.RE
-.SS Incoming and outgoing packets
-By default, libpcap will attempt to capture both packets sent by the
-machine and packets received by the machine. To limit it to capturing
-only packets received by the machine or, if possible, only packets sent
-by the machine, call
-.BR pcap_setdirection ().
-.TP
-.BR Routines
-.RS
-.TP
-.BR pcap_setdirection (3PCAP)
-specify whether to capture incoming packets, outgoing packets, or both
-.RE
-.SS Capture statistics
-To get statistics about packets received and dropped in a live capture,
-call
-.BR pcap_stats ().
-.TP
-.B Routines
-.RS
-.TP
-.BR pcap_stats (3PCAP)
-get capture statistics
-.RE
-.SS Opening a handle for writing captured packets
-To open a ``savefile`` to which to write packets, given the pathname the
-``savefile'' should have, call
-.BR pcap_dump_open ().
-To open a ``savefile`` to which to write packets, given the pathname the
-``savefile'' should have, call
-.BR pcap_dump_open ();
-to set up a handle for a ``savefile'', given a
-.B "FILE\ *"
-referring to a file already opened for writing, call
-.BR pcap_dump_fopen ().
-They each return pointers to a
-.BR pcap_dumper_t ,
-which is the handle used for writing packets to the ``savefile''. If it
-succeeds, it will have created the file if it doesn't exist and
-truncated the file if it does exist.
-To close a
-.BR pcap_dumper_t ,
-call
-.BR pcap_dump_close ().
-.TP
-.B Routines
-.RS
-.TP
-.BR pcap_dump_open (3PCAP)
-open a
-.B pcap_dumper_t
-for a ``savefile``, given a pathname
-.TP
-.BR pcap_dump_fopen (3PCAP)
-open a
-.B pcap_dumper_t
-for a ``savefile``, given a
-.B "FILE\ *"
-.TP
-.BR pcap_dump_close (3PCAP)
-close a
-.B pcap_dumper_t
-.TP
-.BR pcap_dump_file (3PCAP)
-get the
-.B "FILE\ *"
-for a
-.B pcap_dumper_t
-opened for a ``savefile''
-.RE
-.SS Writing packets
-To write a packet to a
-.BR pcap_dumper_t ,
-call
-.BR pcap_dump ().
-Packets written with
-.BR pcap_dump ()
-may be buffered, rather than being immediately written to the
-``savefile''. Closing the
-.B pcap_dumper_t
-will cause all buffered-but-not-yet-written packets to be written to the
-``savefile''.
-To force all packets written to the
-.BR pcap_dumper_t ,
-and not yet written to the ``savefile'' because they're buffered by the
-.BR pcap_dumper_t ,
-to be written to the ``savefile'', without closing the
-.BR pcap_dumper_t ,
-call
-.BR pcap_dump_flush ().
-.TP
-.B Routines
-.RS
-.TP
-.BR pcap_dump (3PCAP)
-write packet to a
-.B pcap_dumper_t
-.TP
-.BR pcap_dump_flush (3PCAP)
-flush buffered packets written to a
-.B pcap_dumper_t
-to the ``savefile''
-.TP
-.BR pcap_dump_ftell (3PCAP)
-get current file position for a
-.B pcap_dumper_t
-.RE
-.SS Injecting packets
-If you have the required privileges, you can inject packets onto a
-network with a
-.B pcap_t
-for a live capture, using
-.BR pcap_inject ()
-or
-.BR pcap_sendpacket ().
-(The two routines exist for compatibility with both OpenBSD and WinPcap;
-they perform the same function, but have different return values.)
-.TP
-.B Routines
-.RS
-.TP
-.BR pcap_inject (3PCAP)
-.PD 0
-.TP
-.BR pcap_sendpacket (3PCAP)
-transmit a packet
-.PD
-.RE
-.SS Reporting errors
-Some routines return error or warning status codes; to convert them to a
-string, use
-.BR pcap_statustostr ().
-.TP
-.B Routines
-.RS
-.TP
-.BR pcap_statustostr (3PCAP)
-get a string for an error or warning status code
-.RE
-.SS Getting library version information
-To get a string giving version information about libpcap, call
-.BR pcap_lib_version ().
