e1d3d85 @mjschultz Initial import for pcapy-0.10.5 from CORE Security Technologies
authored Aug 23, 2012
1 <html><head><meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"><title>Part I. Pcapy Reference</title><meta name="generator" content="DocBook XSL Stylesheets V1.40"><meta name="keywords" content="pcap, packet, capture, python"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="part" id="id2720626"><div class="titlepage"><div><h1 class="title"><a name="id2720626"></a>Pcapy Reference</h1></div><div><h3 class="corpauthor">CORE SECURITY TECHNOLOGIES</h3></div><div><p class="copyright">Copyright © 2003 CORE SECURITY TECHNOLOGIES</p></div><div><div class="revhistory"><table border="1" width="100%" summary="Revision history"><tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr><tr><td align="left">Revision $Revision: 1.2 $</td><td align="left">$Date: 2003/10/23 17:24:27 $</td><td align="left">$Author: jkohen $</td></tr><tr><td align="left" colspan="3">Initial revision</td></tr></table></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>I <a href="#id2720790">Pcapy Module Reference</a></dt><dd><dl><dt><a href="#id2720796">open_live</a></dt><dt><a href="#id2720974">open_offline</a></dt><dt><a href="#id2721096">lookupdev</a></dt><dt><a href="#id2716618">findalldevs</a></dt><dt><a href="#id2766688">compile</a></dt></dl></dd><dt>II <a href="#id2720711">Reader Object Reference</a></dt><dd><dl><dt><a href="#id2720717">dispatch</a></dt><dt><a href="#id2723103">next</a></dt><dt><a href="#id2723279">setfilter</a></dt><dt><a href="#id2723348">getnet</a></dt><dt><a href="#id2723448">datalink</a></dt><dt><a href="#id2718490">getnonblock</a></dt><dt><a href="#id2718128">dump_open</a></dt></dl></dd><dt>III <a href="#id2718727">Dumper Object Reference</a></dt><dd><dl><dt><a href="#id2718732">dump</a></dt></dl></dd><dt>IV <a href="#id2718829">Pkthdr Object Reference</a></dt><dd><dl><dt><a href="#id2718835">getts</a></dt></dl></dd><dt>V <a href="#id2781073">Bpf Object 
Reference</a></dt><dd><dl><dt><a href="#id2781080">filter</a></dt></dl></dd><dt><a href="#id2781178">Bibliography</a></dt></dl></div><div class="reference"><div class="titlepage"><div><h1 class="title"><a name="id2720790"></a>Pcapy Module Reference</h1></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2720796">open_live</a></dt><dt><a href="#id2720974">open_offline</a></dt><dt><a href="#id2721096">lookupdev</a></dt><dt><a href="#id2716618">findalldevs</a></dt><dt><a href="#id2766688">compile</a></dt></dl></div><div class="refentry"><h1 class="title"><a name="id2720796"></a>open_live</h1><div class="refnamediv"><a name="id2720799"></a><h2>Name</h2>open_live &#8212; Obtain a packet capture descriptor to look at packets on the network</div><div class="refsynopsisdiv"><a name="id2720813"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2720817"><a name="id2720817"></a><p><code><code class="funcdef">Reader <b class="fsfunc">open_live</b></code>(<var class="pdparam">device</var>, <var class="pdparam">snaplen</var>, <var class="pdparam">promisc</var>, <var class="pdparam">to_ms</var>);<br>string <var class="pdparam">device</var>;<br>int <var class="pdparam">snaplen</var>;<br>int <var class="pdparam">promisc</var>;<br>int <var class="pdparam">to_ms</var>;</code></p></div></div><div class="refsect1"><a name="id2720875"></a><h2><a name="id2720875"></a>DESCRIPTION</h2><p>
2 <tt>open_live</tt> is used to obtain a packet
3 capture descriptor to look at packets on the network.
4 <i><tt>device</tt></i> is a string that specifies the
5 network device to open; on Linux systems with 2.2 or later
6 kernels, a device argument of <tt>any</tt> or
7 <tt>NULL</tt> can be used to capture packets
8 from all interfaces. <i><tt>snaplen</tt></i>
9 specifies the maximum number of bytes to capture.
10 <i><tt>promisc</tt></i> specifies if the interface is
11 to be put into promiscuous mode. (Note that even if this
12 parameter is false, the interface could well be in
promiscuous mode for some other reason.) For now, promiscuous mode
doesn't work on the <tt>any</tt> device; if an
15 argument of <tt>any</tt> or
16 <tt>NULL</tt> is supplied, the
17 <i><tt>promisc</tt></i> flag is ignored.
18 <i><tt>to_ms</tt></i> specifies the read timeout in
19 milliseconds. The read timeout is used to arrange that the
20 read not necessarily return immediately when a packet is
21 seen, but that it wait for some amount of time to allow more
22 packets to arrive and to read multiple packets from the OS
23 kernel in one operation. Not all platforms support a read
24 timeout; on platforms that don't, the read timeout is
25 ignored.
26 </p></div></div><div class="refentry"><h1 class="title"><a name="id2720974"></a>open_offline</h1><div class="refnamediv"><a name="id2720977"></a><h2>Name</h2>open_offline &#8212; Obtain a packet capture descriptor to look at packets on a <i>savefile</i></div><div class="refsynopsisdiv"><a name="id2720994"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2720997"><a name="id2720997"></a><p><code><code class="funcdef">Reader <b class="fsfunc">open_offline</b></code>(<var class="pdparam">filename</var>);<br>string <var class="pdparam">filename</var>;</code></p></div></div><div class="refsect1"><a name="id2721028"></a><h2><a name="id2721028"></a>DESCRIPTION</h2><p>
27 <tt>open_offline</tt> is called to open a
28 <i>savefile</i> for reading. <i><tt>filename</tt></i>
29 specifies the name of the file to open. The file has the
30 same format as those used by
31 tcpdump(8) and
32 tcpslice(8). The name
33 <tt>-</tt> is a synonym for
34 <tt>stdin</tt>.
35 </p></div></div><div class="refentry"><h1 class="title"><a name="id2721096"></a>lookupdev</h1><div class="refnamediv"><a name="id2721099"></a><h2>Name</h2>lookupdev &#8212; Return a network device suitable for use with
36 <tt>open_live</tt></div><div class="refsynopsisdiv"><a name="id2721118"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2721121"><a name="id2721121"></a><p><code><code class="funcdef">string <b class="fsfunc">lookupdev</b></code>();</code></p></div></div><div class="refsect1"><a name="id2721144"></a><h2><a name="id2721144"></a>DESCRIPTION</h2><p>
37 <tt>lookupdev</tt> returns the name of a network
38 device suitable for use with <tt>open_live</tt>.
39 </p></div></div><div class="refentry"><h1 class="title"><a name="id2716618"></a>findalldevs</h1><div class="refnamediv"><a name="id2766659"></a><h2>Name</h2>findalldevs &#8212; Obtain the list of available network devices</div><div class="refsynopsisdiv"><a name="id2780797"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2780800"><a name="id2780800"></a><p><code><code class="funcdef">string[] <b class="fsfunc">findalldevs</b></code>();</code></p></div></div><div class="refsect1"><a name="id2766782"></a><h2><a name="id2766782"></a>DESCRIPTION</h2><p>
40 <tt>findalldevs</tt> constructs a list of
41 network devices that can be opened with
42 <tt>open_live</tt>. (Note that there may be
43 network devices that cannot be opened with
<tt>open_live</tt>, because, for example, the calling
process might not have sufficient privileges to open them
46 for capturing; if so, those devices will not appear on the
47 list.)
48 </p></div></div><div class="refentry"><h1 class="title"><a name="id2766688"></a>compile</h1><div class="refnamediv"><a name="id2766691"></a><h2>Name</h2>compile &#8212; Compile a BPF filter</div><div class="refsynopsisdiv"><a name="id2766704"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2766707"><a name="id2766707"></a><p><code><code class="funcdef">Bpf <b class="fsfunc">compile</b></code>(<var class="pdparam">linktype</var>, <var class="pdparam">snaplen</var>, <var class="pdparam">filter</var>, <var class="pdparam">optimize</var>, <var class="pdparam">netmask</var>);<br>int <var class="pdparam">linktype</var>;<br>int <var class="pdparam">snaplen</var>;<br>string <var class="pdparam">filter</var>;<br>int <var class="pdparam">optimize</var>;<br>int32 <var class="pdparam">netmask</var>;</code></p></div></div><div class="refsect1"><a name="id2720660"></a><h2><a name="id2720660"></a>DESCRIPTION</h2><p>
49 <tt>compile</tt> is used to compile the
50 <i><tt>filter</tt></i> into a filter program.
51 <tt>snaplen</tt> specifies the maximum number of
52 bytes to capture. <i><tt>optimize</tt></i> controls
53 whether optimization on the resulting code is performed.
54 <i><tt>netmask</tt></i> specifies the netmask of the
55 local network.
56 </p></div></div></div><div class="reference"><div class="titlepage"><div><h1 class="title"><a name="id2720711"></a>Reader Object Reference</h1></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2720717">dispatch</a></dt><dt><a href="#id2723103">next</a></dt><dt><a href="#id2723279">setfilter</a></dt><dt><a href="#id2723348">getnet</a></dt><dt><a href="#id2723448">datalink</a></dt><dt><a href="#id2718490">getnonblock</a></dt><dt><a href="#id2718128">dump_open</a></dt></dl></div><div class="refentry"><h1 class="title"><a name="id2720717"></a>dispatch</h1><div class="refnamediv"><a name="id2720720"></a><h2>Name</h2>dispatch, loop &#8212; Collect and process packets</div><div class="refsynopsisdiv"><a name="id2718931"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2718935"><a name="id2718935"></a><p><code><code class="funcdef">int <b class="fsfunc">dispatch</b></code>(<var class="pdparam">maxcant</var>, <var class="pdparam">(* callback)</var>);<br>int <var class="pdparam">maxcant</var>;<br>void <var class="pdparam">(* callback)</var>
57 (Pkthdr, string);</code></p><p><code><code class="funcdef">int <b class="fsfunc">loop</b></code>(<var class="pdparam">maxcant</var>, <var class="pdparam">(* callback)</var>);<br>int <var class="pdparam">maxcant</var>;<br>void <var class="pdparam">(* callback)</var>
58 (Pkthdr, string);</code></p></div></div><div class="refsect1"><a name="id2719017"></a><h2><a name="id2719017"></a>DESCRIPTION</h2><p>
59 <tt>dispatch</tt> is used to collect and process
60 packets. <i><tt>maxcant</tt></i> specifies the
61 maximum number of packets to process before returning. This
62 is not a minimum number; when reading a live capture, only
63 one bufferful of packets is read at a time, so fewer than
64 <i><tt>maxcant</tt></i> packets may be processed. A
<i><tt>maxcant</tt></i> of <tt>-1</tt>
66 processes all the packets received in one buffer when
67 reading a live capture, or all the packets in the file when
68 reading a <i>savefile</i>. <i><tt>callback</tt></i>
69 specifies a routine to be called with two arguments: a
70 <tt>Pkthdr</tt> instance describing the data
71 passed and the data itself.
72 </p><p>
73 The number of packets read is returned.
74 0 is returned if no packets were
75 read from a live capture (if, for example, they were
76 discarded because they didn't pass the packet filter, or if,
77 on platforms that support a read timeout that starts before
78 any packets arrive, the timeout expires before any packets
79 arrive, or if the file descriptor for the capture device is
80 in non&#8211;blocking mode and no packets were available to be
81 read) or if no more packets are available in a <i>savefile</i>.
82 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="id2723188"></a>Note</h3><p>
83 When reading a live capture, <tt>dispatch</tt>
84 will not necessarily return when the read times out; on
85 some platforms, the read timeout isn't supported, and, on
86 other platforms, the timer doesn't start until at least
87 one packet arrives. This means that the read timeout
88 should <i>not</i> be used in, for example,
89 an interactive application, to allow the packet capture
90 loop to poll for user input periodically, as there's no
91 guarantee that <tt>dispatch</tt> will return
92 after the timeout expires.
93 </p></div><p>
94 <tt>loop</tt> is similar to
95 <tt>dispatch</tt> except it keeps reading
96 packets until <i><tt>maxcant</tt></i> packets are
97 processed or an error occurs. It does
98 <i>not</i> return when live read timeouts
99 occur. Rather, specifying a non&#8211;zero read timeout to
100 <tt>open_live</tt> and then calling
101 <tt>dispatch</tt> allows the reception and
102 processing of any packets that arrive when the timeout
103 occurs. A negative <i><tt>maxcant</tt></i> causes
104 <tt>loop</tt> to loop forever (or at least until
105 an error occurs). 0 is returned
106 if <i><tt>maxcant</tt></i> is exhausted.
107 </p></div></div><div class="refentry"><h1 class="title"><a name="id2723103"></a>next</h1><div class="refnamediv"><a name="id2723106"></a><h2>Name</h2>next &#8212; Collect the next packet</div><div class="refsynopsisdiv"><a name="id2723120"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2723123"><a name="id2723123"></a><p><code><code class="funcdef">(Pkthdr, string) <b class="fsfunc">next</b></code>();</code></p></div></div><div class="refsect1"><a name="id2723147"></a><h2><a name="id2723147"></a>DESCRIPTION</h2><p>
108 <tt>next</tt> reads the next packet (by calling
109 <tt>dispatch</tt> with a
110 <i><tt>maxcant</tt></i> of <tt>1</tt>)
111 and returns a tuple (header, data) where
112 <i><tt>header</tt></i> is a
113 <tt>Pkthdr</tt> instance describing the data
114 passed and <i><tt>data</tt></i> is the data itself.
115 </p></div></div><div class="refentry"><h1 class="title"><a name="id2723279"></a>setfilter</h1><div class="refnamediv"><a name="id2723282"></a><h2>Name</h2>setfilter &#8212; Specify a filter</div><div class="refsynopsisdiv"><a name="id2723294"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2723298"><a name="id2723298"></a><p><code><code class="funcdef"><b class="fsfunc">setfilter</b></code>(<var class="pdparam">filter</var>);<br>string <var class="pdparam">filter</var>;</code></p></div></div><div class="refsect1"><a name="id2723327"></a><h2><a name="id2723327"></a>DESCRIPTION</h2><p>
116 <tt>setfilter</tt> is used to specify a filter
117 for this object.
118 </p></div></div><div class="refentry"><h1 class="title"><a name="id2723348"></a>getnet</h1><div class="refnamediv"><a name="id2723351"></a><h2>Name</h2>getnet, getmask &#8212; Get the associated network number and mask</div><div class="refsynopsisdiv"><a name="id2723367"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2723370"><a name="id2723370"></a><p><code><code class="funcdef">int32 <b class="fsfunc">getnet</b></code>();</code></p></div><div class="funcsynopsis" id="id2723392"><a name="id2723392"></a><p><code><code class="funcdef">int32 <b class="fsfunc">getmask</b></code>();</code></p></div></div><div class="refsect1"><a name="id2723415"></a><h2><a name="id2723415"></a>DESCRIPTION</h2><p>
119 <tt>getnet</tt> and <tt>getmask</tt>
120 are used to determine the network number and mask associated
121 with the network device attached to this
122 <tt>Reader</tt>.
123 </p></div></div><div class="refentry"><h1 class="title"><a name="id2723448"></a>datalink</h1><div class="refnamediv"><a name="id2723451"></a><h2>Name</h2>datalink &#8212; Obtain the link layer type</div><div class="refsynopsisdiv"><a name="id2723463"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2723466"><a name="id2723466"></a><p><code><code class="funcdef">int <b class="fsfunc">datalink</b></code>();</code></p></div></div><div class="refsect1"><a name="id2723489"></a><h2><a name="id2723489"></a>DESCRIPTION</h2><p>
124 <tt>datalink</tt> returns the link layer type; link layer types it can return include:
125 <div class="variablelist"><dl><dt><a name="id2723510"></a><span class="term"><tt>DLT_NULL</tt></span></dt><dd><p>
126 BSD loopback encapsulation; the
127 link layer header is a 4&#8211;byte field, in host
128 byte order, containing a <tt>PF_</tt>
129 value from <tt>socket.h</tt> for the
130 network&#8211;layer protocol of the packet.
131 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="id2723550"></a>Note</h3><p>
132 &#8220;host byte order&#8221; is the byte order
133 of the machine on which the packets are captured,
134 and the <tt>PF_</tt> values are for
135 the OS of the machine on which
136 the packets are captured; if a live capture is
137 being done, &#8220;host byte order&#8221; is the
138 byte order of the machine capturing the packets,
139 and the <tt>PF_</tt> values are those
140 of the OS of the machine
141 capturing the packets, but if a <i>savefile</i> is being
142 read, the byte order and <tt>PF_</tt>
143 values are <i>not</i> necessarily
144 those of the machine reading the capture file.
145 </p></div></dd><dt><a name="id2723606"></a><span class="term"><tt>DLT_EN10MB</tt></span></dt><dd><p>Ethernet (10Mb, 100Mb, 1000Mb, and up)</p></dd><dt><a name="id2723624"></a><span class="term"><tt>DLT_IEEE802</tt></span></dt><dd><p>IEEE 802.5 Token Ring</p></dd><dt><a name="id2723645"></a><span class="term"><tt>DLT_ARCNET</tt></span></dt><dd><p>ARCNET</p></dd><dt><a name="id2723536"></a><span class="term"><tt>DLT_SLIP</tt></span></dt><dd><p><a name="id2717681"></a>
146 SLIP; the link layer header contains, in order:
147 <div class="itemizedlist"><ul><li><a name="id2717695"></a><p>
148 a 1&#8211;byte flag, which is
149 <tt>0</tt> for packets received by
150 the machine and <tt>1</tt> for
151 packets sent by the machine.
152 </p></li><li><p><a name="id2717721"></a>
153 a 1&#8211;byte field, the upper 4 bits of which indicate the type of packet, as per RFC 1144:
155 <div class="itemizedlist"><ul><li><a name="id2717736"></a><p>
156 <tt>0x40</tt>; an unmodified
157 IP datagram
158 (<tt>TYPE_IP</tt>)
159 </p></li><li><a name="id2717760"></a><p>
160 <tt>0x70</tt>; an
161 uncompressed&#8211;TCP/IP
162 datagram
163 (<tt>UNCOMPRESSED_TCP</tt>),
164 with that byte being the first byte of
165 the raw IP header on
166 the wire, containing the connection
167 number in the protocol field
168 </p></li><li><a name="id2717791"></a><p>
169 <tt>0x80</tt>; a
170 compressed&#8211;TCP/IP
171 datagram
172 (<tt>COMPRESSED_TCP</tt>),
173 with that byte being the first byte of
174 the compressed TCP/IP
175 datagram header
176 </p></li></ul></div>
177 </p></li><li><a name="id2717824"></a><p>
178 for <tt>UNCOMPRESSED_TCP</tt>, the
179 rest of the modified IP
180 header, and for
181 <tt>COMPRESSED_TCP</tt>, the
182 compressed TCP/IP datagram
183 header
184 </p></li></ul></div>
185 for a total of 16 bytes; the uncompressed IP datagram follows the header.
186 </p></dd><dt><a name="id2717860"></a><span class="term"><tt>DLT_PPP</tt></span></dt><dd><p>
187 PPP; if the first 2 bytes are
188 <tt>0xff</tt> and <tt>0x03</tt>,
189 it's PPP in
190 HDLC&#8211;like framing, with the
191 PPP header following those two
192 bytes, otherwise it's PPP without
193 framing, and the packet begins with the
194 PPP header.
195 </p></dd><dt><a name="id2717919"></a><span class="term"><tt>DLT_FDDI</tt></span></dt><dd><p>FDDI</p></dd><dt><a name="id2717938"></a><span class="term"><tt>DLT_ATM_RFC1483</tt></span></dt><dd><p>
196 RFC 1483
197 LLC/SNAP&#8211;encapsulated
198 ATM; the packet begins with an
199 IEEE 802.2 LLC
200 header.
201 </p></dd><dt><a name="id2717976"></a><span class="term"><tt>DLT_RAW</tt></span></dt><dd><p>
202 Raw IP; the packet begins with an
203 IP header.
204 </p></dd><dt><a name="id2718002"></a><span class="term"><tt>DLT_PPP_SERIAL</tt></span></dt><dd><p>
205 PPP in
206 HDLC&#8211;like framing, as per
207 RFC 1662, or Cisco
208 PPP with HDLC
framing, as per section 4.3.1 of
210 RFC 1547; the first byte will be
211 <tt>0xFF</tt> for PPP
212 in HDLC&#8211;like framing, and
213 will be <tt>0x0F</tt> or
214 <tt>0x8F</tt> for Cisco
215 PPP with HDLC
216 framing.
217 </p></dd><dt><a name="id2718179"></a><span class="term"><tt>DLT_PPP_ETHER</tt></span></dt><dd><p>
218 PPPoE; the packet begins with a
219 PPPoE header, as per
220 RFC 2516.
221 </p></dd><dt><a name="id2718208"></a><span class="term"><tt>DLT_C_HDLC</tt></span></dt><dd><p>
222 Cisco PPP with
HDLC framing, as per section
4.3.1 of RFC 1547.
225 </p></dd><dt><a name="id2718045"></a><span class="term"><tt>DLT_IEEE802_11</tt></span></dt><dd><p>
226 IEEE 802.11 wireless
227 LAN.
228 </p></dd><dt><a name="id2718071"></a><span class="term"><tt>DLT_LOOP</tt></span></dt><dd><p>
229 OpenBSD loopback encapsulation; the link layer
230 header is a 4&#8211;byte field, in network byte
231 order, containing a <tt>PF_</tt> value
232 from OpenBSD's <tt>socket.h</tt> for the
233 network&#8211;layer protocol of the packet.
234 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="id2718249"></a>Note</h3><p>
235 Note that, if a <i>savefile</i> is being read, those
236 <tt>PF_</tt> values are
237 <i>not</i> necessarily those of the
238 machine reading the capture file.
239 </p></div></dd><dt><a name="id2718273"></a><span class="term"><tt>DLT_LINUX_SLL</tt></span></dt><dd><p><a name="id2718281"></a>
240 Linux cooked capture encapsulation; the link layer
241 header contains, in order:
243 <div class="itemizedlist"><ul><li><p><a name="id2718292"></a>
244 a 2&#8211;byte &quot;packet type&quot;, in network
245 byte order, which is one of:
247 <div class="itemizedlist"><ul><li><a name="id2718303"></a><p>
248 <tt>0</tt>; packet was sent to
249 us by somebody else.
250 </p></li><li><a name="id2718320"></a><p>
251 <tt>1</tt>; packet was
252 broadcast by somebody else.
253 </p></li><li><a name="id2718336"></a><p>
254 <tt>2</tt>; packet was
255 multicast, but not broadcast, by
256 somebody else.
257 </p></li><li><a name="id2718353"></a><p>
258 <tt>3</tt>; packet was sent by
259 somebody else to somebody else.
260 </p></li><li><a name="id2718369"></a><p>
261 <tt>4</tt>; packet was sent by
262 us.
263 </p></li></ul></div>
264 </p></li><li><a name="id2718388"></a><p>
265 a 2&#8211;byte field, in network byte order,
266 containing a Linux
267 <tt>ARPHRD_</tt> value for the
268 link layer device type.
269 </p></li><li><a name="id2718403"></a><p>
270 a 2&#8211;byte field, in network byte order,
271 containing the length of the link layer
272 address of the sender of the packet (which
273 could be 0).
274 </p></li><li><a name="id2718414"></a><p>
275 an 8&#8211;byte field containing that number
276 of bytes of the link layer header (if there
277 are more than 8 bytes, only the first 8 are
278 present).
279 </p></li><li><a name="id2718426"></a><p>
280 a 2&#8211;byte field containing an Ethernet
281 protocol type, in network byte order, or
282 containing <tt>1</tt> for Novell
283 802.3 frames without an 802.2
284 LLC header or
285 <tt>4</tt> for frames beginning with
286 an 802.2 LLC header.
287 </p></li></ul></div>
288 </p></dd><dt><a name="id2718463"></a><span class="term"><tt>DLT_LTALK</tt></span></dt><dd><p>
289 Apple LocalTalk; the packet begins with an AppleTalk
290 LLAP header.
291 </p></dd></dl></div>
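The byte order caveat in the DLT_NULL and DLT_LOOP entries, worked through as an added example (not part of pcapy or of the original reference). The function names are hypothetical, the PF_INET6 numbers are the values commonly used by the listed operating systems and are stated here as an assumption, and the "implausibly large value" test is a heuristic for savefiles whose writer's byte order is unknown.

```python
import struct

PF_INET = 2                          # assumed identical on the common platforms
PF_INET6_VALUES = (10, 24, 28, 30)   # assumed: Linux, NetBSD/OpenBSD, FreeBSD, macOS


def read_family(data, linktype_is_loop):
    """Return (pf_value, payload) for a DLT_LOOP or DLT_NULL frame."""
    if len(data) < 4:
        raise ValueError("frame shorter than the 4-byte link layer header")
    if linktype_is_loop:
        # DLT_LOOP: the field is always in network byte order.
        (family,) = struct.unpack("!I", data[:4])
    else:
        # DLT_NULL: the field is in the byte order of the capturing host,
        # which a savefile reader cannot assume. PF_ values are small, so
        # a value with any of the upper 16 bits set was read the wrong way.
        (family,) = struct.unpack("<I", data[:4])
        if family & 0xFFFF0000:
            (family,) = struct.unpack(">I", data[:4])
    return family, data[4:]


def classify(data, linktype_is_loop):
    """Name the network layer protocol, cross-checked with the IP version nibble."""
    family, payload = read_family(data, linktype_is_loop)
    version = bytearray(payload[:1])[0] >> 4 if payload else None
    if family == PF_INET and version == 4:
        return "ipv4"
    if family in PF_INET6_VALUES and version == 6:
        return "ipv6"
    # Unknown PF_ value, or header and payload disagree: do not guess.
    return "unknown"
```

Cross-checking the PF_ value against the version nibble matters because the PF_ numbering belongs to the capturing OS, so a bare number cannot be trusted on its own when the savefile came from another machine.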
292 </p></div></div><div class="refentry"><h1 class="title"><a name="id2718490"></a>getnonblock</h1><div class="refnamediv"><a name="id2718494"></a><h2>Name</h2>getnonblock, setnonblock &#8212; Manipulate the
293 <i>non&#8211;blocking</i> flag</div><div class="refsynopsisdiv"><a name="id2718514"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2718516"><a name="id2718516"></a><p><code><code class="funcdef">int <b class="fsfunc">getnonblock</b></code>();</code></p></div><div class="funcsynopsis" id="id2718538"><a name="id2718538"></a><p><code><code class="funcdef"><b class="fsfunc">setnonblock</b></code>(<var class="pdparam">state</var>);<br>int <var class="pdparam">state</var>;</code></p></div></div><div class="refsect1"><a name="id2718567"></a><h2><a name="id2718567"></a>DESCRIPTION</h2><p>
294 <tt>getnonblock</tt> returns the current
295 non&#8211;blocking state of the capture descriptor; it
296 always returns 0 on <i>savefile</i>s.
297 </p></div><div class="refsect1"><a name="id2718596"></a><h2><a name="id2718596"></a>DESCRIPTION</h2><p>
298 <tt>setnonblock</tt> puts a capture descriptor,
299 opened with <tt>open_live</tt>, into
300 non&#8211;blocking mode, or takes it out of
301 non&#8211;blocking mode, depending on whether the
302 <i><tt>state</tt></i> argument is non&#8211;zero or
303 zero. It has no effect on <i>savefile</i>s. In non&#8211;blocking
304 mode, an attempt to read from the capture descriptor with
305 <tt>dispatch</tt> will, if no packets are
306 currently available to be read, return
307 0 immediately rather than
308 blocking waiting for packets to arrive.
309 <tt>loop</tt> and <tt>next</tt> will
310 not work in non&#8211;blocking mode.
311 </p></div></div><div class="refentry"><h1 class="title"><a name="id2718128"></a>dump_open</h1><div class="refnamediv"><a name="id2718622"></a><h2>Name</h2>dump_open &#8212; Create a Dumper object</div><div class="refsynopsisdiv"><a name="id2718635"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2718639"><a name="id2718639"></a><p><code><code class="funcdef">Dumper <b class="fsfunc">dump_open</b></code>(<var class="pdparam">filename</var>);<br>string <var class="pdparam">filename</var>;</code></p></div></div><div class="refsect1"><a name="id2718669"></a><h2><a name="id2718669"></a>DESCRIPTION</h2><p>
312 <tt>dump_open</tt> is called to open a <i>savefile</i>
for writing and associate it with a newly created
314 <tt>Dumper</tt> instance. The name
315 <tt>-</tt> is a synonym for <tt>stdout</tt>.
316 <i><tt>filename</tt></i> specifies the name of the
317 file to open.
318 </p></div></div></div><div class="reference"><div class="titlepage"><div><h1 class="title"><a name="id2718727"></a>Dumper Object Reference</h1></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2718732">dump</a></dt></dl></div><div class="refentry"><h1 class="title"><a name="id2718732"></a>dump</h1><div class="refnamediv"><a name="id2718735"></a><h2>Name</h2>dump &#8212; Dump a packet to a <i>savefile</i></div><div class="refsynopsisdiv"><a name="id2718751"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2718755"><a name="id2718755"></a><p><code><code class="funcdef"><b class="fsfunc">dump</b></code>(<var class="pdparam">header</var>, <var class="pdparam">data</var>);<br>Pkthdr <var class="pdparam">header</var>;<br>string <var class="pdparam">data</var>;</code></p></div></div><div class="refsect1"><a name="id2718793"></a><h2><a name="id2718793"></a>DESCRIPTION</h2><p>
<tt>dump</tt> writes a packet to the <i>savefile</i>
opened with the <tt>dump_open</tt> method of a
<tt>Reader</tt>.
322 </p></div></div></div><div class="reference"><div class="titlepage"><div><h1 class="title"><a name="id2718829"></a>Pkthdr Object Reference</h1></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2718835">getts</a></dt></dl></div><div class="refentry"><h1 class="title"><a name="id2718835"></a>getts</h1><div class="refnamediv"><a name="id2718838"></a><h2>Name</h2>getts, getcaplen, getlen &#8212; Obtain packet header information</div><div class="refsynopsisdiv"><a name="id2780956"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2780959"><a name="id2780959"></a><p><code><code class="funcdef">(long, long) <b class="fsfunc">getts</b></code>();</code></p></div><div class="funcsynopsis" id="id2780980"><a name="id2780980"></a><p><code><code class="funcdef">long <b class="fsfunc">getcaplen</b></code>();</code></p></div><div class="funcsynopsis" id="id2781001"><a name="id2781001"></a><p><code><code class="funcdef">long <b class="fsfunc">getlen</b></code>();</code></p></div></div><div class="refsect1"><a name="id2781024"></a><h2><a name="id2781024"></a>DESCRIPTION</h2><p>
323 <tt>getts</tt>, <tt>getcaplen</tt>
324 and <tt>getlen</tt> return the timestamp,
325 capture length and total length fields of the packet header,
326 respectively.
327 </p><p>
328 Timestamp is a tuple with two elements: the number of
seconds since the Epoch, and the number of microseconds past
that second. The capture length is the number of
331 bytes of the packet that are available from the capture.
332 Finally, total length gives the length of the packet, in
333 bytes (which might be more than the number of bytes
334 available from the capture, if the length of the packet is
335 larger than the maximum number of bytes to capture).
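An added example (not pcapy's own code) tying the capture length described here to the DLT_LINUX_SLL header layout listed under datalink: a callback for dispatch or loop that never reads past the captured bytes and decodes the 16-byte cooked header. CookedCollector, parse_sll, read_savefile and FakePkthdr are hypothetical names, the sample frame is constructed, and read_savefile assumes the installed pcapy exports the DLT_LINUX_SLL constant.

```python
import struct
from collections import namedtuple

# DLT_LINUX_SLL layout as listed above: 2 + 2 + 2 + 8 + 2 bytes, network order.
SLL_FORMAT = "!HHH8sH"
SLL_LEN = struct.calcsize(SLL_FORMAT)          # 16 bytes

PACKET_TYPES = {0: "to us", 1: "broadcast", 2: "multicast",
                3: "other host to other host", 4: "from us"}

SllHeader = namedtuple("SllHeader", "packet_type arphrd addr_len addr protocol")
Record = namedtuple("Record", "timestamp direction truncated sll payload")


def parse_sll(data):
    """Split a cooked frame into (SllHeader, payload)."""
    if len(data) < SLL_LEN:
        raise ValueError("capture ends inside the link layer header")
    ptype, arphrd, addr_len, addr, proto = struct.unpack(SLL_FORMAT, data[:SLL_LEN])
    # The field always occupies 8 bytes; only min(addr_len, 8) of them are address.
    return SllHeader(ptype, arphrd, addr_len, addr[:min(addr_len, 8)], proto), data[SLL_LEN:]


class CookedCollector(object):
    """Callable suitable as the callback argument of dispatch or loop."""

    def __init__(self):
        self.records = []
        self.short_frames = 0

    def __call__(self, header, data):
        seconds, microseconds = header.getts()
        caplen, wirelen = header.getcaplen(), header.getlen()
        try:
            sll, payload = parse_sll(data[:caplen])
        except ValueError:
            self.short_frames += 1      # count it, never index past caplen
            return
        self.records.append(Record(seconds + microseconds / 1e6,
                                   PACKET_TYPES.get(sll.packet_type, "unknown"),
                                   caplen < wirelen, sll, payload))


def read_savefile(path):
    """Run the collector over a cooked-capture savefile (needs pcapy installed)."""
    import pcapy
    reader = pcapy.open_offline(path)
    if reader.datalink() != pcapy.DLT_LINUX_SLL:
        raise ValueError("savefile is not a Linux cooked capture")
    collector = CookedCollector()
    reader.dispatch(-1, collector)      # -1: every packet in the savefile
    return collector


class FakePkthdr(object):
    """Constructed stand-in exposing the three Pkthdr methods, for the offline demo."""

    def __init__(self, ts, caplen, length):
        self._ts, self._caplen, self._length = ts, caplen, length

    def getts(self):
        return self._ts

    def getcaplen(self):
        return self._caplen

    def getlen(self):
        return self._length


# Constructed frame: sent by us, ARPHRD 1 (Ethernet), 6-byte address, IPv4 payload.
SAMPLE = struct.pack(SLL_FORMAT, 4, 1, 6, b"\x02\x00\x00\x00\x00\x01", 0x0800) \
    + b"\x45\x00\x00\x14"


def demo():
    collector = CookedCollector()
    collector(FakePkthdr((1000, 500000), 20, 60), SAMPLE)      # cut by snaplen
    collector(FakePkthdr((1001, 0), 10, 10), SAMPLE[:10])      # runt frame
    return collector
```

A record with truncated set carries only part of the packet, so any length field inside its payload has to be checked against the bytes actually present before it is used.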
336 </p></div></div></div><div class="reference"><div class="titlepage"><div><h1 class="title"><a name="id2781073"></a>Bpf Object Reference</h1></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2781080">filter</a></dt></dl></div><div class="refentry"><h1 class="title"><a name="id2781080"></a>filter</h1><div class="refnamediv"><a name="id2781083"></a><h2>Name</h2>filter &#8212; Test a packet against a compiled filter</div><div class="refsynopsisdiv"><a name="id2781096"></a><h2>Synopsis</h2><div class="funcsynopsis" id="id2781099"><a name="id2781099"></a><p><code><code class="funcdef">int <b class="fsfunc">filter</b></code>(<var class="pdparam">packet</var>);<br>string <var class="pdparam">packet</var>;</code></p></div></div><div class="refsect1"><a name="id2781129"></a><h2><a name="id2781129"></a>DESCRIPTION</h2><p>
337 <tt>filter</tt> tests a packet against a
338 compiled filter as returned by
339 <tt>pcapy</tt>'s <tt>compile</tt>.
If the packet is allowed to pass through,
-1 is returned; otherwise
<tt>filter</tt> returns
0.
344 </p></div></div></div><div id="id2781178" class="bibliography"><div class="titlepage"><div><h2 class="title"><a name="id2781178"></a>Bibliography</h2></div></div><div class="bibliodiv"><h3 class="title"><a name="id2781186">Sources</a></h3><div id="id2781192" class="biblioentry"><a name="id2781192"></a><p><span class="bibliomisc">
345 Portions of this work based on
346 pcap(3) by the Lawrence
347 Berkeley National Laboratory, University of California,
Berkeley, CA.
</span></p></div></div></div></div></body></html>