-.TP
-.B Routines
-.RS
-.TP
-.BR pcap_lib_version (3PCAP)
-get library version string
-.RE
-.SH BACKWARD COMPATIBILITY
-.PP
-In versions of libpcap prior to 1.0, the
-.B pcap.h
-header file was not in a
-.B pcap
-directory on most platforms; if you are writing an application that must
-work on versions of libpcap prior to 1.0, include
-.BR <pcap.h> ,
-which will include
-.B <pcap/pcap.h>
-for you, rather than including
-.BR <pcap/pcap.h> .
-.PP
-.BR pcap_create ()
-and
-.BR pcap_activate ()
-were not available in versions of libpcap prior to 1.0; if you are
-writing an application that must work on versions of libpcap prior to
-1.0, either use
-.BR pcap_open_live ()
-to get a handle for a live capture or, if you want to be able to use the
-additional capabilities offered by using
-.BR pcap_create ()
-and
-.BR pcap_activate (),
-use an
-.BR autoconf (1)
-script or some other configuration script to check whether the libpcap
-1.0 APIs are available and use them only if they are.
-.SH SEE ALSO
-autoconf(1), tcpdump(1), tcpslice(1), pcap-filter(7), pfconfig(8),
-usermod(8)
-.SH AUTHORS
-The original authors of libpcap are:
-.LP
-Van Jacobson,
-Craig Leres and
-Steven McCanne, all of the
-Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
-.LP
-The current version is available from "The Tcpdump Group"'s Web site at
-.LP
-.RS
-.I https://www.tcpdump.org/
-.RE
-.SH BUGS
-To report a security issue please send an e-mail to security@tcpdump.org.
-.LP
-To report bugs and other problems, contribute patches, request a
-feature, provide generic feedback etc please see the file
-.I CONTRIBUTING
-in the libpcap source tree root.
diff --git a/pcap_compile.3pcap b/pcap_compile.3pcap
deleted file mode 100644
index 1f1e44ef..00000000
--- a/pcap_compile.3pcap
+++ /dev/null
@@ -1,89 +0,0 @@
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP_COMPILE 3PCAP "22 August 2018"
-.SH NAME
-pcap_compile \- compile a filter expression
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.ft
-.LP
-.ft B
-int pcap_compile(pcap_t *p, struct bpf_program *fp,
-.ti +8
-const char *str, int optimize, bpf_u_int32 netmask);
-.ft
-.fi
-.SH DESCRIPTION
-.B pcap_compile()
-is used to compile the string
-.I str
-into a filter program. See
-.BR pcap-filter (7)
-for the syntax of that string.
-.I program
-is a pointer to a
-.I bpf_program
-struct and is filled in by
-.BR pcap_compile() .
-.I optimize
-controls whether optimization on the resulting code is performed.
-.I netmask
-specifies the IPv4 netmask of the network on which packets are being
-captured; it is used only when checking for IPv4 broadcast addresses in
-the filter program. If the netmask of the network on which packets are
-being captured isn't known to the program, or if packets are being
-captured on the Linux "any" pseudo-interface that can capture on more
-than one network, a value of
-.B PCAP_NETMASK_UNKNOWN
-can be supplied; tests
-for IPv4 broadcast addresses will fail to compile, but all other tests in
-the filter program will be OK.
-.LP
-NOTE: in libpcap 1.8.0 and later,
-.B pcap_compile()
-can be used in multiple threads within a single process. However, in
-earlier versions of libpcap, it is
-.I not
-safe to use
-.B pcap_compile()
-in multiple threads in a single process without some form of mutual
-exclusion allowing only one thread to call it at any given time.
-.SH RETURN VALUE
-.B pcap_compile()
-returns 0 on success and
-.B PCAP_ERROR
-on failure. If
-.B PCAP_ERROR
-is returned,
-.B pcap_geterr(3PCAP)
-or
-.B pcap_perror(3PCAP)
-may be called with
-.I p
-as an argument to fetch or display the error text.
-.SH BACKWARD COMPATIBILITY
-.PP
-The
-.B PCAP_NETMASK_UNKNOWN
-constant became available in libpcap release 1.1.0.
-.SH SEE ALSO
-pcap(3PCAP), pcap_setfilter(3PCAP), pcap_freecode(3PCAP),
diff --git a/pcap_datalink.3pcap b/pcap_datalink.3pcap
deleted file mode 100644
index 9e8477e8..00000000
--- a/pcap_datalink.3pcap
+++ /dev/null
@@ -1,68 +0,0 @@
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP_DATALINK 3PCAP "7 April 2014"
-.SH NAME
-pcap_datalink \- get the link-layer header type
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.ft
-.LP
-.ft B
-int pcap_datalink(pcap_t *p);
-.ft
-.fi
-.SH DESCRIPTION
-.B pcap_datalink()
-returns the link-layer header type for the live capture or ``savefile''
-specified by
-.IR p .
-.PP
-It must not be called on a pcap descriptor created by
-.B \%pcap_create(3PCAP)
-that has not yet been activated by
-.BR \%pcap_activate(3PCAP) .
-.PP
-.I https://www.tcpdump.org/linktypes.html
-lists the values
-.B pcap_datalink()
-can return and describes the packet formats that
-correspond to those values.
-.PP
-Do
-.B NOT
-assume that the packets for a given capture or ``savefile`` will have
-any given link-layer header type, such as
-.B DLT_EN10MB
-for Ethernet. For example, the "any" device on Linux will have a
-link-layer header type of
-.B DLT_LINUX_SLL
-even if all devices on the system at the time the "any" device is opened
-have some other data link type, such as
-.B DLT_EN10MB
-for Ethernet.
-.SH RETURN VALUE
-.B pcap_datalink()
-returns the link-layer header type on success and
-.B PCAP_ERROR_NOT_ACTIVATED
-if called on a capture handle that has been created but not activated.
-.SH SEE ALSO
-pcap(3PCAP), pcap-linktype(7)
diff --git a/pcap_dump_open.3pcap b/pcap_dump_open.3pcap
deleted file mode 100644
index 67e77151..00000000
--- a/pcap_dump_open.3pcap
+++ /dev/null
@@ -1,103 +0,0 @@
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP_DUMP_OPEN 3PCAP "22 August 2018"
-.SH NAME
-pcap_dump_open, pcap_dump_fopen \- open a file to which to write packets
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.ft
-.nf
-.LP
-.ft B
-pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname);
-pcap_dumper_t *pcap_dump_open_append(pcap_t *p, const char *fname);
-pcap_dumper_t *pcap_dump_fopen(pcap_t *p, FILE *fp);
-.ft
-.fi
-.SH DESCRIPTION
-.B pcap_dump_open()
-is called to open a ``savefile'' for writing.
-.I fname
-specifies the name of the file to open. The file will have
-the same format as those used by
-.BR tcpdump (1)
-and
-.BR tcpslice (1).
-The name "-" is a synonym
-for
-.BR stdout .
-.PP
-.B pcap_dump_fopen()
-is called to write data to an existing open stream
-.IR fp ;
-this stream will be closed by a subsequent call to
-.BR pcap_dump_close(3PCAP) .
-Note that on Windows, that stream should be opened in binary mode.
-.PP
-.I p
-is a capture or ``savefile'' handle returned by an earlier call to
-.B pcap_create(3PCAP)
-and activated by an earlier call to
-.BR \%pcap_activate(3PCAP) ,
-or returned by an earlier call to
-.BR \%pcap_open_offline(3PCAP) ,
-.BR pcap_open_live(3PCAP) ,
-or
-.BR pcap_open_dead(3PCAP) .
-The time stamp precision, link-layer type, and snapshot length from
-.I p
-are used as the link-layer type and snapshot length of the output file.
-.PP
-.B pcap_dump_open_append()
-is like
-.B pcap_dump_open()
-but does not create the file if it does not exist and, if it does
-already exist, and is a pcap file with the same byte order as the host
-opening the file, and has the same time stamp precision, link-layer
-header type, and snapshot length as
-.IR p ,
-it will write new packets at the end of the file.
-.SH RETURN VALUES
-A pointer to a
-.B pcap_dumper_t
-structure to use in subsequent
-.B pcap_dump(3PCAP)
-and
-.B pcap_dump_close(3PCAP)
-calls is returned on success.
-.B NULL
-is returned on failure.
-If
-.B NULL
-is returned,
-.B pcap_geterr(3PCAP)
-can be used to get the error text.
-.SH BACKWARD COMPATIBILITY
-.PP
-The
-.B pcap_dump_open_append()
-function became available in libpcap release 1.7.2. In previous
-releases, there is no support for appending packets to an existing
-savefile.
-.SH SEE ALSO
-pcap(3PCAP),
-\%pcap-savefile(5)
diff --git a/pcap_get_tstamp_precision.3pcap b/pcap_get_tstamp_precision.3pcap
deleted file mode 100644
index 9388a69a..00000000
--- a/pcap_get_tstamp_precision.3pcap
+++ /dev/null
@@ -1,56 +0,0 @@
-.\"Copyright (c) 2013, Michal Sekletar
-.\"All rights reserved.
-.\"
-.\"Redistribution and use in source and binary forms, with or without
-.\"modification, are permitted provided that the following conditions
-.\"are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\" 3. The names of the authors may not be used to endorse or promote
-.\" products derived from this software without specific prior
-.\" written permission.
-.\"
-.\"THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
-.\"IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
-.\"WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-
-.TH PCAP_GET_TSTAMP_PRECISION 3PCAP "18 December 2013"
-.SH NAME
-pcap_get_tstamp_precision \- get the time stamp precision returned in
-captures
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.ft
-.LP
-.ft B
-int pcap_get_tstamp_precision(pcap_t *p);
-.ft
-.fi
-.SH DESCRIPTION
-.B pcap_get_tstamp_precision()
-returns the precision of the time stamp returned in packet captures on the pcap
-descriptor.
-.SH RETURN VALUE
-.B pcap_get_tstamp_precision()
-returns
-.B PCAP_TSTAMP_PRECISION_MICRO
-or
-.BR PCAP_TSTAMP_PRECISION_NANO ,
-which indicates
-that pcap captures contains time stamps in microseconds or nanoseconds
-respectively.
-.SH BACKWARD COMPATIBILITY
-This function became available in libpcap release 1.5.1. In previous
-releases, time stamps from a capture device or savefile are always given
-in seconds and microseconds.
-.SH SEE ALSO
-pcap(3PCAP),
-pcap_set_tstamp_precision(3PCAP),
-pcap-tstamp(7)
diff --git a/pcap_list_datalinks.3pcap b/pcap_list_datalinks.3pcap
deleted file mode 100644
index c73c1d4f..00000000
--- a/pcap_list_datalinks.3pcap
+++ /dev/null
@@ -1,73 +0,0 @@
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP_LIST_DATALINKS 3PCAP "25 July 2018"
-.SH NAME
-pcap_list_datalinks, pcap_free_datalinks \- get a list of link-layer header
-types supported by a capture device, and free that list
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.ft
-.LP
-.ft B
-int pcap_list_datalinks(pcap_t *p, int **dlt_buf);
-void pcap_free_datalinks(int *dlt_list);
-.ft
-.fi
-.SH DESCRIPTION
-.B pcap_list_datalinks()
-is used to get a list of the supported link-layer header types of the
-interface associated with the pcap descriptor.
-.B pcap_list_datalinks()
-allocates an array to hold the list and sets
-.IR *dlt_buf
-to point to that array.
-.LP
-The caller is responsible for freeing the array with
-.BR pcap_free_datalinks() ,
-which frees the list of link-layer header types pointed to by
-.IR dlt_list .
-.LP
-It must not be called on a pcap descriptor created by
-.B \%pcap_create(3PCAP)
-that has not yet been activated by
-.BR \%pcap_activate(3PCAP) .
-.SH RETURN VALUE
-.B pcap_list_datalinks()
-returns the number of link-layer header types in the array on success,
-.B PCAP_ERROR_NOT_ACTIVATED
-if called on a capture handle that has been created but not activated,
-and
-.B PCAP_ERROR
-on other errors.
-If
-.B PCAP_ERROR
-is returned,
-.B pcap_geterr(3PCAP)
-or
-.B \%pcap_perror(3PCAP)
-may be called with
-.I p
-as an argument to fetch or display the error text.
-.SH SEE ALSO
-pcap(3PCAP),
-pcap_datalink_val_to_name(3PCAP),
-pcap-linktype(7)
diff --git a/pcap_list_tstamp_types.3pcap b/pcap_list_tstamp_types.3pcap
deleted file mode 100644
index 1d3fc9ae..00000000
--- a/pcap_list_tstamp_types.3pcap
+++ /dev/null
@@ -1,81 +0,0 @@
-.\"
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP_LIST_TSTAMP_TYPES 3PCAP "22 August 2018"
-.SH NAME
-pcap_list_tstamp_types, pcap_free_tstamp_types \- get a list of time
-stamp types supported by a capture device, and free that list
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.ft
-.LP
-.ft B
-int pcap_list_tstamp_types(pcap_t *p, int **tstamp_typesp);
-void pcap_free_tstamp_types(int *tstamp_types);
-.ft
-.fi
-.SH DESCRIPTION
-.B pcap_list_tstamp_types()
-is used to get a list of the supported time stamp types of the interface
-associated with the pcap descriptor.
-.B pcap_list_tstamp_types()
-allocates an array to hold the list and sets
-.I *tstamp_typesp
-to point to the array.
-See
-.BR pcap-tstamp (7)
-for a list of all the time stamp types.
-.PP
-The caller is responsible for freeing the array with
-.BR pcap_free_tstamp_types() ,
-which frees the list pointed to by
-.IR tstamp_types .
-.SH RETURN VALUE
-.B pcap_list_tstamp_types()
-returns the number of time stamp types in the array on success and
-.B PCAP_ERROR
-on failure.
-A return value of one means that the only time stamp type supported is
-the one in the list, which is the capture device's default time stamp
-type. A return value of zero means that the only time stamp type
-supported is
-.BR PCAP_TSTAMP_HOST ,
-which is the capture device's default time stamp type (only older
-versions of libpcap will return that; newer versions will always return
-one or more types).
-If
-.B PCAP_ERROR
-is returned,
-.B pcap_geterr(3PCAP)
-or
-.B pcap_perror(3PCAP)
-may be called with
-.I p
-as an argument to fetch or display the error text.
-.SH BACKWARD COMPATIBILITY
-.PP
-These functions became available in libpcap release 1.2.1. In previous
-releases, the time stamp type cannot be set; only the default time stamp
-type offered by a capture source is available.
-.SH SEE ALSO
-pcap(3PCAP), pcap_tstamp_type_val_to_name(3PCAP),
-pcap-tstamp(7)
diff --git a/pcap_open_dead.3pcap b/pcap_open_dead.3pcap
deleted file mode 100644
index 8522a2c6..00000000
--- a/pcap_open_dead.3pcap
+++ /dev/null
@@ -1,78 +0,0 @@
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP_OPEN_DEAD 3PCAP "3 January 2014"
-.SH NAME
-pcap_open_dead, pcap_open_dead_with_tstamp_precision \- open a fake
-pcap_t for compiling filters or opening a capture for output
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.ft
-.LP
-.ft B
-pcap_t *pcap_open_dead(int linktype, int snaplen);
-pcap_t *pcap_open_dead_with_tstamp_precision(int linktype, int snaplen,
- u_int precision);
-.ft
-.fi
-.SH DESCRIPTION
-.PP
-.B pcap_open_dead()
-and
-.B pcap_open_dead_with_tstamp_precision()
-are used for creating a
-.B pcap_t
-structure to use when calling the other functions in libpcap.
It is
-typically used when just using libpcap for compiling BPF code; it can
-also be used if using
-.BR pcap_dump_open(3PCAP) ,
-.BR pcap_dump(3PCAP) ,
-and
-.B pcap_dump_close(3PCAP)
-to write a savefile if there is no
-.B pcap_t
-that supplies the packets to be written.
-.PP
-.I linktype
-specifies the link-layer type for the
-.BR pcap_t .
-.PP
-.I snaplen
-specifies the snapshot length for the
-.BR pcap_t .
-.PP
-When
-.BR pcap_open_dead_with_tstamp_precision() ,
-is used to create a
-.B pcap_t
-for use with
-.BR pcap_dump_open() ,
-.I precision
-specifies the time stamp precision for packets;
-.B PCAP_TSTAMP_PRECISION_MICRO
-should be specified if the packets to be written have time stamps in
-seconds and microseconds, and
-.B PCAP_TSTAMP_PRECISION_NANO
-should be specified if the packets to be written have time stamps in
-seconds and nanoseconds. Its value does not affect
-.BR pcap_compile(3PCAP) .
-.SH SEE ALSO
-pcap(3PCAP), \%pcap-linktype(7)
diff --git a/pcap_open_offline.3pcap b/pcap_open_offline.3pcap
deleted file mode 100644
index b50cea4e..00000000
--- a/pcap_open_offline.3pcap
+++ /dev/null
@@ -1,116 +0,0 @@
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP_OPEN_OFFLINE 3PCAP "8 January 2018 "
-.SH NAME
-pcap_open_offline, pcap_open_offline_with_tstamp_precision,
-pcap_fopen_offline, pcap_fopen_offline_with_tstamp_precision \- open a saved capture file for reading
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.ft
-.LP
-.nf
-.ft B
-char errbuf[PCAP_ERRBUF_SIZE];
-.ft
-.LP
-.ft B
-pcap_t *pcap_open_offline(const char *fname, char *errbuf);
-pcap_t *pcap_open_offline_with_tstamp_precision(const char *fname,
- u_int precision, char *errbuf);
-pcap_t *pcap_fopen_offline(FILE *fp, char *errbuf);
-pcap_t *pcap_fopen_offline_with_tstamp_precision(FILE *fp,
- u_int precision, char *errbuf);
-.ft
-.fi
-.SH DESCRIPTION
-.B pcap_open_offline()
-and
-.B pcap_open_offline_with_tstamp_precision()
-are called to open a ``savefile'' for reading.
-.PP
-.I fname
-specifies the name of the file to open. The file can have the pcap file
-format as described in
-.BR pcap-savefile (5),
-which is the file format used by, among other programs,
-.BR tcpdump (1)
-and
-.BR tcpslice (1),
-or can have the pcapng file format, although not all pcapng files can
-be read.
-The name "-" is a synonym for
-.BR stdin .
-.PP
-.B pcap_open_offline_with_tstamp_precision()
-takes an additional
-.I precision
-argument specifying the time stamp precision desired;
-if
-.B PCAP_TSTAMP_PRECISION_MICRO
-is specified, packet time stamps will be supplied in seconds and
-microseconds,
-and if
-.B PCAP_TSTAMP_PRECISION_NANO
-is specified, packet time stamps will be supplied in seconds and
-nanoseconds. If the time stamps in the file do not have the same
-precision as the requested precision, they will be scaled up or down as
-necessary before being supplied.
-.PP
-Alternatively, you may call
-.B pcap_fopen_offline()
-or
-.B pcap_fopen_offline_with_tstamp_precision()
-to read dumped data from an existing open stream
-.IR fp .
-.B pcap_fopen_offline_with_tstamp_precision()
-takes an additional
-.I precision
-argument as described above.
-Note that on Windows, that stream should be opened in binary mode.
-.SH RETURN VALUE
-.BR pcap_open_offline() ,
-.BR pcap_open_offline_with_tstamp_precision() ,
-.BR pcap_fopen_offline() ,
-and
-.B pcap_fopen_offline_with_tstamp_precision()
-return a
-.I pcap_t *
-on success and
-.B NULL
-on failure.
-If
-.B NULL
-is returned,
-.I errbuf
-is filled in with an appropriate error message.
-.I errbuf
-is assumed to be able to hold at least
-.B PCAP_ERRBUF_SIZE
-chars.
-.SH BACKWARD COMPATIBILITY
-.B pcap_open_offline_with_tstamp_precision
-and
-.B pcap_fopen_offline_with_tstamp_precision
-became available in libpcap release 1.5.1. In previous releases, time
-stamps from a savefile are always given in seconds and microseconds.
-.SH SEE ALSO
-pcap(3PCAP), pcap-savefile(5)
diff --git a/pcap_set_immediate_mode.3pcap b/pcap_set_immediate_mode.3pcap
deleted file mode 100644
index 93a27971..00000000
--- a/pcap_set_immediate_mode.3pcap
+++ /dev/null
@@ -1,95 +0,0 @@
-.\"
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP_SET_IMMEDIATE_MODE 3PCAP "22 August 2018"
-.SH NAME
-pcap_set_immediate_mode \- set immediate mode for a not-yet-activated capture
-handle
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.LP
-.ft B
-int pcap_set_immediate_mode(pcap_t *p, int immediate_mode);
-.ft
-.fi
-.SH DESCRIPTION
-.B pcap_set_immediate_mode()
-sets whether immediate mode should be set on a capture handle when
-the handle is activated. In immediate mode, packets are always
-delivered as soon as they arrive, with no buffering.
-If
-.I immediate_mode
-is non-zero, immediate mode will be set, otherwise it will not be set.
-.SH RETURN VALUE
-.B pcap_set_immediate_mode()
-returns 0 on success or
-.B PCAP_ERROR_ACTIVATED
-if called on a capture handle that has been activated.
-.SH BACKWARD COMPATIBILITY
-.PP
-This function became available in libpcap release 1.5.0. In previous
-releases, if immediate delivery of packets is required:
-.IP
-on FreeBSD, NetBSD, OpenBSD, DragonFly BSD, macOS, and Solaris 11,
-immediate mode must be turned on with a
-.B BIOCIMMEDIATE
-.BR ioctl (2),
-as documented in
-.BR bpf(4) ,
-on the descriptor returned by
-.B pcap_fileno(3PCAP),
-after
-.BR pcap_activate(3PCAP)
-is called;
-.IP
-on Solaris 10 and earlier versions of Solaris, immediate mode must be
-turned on by using a read timeout of 0 when opening the device (this
-will not provide immediate delivery of packets on other platforms, so
-don't assume it's sufficient);
-.IP
-on Digital UNIX/Tru64 UNIX, immediate mode must be turned on by doing a
-.B BIOCMBIC
-.BR ioctl ,
-as documented in
-.BR packetfilter(7) ,
-to clear the
-.B ENBATCH
-flag on the descriptor returned by
-.B pcap_fileno(3PCAP),
-after
-.BR pcap_activate(3PCAP)
-is called;
-.IP
-on Windows, immediate mode must be turned on by calling
-.B pcap_setmintocopy()
-with a size of 0.
-.PP
-On Linux, with previous releases of libpcap, capture devices are always
-in immediate mode; however, in 1.5.0 and later, they are, by default,
-.B not
-in immediate mode, so if
-.B pcap_set_immediate_mode()
-is available, it should be used.
-.PP
-On other platforms, capture devices are always in immediate mode.
-.SH SEE ALSO
-pcap(3PCAP), pcap_create(3PCAP), pcap_activate(3PCAP)
diff --git a/pcap_set_tstamp_precision.3pcap b/pcap_set_tstamp_precision.3pcap
deleted file mode 100644
index 06003546..00000000
--- a/pcap_set_tstamp_precision.3pcap
+++ /dev/null
@@ -1,66 +0,0 @@
-.\"Copyright (c) 2013, Michal Sekletar
-.\"All rights reserved.
-.\"
-.\"Redistribution and use in source and binary forms, with or without
-.\"modification, are permitted provided that the following conditions
-.\"are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\" 3. The names of the authors may not be used to endorse or promote
-.\" products derived from this software without specific prior
-.\" written permission.
-.\"
-.\"THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
-.\"IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
-.\"WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-
-.TH PCAP_SET_TSTAMP_PRECISION 3PCAP "5 February 2015"
-.SH NAME
-pcap_set_tstamp_precision \- set the time stamp precision returned in
-captures
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.ft
-.LP
-.ft B
-int pcap_set_tstamp_precision(pcap_t *p, int tstamp_precision);
-.ft
-.fi
-.SH DESCRIPTION
-.B pcap_set_tstamp_precision()
-sets the precision of the time stamp desired for packets captured on the pcap
-descriptor to the type specified by
-.IR tstamp_precision .
-It must be called on a pcap descriptor created by
-.B pcap_create(3PCAP)
-that has not yet been activated by
-.BR pcap_activate(3PCAP) .
-Two time stamp precisions are supported, microseconds and nanoseconds. One can
-use options
-.B PCAP_TSTAMP_PRECISION_MICRO and
-.B PCAP_TSTAMP_PRECISION_NANO
-to request desired precision. By default, time stamps are in microseconds.
-.SH RETURN VALUE
-.B pcap_set_tstamp_precision()
-returns 0 on success if the specified time stamp precision is expected to be
-supported by the capture device,
-.B PCAP_ERROR_TSTAMP_PRECISION_NOTSUP
-if the capture device does not support the requested time stamp
-precision,
-.B PCAP_ERROR_ACTIVATED
-if called on a capture handle that has been activated.
-.SH BACKWARD COMPATIBILITY
-This function became available in libpcap release 1.5.1. In previous
-releases, time stamps from a capture device or savefile are always given
-in seconds and microseconds.
-.SH SEE ALSO
-pcap(3PCAP),
-pcap_get_tstamp_precision(3PCAP),
-pcap-tstamp(7)
diff --git a/pcap_set_tstamp_type.3pcap b/pcap_set_tstamp_type.3pcap
deleted file mode 100644
index 4754278b..00000000
--- a/pcap_set_tstamp_type.3pcap
+++ /dev/null
@@ -1,70 +0,0 @@
-.\"
-.\" Copyright (c) 1994, 1996, 1997
-.\" The Regents of the University of California. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.TH PCAP_SET_TSTAMP_TYPE 3PCAP "22 August 2018"
-.SH NAME
-pcap_set_tstamp_type \- set the time stamp type to be used by a
-capture device
-.SH SYNOPSIS
-.nf
-.ft B
-#include <pcap/pcap.h>
-.ft
-.LP
-.ft B
-int pcap_set_tstamp_type(pcap_t *p, int tstamp_type);
-.ft
-.fi
-.SH DESCRIPTION
-.B pcap_set_tstamp_type()
-sets the type of time stamp desired for packets captured on the pcap
-descriptor to the type specified by
-.IR tstamp_type .
-It must be called on a pcap descriptor created by
-.B pcap_create(3PCAP)
-that has not yet been activated by
-.BR pcap_activate(3PCAP) .
-.B pcap_list_tstamp_types(3PCAP)
-will give a list of the time stamp types supported by a given capture
-device.
-See
-.BR pcap-tstamp (7)
-for a list of all the time stamp types.
-.SH RETURN VALUE
-.B pcap_set_tstamp_type()
-returns 0 on success if the specified time stamp type is expected to be
-supported by the capture device,
-.B PCAP_WARNING_TSTAMP_TYPE_NOTSUP
-if the specified time stamp type is not supported by the
-capture device,
-.B PCAP_ERROR_ACTIVATED
-if called on a capture handle that has been activated, and
-.B PCAP_ERROR_CANTSET_TSTAMP_TYPE
-if the capture device doesn't support setting the time stamp type (only
-older versions of libpcap will return that; newer versions will always
-allow the time stamp type to be set to the default type).
-.SH BACKWARD COMPATIBILITY
-.PP
-This function became available in libpcap release 1.2.1. In previous
-releases, the time stamp type cannot be set; only the default time stamp
-type offered by a capture source is available.
-.SH SEE ALSO
-pcap(3PCAP),
-pcap_tstamp_type_name_to_val(3PCAP) |