tcp/quic lab finished

2025-12-25 14:33:29 +08:00
parent ac5b4bc15d
commit 200566e8fe
261 changed files with 2664 additions and 0 deletions

@ -0,0 +1,253 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Npcap: Nmap Project's packet sniffing library for Windows</title><meta name="generator" content="DocBook XSL Stylesheets V1.79.2"><meta name="description" content="A guide to Npcap, a packet capture and network analysis framework for Windows, for users and software developers. Npcap is a modern, safe, and compatible update to WinPcap."><link rel="home" href="index.html" title="Npcap: Nmap Project's packet sniffing library for Windows"><link rel="next" href="npcap-users-guide.html" title="Npcap Users' Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Npcap: Nmap Project's packet sniffing library for Windows</th></tr><tr><td width="20%" align="left"><EFBFBD></td><th width="60%" align="center"><EFBFBD></th><td width="20%" align="right"><EFBFBD><a accesskey="n" href="npcap-users-guide.html">Next</a></td></tr></table><hr></div><div class="article"><div class="titlepage"><div><div><h2 class="title"><a name="npcap"></a>Npcap: Nmap Project's packet sniffing library for Windows</h2></div><div><div class="abstract"><p class="title"><b>Abstract</b></p>
<p>A guide to Npcap, a packet capture and network analysis framework for Windows, for users and software developers. Npcap is a modern, safe, and compatible update to WinPcap.</p>
</div></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl class="toc"><dt><span class="sect1"><a href="index.html#npcap-intro">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="index.html#npcap-description">What is Npcap?</a></span></dt><dt><span class="sect2"><a href="index.html#npcap-winpcap">Npcap and WinPcap</a></span></dt><dt><span class="sect2"><a href="index.html#id562734">Purpose of this manual</a></span></dt><dt><span class="sect2"><a href="index.html#id562788">Terminology</a></span></dt><dt><span class="sect2"><a href="index.html#npcap-license">Npcap License</a></span></dt><dt><span class="sect2"><a href="index.html#npcap-download">Obtaining Npcap</a></span></dt><dt><span class="sect2"><a href="index.html#npcap-guide-copyright">Acknowledgements and copyright</a></span></dt></dl></dd><dt><span class="sect1"><a href="npcap-users-guide.html">Npcap Users' Guide</a></span></dt><dd><dl><dt><span class="sect2"><a href="npcap-users-guide.html#npcap-installation">Installation</a></span></dt><dt><span class="sect2"><a href="npcap-users-guide.html#npcap-feature-dot11-wireshark">How to use Wireshark to capture raw 802.11 traffic in <span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span></a></span></dt><dt><span class="sect2"><a href="npcap-users-guide.html#npcap-qa">Q &amp; A</a></span></dt><dt><span class="sect2"><a href="npcap-users-guide.html#npcap-issues">Reporting Bugs</a></span></dt></dl></dd><dt><span class="sect1"><a href="npcap-devguide.html">Developing software with Npcap</a></span></dt><dd><dl><dt><span class="sect2"><a href="npcap-devguide.html#npcap-development">Using the Npcap SDK</a></span></dt><dt><span class="sect2"><a href="npcap-devguide.html#npcap-examples">Examples</a></span></dt><dt><span class="sect2"><a href="npcap-devguide.html#npcap-devguide-updating">Updating WinPcap software to Npcap</a></span></dt><dt><span class="sect2"><a href="npcap-devguide.html#npcap-detect">How to 
detect what version Npcap/WinPcap you are using?</a></span></dt><dt><span class="sect2"><a href="npcap-devguide.html#npcap-feature-native">For software that want to use Npcap first when Npcap and WinPcap coexist</a></span></dt><dt><span class="sect2"><a href="npcap-devguide.html#npcap-feature-loopback">For software that uses Npcap loopback feature</a></span></dt><dt><span class="sect2"><a href="npcap-devguide.html#npcap-feature-dot11">For software that uses Npcap raw 802.11 feature</a></span></dt><dt><span class="sect2"><a href="npcap-devguide.html#npcap-api">The Npcap API</a></span></dt></dl></dd><dt><span class="sect1"><a href="npcap-tutorial.html">Npcap Development Tutorial</a></span></dt><dd><dl><dt><span class="sect2"><a href="npcap-tutorial.html#npcap-tutorial-devlist">Obtaining the device list</a></span></dt><dt><span class="sect2"><a href="npcap-tutorial.html#npcap-tutorial-devdetails">Obtaining advanced information about installed devices</a></span></dt><dt><span class="sect2"><a href="npcap-tutorial.html#npcap-tutorial-openadapter">Opening an adapter and capturing the packets</a></span></dt><dt><span class="sect2"><a href="npcap-tutorial.html#npcap-tutorial-pcap-next-ex">Capturing the packets without the callback</a></span></dt><dt><span class="sect2"><a href="npcap-tutorial.html#npcap-tutorial-filtering">Filtering the traffic</a></span></dt><dt><span class="sect2"><a href="npcap-tutorial.html#npcap-tutorial-interpreting">Interpreting the packets</a></span></dt><dt><span class="sect2"><a href="npcap-tutorial.html#npcap-tutorial-offline">Handling offline dump files</a></span></dt><dt><span class="sect2"><a href="npcap-tutorial.html#npcap-tutorial-sending">Sending Packets</a></span></dt><dt><span class="sect2"><a href="npcap-tutorial.html#npcap-tutorial-statistics">Gathering Statistics on the network traffic</a></span></dt></dl></dd><dt><span class="sect1"><a href="npcap-internals.html">Npcap internals</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="npcap-internals.html#npcap-structure">Npcap structure</a></span></dt><dt><span class="sect2"><a href="npcap-internals.html#npcap-internals-driver">Npcap driver internals</a></span></dt><dt><span class="sect2"><a href="npcap-internals.html#npcap-internals-references">Further reading</a></span></dt></dl></dd></dl></div>
<a class="indexterm" name="npcap-indexterm"></a>
<div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="npcap-intro"></a>Introduction</h2></div></div></div>
<p>This Manual describes the programming interface and the source code of
Npcap. It provides detailed descriptions of the functions and structures
exported to programmers, along with complete documentation of the Npcap
internals. Several tutorials and examples are provided as well.</p>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-description"></a>What is Npcap?</h3></div></div></div>
<p>Npcap is an architecture for packet capture and network analysis for
Windows operating systems, consisting of a software library and a network
driver.</p>
<p>Most networking applications access the network through widely-used
operating system primitives such as sockets. It is easy to access data on
the network with this approach since the operating system copes with the
low level details (protocol handling, packet reassembly, etc.) and
provides a familiar interface that is similar to the one used to read and
write files.</p>
<p>Sometimes, however, the <span class="quote">&#8220;<span class="quote">easy way</span>&#8221;</span> is not up to the task,
since some applications require direct access to packets on the network.
That is, they need access to the <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> data on the network
without the interposition of protocol processing by the operating
system.</p>
<p>The purpose of Npcap is to give this kind of access to Windows
applications. It provides facilities to:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">capture raw packets, both the ones destined to the machine where
it's running and the ones exchanged by other hosts (on shared media)</li><li class="listitem">filter the packets according to user-specified rules before
dispatching them to the application</li><li class="listitem">transmit raw packets to the network</li><li class="listitem">gather statistical information on the network traffic</li></ul></div>
<p>This set of capabilities is obtained by means of a device driver,
which is installed inside the networking portion of the Windows kernel,
plus a couple of DLLs.</p>
<p>All of these features are exported through a powerful programming
interface, easily usable by applications. The main goal of this manual is
to document this interface, with the help of several examples.</p>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="id562445"></a>What kind of programs use Npcap?</h4></div></div></div>
<p>The Npcap programming interface can be used by many types of
network tools for analysis, troubleshooting, security and monitoring.
In particular, classical tools that rely on Npcap are:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">network and protocol analyzers</li><li class="listitem">network monitors</li><li class="listitem">traffic loggers</li><li class="listitem">traffic generators</li><li class="listitem">user-level bridges and routers</li><li class="listitem">network intrusion detection systems (NIDS)</li><li class="listitem">network scanners</li><li class="listitem">security tools</li></ul></div>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="id562468"></a>What Npcap can't do</h4></div></div></div>
<p>Npcap receives and sends the packets independently from the host
protocols, like TCP/IP. This means that it isn't able to block, filter or
manipulate the traffic generated by other programs on the same machine: it
simply <span class="quote">&#8220;<span class="quote">sniffs</span>&#8221;</span> the packets that transit on the wire. Therefore, it does not
provide the appropriate support for applications like traffic shapers, QoS
schedulers and personal firewalls. </p>
</div>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-winpcap"></a>Npcap and WinPcap</h3></div></div></div>
<p>Npcap is an update of <a class="ulink" href="http://www.winpcap.org/" target="_top">WinPcap</a>
to the <a class="ulink" href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff565492(v=vs.85).aspx" target="_top">NDIS 6 Light-Weight Filter (LWF)</a> API.
It supports <span class="command"><strong>Windows 7, 8, 8.1, and 10</strong></span>. It is developed
by the <a class="ulink" href="http://nmap.org/" target="_top">Nmap Project</a>
as a continuation of the project started by Yang Luo
under <a class="ulink" href="https://www.google-melange.com/gsoc/project/details/google/gsoc2013/hsluoyz/5727390428823552" target="_top">Google Summer of Code 2013</a> and
<a class="ulink" href="https://www.google-melange.com/gsoc/project/details/google/gsoc2015/hsluoyz/5723971634855936" target="_top">2015</a>.
It also received many helpful tests from <a class="ulink" href="https://www.wireshark.org/" target="_top">Wireshark</a>
and <a class="ulink" href="http://www.netscantools.com/" target="_top">NetScanTools</a>.
</p>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-features"></a>Feature comparison with WinPcap</h4></div></div></div>
<p>Npcap carries on the WinPcap legacy, but is not without its own
innovations. Here are some of the most exciting improvements and new
features that Npcap adds:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>NDIS 6 Support</em></span>: Npcap makes use of the new NDIS Lightweight Filter driver introduced in
NDIS 6.0. This driver type is faster and has less overhead
than the legacy <a class="ulink" href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff557012(v=vs.85).aspx" target="_top">NDIS 5 Intermediate Driver</a>
type used by WinPcap.
</p></li><li class="listitem"><p><span class="emphasis"><em>Latest libpcap API Support</em></span>: Npcap provides support
for the latest <a class="ulink" href="https://github.com/the-tcpdump-group/libpcap" target="_top">libpcap API</a>
by accepting libpcap as a <a class="ulink" href="https://git-scm.com/docs/git-submodule" target="_top">Git submodule</a>.
The latest libpcap 1.8 has integrated more fascinating features and functions than the
<a class="ulink" href="https://www.winpcap.org/misc/changelog.htm" target="_top">deprecated libpcap 1.0.0 shipped by WinPcap</a>.
Moreover, since Linux already has a good support for latest libpcap API, using
Npcap on Windows facilitates your software to base on the same API on both Windows and Linux.</p></li><li class="listitem"><p><span class="emphasis"><em><span class="quote">&#8220;<span class="quote">Admin-only Mode</span>&#8221;</span> Support</em></span>: Npcap supports to restrict its
use to Administrators for safety purpose. If Npcap is installed with
the option <span class="quote">&#8220;<span class="quote">Restrict Npcap driver's access to Administrators only</span>&#8221;</span> checked,
when a non-Admin user tries to start a user software (Nmap, Wireshark, etc),
the <a class="ulink" href="http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7" target="_top">User Account Control (UAC)</a>
dialog will prompt asking for Administrator privilege. Only when the end
user chooses Yes, the driver can be accessed. This is similar to UNIX
where you need root access to capture packets.</p></li><li class="listitem"><p><span class="emphasis"><em>Loopback Packet Capture</em></span>: Npcap is able to
see Windows loopback packets using the
<a class="ulink" href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx" target="_top">
Windows Filtering Platform (WFP)</a>. Npcap supplies an
interface named <span class="quote">&#8220;<span class="quote">NPF_Loopback</span>&#8221;</span>, with the description <span class="quote">&#8220;<span class="quote">Adapter for loopback capture.</span>&#8221;</span>
If you are a Wireshark user, choose this adapter
to capture, you will see all loopback traffic the same way as other
non-loopback adapters. Try it by typing in commands like <span class="command"><strong>ping 127.0.0.1</strong></span>
(IPv4) or <span class="command"><strong>ping ::1</strong></span> (IPv6).</p></li><li class="listitem"><p><span class="emphasis"><em>Loopback Packet Injection</em></span>: Besides loopback packet
capturing, Npcap can also send out loopback packets using the
<a class="ulink" href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff556958(v=vs.85).aspx" target="_top">Winsock Kernel (WSK)</a>
technique. A user software (e.g. Nmap) can just send packets
on the <span class="quote">&#8220;<span class="quote">NPF_Loopback</span>&#8221;</span> device using
<code class="function">pcap_inject()</code> or
<code class="function">PacketSendPacket</code> just like on a standard
interface. Npcap
will automatically remove the packet's DLT_NULL header and
inject the payload into Windows TCP/IP stack.</p></li><li class="listitem"><p><span class="emphasis"><em>Raw 802.11 Packets Capture Support</em></span>: Npcap is able to see
<span class="emphasis"><em>802.11</em></span> packets instead of <span class="emphasis"><em>fake Ethernet</em></span> packets on ordinary wireless
adapters. You need to select the <code class="option">Support raw 802.11 traffic (and monitor
mode) for wireless adapters</code> option in the installation wizard to enable
this feature. When your adapter is in <span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span>, Npcap will supply all
<span class="emphasis"><em>802.11 data + control + management</em></span> packets with radiotap headers. When
your adapter is in <span class="quote">&#8220;<span class="quote">Managed Mode</span>&#8221;</span>, Npcap will only supply <span class="emphasis"><em>Ethernet</em></span>
packets. Npcap directly supports to use Wireshark to capture in <span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span>.
Meantime, Npcap also provides the <code class="filename">WlanHelper.exe</code>
tool to help you switch to <span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span> on your own. See more details
about this feature in section
<span class="quote">&#8220;<span class="quote"><a class="link" href="npcap-devguide.html#npcap-feature-dot11" title="For software that uses Npcap raw 802.11 feature">For software that uses Npcap raw 802.11 feature</a></span>&#8221;</span>.
See more details about radiotap here:
<a class="ulink" href="http://www.radiotap.org/" target="_top">http://www.radiotap.org/</a></p></li><li class="listitem"><p><span class="emphasis"><em><span class="quote">&#8220;<span class="quote">WinPcap API-compatible Mode</span>&#8221;</span>
Support</em></span>: <span class="quote">&#8220;<span class="quote">WinPcap API-compatible Mode</span>&#8221;</span> makes Npcap a
strict WinPcap replacement by using the same DLL location and service name as
WinPcap. This is useful for testing or migrating from software that only uses
WinPcap, but because Npcap is masquerading as WinPcap, software will not be
able to be aware of and use Npcap's newer features. It's notable that before
installing in this mode, any existing WinPcap installation will be
uninstalled and replaced.
</p></li></ul></div>
</div>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="id562734"></a>Purpose of this manual</h3></div></div></div>
<p>The purpose of this manual is to provide a comprehensive and easy way
to browse the documentation of the Npcap architecture. You will find
three main sections: <a class="xref" href="npcap-users-guide.html" title="Npcap Users' Guide">the section called &#8220;Npcap Users' Guide&#8221;</a>,
<a class="xref" href="npcap-devguide.html" title="Developing software with Npcap">the section called &#8220;Developing software with Npcap&#8221;</a>,
and <a class="xref" href="npcap-internals.html" title="Npcap internals">the section called &#8220;Npcap internals&#8221;</a>.</p>
<p><a class="xref" href="npcap-users-guide.html" title="Npcap Users' Guide">the section called &#8220;Npcap Users' Guide&#8221;</a> is for end users of Npcap, and
primarily concerns installation options, hardware compatibility, and bug
reporting procedures.</p>
<p><a class="xref" href="npcap-devguide.html" title="Developing software with Npcap">the section called &#8220;Developing software with Npcap&#8221;</a> is for programmers who need to use
Npcap from an application: it contains information about functions and
data structures exported by the Npcap API, a manual for writing packet
filters, and information on how to include it in an application. A
tutorial with several code samples is provided as well; it can be used to
learn the basics of the Npcap API using a step-by-step approach, but it
also offers code snippets that demonstrate advanced features.</p>
<p><a class="xref" href="npcap-internals.html" title="Npcap internals">the section called &#8220;Npcap internals&#8221;</a> is intended for Npcap developers
and maintainers, or for people who are curious about how this system
works: it provides a general description of the Npcap architecture and
explains how it works. Additionally, it documents the complete device
driver structure, the source code, the Packet.dll interface and the
low-level Npcap API. If you want to understand what happens inside Npcap
or if you need to extend it, this is the section you will want to
read.</p>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="id562788"></a>Terminology</h3></div></div></div>
<p>We call Npcap an <em class="wordasword">architecture</em> rather than
<em class="wordasword">library</em> because packet capture is a low level
mechanism that requires a strict interaction with the network adapter and
with the operating system, in particular with its networking
implementation, so a simple library is not sufficient.</p>
<p>For consistency with the literature, we will use the term
<em class="wordasword">packet</em> even though
<em class="wordasword">frame</em> is more accurate since the capture process
is done at the data-link layer and the data-link header is included in
the captured data.</p>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-license"></a>Npcap License</h3></div></div></div>
<p>Even though Npcap source code is publicly available for review, it is
not open source software and may not be redistributed without special
permission from the Nmap Project. The
<a class="ulink" href="https://github.com/nmap/npcap/blob/master/LICENSE" target="_top">Npcap License</a>
allows end users to download, install, and use Npcap from our site for
free. Software providers (open source or otherwise) which want to use
Npcap functionality are welcome to point their users to npcap.org for
those users to download and install.</p>
<p>We fund the Npcap project by selling licenses to companies who wish
to redistribute Npcap within their products. The
<a class="ulink" href="https://nmap.org/npcap/oem/" target="_top">Npcap OEM edition</a> allows
companies to silently and seamlessly install Npcap during their product's
installation rather than asking users to download and install Npcap
themselves. The Npcap OEM commercial license also includes support,
updates and indemnification. This is similar to the commercial licenses
we offer for embedding <a class="ulink" href="https://nmap.org/" target="_top">Nmap</a> in
commercial software. More details are available from <a class="ulink" href="https://nmap.org/npcap/oem/" target="_top">the Npcap OEM page</a>.</p>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-download"></a>Obtaining Npcap</h3></div></div></div>
<p>The latest Npcap release can always be found
<a class="ulink" href="https://nmap.org/npcap/#download" target="_top">on the Npcap
website</a> as an executable installer and as a source code
archive.</p>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-guide-copyright"></a>Acknowledgements and copyright</h3></div></div></div>
<p>Portions of this guide were adapted from the WinPcap documentation.
Copyright <20> 2002-2005 Politecnico di Torino. Copyright <20>
2005-2010 CACE Technologies. Copyright <20> 2010-2013 Riverbed
Technology. Copyright <20> 2020 Insecure.Com, LLC. All rights
reserved.</p>
</div>
</div>
</div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><EFBFBD></td><td width="20%" align="center"><EFBFBD></td><td width="40%" align="right"><EFBFBD><a accesskey="n" href="npcap-users-guide.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"><EFBFBD></td><td width="20%" align="center"><EFBFBD></td><td width="40%" align="right" valign="top"><EFBFBD>Npcap Users' Guide</td></tr></table></div></body></html>
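
Review bot: the "Npcap License" section near the end of this added page states that Npcap "is not open source software and may not be redistributed without special permission from the Nmap Project", so check whether committing a copy of the vendor documentation (part of the 261 added files) into the lab repository is permitted. If it is not, drop the vendored copy and link to https://nmap.org/npcap/#download, which the page itself names as the source. Separately, the page declares charset=ISO-8859-1, yet the navigation cells and the copyright lines show replacement characters where non-breaking spaces and the copyright sign would be. Confirm the file was committed byte-for-byte, for example by marking the vendored docs as binary in .gitattributes, rather than transcoded on the way in. The text also describes an old release (Windows 7 through 10, libpcap 1.8, copyright 2020), so lab instructions that depend on it should point at the current online guide.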

@ -0,0 +1,705 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Developing software with Npcap</title><meta name="generator" content="DocBook XSL Stylesheets V1.79.2"><meta name="description" content="Writing software that captures or injects network traffic is easy with Npcap. This guide describes the Npcap SDK, WinPcap compatibility, and the Npcap API."><link rel="home" href="index.html" title="Npcap: Nmap Project's packet sniffing library for Windows"><link rel="up" href="index.html" title="Npcap: Nmap Project's packet sniffing library for Windows"><link rel="prev" href="npcap-users-guide.html" title="Npcap Users' Guide"><link rel="next" href="npcap-tutorial.html" title="Npcap Development Tutorial"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Developing software with Npcap</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="npcap-users-guide.html">Prev</a><EFBFBD></td><th width="60%" align="center"><EFBFBD></th><td width="20%" align="right"><EFBFBD><a accesskey="n" href="npcap-tutorial.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="npcap-devguide"></a>Developing software with Npcap</h2></div><div><div class="abstract"><p class="title"><b>Abstract</b></p>
<p> Writing software that captures or injects network traffic is easy
with Npcap. This guide describes the Npcap SDK, WinPcap compatibility,
and the Npcap API.</p>
</div></div></div></div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-development"></a>Using the Npcap SDK</h3></div></div></div>
<p>
To build software that uses Npcap, use the latest version of the Npcap Software Development Kit (SDK).
The latest SDK can be downloaded on <a class="ulink" href="http://npcap.org/#download" target="_top">Npcap.org</a>.
Updates to the SDK are much less frequent than updates to the Npcap binaries.
</p>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-examples"></a>Examples</h3></div></div></div>
<p>
Examples of applications using Npcap are available <a class="ulink" href="https://github.com/nmap/npcap/tree/master/Examples" target="_top">in the Examples directory</a> in the source distribution.
Several of these examples are explored in more depth in the <a class="xref" href="npcap-tutorial.html" title="Npcap Development Tutorial">the section called &#8220;Npcap Development Tutorial&#8221;</a>.
</p>
<p>
Npcap developer Yang Luo has also provided an example:
<a class="ulink" href="https://github.com/hsluoyz/UserBridge/" target="_top">UserBridge</a>,
which is a tool to redirect all packets from one interface to another.
</p>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-devguide-updating"></a>Updating WinPcap software to Npcap</h3></div></div></div>
<p>
For the most part, Npcap is completely compatible with software written
for WinPcap. Minor changes need to be made to <a class="xref" href="npcap-devguide.html#npcap-feature-native-dll" title="DLL loading">the section called &#8220;DLL loading&#8221;</a> and in some
cases <a class="xref" href="npcap-devguide.html#npcap-feature-native-servicename" title="Service name">the section called &#8220;Service name&#8221;</a>. However, there have been many improvements to the libpcap
API between the last release of WinPcap and the current release of Npcap.
Reviewing the changes may help improve performance, reliability, and
maintainability of software that uses Npcap.
</p>
<p>Apart from the libpcap API, WinPcap exported a few functions used by
<a class="ulink" href="https://www.winpcap.org/windump/" target="_top">WinDump</a> that were
related to porting a Unix-style tool to Windows but unrelated to packet
capture. Those functions were not documented in the WinPcap
documentation, have never been included in libpcap, and are therefore not
in the Npcap API: <code class="code">getservent</code>, <code class="code">endservent</code>, and
<code class="code">eproto_db</code>.</p>
<p>One other function exported by WinPcap, <code class="code">wsockinit</code>, is
available via the Npcap API as <code class="code">pcap_wsockinit</code>. It calls
<code class="code">WSAStartup</code> for Windows Sockets version 1.1 and ensures that
<code class="code">WSACleanup</code> is called when the process ends.</p>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-detect"></a>How to detect what version Npcap/WinPcap you are using?</h3></div></div></div>
<p>
Sometimes, our user software needs to detect the existence of Npcap/WinPcap
at install-time or run-time. Although Npcap's GUI installer has the ability
to handle this, you may want to handle it by yourself in some conditions,
like you run Npcap installer in silent-mode. The run-time detection is even
more useful. Your software probably has some functions that rely on Npcap's
particular features (like loopback capture). You need to know if you
are running on top of Npcap or the legacy WinPcap to control whether to
switch your functions on. Fortunately, Npcap provides you some methods to
detect Npcap/WinPcap at install-time and run-time.
</p>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-detect-version"></a>Npcap version</h4></div></div></div>
<p> Npcap has a version number that is independent of WinPcap. The last
release of WinPcap was version 4.1.3, but Npcap started over counting
versions from 0.00. In order to make it clear to the installers and other
software that Npcap is newer and more advanced, the executable
<span class="quote">&#8220;<span class="quote">file version</span>&#8221;</span> was advanced to <span class="quote">&#8220;<span class="quote">5.0.0.000</span>&#8221;</span> at
that point. The major version will always be <span class="quote">&#8220;<span class="quote">5</span>&#8221;</span> to
distinguish Npcap from WinPcap. The minor version is Npcap's major
version; the revision is Npcap's minor version; and the build number is
an encoding of the build date. So a file version of
<span class="quote">&#8220;<span class="quote">5.0.92.612</span>&#8221;</span> is Npcap 0.92, built on June 12th.</p>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-detect-install-time"></a>Install-time detection</h4></div></div></div>
<p>
You can check the existence of <code class="filename">C:\Program Files\Npcap\NPFInstall.exe</code> to
detect Npcap's existence. If Npcap exists, you can check the file version of
<code class="filename">C:\Program Files\Npcap\NPFInstall.exe</code> to detect Npcap e-version. The
e-version also gives you the version. The NSIS code is shown below. <code class="varname">$inst_ver</code>
is an e-version string like <span class="quote">&#8220;<span class="quote">5.0.7.424</span>&#8221;</span>
</p>
<pre class="screen">
GetDllVersion "C:\Program Files\Npcap\NPFInstall.exe" $R0 $R1
IntOp $R2 $R0 / 0x00010000
IntOp $R3 $R0 &amp; 0x0000FFFF
IntOp $R4 $R1 / 0x00010000
IntOp $R5 $R1 &amp; 0x0000FFFF
StrCpy $inst_ver "$R2.$R3.$R4.$R5"
</pre>
<p>
You can check the installation options of an already installed Npcap by reading the registry
key: <code class="filename">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters</code>.
The entries like <code class="filename">AdminOnly</code>,
<code class="filename">LoopbackSupport</code>, <code class="filename">DltNull</code>,<code class="filename">Dot11Support</code>,
<code class="filename">VlanSupport</code>, <code class="filename">WinPcapCompatible</code>, etc.
are <code class="code">REG_DWORD</code> type. A 0x00000001 value
indicates the installation option is <span class="emphasis"><em>CHECKED</em></span>.
</p>
<p>Note: Prior to Npcap 0.93, these values were stored in the
<code class="filename">Services\npcap</code> key directly.</p>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-detect-run-time"></a>Run-time detection</h4></div></div></div>
<p>
Npcap and WinPcap can be installed together on a system. Which capture
library is used by the user software relies on the DLL loading path. If
Npcap's <code class="filename">wpcap.dll</code> is loaded first, then you are using
Npcap, vice versa. However, it's difficult and fragile to check the DLL
loading path by yourself. Fortunately, you can use
<code class="function">pcap_lib_version</code> to get the Npcap/WinPcap version
string.
</p>
<pre class="screen">
char *pcap_version = pcap_lib_version();
printf("%s", pcap_version);
// Npcap output: "Npcap version 0.92, based on libpcap version 1.8.1"
// WinPcap output: "WinPcap version 4.1.3"
</pre>
<p>Npcap requires the <code class="varname">npcap</code> service to be running. If
installed in <span class="quote">&#8220;<span class="quote">WinPcap Compatible Mode</span>&#8221;</span>, the
<code class="varname">npf</code> service can be started instead. Given that
<code class="varname">npcap</code> service is always installed
in both modes, a good practice is just trying the <code class="varname">npcap</code> service first.
If it fails, then try the <code class="varname">npf</code> service. This is also what most of our users
do in their software based on our investigation. A code sample from Nmap is
<a class="ulink" href="https://github.com/nmap/nmap/blob/8c8e4a08c6c6b7abd2343e5921aafb6077bdb257/mswin32/winfix.cc#L322-L328" target="_top">here</a>.
</p>
</div>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-feature-native"></a>For software that want to use Npcap first when Npcap and WinPcap coexist</h3></div></div></div>
<p>
Prerequisite: Uncheck the <code class="option">Install Npcap in WinPcap API-compatible Mode</code> option at
install-time (which is by default).
</p>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-feature-native-dll"></a>DLL loading</h4></div></div></div>
<p>Npcap installs its DLLs into <code class="filename">C:\Windows\System32\Npcap\</code>
instead of WinPcap's <code class="filename">C:\Windows\System32\</code>. Because of how Windows'
<a class="ulink" href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms686203(v=vs.85).aspx" target="_top">DLL search path</a> works,
your application will use WinPcap first by default when Npcap and WinPcap coexist,
as <code class="filename">C:\Windows\System32\</code> is prior to <code class="filename">C:\Windows\System32\Npcap\</code>.
So when Npcap and WinPcap coexist, an application that want to use Npcap instead
of WinPcap must make <code class="filename">C:\Windows\System32\Npcap\</code> precedent to the
<code class="filename">C:\Windows\System32\</code> in the DLL search path. Here are two ways
to modify this search path to make your application load Npcap's DLLs first,
based on how your application links Npcap/WinPcap's library
(<code class="filename">wpcap.dll</code>).</p>
<div class="sect4"><div class="titlepage"><div><div><h5 class="title"><a name="npcap-feature-native-dll-implicitly"></a>If the application <span class="emphasis"><em>implicitly</em></span> links <code class="filename">wpcap.dll</code></h5></div></div></div>
<p>Implicit linking means that either you specified <code class="filename">wpcap.lib</code>
in your <code class="option">Project Properties</code> -&gt; <code class="option">Configuration Properties</code>
-&gt; <code class="option">Linker</code> -&gt; <code class="option">Input</code> -&gt; <code class="option">Additional Dependencies</code> in Visual Studio,
or specified <code class="code">#pragma comment(linker, "wpcap.lib")</code> in your code.</p>
<p>You need to do the following two steps:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Specify <code class="filename">wpcap.dll</code> as a delay-loaded DLL: In
Visual Studio, open the <code class="option">Project Properties</code> window. Go to:
<code class="option">Configuration Properties</code> -&gt; <code class="option">Linker</code> -&gt; <code class="option">Input</code>
-&gt; <code class="option">Delay Loaded Dlls</code>. Enter <code class="filename">wpcap.dll</code>
in that option.</p></li><li class="listitem"><p>Before calling any <code class="filename">wpcap.dll</code> functions,
call <code class="function">SetDllDirectory</code> to add <code class="filename">C:\Windows\System32\Npcap\</code>
to DLL search path.</p></li></ul></div>
<p><a class="ulink" href="https://github.com/hsluoyz/WinDump/" target="_top">Here</a>
is an example called WinDump, a simple packet capture tool using Npcap/WinPcap.
And <a class="ulink" href="https://github.com/hsluoyz/WinDump/commit/dffe2eaa520fc3b449ec0a90dcfa24f96359bbfa" target="_top">this commit</a>
makes it able to use Npcap first when Npcap and WinPcap coexist.</p>
</div>
<div class="sect4"><div class="titlepage"><div><div><h5 class="title"><a name="npcap-feature-native-dll-explicitly"></a>If the application <span class="emphasis"><em>explicitly</em></span> links <code class="filename">wpcap.dll</code></h5></div></div></div>
<p>Explicit linking means that you explicitly called <code class="function">LoadLibrary</code>
to load <code class="filename">wpcap.dll</code> and called <code class="function">GetProcAddress</code> to get the
function pointers.</p>
<p>You need to do the following one step:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Before calling <code class="function">LoadLibrary</code> to load <code class="filename">wpcap.dll</code>,
call <code class="function">SetDllDirectory</code> to add <code class="filename">C:\Windows\System32\Npcap\</code>
to DLL search path.</p></li></ul></div>
<p>The function <code class="function">init_npcap_dll_path</code> is provided in the following example:
<a class="ulink" href="https://github.com/hsluoyz/WinDump/commit/dffe2eaa520fc3b449ec0a90dcfa24f96359bbfa" target="_top">WinDump</a></p>
</div>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-feature-native-servicename"></a>Service name</h4></div></div></div>
<p>Because Npcap is a NDIS 6 LWF filter driver it is designed to run
at system boot, so software will generally not need to start it,
unlike WinPcap which was often installed in a demand-start
configuration.</p>
<p>Npcap uses service name <span class="quote">&#8220;<span class="quote">npcap</span>&#8221;</span> instead of WinPcap's <span class="quote">&#8220;<span class="quote">npf</span>&#8221;</span> with
<span class="quote">&#8220;<span class="quote">WinPcap Compatible Mode</span>&#8221;</span> OFF. So applications using
<span class="command"><strong>net start npf</strong></span> for starting service must change to this:
run <span class="command"><strong>net start npcap</strong></span> first, if it fails, then try
<span class="command"><strong>net start npf</strong></span>.</p>
</div>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-feature-loopback"></a>For software that uses Npcap loopback feature</h3></div></div></div>
<p>
Npcap 0.9983 and newer support loopback traffic capture and injection without requiring a particular installation option.
</p>
<p>
Npcap's loopback adapter device is reported by
<code class="function">pcap_findalldevs()</code> as
<span class="quote">&#8220;<span class="quote">\Device\NPF_Loopback</span>&#8221;</span>. This name is always available even
if <span class="quote">&#8220;<span class="quote">Legacy loopback support</span>&#8221;</span> was chosen at install time,
which puts the name of the legacy loopback adapter in the
<code class="filename">LoopbackAdapter</code> REG_SZ value of the
<code class="filename">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters</code>.
Registry key.
</p>
<p>
Traffic captured and injected on the loopback adapter uses the
<code class="varname">DLT_NULL</code> data link type, which consists of a 4-byte
header in host byte order that is either 2 for IPv4 packets or 24 for
IPv6 packets.
</p>
<p>
The MTU of <span class="quote">&#8220;<span class="quote">Npcap Loopback Adapter</span>&#8221;</span> is hard-coded to 65536 by Npcap. Software
using Npcap should get this value automatically and no special handling is needed. This value is
arbitrary and does not imply a limitation on the Windows loopback stack,
so it may be possible to capture packets with a size larger than the adapter's MTU.
</p>
<p>
Don't try to make OID requests to <span class="quote">&#8220;<span class="quote">Npcap Loopback Adapter</span>&#8221;</span> except
<code class="varname">OID_GEN_MAXIMUM_TOTAL_SIZE</code> (MTU). Those requests will still succeed like
other adapters do, but they only make sense for NDIS adapters and Npcap doesn't even use the
NDIS way to handle the loopback traffic. The only handled OID request by Npcap is
<code class="varname">OID_GEN_MAXIMUM_TOTAL_SIZE</code>. If you query its value, you will always get
65550 (65536 + 14). If you try to set its value, the operation will always fail.
</p>
<p>If you use IP Helper API to get adapter list, you will get an interface named
like <span class="quote">&#8220;<span class="quote">Loopback Pseudo-Interface 1</span>&#8221;</span>. This interface is a DUMMY interface by Microsoft
and can't be seen in NDIS layer. And it also takes the 127.0.0.1/::1 IP address. A good practice
for software is replacing the <code class="varname">AdapterName</code> of the
<span class="quote">&#8220;<span class="quote">Loopback Pseudo-Interface 1</span>&#8221;</span> entry with
<span class="quote">&#8220;<span class="quote">NPF_Loopback</span>&#8221;</span>, as Nmap does in its enhancements to
libdnet.</p>
<p><span class="quote">&#8220;<span class="quote">Legacy loopback support</span>&#8221;</span> installs a copy of the
Microsft KM-TEST loopback adapter named <span class="quote">&#8220;<span class="quote">Npcap Loopback
Adapter</span>&#8221;</span> for software that expects to find the loopback adapter
via ordinary Windows API calls. The features and operation are no
different from standard loopback support, but the
name of the adapter will be written to the
<code class="filename">LoopbackAdapter</code> Registry value.
</p>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-feature-dot11"></a>For software that uses Npcap raw 802.11 feature</h3></div></div></div>
<p>
Prerequisite: Check the <code class="option">Support raw 802.11 traffic (and monitor mode) for wireless adapters</code> option at install-time.
</p>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-feature-dot11-steps"></a>Steps</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Install the latest version Npcap with the
<code class="option">Support raw 802.11 traffic (and monitor mode) for wireless
adapters</code> option checked in the installation wizard. With this
option checked, Npcap will see packets with <span class="emphasis"><em>Radiotap +
802.11</em></span> headers for wireless adapters. Otherwise, Npcap will
see packets with <span class="emphasis"><em>fake Ethernet</em></span> headers for wireless
adapters.</p></li><li class="listitem"><p>Run <code class="filename">WlanHelper.exe</code> with
<span class="emphasis"><em>Administrator privilege</em></span>. If you use
<code class="option">-i</code>, follow the interactive prompts to choose your
wireless adapter and select <span class="quote">&#8220;<span class="quote">Network Monitor</span>&#8221;</span> mode.
<code class="filename">WlanHelper.exe</code> also supports parameters to be used
in an API manner, run <span class="command"><strong>WlanHelper.exe -h</strong></span> for
details.</p></li><li class="listitem"><p>Use the Npcap API from your user software as usual. For
example, launch Wireshark and capture on the wireless adapter, viewingall
802.11 packets (<span class="emphasis"><em>data + control + management</em></span>).
</p></li><li class="listitem"><p>If you need to return to <span class="quote">&#8220;<span class="quote">Managed Mode</span>&#8221;</span>, run
<span class="command"><strong>WlanHelper.exe</strong></span> again, following the prompts or
selecting the appropriate command-line options to switch off the
<span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span>.</p></li></ul></div>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-feature-dot11-tips"></a>Tips</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>You can use <code class="filename">WlanHelper.exe</code> tool to
switch on the <span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span> in order to see
<span class="emphasis"><em>802.11 control and management</em></span> packets. You
can also use the <code class="code">pcap_set_rfmon</code> function within your
code, as Wireshark does.
</p></li><li class="listitem"><p>Switching on the <span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span> will
disconnect your wireless network from the AP, you can switch back to
<span class="quote">&#8220;<span class="quote">Managed Mode</span>&#8221;</span> using the same
<code class="filename">WlanHelper.exe</code> tool.</p></li><li class="listitem"><p>The <code class="filename">WlanHelper.exe</code> tool is
installed to <span class="quote">&#8220;<span class="quote">%SYSTEMROOT%\System32\Npcap</span>&#8221;</span> after installing Npcap.</p></li></ul></div>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-feature-dot11-terminology"></a>Terminology</h4></div></div></div>
<p>
<span class="quote">&#8220;<span class="quote">Managed Mode</span>&#8221;</span> (for Linux) = <span class="quote">&#8220;<span class="quote">Extensible Station Mode</span>&#8221;</span> (aka <span class="quote">&#8220;<span class="quote">ExtSTA</span>&#8221;</span>, for Windows)
</p>
<p>
<span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span> (for Linux) = <span class="quote">&#8220;<span class="quote">Network Monitor Mode</span>&#8221;</span> (aka <span class="quote">&#8220;<span class="quote">NetMon</span>&#8221;</span>, for Windows)
</p>
<p>
<span class="quote">&#8220;<span class="quote">Master Mode</span>&#8221;</span> (for Linux) = <span class="quote">&#8220;<span class="quote">Extensible Access Point</span>&#8221;</span> (aka <span class="quote">&#8220;<span class="quote">ExtAP</span>&#8221;</span>, for Windows)
</p>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-feature-dot11-wlanhelper"></a>WlanHelper</h4></div></div></div>
<p>
WlanHelper is used to set/get the operation mode (like <span class="quote">&#8220;<span class="quote">Monitor
Mode</span>&#8221;</span>) for a wireless adapter on Windows. WlanHelper tries to
follow the grammar of <code class="filename">iwconfig</code>, a wireless
management tool for Linux. So if you rename
<code class="filename">WlanHelper.exe</code> to <code class="filename">iwconfig.exe</code>,
your command lines for WlanHelper will be exactly the same with the
iwconfig tool.
</p>
<div class="sect4"><div class="titlepage"><div><div><h5 class="title"><a name="npcap-feature-dot11-wlanhelper-usage"></a>WlanHelper's Usage</h5></div></div></div>
<p>
Note: <span class="command"><strong>WlanHelper</strong></span> must run under <span class="emphasis"><em>Administrator privilege</em></span>.
</p>
<div class="sect5"><div class="titlepage"><div><div><h6 class="title"><a name="npcap-feature-dot11-wlanhelper-usage-interactive"></a>Interactive way</h6></div></div></div>
<p>
Run <span class="command"><strong>WlanHelper</strong></span> with the <code class="option">-i</code> option.
</p>
</div>
<div class="sect5"><div class="titlepage"><div><div><h6 class="title"><a name="npcap-feature-dot11-wlanhelper-usage-api"></a>Command-line API way</h6></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Run <span class="command"><strong>netsh wlan show interfaces</strong></span>, get the <code class="option">Name</code> or <code class="option">GUID</code> for the interface.</p></li><li class="listitem"><p>Run <span class="command"><strong>WlanHelper -h</strong></span> to see the man page.</p></li></ul></div>
<div class="example"><a name="npcap-ex-wlanhelper-man"></a><p class="title"><b>Example<EFBFBD>1.<2E>WlanHelper Man</b></p><div class="example-contents">
<pre class="screen">
C:\&gt; <strong class="userinput"><code>WlanHelper.exe</code></strong>
WlanHelper for Npcap 0.91 ( http://npcap.org )
Usage: WlanHelper [Commands]
or: WlanHelper {Interface Name or GUID} [Options]
OPTIONS:
mode : Get interface operation mode
mode &lt;managed|monitor|master|..&gt; : Set interface operation mode
modes : Get all operation modes supported by the interface, comma-separated
channel : Get interface channel
channel &lt;1-14&gt; : Set interface channel (only works in monitor mode)
freq : Get interface frequency
freq &lt;VALUE&gt; : Set interface frequency (only works in monitor mode)
modu : Get interface modulation
modu &lt;dsss|fhss|irbaseband|ofdm|hrdsss|erp|ht|vht|ihv (VALUE)|..&gt; : Set interface modulation
modus : Get all modulations supported by the interface, comma-separated
COMMANDS:
-i : Enter the interactive mode
-h : Print this help summary page
OPERATION MODES:
managed : The Extensible Station (ExtSTA) operation mode
monitor : The Network Monitor (NetMon) operation mode
master : The Extensible Access Point (ExtAP) operation mode (supported from Windows 7 and later)
wfd_device : The Wi-Fi Direct Device operation mode (supported from Windows 8 and later)
wfd_owner : The Wi-Fi Direct Group Owner operation mode (supported from Windows 8 and later)
wfd_client : The Wi-Fi Direct Client operation mode (supported from Windows 8 and later)
802.11 MODULATIONS (https://en.wikipedia.org/wiki/IEEE_802.11):
802.11-1997 : dsss, fhss
802.11a : ofdm
802.11b : dsss
802.11g : ofdm
802.11n : mimo-ofdm
802.11ac : mimo-ofdm
EXAMPLES:
WlanHelper Wi-Fi mode
WlanHelper 42dfd47a-2764-43ac-b58e-3df569c447da channel 11
WlanHelper 42dfd47a-2764-43ac-b58e-3df569c447da freq 2
WlanHelper "Wireless Network Connection" mode monitor
SEE THE MAN PAGE (https://github.com/nmap/npcap) FOR MORE OPTIONS AND EXAMPLES
</pre>
</div></div><br class="example-break">
<p>
An example:
</p>
<div class="example"><a name="npcap-ex-wlanhelper-api"></a><p class="title"><b>Example<EFBFBD>2.<2E>WlanHelper API Usage</b></p><div class="example-contents">
<pre class="screen">
C:\&gt; <strong class="userinput"><code>netsh wlan show interfaces</code></strong>
There is 1 interface on the system:
Name : <em class="replaceable"><code>Wi-Fi</code></em>
Description : Qualcomm Atheros AR9485WB-EG Wireless Network Adapter
GUID : <em class="replaceable"><code>42dfd47a-2764-43ac-b58e-3df569c447da</code></em>
Physical address : a4:db:30:d9:3a:9a
State : connected
SSID : LUO-PC_Network
BSSID : d8:15:0d:72:8c:18
Network type : Infrastructure
Radio type : 802.11n
Authentication : WPA2-Personal
Cipher : CCMP
Connection mode : Auto Connect
Channel : 1
Receive rate (Mbps) : 150
Transmit rate (Mbps) : 150
Signal : 100%
Profile : LUO-PC_Network
Hosted network status : Not available
C:\&gt; <strong class="userinput"><code>WlanHelper.exe <em class="replaceable"><code>wi-fi</code></em> mode</code></strong>
managed
C:\&gt; <strong class="userinput"><code>WlanHelper.exe <em class="replaceable"><code>wi-fi</code></em> mode monitor</code></strong>
Success
C:\&gt; <strong class="userinput"><code>WlanHelper.exe <em class="replaceable"><code>wi-fi</code></em> mode </code></strong>
monitor
C:\&gt; <strong class="userinput"><code>WlanHelper.exe <em class="replaceable"><code>wi-fi</code></em> mode managed</code></strong>
Success
C:\&gt; <strong class="userinput"><code>WlanHelper.exe <em class="replaceable"><code>wi-fi</code></em> mode</code></strong>
managed
</pre>
</div></div><br class="example-break">
</div>
</div>
</div>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-api"></a>The Npcap API</h3></div></div></div>
<p>The Npcap API is exported by <code class="filename">wpcap.dll</code> and is the
Windows port of <a class="ulink" href="https://www.tcpdump.org/" target="_top">libpcap</a>.
The API and functions are described in
<a class="ulink" href="wpcap/pcap.html" target="_top">the pcap(1) man page</a>.
</p>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-api-extensions"></a>Extensions to libpcap for Windows</h3></div></div></div>
<p>
There are a few extensions to libpcap that exist only on Windows.
Software that uses these extensions will not be portable to non-Windows
systems. The following is a brief list of these extensions and their purpose.
</p>
<div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="code">pcap_setbuff</code>
</span></dt><dd>
<p>
Sets the size of the kernel buffer associated with an adapter.
</p>
<code class="code">int pcap_setbuff(pcap_t *p, int dim);</code>
<p><code class="literal">dim</code> specifies the size of the buffer in
bytes. The return value is 0 when the call succeeds, -1 otherwise.
If an old buffer was already created with a previous call to
<code class="literal">pcap_setbuff()</code>, it is deleted and its content is
discarded. <a class="ulink" href="wpcap/pcap_open_live.html" target="_top">pcap_open_live()</a> creates
a 1 MByte buffer by default.
</p>
<p>
<span class="emphasis"><em>Portability note:</em></span> libpcap provides the <a class="ulink" href="wpcap/pcap_set_buffer_size.html" target="_top">pcap_set_buffer_size()</a>
function for setting the kernel buffer size. This removes the need
to use the non-portable <code class="literal">pcap_setbuff()</code> for this
purpose.
</p>
</dd><dt><span class="term">
<code class="code">pcap_setmode</code>
</span></dt><dd>
<p>Sets the working mode of the interface.</p>
<code class="code">int pcap_setmode(pcap_t *p, int mode);</code>
<p>
Valid values for mode are <code class="literal">MODE_CAPT</code> (default
capture mode) and <code class="literal">MODE_STAT</code> (statistical mode).
See <a class="xref" href="npcap-tutorial.html#npcap-tutorial-statistics" title="Gathering Statistics on the network traffic">the section called &#8220;Gathering Statistics on the network traffic&#8221;</a> for details about
statistical mode.
</p>
</dd><dt><span class="term">
<code class="code">pcap_setmintocopy</code>
</span></dt><dd>
<p>
Sets the minumum amount of data received by the kernel in a single call.
</p>
<code class="code">int pcap_setmintocopy(pcap_t *p, int size);</code>
<p>
This function changes the minimum amount of data in the
kernel buffer that causes a read from the application to return
(unless the timeout expires). If the value of
<code class="literal">size</code> is large, the kernel is forced to wait the
arrival of several packets before
copying the data to the user. This guarantees a low number of
system calls, i.e. low processor usage, and is a good setting for
applications like packet-sniffers and protocol analyzers. Vice
versa, in presence of a small value for this variable, the kernel
will copy the packets as soon as the application is ready to
receive them. This is useful for real time applications that need
the best responsiveness from the kernel. <a class="ulink" href="wpcap/pcap_open_live.html" target="_top">pcap_open_live()</a> sets a
default <code class="literal">size</code> value of 16000 bytes.
</p>
<p>
<span class="emphasis"><em>Portability note:</em></span> libpcap provides the <a class="ulink" href="wpcap/pcap_set_immediate_mode.html" target="_top">pcap_set_immediate_mode()</a>
function for applications that need to receive packets as soon as
they arrive. This removes the need to use the non-portable
<code class="literal">pcap_setmintocopy()</code> for this purpose.
</p>
</dd><dt><span class="term">
<code class="code">pcap_getevent</code>
</span></dt><dd>
<p>Returns the handle of the event associated with the interface.</p>
<code class="code">HANDLE pcap_getevent(pcap_t *p);</code>
<p> This event can be passed to functions like
<code class="literal">WaitForSingleObject()</code> or
<code class="literal">WaitForMultipleObjects()</code> to wait until the
driver's buffer contains some data without performing a read.
</p>
<p>
<span class="emphasis"><em>Portability note:</em></span> This function is the Windows
alternative to <a class="ulink" href="wpcap/pcap_get_selectable_fd.html" target="_top">pcap_get_selectable_fd()</a>,
which is only available on UNIX-like systems. Most applications
will not need an event loop that waits on multiple packet capture
handles.
</p>
</dd><dt><span class="term">
<code class="code">pcap_oid_get_request</code> and <code class="code">pcap_oid_set_request</code>
</span></dt><dd>
<p>Send an OID request to the underlying NDIS drivers</p>
<code class="code">int pcap_oid_get_request(pcap_t *, bpf_u_int32, void *, size_t *);</code>
<code class="code">int pcap_oid_set_request(pcap_t *, bpf_u_int32, const void *, size_t *);</code>
</dd><dt><span class="term">
Queuing sent packets with <code class="code">pcap_send_queue</code>
</span></dt><dd>
<p>
Npcap has the ability to queue multiple raw packets for
transmission on the network in a single call. This is more
efficient than issuing a series of
<code class="literal">pcap_sendpacket()</code>, because the packets are
buffered in the kernel driver, so the number of context switches is
reduced.
</p>
<code class="code">pcap_send_queue* pcap_sendqueue_alloc(u_int memsize);</code>
<code class="code">void pcap_sendqueue_destroy(pcap_send_queue* queue);</code>
<p>Allocate a send queue as a buffer of <code class="literal">memsize</code>
bytes. The <code class="literal">pcap_send_queue</code> allocated can be
freed with <code class="literal">pcap_sendqueue_destroy()</code>.</p>
<code class="code">int pcap_sendqueue_queue(pcap_send_queue* queue, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data);</code>
<p>
<code class="literal">pcap_sendqueue_queue()</code> adds a packet at the end
of the send queue pointed by the <code class="literal">queue</code>
parameter. <code class="literal">pkt_header</code> points to a
<code class="literal">pcap_pkthdr</code> structure with the timestamp and the
length of the packet, <code class="literal">pkt_data</code> points to a
buffer with the data of the packet.
</p>
<p>
The <code class="literal">pcap_pkthdr</code> structure is the same used by
Npcap and libpcap to store the packets in a file, therefore sending
a capture file is straightforward. 'Raw packet' means that the
sending application will have to include the protocol headers,
since every packet is sent to the network 'as is'. The CRC of the
packets needs not to be calculated, because it will be
transparently added by the network interface.
</p>
<code class="code">u_int pcap_sendqueue_transmit(pcap_t *p, pcap_send_queue* queue, int sync);</code>
<p>
This function transmits the content of a queue to the wire.
<code class="literal">p</code> is a pointer to the adapter on which the
packets will be sent, <code class="literal">queue</code> points to a
<code class="literal">pcap_send_queue</code> structure containing the packets
to send), <code class="literal">sync</code> determines if the send operation
must be synchronized: if it is non-zero, the packets are sent
respecting the timestamps, otherwise they are sent as fast as
possible.
</p>
<p>
The return value is the amount of bytes actually sent. If it is
smaller than the <code class="literal">size</code> parameter, an error
occurred during the send. The error can be caused by a
driver/adapter problem or by an inconsistent/bogus send queue.
</p>
<p>
<span class="emphasis"><em>Performance note:</em></span> When <code class="literal">sync</code>
is set to <code class="literal">TRUE</code>, the packets are synchronized in
the kernel with a high precision timestamp. This requires a
non-negligible amount of CPU, but allows normally to send the
packets with a precision of some microseconds (depending on the
accuracy of the performance counter of the machine). Such a
precision cannot be reached sending the packets with
<code class="literal">pcap_sendpacket()</code>.
</p>
</dd><dt><span class="term">
<code class="code">pcap_stats_ex</code>
</span></dt><dd>
<code class="code">struct pcap_stat *pcap_stats_ex(pcap_t *p, int *pcap_stat_size);</code>
<p>
<code class="literal">pcap_stats_ex()</code> extends the
<code class="literal">pcap_stats()</code> allowing to return more statistical
parameters than the old call. One of the advantages of
this new call is that the <code class="literal">pcap_stat</code> structure is
not allocated by the user; instead, it is returned back by the
system. This allow to extend the <code class="literal">pcap_stat</code>
structure without affecting backward compatibility on older
applications. These will simply check at the values of the members
at the beginning of the structure, while only newest applications
are able to read new statistical values, which are appended in
tail.
</p>
<p>
To be sure not to read a piece of memory which has not been allocated
by the system, the variable <code class="literal">pcap_stat_size</code> will
return back the size of the structure <code class="literal">pcap_stat</code>
allocated by the system.
</p>
<p>
<code class="literal">p</code>: pointer to the <code class="literal">pcap_t</code>
currently in use. <code class="literal">pcap_stat_size</code>: pointer to an
integer that will contain (when the function returns back) the size
of the structure <code class="literal">pcap_stat</code> as it has been
allocated by the system.
</p>
<p>
The function returns a pointer to a pcap_stat structure, that will
contain the statistics related to the current device. The return
value is <code class="literal">NULL</code> in case of errors, and the error
text can be obtained with <code class="literal">pcap_perror()</code> or
<code class="literal">pcap_geterr()</code>.
</p>
</dd><dt><span class="term">
<code class="code">pcap_setuserbuffer</code>
</span></dt><dd>
<p>Sets the size of the buffer that accepts packets from the kernel driver.</p>
<code class="code">int pcap_setuserbuffer(pcap_t *p, int size);</code>
<p>
The size of the packet buffer is a parameter that can sensibly
influence the performance of the capture process, since this buffer
will contain the packets received from the the Npcap driver. The
driver is able to return several packets using a single read call,
and the number of packets transferable to the application in a call
is limited only by the size of this buffer. Therefore setting a
larger buffer siz can noticeably decrease the number of system
calls, reducing the impact of the capture process on the processor.
</p>
</dd></dl></div>
</div>
</div>
</div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="npcap-users-guide.html">Prev</a><EFBFBD></td><td width="20%" align="center"><EFBFBD></td><td width="40%" align="right"><EFBFBD><a accesskey="n" href="npcap-tutorial.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Npcap Users' Guide<64></td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"><EFBFBD>Npcap Development Tutorial</td></tr></table></div></body></html>
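Review bot: the "DLL loading" section hard-codes C:\Windows\System32\Npcap\ as the directory to pass to SetDllDirectory, while the Tips list later in the same file gives that location as %SYSTEMROOT%\System32\Npcap. The literal path does not exist on a host whose system directory is elsewhere, so the text should tell readers to build it from GetSystemDirectory, or at least use the %SYSTEMROOT% form consistently. The install-time detection snippet has the same issue with its literal "C:\Program Files\Npcap\NPFInstall.exe". Three smaller points in this file: the implicit-linking paragraph shows #pragma comment(linker, "wpcap.lib"), where the usual form for naming a library is #pragma comment(lib, "wpcap.lib"); the run-time detection sample stores the result of pcap_lib_version() in a plain char *, although that function returns const char *; and the pcap_sendqueue_transmit text compares the return value with a "size parameter" that the quoted prototype does not have. The navigation footer and both Example titles also contain replacement-character bytes (rendered as EFBFBD), so the non-breaking spaces were already lost in this copy. Regenerate or re-fetch the page rather than committing the damaged bytes.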

View File

@ -0,0 +1,305 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Npcap internals</title><meta name="generator" content="DocBook XSL Stylesheets V1.79.2"><meta name="description" content="Describes the internal structure and interfaces of Npcap: the NPF driver and Packet.dll"><link rel="home" href="index.html" title="Npcap: Nmap Project's packet sniffing library for Windows"><link rel="up" href="index.html" title="Npcap: Nmap Project's packet sniffing library for Windows"><link rel="prev" href="npcap-tutorial.html" title="Npcap Development Tutorial"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Npcap internals</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="npcap-tutorial.html">Prev</a><EFBFBD></td><th width="60%" align="center"><EFBFBD></th><td width="20%" align="right"><EFBFBD></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="npcap-internals"></a>Npcap internals</h2></div><div><div class="abstract"><p class="title"><b>Abstract</b></p>
<p>Describes the internal structure and interfaces of Npcap: the NPF
driver and Packet.dll</p>
</div></div></div></div>
<p>This portion of the manual describes the internal structure and
interfaces of Npcap, starting from the lowest-level module. It is targeted
at people who must extend or modify this software, or to the ones
interested in how it works. Therefore, developers who just want to use
Npcap in their software don't need to read it.</p>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-structure"></a>Npcap structure</h3></div></div></div>
<p>Npcap is an architecture for packet capture and network analysis for the
Win32 platforms. It includes a kernel-level packet filter, a
low-level dynamic link library (packet.dll), and a high-level and
system-independent library (wpcap.dll).</p>
<p>Why do we use the term <em class="wordasword">architecture</em> rather
than <em class="wordasword">library</em>? Because packet capture is a low
level mechanism that requires a strict interaction with the network
adapter and with the operating system, in particular with its networking
implementation, so a simple library is not sufficient.</p>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="id572152"></a>Main components of Npcap.</h4></div></div></div>
<p>First, a capture system needs to bypass the operating systems's
protocol stack in order to access the raw data transiting on the
network. This requires a portion running inside the kernel of OS,
interacting directly with the network interface drivers. This portion
is very system dependent, and in our solution it is realized as a
device driver, called Netgroup Packet Filter (NPF); This driver offers
basic features like packet capture and injection, as well as more
advanced ones like a programmable filtering system and a monitoring
engine. The filtering system can be used to restrict a capture session
to a subset of the network traffic (e.g. it is possible to capture only
the ftp traffic generated by a particular host); the monitoring engine
provides a powerful but simple to use mechanism to obtain statistics on
the traffic (e.g. it is possible to obtain the network load or the
amount of data exchanged between two hosts).</p>
<p>Second, the capture system must export an interface that user-level
applications will use to take advantage of the features provided by the
kernel driver. Npcap provides two different libraries:
<code class="filename">packet.dll</code> and
<code class="filename">wpcap.dll</code>.</p>
<p> Packet.dll offers a low-level API that can be used to directly
access the functions of the driver, with a programming interface
independent from the Microsoft OS.</p>
<p>Wpcap.dll exports a more powerful set of high level capture
primitives that are compatible with libpcap, the well known Unix
capture library. These functions enable packet capture in a manner that
is independent of the underlying network hardware and operating
system.</p>
</div>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-internals-driver"></a>Npcap driver internals</h3></div></div></div>
<p>This section documents the internals of the Netgroup Packet Filter
(NPF), the kernel portion of Npcap. Normal users are probably interested
in how to use Npcap and not in its internal structure. Therefore the
information present in this module is destined mainly to Npcap developers
and maintainers, or to the people interested in how the driver works. In
particular, a good knowledge of OSes, networking and Windows kernel
programming and device drivers development is required to profitably read
this section.</p>
<p>NPF is the Npcap component that does the hard work, processing the
packets that transit on the network and exporting capture, injection and
analysis capabilities to user-level.</p>
<p>The following paragraphs will describe the interaction of NPF with
the OS and its basic structure.</p>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-internals-driver-ndis"></a>NPF and NDIS</h4></div></div></div>
<p>NDIS (Network Driver Interface Specification) is a standard that
defines the communication between a network adapter (or, better, the
driver that manages it) and the protocol drivers (that implement for
example TCP/IP). Main NDIS purpose is to act as a wrapper that allows
protocol drivers to send and receive packets onto a network (LAN or
WAN) without caring either the particular adapter or the particular
Win32 operating system.</p>
<p>NDIS supports four types of network drivers:</p>
<div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">
<p><span class="emphasis"><em>Miniport drivers</em></span>. Miniport drivers
directly manage network interface cards, referred to as NICs. The
miniport drivers interface directly to the hardware at their lower
edge and at their upper edge present an interface to allow upper
layers to send packets on the network, to handle interrupts, to
reset the NIC, to halt the NIC and to query and set the operational
characteristics of the driver.</p>
<p>Miniport drivers implement only the hardware-specific
operations necessary to manage a NIC, including sending and
receiving data on the NIC. Operations common to all lowest level
NIC drivers, such as synchronization, is provided by NDIS.
Miniports do not call operating system routines directly; their
interface to the operating system is NDIS.</p>
<p>A miniport does not keep track of bindings. It merely passes
packets up to NDIS and NDIS makes sure that these packets are
passed to the correct protocols.</p>
</li><li class="listitem">
<p><span class="emphasis"><em>Intermediate drivers</em></span>. Intermediate drivers
interface between an upper-level driver such as a protocol driver
and a miniport. To the upper-level driver, an intermediate driver
looks like a miniport. To a miniport, the intermediate driver looks
like a protocol driver. An intermediate protocol driver can layer
on top of another intermediate driver although such layering could
have a negative effect on system performance. A typical reason for
developing an intermediate driver is to perform media translation
between an existing legacy protocol driver and a miniport that
manages a NIC for a new media type unknown to the protocol driver.
For instance, an intermediate driver could translate from LAN
protocol to ATM protocol. An intermediate driver cannot communicate
with user-mode applications, but only with other NDIS drivers.</p>
</li><li class="listitem">
<p><span class="emphasis"><em>Filter drivers</em></span>. Filter drivers can monitor
and modify traffic between protocol drivers and miniport drivers
like an intermediate driver, but are much simpler. They have less
processing overhead than intermediate drivers.</p>
</li><li class="listitem">
<p><span class="emphasis"><em>Transport drivers or protocol drivers</em></span>. A
protocol driver implements a network protocol stack such as IPX/SPX
or TCP/IP, offering its services over one or more network interface
cards. A protocol driver services application-layer clients at its
upper edge and connects to one or more NIC driver(s) or
intermediate NDIS driver(s) at its lower edge.</p>
</li></ol></div>
<p>NPF is implemented as a filter driver. In order to provide complete
access to the raw traffic and allow injection of packets, it is
registered as a modifying filter driver in the compression
<code class="literal">FilterClass</code>.</p>
<p>Notice that the various Windows operating systems have different
versions of NDIS: NPF is NDIS 6.0 compliant, and so requires a Windows
OS that supports NDIS 6.0: Windows Vista or later.</p>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-internals-structure"></a>NPF structure basics</h4></div></div></div>
<p>NPF is able to perform a number of different operations: capture,
monitoring, dump to disk, packet injection. The following paragraphs
will describe shortly each of these operations.</p>
<div class="sect4"><div class="titlepage"><div><div><h5 class="title"><a name="npcap-internals-capture"></a>Packet Capture</h5></div></div></div>
<p>The most important operation of NPF is packet capture. During a
capture, the driver sniffs the packets using a network interface and
delivers them intact to the user-level applications.</p>
<p>The capture process relies on two main components:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>A packet filter that decides if an incoming packet
has to be accepted and copied to the listening application. Most
applications using NPF reject far more packets than those
accepted, therefore a versatile and efficient packet filter is
critical for good over-all performance. A packet filter is a
function with boolean output that is applied to a packet. If the
value of the function is true the capture driver copies the
packet to the application; if it is false the packet is
discarded. NPF packet filter is a bit more complex, because it
determines not only if the packet should be kept, but also the
amount of bytes to keep. The filtering system adopted by NPF
derives from the <span class="emphasis"><em>BSD Packet Filter</em></span> (BPF), a
virtual processor able to execute filtering programs expressed in
a pseudo-assembler and created at user level. The application
takes a user-defined filter (e.g. <span class="quote">&#8220;<span class="quote">pick up all UDP
packets</span>&#8221;</span>) and, using wpcap.dll, compiles them into a BPF
program (e.g. <span class="quote">&#8220;<span class="quote">if the packet is IP and the
<code class="literal">protocol type</code> field is equal to 17, then
return true</span>&#8221;</span>). Then, the application uses the
<code class="literal">BIOCSETF</code> IOCTL to inject the filter in the
kernel. At this point, the program is executed for every incoming
packet, and only the conformant packets are accepted. Unlike
traditional solutions, NPF does not
<span class="emphasis"><em>interpret</em></span> the filters, but it
<span class="emphasis"><em>executes</em></span> them. For performance reasons,
before using the filter NPF feeds it to a JIT compiler that
translates it into a native 80x86 function. When a packet is
captured, NPF calls this native function instead of invoking the
filter interpreter, and this makes the process very fast. The
concept behind this optimization is very similar to the one of
Java jitters.</p>
</li><li class="listitem">
<p>A circular buffer to store the packets and avoid loss. A
packet is stored in the buffer with a header that maintains
information like the timestamp and the size of the packet.
Moreover, an alignment padding is inserted between the packets in
order to speed-up the access to their data by the applications.
Groups of packets can be copied with a single operation from the
NPF buffer to the applications. This improves performances
because it minimizes the number of reads. If the buffer is full
when a new packet arrives, the packet is discarded and hence it's
lost. Both kernel and user buffer can be changed at runtime for
maximum versatility: packet.dll and wpcap.dll provide functions
for this purpose.</p>
</li></ul></div>
<p>The size of the user buffer is very important because it determines
the <span class="emphasis"><em>maximum</em></span> amount of data that can be copied from
kernel space to user space within a single system call. On the other
hand, it can be noticed that also the <span class="emphasis"><em>minimum</em></span>
amount of data that can be copied in a single call is extremely
important. In presence of a large value for this variable, the kernel
waits for the arrival of several packets before copying the data to the
user. This guarantees a low number of system calls, i.e. low processor
usage, which is a good setting for applications like sniffers. On the
other side, a small value means that the kernel will copy the packets
as soon as the application is ready to receive them. This is excellent
for real time applications (like, for example, ARP redirectors or
bridges) that need the better responsiveness from the kernel. From
this point of view, NPF has a configurable behavior, that allows users
to choose between best efficiency or best responsiveness (or any
intermediate situation).</p>
<p>The wpcap library includes a couple of system calls that can be
used both to set the timeout after which a read expires and the minimum
amount of data that can be transferred to the application. By default,
the read timeout is 1 second, and the minimum amount of data copied
between the kernel and the application is 16K.</p>
</div>
<div class="sect4"><div class="titlepage"><div><div><h5 class="title"><a name="npcap-internals-injection"></a>Packet injection</h5></div></div></div>
<p>NPF allows to write raw packets to the network. To send data, a
user-level application performs a WriteFile() system call on the NPF
device file. The data is sent to the network as is, without
encapsulating it in any protocol, therefore the application will have
to build the various headers for each packet. The application usually
does not need to generate the FCS because it is calculated by the
network adapter hardware and it is attached automatically at the end of
a packet before sending it to the network.</p>
<p>In normal situations, the sending rate of the packets to the
network is not very high because of the need of a system call for each
packet. For this reason, the possibility to send a single packet more
than once with a single write system call has been added. The
user-level application can set, with an IOCTL call
(<code class="literal">BIOCSWRITEREP</code>), the number of times a single packet
will be repeated: for example, if this value is set to 1000, every raw
packet written by the application on the driver's device file will be
sent 1000 times. This feature can be used to generate high speed
traffic for testing purposes: the overload of context switches is no
longer present, so performance is remarkably better.</p>
</div>
<div class="sect4"><div class="titlepage"><div><div><h5 class="title"><a name="npcap-internals-monitoring"></a>Network monitoring</h5></div></div></div>
<p>Npcap offers a kernel-level programmable monitoring module, able to
calculate simple statistics on the network traffic. Statistics can be
gathered without the need to copy the packets to the application, that
simply receives and displays the results obtained from the monitoring
engine. This allows to avoid great part of the capture overhead in
terms of memory and CPU clocks.</p>
<p>The monitoring engine is made of a <span class="emphasis"><em>classifier</em></span>
followed by a <span class="emphasis"><em>counter</em></span>. The packets are classified
using the filtering engine of NPF, that provides a configurable way to
select a subset of the traffic. The data that pass the filter go to the
counter, that keeps some variables like the number of packets and the
amount of bytes accepted by the filter and updates them with the data
of the incoming packets. These variables are passed to the user-level
application at regular intervals whose period can be configured by the
user. No buffers are allocated at kernel and user level.</p>
</div>
</div>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-internals-references"></a>Further reading</h3></div></div></div>
<p>The structure of NPF and its filtering engine derive directly from
the one of the BSD Packet Filter (BPF), so if you are interested the
subject you can read the following papers:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>S. McCanne and V. Jacobson, <a class="ulink" href="ftp://ftp.ee.lbl.gov/papers/bpf-usenix93.ps.Z" target="_top">The BSD Packet
Filter: A New Architecture for User-level Packet Capture</a>.
Proceedings of the 1993 Winter USENIX Technical Conference (San
Diego, CA, Jan. 1993), USENIX.</p>
</li><li class="listitem"><p>A. Begel, S. McCanne, S.L.Graham, BPF+: <a class="ulink" href="http://www.acm.org/pubs/articles/proceedings/comm/316188/p123-begel/p123-begel.pdf" target="_top">Exploiting
Global Data-flow Optimization in a Generalized Packet Filter
Architecture</a>, Proceedings of ACM SIGCOMM '99, pages 123-134,
Conference on Applications, technologies, architectures, and
protocols for computer communications, August 30 - September 3, 1999,
Cambridge, USA</p>
</li></ul></div>
</div>
</div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="npcap-tutorial.html">Prev</a><EFBFBD></td><td width="20%" align="center"><EFBFBD></td><td width="40%" align="right"><EFBFBD></td></tr><tr><td width="40%" align="left" valign="top">Npcap Development Tutorial<61></td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"><EFBFBD></td></tr></table></div></body></html>
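Review bot: This file is generated output (the `<meta name="generator">` tag on its first line names DocBook XSL Stylesheets V1.79.2) and nothing in it records which Npcap release it was built from. Statements such as the 1 second default read timeout, the 16K minimum copy size and the NDIS 6.0 requirement therefore cannot be matched to the driver version the lab uses. Suggest adding a short note beside these files with the Npcap/SDK version and the source they were copied from, or linking to the upstream manual instead of committing the generated HTML. The header and footer navigation tables show the same `<EFBFBD>` sequences as the previous file even though the page declares `charset=ISO-8859-1`, so the encoding check applies here too.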

File diff suppressed because it is too large

View File

@ -0,0 +1,382 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Npcap Users' Guide</title><meta name="generator" content="DocBook XSL Stylesheets V1.79.2"><meta name="description" content="The Users' Guide covers the basics of installing and removing Npcap, interactions with WinPcap, frequently asked questions, and how to report bugs."><link rel="home" href="index.html" title="Npcap: Nmap Project's packet sniffing library for Windows"><link rel="up" href="index.html" title="Npcap: Nmap Project's packet sniffing library for Windows"><link rel="prev" href="index.html" title="Npcap: Nmap Project's packet sniffing library for Windows"><link rel="next" href="npcap-devguide.html" title="Developing software with Npcap"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Npcap Users' Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="index.html">Prev</a><EFBFBD></td><th width="60%" align="center"><EFBFBD></th><td width="20%" align="right"><EFBFBD><a accesskey="n" href="npcap-devguide.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="npcap-users-guide"></a>Npcap Users' Guide</h2></div><div><div class="abstract"><p class="title"><b>Abstract</b></p>
<p>The Users' Guide covers the basics of installing and removing
Npcap, interactions with WinPcap, frequently asked questions,
and how to report bugs.</p>
</div></div></div></div>
<p>Because Npcap is a packet capture architecture, not merely a software
library, some aspects of installation and configuration may fall to the end
user. This Users' Guide covers the basics of installing, configuring, and
removing Npcap, as well as how to report bugs.</p>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-installation"></a>Installation</h3></div></div></div>
<p>
Npcap is distributed as a signed executable installer, downloadable from
<a class="ulink" href="https://nmap.org/npcap/#download" target="_top">Nmap.com</a>. Major
versions are backwards-compatible, and users of the free non-commercial
version are encouraged to upgrade regularly for security and stability
fixes. Software distributors may have separate requirements for supported
Npcap versions. Please refer to
<a class="ulink" href="http://www.npcap.org/#License" target="_top">the Npcap License</a> for
terms of use and redistribution.</p>
<p>
The Npcap installer and uninstaller are easy to use in
<span class="quote">&#8220;<span class="quote">Graphical Mode</span>&#8221;</span> (direct run) and <span class="quote">&#8220;<span class="quote">Silent Mode</span>&#8221;</span> (run with
<code class="option">/S</code> parameter, available only with <a class="ulink" href="https://nmap.org/npcap/oem/" target="_top">Npcap OEM</a>).
</p>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-installation-options"></a>Installer options</h4></div></div></div>
<p>
The installer accepts several command-line options that correspond to the
options presented in the graphical interface (GUI). The options can be
set by command-line flags taking the form
<code class="option">/<em class="replaceable"><code>name</code></em>=<em class="replaceable"><code>value</code></em></code>.
</p>
<p>The values for these options must be one of:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="option">yes</code>: select the option</p></li><li class="listitem"><p><code class="option">no</code>: unselect the option</p></li><li class="listitem"><p><code class="option">enforced</code>: select the option and make it unchangable in the GUI</p></li><li class="listitem"><p><code class="option">disabled</code>: unselect the option and make it unchangable in the GUI</p></li></ul></div>
<div class="sect4"><div class="titlepage"><div><div><h5 class="title"><a name="npcap-installer-options-gui"></a>Graphical installer options</h5></div></div></div>
<p>The following options are presented as checkboxes in the
installer, but can be set or locked via command-line flags. Unless
otherwise noted, the default for these options is <code class="option">no</code>.
</p>
<div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">/loopback_support</code></span></dt><dd><p>
<span class="emphasis"><em>Legacy loopback support for Nmap 7.80 and older. Not needed for Wireshark.</em></span>
Older versions of Npcap required a Microsoft KM-TEST loopback
adapter to be installed in order to capture and inject loopback
traffic. This is no longer needed, but some software won't be
able to do loopback injection unless the adapter is installed.
Use this option to install the legacy loopback adapter if
needed.
</p>
<p>See <a class="xref" href="npcap-devguide.html#npcap-feature-loopback" title="For software that uses Npcap loopback feature">the section called &#8220;For software that uses Npcap loopback feature&#8221;</a> for more
information.
</p></dd><dt><span class="term"><code class="option">/admin_only</code></span></dt><dd><p>
<span class="emphasis"><em>Restrict Npcap driver's access to Administrators
only</em></span>. When this option is chosen, the devices
created by the Npcap driver for capture and injection on each
network adapter will be created with a restrictive ACL that
only allows access to the device by the SYSTEM and built-in
Administrators. Because this level of access requires UAC
elevation, a helper binary, <code class="literal">NpcapHelper.exe</code>,
is used to request elevation for each process that opens a
capture handle.
</p></dd><dt><span class="term"><code class="option">/dot11_support</code></span></dt><dd><p>
<span class="emphasis"><em>Support raw 802.11 traffic (and monitor mode) for
wireless adapters</em></span>. This option installs a second
Lightweight Filter Driver that uses the Native WiFi API to
capture raw 802.11 WiFi frames on devices that are put into
network monitor mode. Captured frames are given a Radiotap
header. Not all hardware or network drivers support the Native
WiFi API.
</p></dd><dt><span class="term"><code class="option">/winpcap_mode</code></span></dt><dd><p>
<span class="emphasis"><em>Install Npcap in WinPcap API-compatible
Mode</em></span>. Npcap uses the same API and DLL names as
WinPcap, so to avoid unintentionally removing working WinPcap
installations, it places its DLLs in a different directory than
WinPcap. This option also installs the DLLs to the system
directory, so software written for WinPcap will work
seamlessly, though the new features of Npcap will not be
available. This requires removal of any old WinPcap
installations.
</p></dd></dl></div>
</div>
<div class="sect4"><div class="titlepage"><div><div><h5 class="title"><a name="npcap-installer-options-cli"></a>Command-line installation options</h5></div></div></div>
<p>Some advanced or deprecated options are only available on the
command-line. Options marked <code class="literal">(deprecated)</code> are
subject to removal in future versions.</p>
<div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">/S</code> (Silent install, Npcap OEM only)</span></dt><dd><p>
Installs Npcap without showing any graphical windows or
prompts. Silent install is available only for Npcap OEM.
</p></dd><dt><span class="term"><code class="option">/disable_restore_point</code></span></dt><dd><p>
The default for this option is <code class="option">yes</code>, so the
installer will not set a system restore point. Windows may
independently create a restore point because of the driver
installation independent from this option. To ensure a
restore point is made, specify
<code class="option">/disable_restore_point=no</code>.
</p></dd><dt><span class="term"><code class="option">/no_kill</code></span></dt><dd><p>
Control termination of
processes using Npcap during upgrades or WinPcap when
<code class="option">/winpcap_mode=yes</code> is chosen. See
<a class="xref" href="npcap-users-guide.html#npcap-installation-uninstall-options" title="Uninstaller options">the section called &#8220;Uninstaller options&#8221;</a>
for more detailed discussion.
</p></dd><dt><span class="term"><code class="option">/D</code> (destination directory)</span></dt><dd><p>
The destination directory for installation can be overridden by
the <code class="option">/D</code> option, with a few restrictions. First, it will
only affect where Npcap keeps its installation logs and helper utilities.
The driver and DLLs will always be installed into the appropriate
directories below <span class="command"><strong>%SYSTEMROOT%\System32\</strong></span>. Second, the
<code class="option">/D</code> must be the last option in the command, and the path
must not contain quotes. For example, to change the installation directory
to <code class="filename">C:\Path With Spaces\</code>, the invocation would be:
<span class="command"><strong>npcap-<em class="replaceable"><code>version</code></em>.exe /D=C:\Path With Spaces</strong></span>
</p></dd><dt><span class="term"><code class="option">/npf_startup</code> (deprecated)</span></dt><dd><p>
<span class="emphasis"><em>Automatically start the Npcap driver at boot
time</em></span>. This option defaults to
<code class="option">yes</code>, because Windows expects NDIS filter
drivers to be available at boot time. If you choose to disable
this, Windows may not start networking for up to 90 seconds
after boot.
</p></dd><dt><span class="term"><code class="option">/vlan_support</code> (deprecated, ignored)</span></dt><dd><p>
<span class="emphasis"><em>Support 802.1Q VLAN tag when capturing and sending
data (currently unsupported)</em></span>. This feature was
disabled in 2016 to prevent a crash and has not been
re-enabled.
</p></dd></dl></div>
</div>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-installation-uninstall-options"></a>Uninstaller options</h4></div></div></div>
<p>
The uninstaller provided with Npcap also accepts some command-line options.
</p>
<div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">/S</code> (Silent uninstall)</span></dt><dd>
<p>Uninstalls Npcap without showing any graphical windows or
prompts. Silent uninstall is available in all editions of Npcap,
not just Npcap OEM. If Npcap OEM installer in silent mode needs
to uninstall an older Npcap installation, it passes the
<code class="option">/S</code> option to the existing uninstaller.</p>
</dd><dt><span class="term"><code class="option">/Q</code> (Quick uninstall)</span></dt><dd>
<p>Skips the confirmation page and finish page in the uninstall
wizard. This option does not have any meaning for silent
uninstalls.</p>
</dd><dt><span class="term"><code class="option">/no_kill</code>=<em class="replaceable"><code>yes|no</code></em> (do not kill processes)</span></dt><dd>
<p>Controls how the uninstaller handles processes that are still using
Npcap at the time of uninstall. The default value is
<code class="literal">no</code>, which allows the uninstaller to terminate
processes that would block Npcap from being uninstalled. If
<code class="option">/no_kill=yes</code> is specified, then Npcap
uninstaller will fail if there are still applications using Npcap
driver or DLLs.</p>
<p>In the default case, <code class="option">/no_kill=no</code>, the
graphical uninstaller will give the user the choice to manually
close the offending programs, have the uninstaller terminate
them, or abort the uninstallation. In silent mode, Npcap
uninstaller will immediately terminate any command-line processes
that are using Npcap (like a Nmap process that is still
scanning), and wait for at most 15 seconds to gracefully
terminate any GUI processes that are using Npcap (like Wireshark
UI that is still capturing). <span class="quote">&#8220;<span class="quote">Gracefully</span>&#8221;</span> means
that if you are still capturing via Wireshark, Wireshark UI will
prompt the user about whether to save the current capture before
closing. The user will have 15 seconds to save his session.
<span class="emphasis"><em>Note:</em></span> although Npcap uninstaller won't
terminate Wireshark UI processes immediately, the live capture
stops immediately. This is because Wireshark UI uses command-line
processes named <code class="varname">dumpcap.exe</code> to capture, and
that command-line process will be terminated immediately.</p>
<p>If this option is provided on the
<span class="emphasis"><em>installer</em></span> command line, it will be passed to
the Npcap uninstaller when doing an upgrade or
replacement.</p>
</dd></dl></div>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-installation-options-disabled"></a>Disabled and enforced options for GUI Mode</h4></div></div></div>
<p>
We may disable or enforce certain options in the installer GUI to make them unselectable. This
usually means that those options can easily cause compatibility issues and are considered
not suitable for most users, or we think we need to enforce some rules for the Npcap API. Advanced users can still change their states via command-line
parameters, which is described in following sections.
</p>
<p>
Fortunately, if a distributor wants to start the Npcap installer GUI and disable or enforce
certain options for reasons like compatibility. It can also use the four value
mechanism by setting the command-line parameters to <code class="option">disabled</code> or <code class="option">enforced</code>.
For example, the following command will start an installer GUI with the
<code class="option">loopback_support</code> option disabled and unselected:
</p>
<p>
<span class="command"><strong>npcap-<em class="replaceable"><code>version</code></em>.exe /loopback_support=disabled</strong></span>
</p>
</div>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-feature-dot11-wireshark"></a>How to use Wireshark to capture raw 802.11 traffic in <span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span></h3></div></div></div>
<p>
The latest Wireshark has already integrated the support for Npcap's <span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span> capture.
If you want to use Wireshark to capture raw 802.11 traffic in <span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span>, you need to
switch on the monitor mode inside the Wireshark UI instead of using <a class="xref" href="npcap-devguide.html#npcap-feature-dot11-wlanhelper" title="WlanHelper">the section called &#8220;WlanHelper&#8221;</a>.
This is because Wireshark only recognizes the monitor mode set by itself. So when you turn
on monitor mode outside Wireshark (like in <code class="filename">WlanHelper</code>), Wireshark will not know the adapter
has been in monitor mode, and will still try to capture in Ethernet mode, which will get no traffic.
So after all, the correct steps are:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Install latest version Wireshark and latest version Npcap with
<code class="option">Support raw 802.11 traffic</code> option checked.</p></li><li class="listitem"><p>Launch Wireshark QT UI (GTK version is similar), go to <span class="quote">&#8220;<span class="quote">Capture options</span>&#8221;</span>.
Then toggle the checkbox in the <span class="quote">&#8220;<span class="quote">Monitor Mode</span>&#8221;</span> column of your wireless adapter's row.
Click the <span class="quote">&#8220;<span class="quote">Start</span>&#8221;</span> button. If you see a horizontal line instead of the checkbox,
then it probably means that your adapter doesn't support monitor mode. You can use the
<code class="filename">WlanHelper</code> tool to double-check this fact.</p></li><li class="listitem"><p>To decrypt <span class="emphasis"><em>encrypted 802.11 data</em></span>
packets, you need to specify the decipher key in Wireshark, otherwise
you will only see 802.11 data packets.</p></li><li class="listitem"><p>Stop the capture in Wireshark UI when you finishes capturing, the monitor mode
will be turned off automatically by Npcap.</p></li></ul></div>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-qa"></a>Q &amp; A</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Network disconnects after installing Npcap: As Microsoft states
<a class="ulink" href="https://support.microsoft.com/en-us/kb/2019184" target="_top">here</a>,
<span class="emphasis"><em>an optional NDIS light-weight filter (LWF) driver like Npcap could cause
90-second delay in network availability</em></span>. Some solutions you could try
are: 1) wait for 90 seconds; 2) disable and re-enable the adapter icon in
<span class="command"><strong>ncpa.cpl</strong></span>; 3) reboot. If this doesn't work,
please <a class="ulink" href="http://issues.nmap.org/new?title=Npcap+Bug+Report" target="_top">file a bug report</a>.
</p></li><li class="listitem"><p>Installation fails with error code <code class="varname">0x8004a029</code>:
The cause is that you have <span class="quote">&#8220;<span class="quote">reached the maximum number of network filter
drivers</span>&#8221;</span>, see solution
<a class="ulink" href="https://social.technet.microsoft.com/Forums/windows/en-US/4deb27fc-33ce-4fc0-a26f-3fec5b57733d/is-there-a-maximum-number-of-network-filter-drivers-in-windows-7?forum=w7itpronetworking" target="_top">here</a>.
</p></li><li class="listitem"><p>Npcap Loopback Adapter is missing (legacy loopback support):
The legacy Npcap Loopback Adapter is actually a wrapper of Microsoft Loopback Adapter.
Such adapters won't show up in Wireshark if the <code class="varname">Basic Filtering Enging (BFE)</code>
service was not running. To fix this issue, you should start this service at <code class="varname">services.msc</code>
manually and restart the Npcap service by running <span class="command"><strong>net stop npcap</strong></span>
and <span class="command"><strong>net start npcap</strong></span>. See details about this issue
<a class="ulink" href="https://github.com/nmap/nmap/issues/802" target="_top">here</a>.
</p></li><li class="listitem"><p>Npcap only captures TCP handshake and teardown, but not data packets.
Some network adapters support offloading of tasks to free up CPU time for
performance reasons. When this happens, Npcap may not receive all of the
packets, or may receive them in a different form than is actually sent on the
wire. To avoid this issue, you may disable TCP Chimney, IP Checksum
Offloading, and Large Send Offloading in the network adapter properites on
Windows. See details about this issue in
<a class="ulink" href="https://github.com/nmap/nmap/issues/989" target="_top">issue
#989</a> on our tracker.
</p></li></ul></div>
</div>
<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="npcap-issues"></a>Reporting Bugs</h3></div></div></div>
<p>
Please report any bugs or issues about Npcap on
<a class="ulink" href="http://issues.nmap.org/new?title=Npcap+Bug+Report" target="_top">the Nmap Project's Issues tracker</a>.
In your report, please provide your <span class="emphasis"><em>DiagReport</em></span> output, user
software version (e.g. Nmap, Wireshark), steps to reproduce the problem, and other information
you think necessary. If your issue occurs only on a particular OS version (e.g. Win10
1511, 1607), please mention it in the report.
</p>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-issues-diagreport"></a>Diagnostic report</h4></div></div></div>
<p>
Npcap has provided a diagnostic utility called <code class="filename">DiagReport</code>.
It provides a lot of information including OS metadata, Npcap related files,
install options, registry values, services, etc. You can simply click the
<code class="filename">C:\Program Files\Npcap\DiagReport.bat</code> file to run <code class="filename">DiagReport</code>.
It will pop up a text report via Notepad (it's stored in: <code class="filename">C:\Program Files\Npcap\DiagReport.txt</code>).
Please always submit it to us if you encounter any issues.
</p>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-issues-installation-log"></a>General installation log</h4></div></div></div>
<p>
Npcap keeps track of the installation in a log file:
<code class="filename">C:\Program Files\Npcap\install.log</code>. Please submit it
together in your report if you encounter issues during the installation
(e.g. the installer halts).
</p>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-issues-driver-installation-log"></a>Driver installation log</h4></div></div></div>
<p>
Npcap keeps track of the driver installation (aka commands run by
<code class="filename">NPFInstall.exe</code>) in a log file:
<code class="filename">C:\Program Files\Npcap\NPFInstall.log</code>, please submit
it together in your report if you encounter issues during the driver
installation or problems with the <span class="quote">&#8220;<span class="quote">Npcap Loopback Adapter</span>&#8221;</span>.
</p>
<p>
There's another system-provided driver installation log in:
<code class="filename">C:\Windows\INF\setupapi.dev.log</code>.
If you encounter errors during the driver/service installation, please copy
the Npcap-related lines out and send them together in
your report.
</p>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-issues-packet-log"></a>Dynamic link library (DLL) log</h4></div></div></div>
<p>
For problems with Npcap's regular operation, you may need to obtain a
debug log from <code class="filename">Packet.dll</code>. To do this, you will
need a debug build of Npcap. If you are a Npcap developer, you can build
the <code class="filename">Packet.sln</code> project with the
<code class="varname">_DEBUG_TO_FILE</code> macro defined. If you are an end user,
you can contact the Npcap development team for the latest Npcap debug
build. The debugging process will continue to append to the debug log
(<code class="filename">C:\Program Files\Npcap\Packet.log</code>), so you may want
to delete it after an amount of time, or save your output to another
place before it gets too large.
</p>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-issues-driver-log"></a>Driver log</h4></div></div></div>
<p>
If there is an issue with the Npcap driver, you can open an
<span class="emphasis"><em>Administrator</em></span> command prompt, enter <span class="command"><strong>sc query
npcap</strong></span> to query the driver status and <span class="command"><strong>net start
npcap</strong></span> to start the driver (replace
<em class="replaceable"><code>npcap</code></em> with <em class="replaceable"><code>npf</code></em> if you
installed Npcap in <span class="quote">&#8220;<span class="quote">WinPcap Compatible Mode</span>&#8221;</span>). The command
output will inform you whether there's an error. If the driver is running
well, but the issue still exists, then you may need to check the driver's
log. Normal Npcap releases don't switch on the driver log function for
performance. Contact the Npcap development team to obtain a driver-debug
version of the Npcap installer. When you have got an appropriate
driver-debug version Npcap, you need to use <a class="ulink" href="https://technet.microsoft.com/en-us/sysinternals/debugview.aspx" target="_top">DbgView</a>
to read the Windows kernel log (which contains our driver log). You may
need to turn on DbgView before installing Npcap, if the error occurs when
the driver loads. When done, save the DbgView output to a file and submit
it in your report.
</p>
</div>
<div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="npcap-issues-bsod"></a>Blue screen of death (BSoD) dump</h4></div></div></div>
<p>
If you encountered BSoD when using Npcap, please attach the minidump
file (in <code class="filename">C:\Windows\Minidump\</code>) to your report
together with the Npcap version. We may ask you to provide the full
dump (<code class="filename">C:\Windows\MEMORY.DMP</code>) for further troubleshooting.
</p>
</div>
</div>
</div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="index.html">Prev</a><EFBFBD></td><td width="20%" align="center"><EFBFBD></td><td width="40%" align="right"><EFBFBD><a accesskey="n" href="npcap-devguide.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Npcap: Nmap Project's packet sniffing library for Windows<77></td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"><EFBFBD>Developing software with Npcap</td></tr></table></div></body></html>
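Review bot: the navfooter table on the last line of this file shows `<EFBFBD>` and `Windows<77>` in the Prev/Next cells, where DocBook output would normally carry non-breaking spaces, so the file may not have been stored byte-for-byte as the ISO-8859-1 document it declares itself to be. Please confirm the committed bytes match the upstream Npcap guide, and either mark these vendored HTML files as `-text` in `.gitattributes` or drop the copy and link to the upstream documentation instead. The text also contains upstream typos ("Basic Filtering Enging", "properites") and `http://issues.nmap.org` links. If the copy stays, leave those as upstream has them rather than hand-editing a vendored file, and note in the commit message which Npcap release it came from.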

View File

@ -0,0 +1,540 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>PCAP-FILTER man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap-filter - packet filter syntax <br>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">
<p class="level0"><span Class="bold">pcap_compile()</span> is used to compile a string into a filter program. The resulting filter program can then be applied to some stream of packets to determine which packets will be supplied to <a Class="bold" href="./pcap_loop.html">pcap_loop</a>, <span Class="bold">pcap_dispatch(3PCAP)</span>, <span Class="bold">pcap_next(3PCAP)</span>, or <a Class="bold" href="./pcap_next_ex.html">pcap_next_ex</a>.
<p class="level0">The <span Class="emphasis">filter expression</span> consists of one or more <span Class="emphasis">primitives</span>. Primitives usually consist of an <span Class="emphasis">id</span> (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:
<p class="level0"><a name="fItypefP"></a><span class="nroffip">type</span>
<p class="level1"><span Class="emphasis">type</span> qualifiers say what kind of thing the id name or number refers to. Possible types are <span Class="bold">host</span>, <span Class="bold">net ,</span> <span Class="bold">port</span> and <span Class="bold">portrange</span>. E.g., `host foo&#39;, `net 128.3&#39;, `port 20&#39;, `portrange 6000-6008&#39;. If there is no type qualifier, <span Class="bold">host</span> is assumed.
<p class="level0"><a name="fIdirfP"></a><span class="nroffip">dir</span>
<p class="level1"><span Class="emphasis">dir</span> qualifiers specify a particular transfer direction to and/or from <span Class="emphasis">id</span>. Possible directions are <span Class="bold">src</span>, <span Class="bold">dst</span>, <span Class="bold">src or dst</span>, <span Class="bold">src and dst</span>, <span Class="bold">ra</span>, <span Class="bold">ta</span>, <span Class="bold">addr1</span>, <span Class="bold">addr2</span>, <span Class="bold">addr3</span>, and <span Class="bold">addr4</span>. E.g., `src foo&#39;, `dst net 128.3&#39;, `src or dst port ftp-data&#39;. If there is no dir qualifier, <span Class="bold">src or dst</span> is assumed. The <span Class="bold">ra</span>, <span Class="bold">ta</span>, <span Class="bold">addr1</span>, <span Class="bold">addr2</span>, <span Class="bold">addr3</span>, and <span Class="bold">addr4</span> qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.
<p class="level0"><a name="fIprotofP"></a><span class="nroffip">proto</span>
<p class="level1"><span Class="emphasis">proto</span> qualifiers restrict the match to a particular protocol. Possible protos are: <span Class="bold">ether</span>, <span Class="bold">fddi</span>, <span Class="bold">tr</span>, <span Class="bold">wlan</span>, <span Class="bold">ip</span>, <span Class="bold">ip6</span>, <span Class="bold">arp</span>, <span Class="bold">rarp</span>, <span Class="bold">decnet</span>, <span Class="bold">tcp</span> and <span Class="bold">udp</span>. E.g., `ether src foo&#39;, `arp net 128.3&#39;, `tcp port 21&#39;, `udp portrange 7000-7009&#39;, `wlan addr2 0:2:3:4:5:6&#39;. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo&#39; means `(ip or arp or rarp) src foo&#39; (except the latter is not legal syntax), `net bar&#39; means `(ip or arp or rarp) net bar&#39; and `port 53&#39; means `(tcp or udp) port 53&#39;.
<p class="level1">[`fddi&#39; is actually an alias for `ether&#39;; the parser treats them identically as meaning ``the data link level used on the specified network interface.&#39;&#39; FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.
<p class="level1">Similarly, `tr&#39; and `wlan&#39; are aliases for `ether&#39;; the previous paragraph&#39;s statements about FDDI headers also apply to Token Ring and 802.11 wireless LAN headers. For 802.11 headers, the destination address is the DA field and the source address is the SA field; the BSSID, RA, and TA fields aren&#39;t tested.]
<p class="level1">In addition to the above, there are some special `primitive&#39; keywords that don&#39;t follow the pattern: <span Class="bold">gateway</span>, <span Class="bold">broadcast</span>, <span Class="bold">less</span>, <span Class="bold">greater</span> and arithmetic expressions. All of these are described below.
<p class="level1">More complex filter expressions are built up by using the words <span Class="bold">and</span>, <span Class="bold">or</span> and <span Class="bold">not</span> to combine primitives. E.g., `host foo and not port ftp and not port ftp-data&#39;. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain&#39; is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain&#39;.
<p class="level1">Allowable primitives are:
<p class="level0"><a name="fBdst"></a><span class="nroffip">dst host host</span>
<p class="level1">True if the IPv4/v6 destination field of the packet is <span Class="emphasis">host</span>, which may be either an address or a name.
<p class="level0"><a name="fBsrc"></a><span class="nroffip">src host host</span>
<p class="level1">True if the IPv4/v6 source field of the packet is <span Class="emphasis">host</span>.
<p class="level0"><a name="fBhost"></a><span class="nroffip">host host</span>
<p class="level1">True if either the IPv4/v6 source or destination of the packet is <span Class="emphasis">host</span>.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Any of the above host expressions can be prepended with the keywords, <span Class="bold">ip</span>, <span Class="bold">arp</span>, <span Class="bold">rarp</span>, or <span Class="bold">ip6</span> as in:
<p class="level1"><pre class="level1">
<span class="bold">ip host <span class="emphasis">host</span>
</pre>
<p class="level1">
<p class="level1">which is equivalent to:
<p class="level1"><pre class="level1">
<span class="bold">ether proto <span class="emphasis">\ip<span class="bold"> and host <span class="emphasis">host</span>
</pre>
<p class="level1">
<p class="level1">If <span Class="emphasis">host</span> is a name with multiple IP addresses, each address will be checked for a match.
<p class="level0"><a name="fBether"></a><span class="nroffip">ether dst ehost</span>
<p class="level1">True if the Ethernet destination address is <span Class="emphasis">ehost</span>. <span Class="emphasis">Ehost</span> may be either a name from /etc/ethers or a numerical MAC address of the form &quot;xx:xx:xx:xx:xx:xx&quot;, &quot;xx.xx.xx.xx.xx.xx&quot;, &quot;xx-xx-xx-xx-xx-xx&quot;, &quot;xxxx.xxxx.xxxx&quot;, &quot;xxxxxxxxxxxx&quot;, or various mixes of &#39;:&#39;, &#39;.&#39;, and &#39;-&#39;, where each &quot;x&quot; is a hex digit (0-9, a-f, or A-F).
<p class="level0"><a name="fBether"></a><span class="nroffip">ether src ehost</span>
<p class="level1">True if the Ethernet source address is <span Class="emphasis">ehost</span>.
<p class="level0"><a name="fBether"></a><span class="nroffip">ether host ehost</span>
<p class="level1">True if either the Ethernet source or destination address is <span Class="emphasis">ehost</span>.
<p class="level0"><a name="fBgatewayfP"></a><span class="nroffip">gateway host</span>
<p class="level1">True if the packet used <span Class="emphasis">host</span> as a gateway. I.e., the Ethernet source or destination address was <span Class="emphasis">host</span> but neither the IP source nor the IP destination was <span Class="emphasis">host</span>. <span Class="emphasis">Host</span> must be a name and must be found both by the machine&#39;s host-name-to-IP-address resolution mechanisms (host name file, DNS, NIS, etc.) and by the machine&#39;s host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). (An equivalent expression is
<p class="level1"><pre class="level1">
<span class="bold">ether host <span class="emphasis">ehost <span class="bold">and not host <span class="emphasis">host</span>
</pre>
<p class="level1">
<p class="level1">which can be used with either names or numbers for <span Class="emphasis">host / ehost</span>.) This syntax does not work in IPv6-enabled configuration at this moment.
<p class="level0"><a name="fBdst"></a><span class="nroffip">dst net net</span>
<p class="level1">True if the IPv4/v6 destination address of the packet has a network number of <span Class="emphasis">net</span>. <span Class="emphasis">Net</span> may be either a name from the networks database (/etc/networks, etc.) or a network number. An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0), dotted triple (e.g., 192.168.1), dotted pair (e.g, 172.16), or single number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad (which means that it&#39;s really a host match), 255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number. An IPv6 network number must be written out fully; the netmask is ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 &quot;network&quot; matches are really always host matches, and a network match requires a netmask length.
<p class="level0"><a name="fBsrc"></a><span class="nroffip">src net net</span>
<p class="level1">True if the IPv4/v6 source address of the packet has a network number of <span Class="emphasis">net</span>.
<p class="level0"><a name="fBnet"></a><span class="nroffip">net net</span>
<p class="level1">True if either the IPv4/v6 source or destination address of the packet has a network number of <span Class="emphasis">net</span>.
<p class="level0"><a name="fBnet"></a><span class="nroffip">net net mask netmask</span>
<p class="level1">True if the IPv4 address matches <span Class="emphasis">net</span> with the specific <span Class="emphasis">netmask</span>. May be qualified with <span Class="bold">src</span> or <span Class="bold">dst</span>. Note that this syntax is not valid for IPv6 <span Class="emphasis">net</span>.
<p class="level0"><a name="fBnet"></a><span class="nroffip">net net/len</span>
<p class="level1">True if the IPv4/v6 address matches <span Class="emphasis">net</span> with a netmask <span Class="emphasis">len</span> bits wide. May be qualified with <span Class="bold">src</span> or <span Class="bold">dst</span>.
<p class="level0"><a name="fBdst"></a><span class="nroffip">dst port port</span>
<p class="level1">True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of <span Class="emphasis">port</span>. The <span Class="emphasis">port</span> can be a number or a name used in /etc/services (see <span Class="emphasis">tcp</span>(4P) and <span Class="emphasis">udp</span>(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., <span Class="bold">dst port 513</span> will print both tcp/login traffic and udp/who traffic, and <span Class="bold">port domain</span> will print both tcp/domain and udp/domain traffic).
<p class="level0"><a name="fBsrc"></a><span class="nroffip">src port port</span>
<p class="level1">True if the packet has a source port value of <span Class="emphasis">port</span>.
<p class="level0"><a name="fBport"></a><span class="nroffip">port port</span>
<p class="level1">True if either the source or destination port of the packet is <span Class="emphasis">port</span>.
<p class="level0"><a name="fBdst"></a><span class="nroffip">dst portrange port1-port2</span>
<p class="level1">True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value between <span Class="emphasis">port1</span> and <span Class="emphasis">port2</span>. <span Class="emphasis">port1</span> and <span Class="emphasis">port2</span> are interpreted in the same fashion as the <span Class="emphasis">port</span> parameter for <span Class="bold">port</span>.
<p class="level0"><a name="fBsrc"></a><span class="nroffip">src portrange port1-port2</span>
<p class="level1">True if the packet has a source port value between <span Class="emphasis">port1</span> and <span Class="emphasis">port2</span>.
<p class="level0"><a name="fBportrange"></a><span class="nroffip">portrange port1-port2</span>
<p class="level1">True if either the source or destination port of the packet is between <span Class="emphasis">port1</span> and <span Class="emphasis">port2</span>.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Any of the above port or port range expressions can be prepended with the keywords, <span Class="bold">tcp</span> or <span Class="bold">udp</span>, as in:
<p class="level1"><pre class="level1">
<span class="bold">tcp src port <span class="emphasis">port</span>
</pre>
<p class="level1">
<p class="level1">which matches only tcp packets whose source port is <span Class="emphasis">port</span>.
<p class="level0"><a name="fBless"></a><span class="nroffip">less length</span>
<p class="level1">True if the packet has a length less than or equal to <span Class="emphasis">length</span>. This is equivalent to:
<p class="level1"><pre class="level1">
<span class="bold">len &lt;= <span class="emphasis">length</span>.
</pre>
<p class="level1">
<p class="level1">
<p class="level0"><a name="fBgreater"></a><span class="nroffip">greater length</span>
<p class="level1">True if the packet has a length greater than or equal to <span Class="emphasis">length</span>. This is equivalent to:
<p class="level1"><pre class="level1">
<span class="bold">len &gt;= <span class="emphasis">length</span>.
</pre>
<p class="level1">
<p class="level1">
<p class="level0"><a name="fBip"></a><span class="nroffip">ip proto protocol</span>
<p class="level1">True if the packet is an IPv4 packet (see <span Class="emphasis">ip</span>(4P)) of protocol type <span Class="emphasis">protocol</span>. <span Class="emphasis">Protocol</span> can be a number or one of the names <span Class="bold">icmp</span>, <span Class="bold">icmp6</span>, <span Class="bold">igmp</span>, <span Class="bold">igrp</span>, <span Class="bold">pim</span>, <span Class="bold">ah</span>, <span Class="bold">esp</span>, <span Class="bold">vrrp</span>, <span Class="bold">udp</span>, or <span Class="bold">tcp</span>. Note that the identifiers <span Class="bold">tcp</span>, <span Class="bold">udp</span>, and <span Class="bold">icmp</span> are also keywords and must be escaped via backslash (\). Note that this primitive does not chase the protocol header chain.
<p class="level0"><a name="fBip6"></a><span class="nroffip">ip6 proto protocol</span>
<p class="level1">True if the packet is an IPv6 packet of protocol type <span Class="emphasis">protocol</span>. Note that this primitive does not chase the protocol header chain.
<p class="level0"><a name="fBproto"></a><span class="nroffip">proto protocol</span>
<p class="level1">True if the packet is an IPv4 or IPv6 packet of protocol type <span Class="emphasis">protocol</span>. Note that this primitive does not chase the protocol header chain.
<p class="level0"><a name="fBtcpfR"></a><span class="nroffip">tcp, udp, icmp</span>
<p class="level1">Abbreviations for:
<p class="level1"><pre class="level1">
<span class="bold">proto <span class="emphasis">p</span><span class="bold">
</pre>
<p class="level1">
<p class="level1">where <span Class="emphasis">p</span> is one of the above protocols.
<p class="level0"><a name="fBip6"></a><span class="nroffip">ip6 protochain protocol</span>
<p class="level1">True if the packet is IPv6 packet, and contains protocol header with type <span Class="emphasis">protocol</span> in its protocol header chain. For example,
<p class="level1"><pre class="level1">
<span class="bold">ip6 protochain 6</span>
</pre>
<p class="level1">
<p class="level1">matches any IPv6 packet with TCP protocol header in the protocol header chain. The packet may contain, for example, authentication header, routing header, or hop-by-hop option header, between IPv6 header and TCP header. The BPF code emitted by this primitive is complex and cannot be optimized by the BPF optimizer code, and is not supported by filter engines in the kernel, so this can be somewhat slow, and may cause more packets to be dropped.
<p class="level0"><a name="fBip"></a><span class="nroffip">ip protochain protocol</span>
<p class="level1">Equivalent to <span class="bold">ip6 protochain <span Class="emphasis">protocol</span>, but this is for IPv4.
<p class="level0"><a name="fBprotochain"></a><span class="nroffip">protochain protocol</span>
<p class="level1">True if the packet is an IPv4 or IPv6 packet of protocol type <span Class="emphasis">protocol</span>. Note that this primitive chases the protocol header chain.
<p class="level0"><a name="fBether"></a><span class="nroffip">ether broadcast</span>
<p class="level1">True if the packet is an Ethernet broadcast packet. The <span Class="emphasis">ether</span> keyword is optional.
<p class="level0"><a name="fBip"></a><span class="nroffip">ip broadcast</span>
<p class="level1">True if the packet is an IPv4 broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the subnet mask on the interface on which the capture is being done.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">If the subnet mask of the interface on which the capture is being done is not available, either because the interface on which capture is being done has no netmask or because the capture is being done on the Linux &quot;any&quot; interface, which can capture on more than one interface, this check will not work correctly.
<p class="level0"><a name="fBether"></a><span class="nroffip">ether multicast</span>
<p class="level1">True if the packet is an Ethernet multicast packet. The <span Class="bold">ether</span> keyword is optional. This is shorthand for `<span Class="bold">ether[0] &amp; 1 != 0</span>&#39;.
<p class="level0"><a name="fBip"></a><span class="nroffip">ip multicast</span>
<p class="level1">True if the packet is an IPv4 multicast packet.
<p class="level0"><a name="fBip6"></a><span class="nroffip">ip6 multicast</span>
<p class="level1">True if the packet is an IPv6 multicast packet.
<p class="level0"><a name="fBether"></a><span class="nroffip">ether proto protocol</span>
<p class="level1">True if the packet is of ether type <span Class="emphasis">protocol</span>. <span Class="emphasis">Protocol</span> can be a number or one of the names <span Class="bold">ip</span>, <span Class="bold">ip6</span>, <span Class="bold">arp</span>, <span Class="bold">rarp</span>, <span Class="bold">atalk</span>, <span Class="bold">aarp</span>, <span Class="bold">decnet</span>, <span Class="bold">sca</span>, <span Class="bold">lat</span>, <span Class="bold">mopdl</span>, <span Class="bold">moprc</span>, <span Class="bold">iso</span>, <span Class="bold">stp</span>, <span Class="bold">ipx</span>, or <span Class="bold">netbeui</span>. Note these identifiers are also keywords and must be escaped via backslash (\).
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">[In the case of FDDI (e.g., `<span Class="bold">fddi proto arp</span>&#39;), Token Ring (e.g., `<span Class="bold">tr proto arp</span>&#39;), and IEEE 802.11 wireless LANS (e.g., `<span Class="bold">wlan proto arp</span>&#39;), for most of those protocols, the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI, Token Ring, or 802.11 header.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">When filtering for most protocol identifiers on FDDI, Token Ring, or 802.11, the filter checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it doesn&#39;t check whether the packet is in SNAP format with an OUI of 0x000000. The exceptions are:
<p class="level2">
<p class="level2"><span Class="bold">iso</span> the filter checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header;
<p class="level2"><span Class="bold">stp</span> and <span Class="bold">netbeui</span> the filter checks the DSAP of the LLC header;
<p class="level2"><span Class="bold">atalk</span> the filter checks for a SNAP-format packet with an OUI of 0x080007 and the AppleTalk etype.
<p class="level1">
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">In the case of Ethernet, the filter checks the Ethernet type field for most of those protocols. The exceptions are:
<p class="level2">
<p class="level2"><span Class="bold">iso</span>, <span Class="bold">stp</span>, and <span Class="bold">netbeui</span> the filter checks for an 802.3 frame and then checks the LLC header as it does for FDDI, Token Ring, and 802.11;
<p class="level2"><span Class="bold">atalk</span> the filter checks both for the AppleTalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11;
<p class="level2"><span Class="bold">aarp</span> the filter checks for the AppleTalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000;
<p class="level2"><span Class="bold">ipx</span> the filter checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of IPX, and the IPX etype in a SNAP frame.
<p class="level1">
<p class="level0"><a name="fBipfR"></a><span class="nroffip">ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui</span>
<p class="level1">Abbreviations for:
<p class="level1"><pre class="level1">
<span class="bold">ether proto <span class="emphasis">p</span>
</pre>
<p class="level1">
<p class="level1">where <span Class="emphasis">p</span> is one of the above protocols.
<p class="level0"><a name="fBlatfR"></a><span class="nroffip">lat, moprc, mopdl</span>
<p class="level1">Abbreviations for:
<p class="level1"><pre class="level1">
<span class="bold">ether proto <span class="emphasis">p</span>
</pre>
<p class="level1">
<p class="level1">where <span Class="emphasis">p</span> is one of the above protocols. Note that not all applications using <a Class="bold" href="./pcap.html">pcap</a>(3PCAP) currently know how to parse these protocols.
<p class="level0"><a name="fBdecnet"></a><span class="nroffip">decnet src host</span>
<p class="level1">True if the DECNET source address is <span Class="emphasis">host</span>, which may be an address of the form ``10.123&#39;&#39;, or a DECNET host name. [DECNET host name support is only available on ULTRIX systems that are configured to run DECNET.]
<p class="level0"><a name="fBdecnet"></a><span class="nroffip">decnet dst host</span>
<p class="level1">True if the DECNET destination address is <span Class="emphasis">host</span>.
<p class="level0"><a name="fBdecnet"></a><span class="nroffip">decnet host host</span>
<p class="level1">True if either the DECNET source or destination address is <span Class="emphasis">host</span>.
<p class="level0"><a name="fBllcfP"></a><span class="nroffip">llc</span>
<p class="level1">True if the packet has an 802.2 LLC header. This includes:
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Ethernet packets with a length field rather than a type field that aren&#39;t raw NetWare-over-802.3 packets;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">IEEE 802.11 data packets;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Token Ring packets (no check is done for LLC frames);
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">FDDI packets (no check is done for LLC frames);
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">LLC-encapsulated ATM packets, for SunATM on Solaris.
<p class="level0"><a name="fBllcfP"></a><span class="nroffip">llc \Fitype</span>
<p class="level1">True if the packet has an 802.2 LLC header and has the specified <span Class="emphasis">type</span>. <span Class="emphasis">type</span> can be one of:
<p class="level2">
<p class="level2"><span Class="bold">i</span> Information (I) PDUs
<p class="level2"><span Class="bold">s</span> Supervisory (S) PDUs
<p class="level2"><span Class="bold">u</span> Unnumbered (U) PDUs
<p class="level2"><span Class="bold">rr</span> Receiver Ready (RR) S PDUs
<p class="level2"><span Class="bold">rnr</span> Receiver Not Ready (RNR) S PDUs
<p class="level2"><span Class="bold">rej</span> Reject (REJ) S PDUs
<p class="level2"><span Class="bold">ui</span> Unnumbered Information (UI) U PDUs
<p class="level2"><span Class="bold">ua</span> Unnumbered Acknowledgment (UA) U PDUs
<p class="level2"><span Class="bold">disc</span> Disconnect (DISC) U PDUs
<p class="level2"><span Class="bold">sabme</span> Set Asynchronous Balanced Mode Extended (SABME) U PDUs
<p class="level2"><span Class="bold">test</span> Test (TEST) U PDUs
<p class="level2"><span Class="bold">xid</span> Exchange Identification (XID) U PDUs
<p class="level2"><span Class="bold">frmr</span> Frame Reject (FRMR) U PDUs
<p class="level1">
<p class="level0"><a name="fBinboundfP"></a><span class="nroffip">inbound</span>
<p class="level1">Packet was received by the host performing the capture rather than being sent by that host. This is only supported for certain link-layer types, such as SLIP and the ``cooked&#39;&#39; Linux capture mode used for the ``any&#39;&#39; device and for some other device types.
<p class="level0"><a name="fBoutboundfP"></a><span class="nroffip">outbound</span>
<p class="level1">Packet was sent by the host performing the capture rather than being received by that host. This is only supported for certain link-layer types, such as SLIP and the ``cooked&#39;&#39; Linux capture mode used for the ``any&#39;&#39; device and for some other device types.
<p class="level0"><a name="fBifname"></a><span class="nroffip">ifname interface</span>
<p class="level1">True if the packet was logged as coming from the specified interface (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBon"></a><span class="nroffip">on interface</span>
<p class="level1">Synonymous with the <span Class="bold">ifname</span> modifier.
<p class="level0"><a name="fBrnr"></a><span class="nroffip">rnr num</span>
<p class="level1">True if the packet was logged as matching the specified PF rule number (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBrulenum"></a><span class="nroffip">rulenum num</span>
<p class="level1">Synonymous with the <span Class="bold">rnr</span> modifier.
<p class="level0"><a name="fBreason"></a><span class="nroffip">reason code</span>
<p class="level1">True if the packet was logged with the specified PF reason code. The known codes are: <span Class="bold">match</span>, <span Class="bold">bad-offset</span>, <span Class="bold">fragment</span>, <span Class="bold">short</span>, <span Class="bold">normalize</span>, and <span Class="bold">memory</span> (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBrset"></a><span class="nroffip">rset name</span>
<p class="level1">True if the packet was logged as matching the specified PF ruleset name of an anchored ruleset (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBruleset"></a><span class="nroffip">ruleset name</span>
<p class="level1">Synonymous with the <span Class="bold">rset</span> modifier.
<p class="level0"><a name="fBsrnr"></a><span class="nroffip">srnr num</span>
<p class="level1">True if the packet was logged as matching the specified PF rule number of an anchored ruleset (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBsubrulenum"></a><span class="nroffip">subrulenum num</span>
<p class="level1">Synonymous with the <span Class="bold">srnr</span> modifier.
<p class="level0"><a name="fBaction"></a><span class="nroffip">action act</span>
<p class="level1">True if PF took the specified action when the packet was logged. Known actions are: <span Class="bold">pass</span> and <span Class="bold">block</span> and, with later versions of <span Class="bold">pf</span>(4), <span Class="bold">nat</span>, <span Class="bold">rdr</span>, <span Class="bold">binat</span> and <span Class="bold">scrub</span> (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan ra ehost</span>
<p class="level1">True if the IEEE 802.11 RA is <span Class="emphasis">ehost</span>. The RA field is used in all frames except for management frames.
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan ta ehost</span>
<p class="level1">True if the IEEE 802.11 TA is <span Class="emphasis">ehost</span>. The TA field is used in all frames except for management frames and CTS (Clear To Send) and ACK (Acknowledgment) control frames.
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan addr1 ehost</span>
<p class="level1">True if the first IEEE 802.11 address is <span Class="emphasis">ehost</span>.
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan addr2 ehost</span>
<p class="level1">True if the second IEEE 802.11 address, if present, is <span Class="emphasis">ehost</span>. The second address field is used in all frames except for CTS (Clear To Send) and ACK (Acknowledgment) control frames.
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan addr3 ehost</span>
<p class="level1">True if the third IEEE 802.11 address, if present, is <span Class="emphasis">ehost</span>. The third address field is used in management and data frames, but not in control frames.
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan addr4 ehost</span>
<p class="level1">True if the fourth IEEE 802.11 address, if present, is <span Class="emphasis">ehost</span>. The fourth address field is only used for WDS (Wireless Distribution System) frames.
<p class="level0"><a name="fBtype"></a><span class="nroffip">type wlan_type</span>
<p class="level1">True if the IEEE 802.11 frame type matches the specified <span Class="emphasis">wlan_type</span>. Valid <span Class="emphasis">wlan_type</span>s are: <span Class="bold">mgt</span>, <span Class="bold">ctl</span> and <span Class="bold">data</span>.
<p class="level0"><a name="fBtype"></a><span class="nroffip">type wlan_type subtype wlan_subtype</span>
<p class="level1">True if the IEEE 802.11 frame type matches the specified <span Class="emphasis">wlan_type</span> and frame subtype matches the specified <span Class="emphasis">wlan_subtype</span>.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">If the specified <span Class="emphasis">wlan_type</span> is <span Class="bold">mgt</span>, then valid <span Class="emphasis">wlan_subtype</span>s are: <span Class="bold">assoc-req</span>, <span Class="bold">assoc-resp</span>, <span Class="bold">reassoc-req</span>, <span Class="bold">reassoc-resp</span>, <span Class="bold">probe-req</span>, <span Class="bold">probe-resp</span>, <span Class="bold">beacon</span>, <span Class="bold">atim</span>, <span Class="bold">disassoc</span>, <span Class="bold">auth</span> and <span Class="bold">deauth</span>.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">If the specified <span Class="emphasis">wlan_type</span> is <span Class="bold">ctl</span>, then valid <span Class="emphasis">wlan_subtype</span>s are: <span Class="bold">ps-poll</span>, <span Class="bold">rts</span>, <span Class="bold">cts</span>, <span Class="bold">ack</span>, <span Class="bold">cf-end</span> and <span Class="bold">cf-end-ack</span>.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">If the specified <span Class="emphasis">wlan_type</span> is <span Class="bold">data</span>, then valid <span Class="emphasis">wlan_subtype</span>s are: <span Class="bold">data</span>, <span Class="bold">data-cf-ack</span>, <span Class="bold">data-cf-poll</span>, <span Class="bold">data-cf-ack-poll</span>, <span Class="bold">null</span>, <span Class="bold">cf-ack</span>, <span Class="bold">cf-poll</span>, <span Class="bold">cf-ack-poll</span>, <span Class="bold">qos-data</span>, <span Class="bold">qos-data-cf-ack</span>, <span Class="bold">qos-data-cf-poll</span>, <span Class="bold">qos-data-cf-ack-poll</span>, <span Class="bold">qos</span>, <span Class="bold">qos-cf-poll</span> and <span Class="bold">qos-cf-ack-poll</span>.
<p class="level0"><a name="fBsubtype"></a><span class="nroffip">subtype wlan_subtype</span>
<p class="level1">True if the IEEE 802.11 frame subtype matches the specified <span Class="emphasis">wlan_subtype</span> and frame has the type to which the specified <span Class="emphasis">wlan_subtype</span> belongs.
<p class="level0"><a name="fBdir"></a><span class="nroffip">dir dir</span>
<p class="level1">True if the IEEE 802.11 frame direction matches the specified <span Class="emphasis">dir</span>. Valid directions are: <span Class="bold">nods</span>, <span Class="bold">tods</span>, <span Class="bold">fromds</span>, <span Class="bold">dstods</span>, or a numeric value.
<p class="level0"><a name="fBvlan"></a><span class="nroffip">vlan [vlan_id]</span>
<p class="level1">True if the packet is an IEEE 802.1Q VLAN packet. If <span Class="emphasis">[vlan_id]</span> is specified, only true if the packet has the specified <span Class="emphasis">vlan_id</span>. Note that the first <span Class="bold">vlan</span> keyword encountered in <span Class="emphasis">expression</span> changes the decoding offsets for the remainder of <span Class="emphasis">expression</span> on the assumption that the packet is a VLAN packet. The <span class="bold">vlan <span Class="emphasis">[vlan_id]</span> expression may be used more than once, to filter on VLAN hierarchies. Each use of that expression increments the filter offsets by 4.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">For example:
<p class="level1"><pre class="level1">
<span class="bold">vlan 100 &amp;&amp; vlan 200</span>
</pre>
<p class="level1">
<p class="level1">filters on VLAN 200 encapsulated within VLAN 100, and
<p class="level1"><pre class="level1">
<span class="bold">vlan &amp;&amp; vlan 300 &amp;&amp; ip</span>
</pre>
<p class="level1">
<p class="level1">filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any higher order VLAN.
<p class="level0"><a name="fBmpls"></a><span class="nroffip">mpls [label_num]</span>
<p class="level1">True if the packet is an MPLS packet. If <span Class="emphasis">[label_num]</span> is specified, only true is the packet has the specified <span Class="emphasis">label_num</span>. Note that the first <span Class="bold">mpls</span> keyword encountered in <span Class="emphasis">expression</span> changes the decoding offsets for the remainder of <span Class="emphasis">expression</span> on the assumption that the packet is a MPLS-encapsulated IP packet. The <span class="bold">mpls <span Class="emphasis">[label_num]</span> expression may be used more than once, to filter on MPLS hierarchies. Each use of that expression increments the filter offsets by 4.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">For example:
<p class="level1"><pre class="level1">
<span class="bold">mpls 100000 &amp;&amp; mpls 1024</span>
</pre>
<p class="level1">
<p class="level1">filters packets with an outer label of 100000 and an inner label of 1024, and
<p class="level1"><pre class="level1">
<span class="bold">mpls &amp;&amp; mpls 1024 &amp;&amp; host 192.9.200.1</span>
</pre>
<p class="level1">
<p class="level1">filters packets to or from 192.9.200.1 with an inner label of 1024 and any outer label.
<p class="level0"><a name="fBpppoedfP"></a><span class="nroffip">pppoed</span>
<p class="level1">True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet type 0x8863).
<p class="level0"><a name="fBpppoes"></a><span class="nroffip">pppoes [session_id]</span>
<p class="level1">True if the packet is a PPP-over-Ethernet Session packet (Ethernet type 0x8864). If <span Class="emphasis">[session_id]</span> is specified, only true if the packet has the specified <span Class="emphasis">session_id</span>. Note that the first <span Class="bold">pppoes</span> keyword encountered in <span Class="emphasis">expression</span> changes the decoding offsets for the remainder of <span Class="emphasis">expression</span> on the assumption that the packet is a PPPoE session packet.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">For example:
<p class="level1"><pre class="level1">
<span class="bold">pppoes 0x27 &amp;&amp; ip</span>
</pre>
<p class="level1">
<p class="level1">filters IPv4 protocols encapsulated in PPPoE session id 0x27.
<p class="level0"><a name="fBgeneve"></a><span class="nroffip">geneve [vni]</span>
<p class="level1">True if the packet is a Geneve packet (UDP port 6081). If <span Class="emphasis">[vni]</span> is specified, only true if the packet has the specified <span Class="emphasis">vni</span>. Note that when the <span Class="bold">geneve</span> keyword is encountered in <span Class="emphasis">expression</span>, it changes the decoding offsets for the remainder of <span Class="emphasis">expression</span> on the assumption that the packet is a Geneve packet.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">For example:
<p class="level1"><pre class="level1">
<span class="bold">geneve 0xb &amp;&amp; ip</span>
</pre>
<p class="level1">
<p class="level1">filters IPv4 protocols encapsulated in Geneve with VNI 0xb. This will match both IP directly encapsulated in Geneve as well as IP contained inside an Ethernet frame.
<p class="level0"><a name="fBiso"></a><span class="nroffip">iso proto protocol</span>
<p class="level1">True if the packet is an OSI packet of protocol type <span Class="emphasis">protocol</span>. <span Class="emphasis">Protocol</span> can be a number or one of the names <span Class="bold">clnp</span>, <span Class="bold">esis</span>, or <span Class="bold">isis</span>.
<p class="level0"><a name="fBclnpfR"></a><span class="nroffip">clnp, esis, isis</span>
<p class="level1">Abbreviations for:
<p class="level1"><pre class="level1">
<span class="bold">iso proto <span class="emphasis">p</span>
</pre>
<p class="level1">
<p class="level1">where <span Class="emphasis">p</span> is one of the above protocols.
<p class="level0"><a name="fBl1fR"></a><span class="nroffip">l1, l2, iih, lsp, snp, csnp, psnp</span>
<p class="level1">Abbreviations for IS-IS PDU types.
<p class="level0"><a name="fBvpifP"></a><span class="nroffip">vpi n</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, with a virtual path identifier of <span Class="emphasis">n</span>.
<p class="level0"><a name="fBvcifP"></a><span class="nroffip">vci n</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, with a virtual channel identifier of <span Class="emphasis">n</span>.
<p class="level0"><a name="fBlanefP"></a><span class="nroffip">lane</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is an ATM LANE packet. Note that the first <span Class="bold">lane</span> keyword encountered in <span Class="emphasis">expression</span> changes the tests done in the remainder of <span Class="emphasis">expression</span> on the assumption that the packet is either a LANE emulated Ethernet packet or a LANE LE Control packet. If <span Class="bold">lane</span> isn&#39;t specified, the tests are done under the assumption that the packet is an LLC-encapsulated packet.
<p class="level0"><a name="fBoamf4sfP"></a><span class="nroffip">oamf4s</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is a segment OAM F4 flow cell (VPI=0 &amp; VCI=3).
<p class="level0"><a name="fBoamf4efP"></a><span class="nroffip">oamf4e</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is an end-to-end OAM F4 flow cell (VPI=0 &amp; VCI=4).
<p class="level0"><a name="fBoamf4fP"></a><span class="nroffip">oamf4</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is a segment or end-to-end OAM F4 flow cell (VPI=0 &amp; (VCI=3 | VCI=4)).
<p class="level0"><a name="fBoamfP"></a><span class="nroffip">oam</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is a segment or end-to-end OAM F4 flow cell (VPI=0 &amp; (VCI=3 | VCI=4)).
<p class="level0"><a name="fBmetacfP"></a><span class="nroffip">metac</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on a meta signaling circuit (VPI=0 &amp; VCI=1).
<p class="level0"><a name="fBbccfP"></a><span class="nroffip">bcc</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on a broadcast signaling circuit (VPI=0 &amp; VCI=2).
<p class="level0"><a name="fBscfP"></a><span class="nroffip">sc</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on a signaling circuit (VPI=0 &amp; VCI=5).
<p class="level0"><a name="fBilmicfP"></a><span class="nroffip">ilmic</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on an ILMI circuit (VPI=0 &amp; VCI=16).
<p class="level0"><a name="fBconnectmsgfP"></a><span class="nroffip">connectmsg</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done message.
<p class="level0"><a name="fBmetaconnectfP"></a><span class="nroffip">metaconnect</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Release, or Release Done message.
<p class="level0"><a name="fIexpr"></a><span class="nroffip">expr relop expr</span>
<p class="level1">True if the relation holds, where <span Class="emphasis">relop</span> is one of &gt;, &lt;, &gt;=, &lt;=, =, !=, and <span Class="emphasis">expr</span> is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, %, &amp;, |, ^, &lt;&lt;, &gt;&gt;], a length operator, and special packet data accessors. Note that all comparisons are unsigned, so that, for example, 0x80000000 and 0xffffffff are &gt; 0.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The % and ^ operators are currently only supported for filtering in the kernel on Linux with 3.7 and later kernels; on all other systems, if those operators are used, filtering will be done in user mode, which will increase the overhead of capturing packets and may cause more packets to be dropped.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">To access data inside the packet, use the following syntax:
<p class="level1"><pre class="level1">
<span class="emphasis">proto<span class="bold"> [ <span class="emphasis">expr<span class="bold"> : <span class="emphasis">size<span class="bold"> ]</span>
</pre>
<p class="level1">
<p class="level1"><span Class="emphasis">Proto</span> is one of <span class="bold">ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6</span> or <span Class="bold">radio</span>, and indicates the protocol layer for the index operation. (<span Class="bold">ether, fddi, wlan, tr, ppp, slip</span> and <span Class="bold">link</span> all refer to the link layer. <span Class="bold">radio</span> refers to the &quot;radio header&quot; added to some 802.11 captures.) Note that <span Class="emphasis">tcp, udp</span> and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by <span Class="emphasis">expr</span>. <span Class="emphasis">Size</span> is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword <span Class="bold">len</span>, gives the length of the packet.
<p class="level1">For example, `<span Class="bold">ether[0] &amp; 1 != 0</span>&#39; catches all multicast traffic. The expression `<span Class="bold">ip[0] &amp; 0xf != 5</span>&#39; catches all IPv4 packets with options. The expression `<span Class="bold">ip[6:2] &amp; 0x1fff = 0</span>&#39; catches only unfragmented IPv4 datagrams and frag zero of fragmented IPv4 datagrams. This check is implicitly applied to the <span Class="bold">tcp</span> and <span Class="bold">udp</span> index operations. For instance, <span Class="bold">tcp[0]</span> always means the first byte of the TCP <span Class="emphasis">header</span>, and never means the first byte of an intervening fragment.
<p class="level1">Some offsets and field values may be expressed as names rather than as numeric values. The following protocol header field offsets are available: <span Class="bold">icmptype</span> (ICMP type field), <span class="bold">icmp6type (ICMP v6 type field) <span Class="bold">icmpcode</span> (ICMP code field), <span Class="bold">icmp6code</span> (ICMP v6 code field), and <span Class="bold">tcpflags</span> (TCP flags field).
<p class="level1">The following ICMP type field values are available: <span Class="bold">icmp-echoreply</span>, <span Class="bold">icmp-unreach</span>, <span Class="bold">icmp-sourcequench</span>, <span Class="bold">icmp-redirect</span>, <span Class="bold">icmp-echo</span>, <span Class="bold">icmp-routeradvert</span>, <span Class="bold">icmp-routersolicit</span>, <span Class="bold">icmp-timxceed</span>, <span Class="bold">icmp-paramprob</span>, <span Class="bold">icmp-tstamp</span>, <span Class="bold">icmp-tstampreply</span>, <span Class="bold">icmp-ireq</span>, <span Class="bold">icmp-ireqreply</span>, <span Class="bold">icmp-maskreq</span>, <span Class="bold">icmp-maskreply</span>.
<p class="level1">The following ICMPv6 type fields are available: <span Class="bold">icmp6-echo</span>, <span Class="bold">icmp6-echoreply</span>, <span Class="bold">icmp6-multicastlistenerquery</span>, <span Class="bold">icmp6-multicastlistenerreportv1</span>, <span Class="bold">icmp6-multicastlistenerdone</span>, <span Class="bold">icmp6-routersolicit</span>, <span Class="bold">icmp6-routeradvert</span>, <span Class="bold">icmp6-neighborsolicit</span>, <span Class="bold">icmp6-neighboradvert</span>, <span Class="bold">icmp6-redirect</span>, <span Class="bold">icmp6-routerrenum</span>, <span Class="bold">icmp6-nodeinformationquery</span>, <span Class="bold">icmp6-nodeinformationresponse</span>, <span Class="bold">icmp6-ineighbordiscoverysolicit</span>, <span Class="bold">icmp6-ineighbordiscoveryadvert</span>, <span Class="bold">icmp6-multicastlistenerreportv2</span>, <span Class="bold">icmp6-homeagentdiscoveryrequest</span>, <span Class="bold">icmp6-homeagentdiscoveryreply</span>, <span Class="bold">icmp6-mobileprefixsolicit</span>, <span Class="bold">icmp6-mobileprefixadvert</span>, <span Class="bold">icmp6-certpathsolicit</span>, <span Class="bold">icmp6-certpathadvert</span>, <span Class="bold">icmp6-multicastrouteradvert</span>, <span Class="bold">icmp6-multicastroutersolicit</span>, <span Class="bold">icmp6-multicastrouterterm</span>.
<p class="level1">The following TCP flags field values are available: <span Class="bold">tcp-fin</span>, <span Class="bold">tcp-syn</span>, <span Class="bold">tcp-rst</span>, <span Class="bold">tcp-push</span>, <span Class="bold">tcp-ack</span>, <span Class="bold">tcp-urg</span>, <span Class="bold">tcp-ece</span>, <span Class="bold">tcp-cwr</span>.
<p class="level1">Primitives may be combined using:
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A parenthesized group of primitives and operators.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Negation (`<a class="bold" href="#">!</a>&#39; or `<span Class="bold">not</span>&#39;).
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Concatenation (`<span Class="bold">&amp;&amp;</span>&#39; or `<span Class="bold">and</span>&#39;).
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Alternation (`<a class="bold" href="#">||</a>&#39; or `<span Class="bold">or</span>&#39;).
<p class="level1">Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit <span Class="bold">and</span> tokens, not juxtaposition, are now required for concatenation.
<p class="level1">If an identifier is given without a keyword, the most recent keyword is assumed. For example,
<p class="level1"><pre class="level1">
<span class="bold">not host vs and ace</span>
</pre>
<p class="level1">
<p class="level1">is short for
<p class="level1"><pre class="level1">
<span class="bold">not host vs and host ace</span>
</pre>
<p class="level1">
<p class="level1">which should not be confused with
<p class="level1"><pre class="level1">
<span class="bold">not ( host vs or ace )</span>
</pre>
<p class="level1">
<p class="level1"><a name="EXAMPLES"></a><h2 class="nroffsh">EXAMPLES</h2>
<p class="level0">
<p class="level0">To select all packets arriving at or departing from <span Class="emphasis">sundown</span>:
<p class="level1"><pre class="level1">
<span class="bold">host sundown</span>
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select traffic between <span Class="emphasis">helios</span> and either <span Class="emphasis">hot</span> or <span Class="emphasis">ace</span>:
<p class="level1"><pre class="level1">
<span class="bold">host helios and \( hot or ace \)</span>
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select all IP packets between <span Class="emphasis">ace</span> and any host except <span Class="emphasis">helios</span>:
<p class="level1"><pre class="level1">
<span class="bold">ip host ace and not helios</span>
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select all traffic between local hosts and hosts at Berkeley:
<p class="level1"><pre class="level1">
<span class="bold"></span>
net ucb-ether
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select all ftp traffic through internet gateway <span Class="emphasis">snup</span>:
<p class="level1"><pre class="level1">
<span class="bold"></span>
gateway snup and (port ftp or ftp-data)
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).
<p class="level1"><pre class="level1">
<span class="bold"></span>
ip and not net <span class="emphasis">localnet</span>
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.
<p class="level1"><pre class="level1">
<span class="bold"></span>
tcp[tcpflags] &amp; (tcp-syn|tcp-fin) != 0 and not src and dst net <span class="emphasis">localnet</span>
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)
<p class="level1"><pre class="level1">
<span class="bold"></span>
tcp port 80 and (((ip[2:2] - ((ip[0]&amp;0xf)&lt;&lt;2)) - ((tcp[12]&amp;0xf0)&gt;&gt;2)) != 0)
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select IP packets longer than 576 bytes sent through gateway <span Class="emphasis">snup</span>:
<p class="level1"><pre class="level1">
<span class="bold"></span>
gateway snup and ip[2:2] &gt; 576
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select IP broadcast or multicast packets that were <span Class="emphasis">not</span> sent via Ethernet broadcast or multicast:
<p class="level1"><pre class="level1">
<span class="bold"></span>
ether[0] &amp; 1 = 0 and ip[16] &gt;= 224
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select all ICMP packets that are not echo requests/replies (i.e., not ping packets):
<p class="level1"><pre class="level1">
<span class="bold"></span>
icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
</pre>
<p class="level1">
<p class="level0"><a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <a name="BUGS"></a><h2 class="nroffsh">BUGS</h2>
<p class="level0">To report a security issue please send an e-mail to security@tcpdump.org.
<p class="level0">To report bugs and other problems, contribute patches, request a feature, provide generic feedback etc please see the file <span Class="emphasis">CONTRIBUTING</span> in the libpcap source tree root.
<p class="level0">Filter expressions on fields other than those in Token Ring headers will not correctly handle source-routed Token Ring packets.
<p class="level0">Filter expressions on fields other than those in 802.11 headers will not correctly handle 802.11 data packets with both To DS and From DS set.
<p class="level0"><span Class="bold">ip6 proto</span> should chase header chain, but at this moment it does not. <span Class="bold">ip6 protochain</span> is supplied for this behavior.
<p class="level0">Arithmetic expression against transport layer headers, like <span Class="bold">tcp[0]</span>, does not work against IPv6 packets. It only looks at IPv4 packets. <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
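
Review bot: The SYN/FIN example (`tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet`) does not say that it matches IPv4 only, unlike the port 80 example after it, which is labelled IPv4. The limitation appears only in the last BUGS paragraph ("Arithmetic expression against transport layer headers, like tcp[0], does not work against IPv6 packets. It only looks at IPv4 packets."). A capture taken with this filter on a dual-stack interface returns no IPv6 handshakes and raises no error, which is easy to misread as absence of traffic. This is roffit-generated text, so rather than editing the file, state the IPv4-only behaviour wherever the lab applies one of these `tcp[...]` filters.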

View File

@ -0,0 +1,60 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>PCAP-LINKTYPE man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap-linktype - link-layer header types supported by libpcap <a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">For a live capture or ``savefile&#39;&#39;, libpcap supplies, as the return value of the <a Class="bold" href="./pcap_datalink.html">pcap_datalink</a>(3PCAP) routine, a value that indicates the type of link-layer header at the beginning of the packets it provides. This is not necessarily the type of link-layer header that the packets being captured have on the network from which they&#39;re being captured; for example, packets from an IEEE 802.11 network might be provided by libpcap with Ethernet headers that the network adapter or the network adapter driver generates from the 802.11 headers. The names for those values begin with <span Class="bold">DLT_</span>, so they are sometimes called &quot;DLT_ values&quot;.
<p class="level0">The values stored in the link-layer header type field in the savefile header are, in most but not all cases, the same as the values returned by <span Class="bold">pcap_datalink()</span>. The names for those values begin with <span Class="bold">LINKTYPE_</span>.
<p class="level0">The link-layer header types supported by libpcap are described at <a href="https://www.tcpdump.org/linktypes.html.">https://www.tcpdump.org/linktypes.html.</a> <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
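
Review bot: The link in the last DESCRIPTION paragraph has the sentence's full stop inside both the href and the link text (`href="https://www.tcpdump.org/linktypes.html."`), so the anchor points at `linktypes.html.` rather than `linktypes.html`. Move the period outside the `<a>` element so the reference to the link-layer header type list resolves to the intended page. The LINKTYPE_ list is the only substantive content this page points to, so a broken target leaves the page with nothing usable.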

View File

@ -0,0 +1,84 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>PCAP-SAVEFILE man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap-savefile - libpcap savefile format <a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">NOTE: applications and libraries should, if possible, use libpcap to read savefiles, rather than having their own code to read savefiles. If, in the future, a new file format is supported by libpcap, applications and libraries using libpcap to read savefiles will be able to read the new format of savefiles, but applications and libraries using their own code to read savefiles will have to be changed to support the new file format.
<p class="level0">``Savefiles&#39;&#39; read and written by libpcap and applications using libpcap start with a per-file header. The format of the per-file header is:
<p class="level1">
<p class="level1">box; c s c | c c s. Magic number _ Major version Minor version _ Time zone offset _ Time stamp accuracy _ Snapshot length _ Link-layer header type
<p class="level1">
<p class="level0">
<p class="level0">All fields in the per-file header are in the byte order of the host writing the file. Normally, the first field in the per-file header is a 4-byte magic number, with the value 0xa1b2c3d4. The magic number, when read by a host with the same byte order as the host that wrote the file, will have the value 0xa1b2c3d4, and, when read by a host with the opposite byte order as the host that wrote the file, will have the value 0xd4c3b2a1. That allows software reading the file to determine whether the byte order of the host that wrote the file is the same as the byte order of the host on which the file is being read, and thus whether the values in the per-file and per-packet headers need to be byte-swapped.
<p class="level0">If the magic number has the value 0xa1b23c4d (with the two nibbles of the two lower-order bytes of the magic number swapped), which would be read as 0xa1b23c4d by a host with the same byte order as the host that wrote the file and as 0x4d3cb2a1 by a host with the opposite byte order as the host that wrote the file, the file format is the same as for regular files, except that the time stamps for packets are given in seconds and nanoseconds rather than seconds and microseconds.
<p class="level0">Following this are:
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A 2-byte file format major version number; the current version number is 2.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A 2-byte file format minor version number; the current version number is 4.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A 4-byte time zone offset; this is always 0.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A 4-byte number giving the accuracy of time stamps in the file; this is always 0.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A 4-byte number giving the &quot;snapshot length&quot; of the capture; packets longer than the snapshot length are truncated to the snapshot length, so that, if the snapshot length is <span Class="emphasis">N</span>, only the first <span Class="emphasis">N</span> bytes of a packet longer than <span Class="emphasis">N</span> bytes will be saved in the capture.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">a 4-byte number giving the link-layer header type for packets in the capture; see <a Class="bold" href="./pcap-linktype.html">pcap-linktype</a>(7) for the <span Class="bold">LINKTYPE_</span> values that can appear in this field.
<p class="level1">Following the per-file header are zero or more packets; each packet begins with a per-packet header, which is immediately followed by the raw packet data. The format of the per-packet header is:
<p class="level2">
<p class="level2">box; c. Time stamp, seconds value _ Time stamp, microseconds or nanoseconds value _ Length of captured packet data _ Un-truncated length of the packet data
<p class="level2">
<p class="level1">
<p class="level1">All fields in the per-packet header are in the byte order of the host writing the file. The per-packet header begins with a time stamp giving the approximate time the packet was captured; the time stamp consists of a 4-byte value, giving the time in seconds since January 1, 1970, 00:00:00 UTC, followed by a 4-byte value, giving the time in microseconds or nanoseconds since that second, depending on the magic number in the file header. Following that are a 4-byte value giving the number of bytes of captured data that follow the per-packet header and a 4-byte value giving the number of bytes that would have been present had the packet not been truncated by the snapshot length. The two lengths will be equal if the number of bytes of packet data are less than or equal to the snapshot length. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
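
Review bot: Both header layout tables came through as raw tbl source instead of tables: the per-file header paragraph reads `box; c s c | c c s. Magic number _ Major version Minor version _ ...` and the per-packet header paragraph reads `box; c. Time stamp, seconds value _ ...`. The field order and widths are the part of this page a reader needs when checking a savefile by hand, and in this form the 2-byte/4-byte layout can only be recovered from the prose list below it. Either regenerate the page with tbl preprocessing applied or replace the two paragraphs with HTML tables. The item list after "Following this are:" also emits six `<a name=""></a>` anchors with empty names, which can be dropped.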

View File

@ -0,0 +1,82 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>PCAP-TSTAMP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap-tstamp - packet time stamps in libpcap <a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">When capturing traffic, each packet is given a time stamp representing, for incoming packets, the arrival time of the packet and, for outgoing packets, the transmission time of the packet. This time is an approximation of the arrival or transmission time. If it is supplied by the operating system running on the host on which the capture is being done, there are several reasons why it might not precisely represent the arrival or transmission time:
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">if the time stamp is applied to the packet when the networking stack receives the packet, the networking stack might not see the packet until an interrupt is delivered for the packet or a timer event causes the networking device driver to poll for packets, and the time stamp might not be applied until the packet has had some processing done by other code in the networking stack, so there might be a significant delay between the time when the last bit of the packet is received by the capture device and when the networking stack time-stamps the packet;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">the timer used to generate the time stamps might have low resolution, for example, it might be a timer updated once per host operating system timer tick, with the host operating system timer ticking once every few milliseconds;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">a high-resolution timer might use a counter that runs at a rate dependent on the processor clock speed, and that clock speed might be adjusted upwards or downwards over time and the timer might not be able to compensate for all those adjustments;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">the host operating system&#39;s clock might be adjusted over time to match a time standard to which the host is being synchronized, which might be done by temporarily slowing down or speeding up the clock or by making a single adjustment;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">different CPU cores on a multi-core or multi-processor system might be running at different speeds, or might not have time counters all synchronized, so packets time-stamped by different cores might not have consistent time stamps.
<p class="level1">In addition, packets time-stamped by different cores might be time-stamped in one order and added to the queue of packets for libpcap to read in another order, so time stamps might not be monotonically increasing.
<p class="level1">Some capture devices on some platforms can provide time stamps for packets; those time stamps are usually high-resolution time stamps, and are usually applied to the packet when the first or last bit of the packet arrives, and are thus more accurate than time stamps provided by the host operating system. Those time stamps might not, however, be synchronized with the host operating system&#39;s clock, so that, for example, the time stamp of a packet might not correspond to the time stamp of an event on the host triggered by the arrival of that packet.
<p class="level1">Depending on the capture device and the software on the host, libpcap might allow different types of time stamp to be used. The <a Class="bold" href="./pcap_list_tstamp_types.html">pcap_list_tstamp_types</a>(3PCAP) routine provides, for a packet capture handle created by <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP) but not yet activated by <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP), a list of time stamp types supported by the capture device for that handle. The list might be empty, in which case no choice of time stamp type is offered for that capture device. If the list is not empty, the <a Class="bold" href="./pcap_set_tstamp_type.html">pcap_set_tstamp_type</a>(3PCAP) routine can be used after a <span Class="bold">pcap_create()</span> call and before a <span Class="bold">pcap_activate()</span> call to specify the type of time stamp to be used on the device. The time stamp types are listed here; the first value is the &#35;define to use in code, the second value is the value returned by <a Class="bold" href="./pcap_tstamp_type_val_to_name.html">pcap_tstamp_type_val_to_name</a> and accepted by <a Class="bold" href="./pcap_tstamp_type_name_to_val.html">pcap_tstamp_type_name_to_val</a>.
<p class="level2">
<p class="level2"><span Class="bold">PCAP_TSTAMP_HOST</span> - <span Class="bold">host</span> Time stamp provided by the host on which the capture is being done. The precision of this time stamp is unspecified; it might or might not be synchronized with the host operating system&#39;s clock.
<p class="level2"><span Class="bold">PCAP_TSTAMP_HOST_LOWPREC</span> - <span Class="bold">host_lowprec</span> Time stamp provided by the host on which the capture is being done. This is a low-precision time stamp, synchronized with the host operating system&#39;s clock.
<p class="level2"><span Class="bold">PCAP_TSTAMP_HOST_HIPREC</span> - <span Class="bold">host_hiprec</span> Time stamp provided by the host on which the capture is being done. This is a high-precision time stamp; it might or might not be synchronized with the host operating system&#39;s clock. It might be more expensive to fetch than <span Class="bold">PCAP_TSTAMP_HOST_LOWPREC</span>.
<p class="level2"><span Class="bold">PCAP_TSTAMP_ADAPTER</span> - <span Class="bold">adapter</span> Time stamp provided by the network adapter on which the capture is being done. This is a high-precision time stamp, synchronized with the host operating system&#39;s clock.
<p class="level2"><span Class="bold">PCAP_TSTAMP_ADAPTER_UNSYNCED</span> - <span Class="bold">adapter_unsynced</span> Time stamp provided by the network adapter on which the capture is being done. This is a high-precision time stamp; it is not synchronized with the host operating system&#39;s clock.
<p class="level1">
<p class="level1">By default, when performing a live capture or reading from a savefile, time stamps are supplied as seconds since January 1, 1970, 00:00:00 UTC, and microseconds since that seconds value, even if higher-resolution time stamps are available from the capture device or in the savefile. If, when reading a savefile, the time stamps in the file have a higher resolution than one microsecond, the additional digits of resolution are discarded.
<p class="level1">The <a Class="bold" href="./pcap_set_tstamp_precision.html">pcap_set_tstamp_precision</a>(3PCAP) routine can be used after a <span Class="bold">pcap_create()</span> call and after a <span Class="bold">pcap_activate()</span> call to specify the resolution of the time stamps to get for the device. If the hardware or software cannot supply a higher-resolution time stamp, the <span Class="bold">pcap_set_tstamp_precision()</span> call will fail, and the time stamps supplied after the <span Class="bold">pcap_activate()</span> call will have microsecond resolution.
<p class="level1">When opening a savefile, the <span Class="bold">\%pcap_open_offline_with_tstamp_precision</span>(3PCAP) and <span Class="bold">\%pcap_fopen_offline_with_tstamp_precision</span>(3PCAP) routines can be used to specify the resolution of time stamps to be read from the file; if the time stamps in the file have a lower resolution, the fraction-of-a-second portion of the time stamps will be scaled to the specified resolution.
<p class="level1">The <a Class="bold" href="./pcap_get_tstamp_precision.html">pcap_get_tstamp_precision</a>(3PCAP) routine returns the resolution of time stamps that will be supplied; when capturing packets, this does not reflect the actual precision of the time stamp supplied by the hardware or operating system and, when reading a savefile, this does not indicate the actual precision of time stamps in the file. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
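
Review bot: The pcap_set_tstamp_precision paragraph says the routine "can be used after a pcap_create() call and after a pcap_activate() call", which contradicts the rest of the same paragraph and the pcap_set_tstamp_type paragraph above it. That earlier paragraph says "after a pcap_create() call and before a pcap_activate() call", and this one goes on to describe what time stamps are supplied "after the pcap_activate() call" if the set call fails, which only makes sense if the setting is applied before activation. Check the wording against the pcap_set_tstamp_precision page and correct or annotate it, since a reader following this text would set the precision at the wrong point. In the next paragraph the roff escape `\%` has leaked into the two routine names (`\%pcap_open_offline_with_tstamp_precision`, `\%pcap_fopen_offline_with_tstamp_precision`), and unlike the other routines they are not links.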

View File

@ -0,0 +1,269 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap - Packet Capture library <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">The Packet Capture library provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are accessible through this mechanism. It also supports saving captured packets to a ``savefile&#39;&#39;, and reading packets from a ``savefile&#39;&#39;. <a name="Opening"></a><h2 class="nroffsh">Opening a capture handle for reading</h2>
<p class="level0">To open a handle for a live capture, given the name of the network or other interface on which the capture should be done, call <span Class="bold">pcap_create</span>(), set the appropriate options on the handle, and then activate it with <span Class="bold">pcap_activate</span>().
<p class="level0">To obtain a list of devices that can be opened for a live capture, call <span Class="bold">pcap_findalldevs</span>(); to free the list returned by <span Class="bold">pcap_findalldevs</span>(), call <span Class="bold">pcap_freealldevs</span>(). <span Class="bold">pcap_lookupdev</span>() will return the first device on that list that is not a ``loopback`` network interface.
<p class="level0">To open a handle for a ``savefile&#39;&#39; from which to read packets, given the pathname of the ``savefile&#39;&#39;, call <span Class="bold">pcap_open_offline</span>(); to set up a handle for a ``savefile&#39;&#39;, given a <span Class="bold">FILE\ *</span> referring to a file already opened for reading, call <span Class="bold">pcap_fopen_offline</span>().
<p class="level0">In order to get a ``fake&#39;&#39; <span Class="bold">pcap_t</span> for use in routines that require a <span Class="bold">pcap_t</span> as an argument, such as routines to open a ``savefile&#39;&#39; for writing and to compile a filter expression, call <span Class="bold">pcap_open_dead</span>().
<p class="level0"><span Class="bold">pcap_create</span>(), <span Class="bold">pcap_open_offline</span>(), <span Class="bold">pcap_fopen_offline</span>(), and <span Class="bold">pcap_open_dead</span>() return a pointer to a <span Class="bold">pcap_t</span>, which is the handle used for reading packets from the capture stream or the ``savefile&#39;&#39;, and for finding out information about the capture stream or ``savefile&#39;&#39;. To close a handle, use <span Class="bold">pcap_close</span>().
<p class="level0">The options that can be set on a capture handle include
<p class="level0"><a name="snapshot"></a><span class="nroffip">snapshot length</span>
<p class="level1">If, when capturing, you capture the entire contents of the packet, that requires more CPU time to copy the packet to your application, more disk and possibly network bandwidth to write the packet data to a file, and more disk space to save the packet. If you don&#39;t need the entire contents of the packet - for example, if you are only interested in the TCP headers of packets - you can set the &quot;snapshot length&quot; for the capture to an appropriate value. If the snapshot length is set to <span Class="emphasis">snaplen</span>, and <span Class="emphasis">snaplen</span> is less than the size of a packet that is captured, only the first <span Class="emphasis">snaplen</span> bytes of that packet will be captured and provided as packet data.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A snapshot length of 65535 should be sufficient, on most if not all networks, to capture all the data available from the packet.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The snapshot length is set with <span Class="bold">pcap_set_snaplen</span>().
<p class="level0"><a name="promiscuous"></a><span class="nroffip">promiscuous mode</span>
<p class="level1">On broadcast LANs such as Ethernet, if the network isn&#39;t switched, or if the adapter is connected to a &quot;mirror port&quot; on a switch to which all packets passing through the switch are sent, a network adapter receives all packets on the LAN, including unicast or multicast packets not sent to a network address that the network adapter isn&#39;t configured to recognize.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Normally, the adapter will discard those packets; however, many network adapters support &quot;promiscuous mode&quot;, which is a mode in which all packets, even if they are not sent to an address that the adapter recognizes, are provided to the host. This is useful for passively capturing traffic between two or more other hosts for analysis.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Note that even if an application does not set promiscuous mode, the adapter could well be in promiscuous mode for some other reason.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">For now, this doesn&#39;t work on the &quot;any&quot; device; if an argument of &quot;any&quot; or NULL is supplied, the setting of promiscuous mode is ignored.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Promiscuous mode is set with <span Class="bold">pcap_set_promisc</span>().
<p class="level0"><a name="monitor"></a><span class="nroffip">monitor mode</span>
<p class="level1">On IEEE 802.11 wireless LANs, even if an adapter is in promiscuous mode, it will supply to the host only frames for the network with which it&#39;s associated. It might also supply only data frames, not management or control frames, and might not provide the 802.11 header or radio information pseudo-header for those frames.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">In &quot;monitor mode&quot;, sometimes also called &quot;rfmon mode&quot; (for &quot;Radio Frequency MONitor&quot;), the adapter will supply all frames that it receives, with 802.11 headers, and might supply a pseudo-header with radio information about the frame as well.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Note that in monitor mode the adapter might disassociate from the network with which it&#39;s associated, so that you will not be able to use any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Monitor mode is set with <span Class="bold">pcap_set_rfmon</span>(), and <span Class="bold">pcap_can_set_rfmon</span>() can be used to determine whether an adapter can be put into monitor mode.
<p class="level0"><a name="packet"></a><span class="nroffip">packet buffer timeout</span>
<p class="level1">If, when capturing, packets are delivered as soon as they arrive, the application capturing the packets will be woken up for each packet as it arrives, and might have to make one or more calls to the operating system to fetch each packet.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">If, instead, packets are not delivered as soon as they arrive, but are delivered after a short delay (called a &quot;packet buffer timeout&quot;), more than one packet can be accumulated before the packets are delivered, so that a single wakeup would be done for multiple packets, and each set of calls made to the operating system would supply multiple packets, rather than a single packet. This reduces the per-packet CPU overhead if packets are arriving at a high rate, increasing the number of packets per second that can be captured.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The packet buffer timeout is required so that an application won&#39;t wait for the operating system&#39;s capture buffer to fill up before packets are delivered; if packets are arriving slowly, that wait could take an arbitrarily long period of time.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Not all platforms support a packet buffer timeout; on platforms that don&#39;t, the packet buffer timeout is ignored. A zero value for the timeout, on platforms that support a packet buffer timeout, will cause a read to wait forever to allow enough packets to arrive, with no timeout. A negative value is invalid; the result of setting the timeout to a negative value is unpredictable.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1"><span Class="bold">NOTE</span>: the packet buffer timeout cannot be used to cause calls that read packets to return within a limited period of time, because, on some platforms, the packet buffer timeout isn&#39;t supported, and, on other platforms, the timer doesn&#39;t start until at least one packet arrives. This means that the packet buffer timeout should <span Class="bold">NOT</span> be used, for example, in an interactive application to allow the packet capture loop to ``poll&#39;&#39; for user input periodically, as there&#39;s no guarantee that a call reading packets will return after the timeout expires even if no packets have arrived.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The packet buffer timeout is set with <span Class="bold">pcap_set_timeout</span>().
<p class="level0"><a name="immediate"></a><span class="nroffip">immediate mode</span>
<p class="level1">In immediate mode, packets are always delivered as soon as they arrive, with no buffering. Immediate mode is set with <span Class="bold">pcap_set_immediate_mode</span>().
<p class="level0"><a name="buffer"></a><span class="nroffip">buffer size</span>
<p class="level1">Packets that arrive for a capture are stored in a buffer, so that they do not have to be read by the application as soon as they arrive. On some platforms, the buffer&#39;s size can be set; a size that&#39;s too small could mean that, if too many packets are being captured and the snapshot length doesn&#39;t limit the amount of data that&#39;s buffered, packets could be dropped if the buffer fills up before the application can read packets from it, while a size that&#39;s too large could use more non-pageable operating system memory than is necessary to prevent packets from being dropped.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The buffer size is set with <span Class="bold">pcap_set_buffer_size</span>().
<p class="level0"><a name="timestamp"></a><span class="nroffip">timestamp type</span>
<p class="level1">On some platforms, the time stamp given to packets on live captures can come from different sources that can have different resolutions or that can have different relationships to the time values for the current time supplied by routines on the native operating system. See <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) for a list of time stamp types.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The time stamp type is set with <span Class="bold">pcap_set_tstamp_type</span>().
<p class="level1">Reading packets from a network interface may require that you have special privileges:
<p class="level1"><span Class="bold">Under SunOS 3.x or 4.x with NIT or BPF:</span> You must have read access to <span Class="emphasis">/dev/nit</span> or <span Class="emphasis">/dev/bpf*</span>.
<p class="level1"><span Class="bold">Under Solaris with DLPI:</span> You must have read/write access to the network pseudo device, e.g. <span Class="emphasis">/dev/le</span>. On at least some versions of Solaris, however, this is not sufficient to allow <span Class="emphasis">tcpdump</span> to capture in promiscuous mode; on those versions of Solaris, you must be root, or the application capturing packets must be installed setuid to root, in order to capture in promiscuous mode. Note that, on many (perhaps all) interfaces, if you don&#39;t capture in promiscuous mode, you will not see any outgoing packets, so a capture not done in promiscuous mode may not be very useful.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">In newer versions of Solaris, you must have been given the <span Class="bold">net_rawaccess</span> privilege; this is both necessary and sufficient to give you access to the network pseudo-device - there is no need to change the privileges on that device. A user can be given that privilege by, for example, adding that privilege to the user&#39;s <span Class="bold">defaultpriv</span> key with the <span Class="bold">usermod (@MAN_ADMIN_COMMANDS@)</span> command.
<p class="level1"><span Class="bold">Under HP-UX with DLPI:</span> You must be root or the application capturing packets must be installed setuid to root.
<p class="level1"><span Class="bold">Under IRIX with snoop:</span> You must be root or the application capturing packets must be installed setuid to root.
<p class="level1"><span Class="bold">Under Linux:</span> You must be root or the application capturing packets must be installed setuid to root (unless your distribution has a kernel that supports capability bits such as CAP_NET_RAW and code to allow those capability bits to be given to particular accounts and to cause those bits to be set on a user&#39;s initial processes when they log in, in which case you must have CAP_NET_RAW in order to capture and CAP_NET_ADMIN to enumerate network devices with, for example, the <span Class="bold">-D</span> flag).
<p class="level1"><span Class="bold">Under ULTRIX and Digital UNIX/Tru64 UNIX:</span> Any user may capture network traffic. However, no user (not even the super-user) can capture in promiscuous mode on an interface unless the super-user has enabled promiscuous-mode operation on that interface using <span Class="emphasis">pfconfig</span>(8), and no user (not even the super-user) can capture unicast traffic received by or sent by the machine on an interface unless the super-user has enabled copy-all-mode operation on that interface using <span Class="emphasis">pfconfig</span>, so <span Class="emphasis">useful</span> packet capture on an interface probably requires that either promiscuous-mode or copy-all-mode operation, or both modes of operation, be enabled on that interface.
<p class="level1"><span Class="bold">Under BSD (this includes macOS):</span> You must have read access to <span Class="emphasis">/dev/bpf*</span> on systems that don&#39;t have a cloning BPF device, or to <span Class="emphasis">/dev/bpf</span> on systems that do. On BSDs with a devfs (this includes macOS), this might involve more than just having somebody with super-user access setting the ownership or permissions on the BPF devices - it might involve configuring devfs to set the ownership or permissions every time the system is booted, if the system even supports that; if it doesn&#39;t support that, you might have to find some other way to make that happen at boot time.
<p class="level1">Reading a saved packet file doesn&#39;t require special privileges.
<p class="level1">The packets read from the handle may include a ``pseudo-header&#39;&#39; containing various forms of packet meta-data, and probably includes a link-layer header whose contents can differ for different network interfaces. To determine the format of the packets supplied by the handle, call <span Class="bold">pcap_datalink</span>(); <span Class="emphasis"><a href="https://www.tcpdump.org/linktypes.html">https://www.tcpdump.org/linktypes.html</a></span> lists the values it returns and describes the packet formats that correspond to those values.
<p class="level1">Do <span Class="bold">NOT</span> assume that the packets for a given capture or ``savefile`` will have any given link-layer header type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. For example, the &quot;any&quot; device on Linux will have a link-layer header type of <span Class="bold">DLT_LINUX_SLL</span> even if all devices on the system at the time the &quot;any&quot; device is opened have some other data link type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet.
<p class="level1">To obtain the <span Class="bold">FILE\ *</span> corresponding to a <span Class="bold">pcap_t</span> opened for a ``savefile&#39;&#39;, call <span Class="bold">pcap_file</span>().
<p class="level1"><span Class="bold">Routines</span>
<p class="level2">
<p class="level2"><a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP) get a <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) activate a <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_findalldevs.html">pcap_findalldevs</a>(3PCAP) get a list of devices that can be opened for a live capture
<p class="level2"><span Class="bold">pcap_freealldevs</span>(3PCAP) free list of devices
<p class="level2"><a Class="bold" href="./pcap_lookupdev.html">pcap_lookupdev</a>(3PCAP) get first non-loopback device on that list
<p class="level2"><a Class="bold" href="./pcap_open_offline.html">pcap_open_offline</a>(3PCAP) open a <span Class="bold">pcap_t</span> for a ``savefile&#39;&#39;, given a pathname
<p class="level2"><span Class="bold">pcap_open_offline_with_tstamp_precision</span>(3PCAP) open a <span Class="bold">pcap_t</span> for a ``savefile&#39;&#39;, given a pathname, and specify the precision to provide for packet time stamps
<p class="level2"><span Class="bold">pcap_fopen_offline</span>(3PCAP) open a <span Class="bold">pcap_t</span> for a ``savefile&#39;&#39;, given a <span Class="bold">FILE\ *</span>
<p class="level2"><span Class="bold">pcap_fopen_offline_with_tstamp_precision</span>(3PCAP) open a <span Class="bold">pcap_t</span> for a ``savefile&#39;&#39;, given a <span Class="bold">FILE\ *</span>, and specify the precision to provide for packet time stamps
<p class="level2"><a Class="bold" href="./pcap_open_dead.html">pcap_open_dead</a>(3PCAP) create a ``fake&#39;&#39; <span Class="bold">pcap_t</span>
<p class="level2"><a Class="bold" href="./pcap_close.html">pcap_close</a>(3PCAP) close a <span Class="bold">pcap_t</span>
<p class="level2"><a Class="bold" href="./pcap_set_snaplen.html">pcap_set_snaplen</a>(3PCAP) set the snapshot length for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_snapshot.html">pcap_snapshot</a>(3PCAP) get the snapshot length for a <span Class="bold">pcap_t</span>
<p class="level2"><a Class="bold" href="./pcap_set_promisc.html">pcap_set_promisc</a>(3PCAP) set promiscuous mode for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_set_protocol_linux.html">pcap_set_protocol_linux</a>(3PCAP) set capture protocol for a not-yet-activated <span Class="bold">pcap_t</span> for live capture (Linux only)
<p class="level2"><a Class="bold" href="./pcap_set_rfmon.html">pcap_set_rfmon</a>(3PCAP) set monitor mode for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_can_set_rfmon.html">pcap_can_set_rfmon</a>(3PCAP) determine whether monitor mode can be set for a <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_set_timeout.html">pcap_set_timeout</a>(3PCAP) set packet buffer timeout for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><span Class="bold">pcap_set_immediate_mode</span>(3PCAP) set immediate mode for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_set_buffer_size.html">pcap_set_buffer_size</a>(3PCAP) set buffer size for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_set_tstamp_type.html">pcap_set_tstamp_type</a>(3PCAP) set time stamp type for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_list_tstamp_types.html">pcap_list_tstamp_types</a>(3PCAP) get list of available time stamp types for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><span Class="bold">pcap_free_tstamp_types</span>(3PCAP) free list of available time stamp types
<p class="level2"><a Class="bold" href="./pcap_tstamp_type_val_to_name.html">pcap_tstamp_type_val_to_name</a>(3PCAP) get name for a time stamp type
<p class="level2"><span Class="bold">pcap_tstamp_type_val_to_description</span>(3PCAP) get description for a time stamp type
<p class="level2"><a Class="bold" href="./pcap_tstamp_type_name_to_val.html">pcap_tstamp_type_name_to_val</a>(3PCAP) get time stamp type corresponding to a name
<p class="level2"><a Class="bold" href="./pcap_set_tstamp_precision.html">pcap_set_tstamp_precision</a>(3PCAP) set time stamp precision for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_get_tstamp_precision.html">pcap_get_tstamp_precision</a>(3PCAP) get the time stamp precision of a <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_datalink.html">pcap_datalink</a>(3PCAP) get link-layer header type for a <span Class="bold">pcap_t</span>
<p class="level2"><a Class="bold" href="./pcap_file.html">pcap_file</a>(3PCAP) get the <span Class="bold">FILE\ *</span> for a <span Class="bold">pcap_t</span> opened for a ``savefile&#39;&#39;
<p class="level2"><a Class="bold" href="./pcap_is_swapped.html">pcap_is_swapped</a>(3PCAP) determine whether a ``savefile&#39;&#39; being read came from a machine with the opposite byte order
<p class="level2"><a Class="bold" href="./pcap_major_version.html">pcap_major_version</a>(3PCAP)
<p class="level2">
<p class="level2"><span Class="bold">pcap_minor_version</span>(3PCAP) get the major and minor version of the file format version for a ``savefile&#39;&#39;
<p class="level2">
<p class="level1"><a name="Selecting"></a><h2 class="nroffsh">Selecting a link-layer header type for a live capture</h2>
<p class="level0">Some devices may provide more than one link-layer header type. To obtain a list of all link-layer header types provided by a device, call <span Class="bold">pcap_list_datalinks</span>() on an activated <span Class="bold">pcap_t</span> for the device. To free a list of link-layer header types, call <span Class="bold">pcap_free_datalinks</span>(). To set the link-layer header type for a device, call <span Class="bold">pcap_set_datalink</span>(). This should be done after the device has been activated but before any packets are read and before any filters are compiled or installed.
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_list_datalinks.html">pcap_list_datalinks</a>(3PCAP) get a list of link-layer header types for a device
<p class="level1"><span Class="bold">pcap_free_datalinks</span>(3PCAP) free list of link-layer header types
<p class="level1"><a Class="bold" href="./pcap_set_datalink.html">pcap_set_datalink</a>(3PCAP) set link-layer header type for a device
<p class="level1"><a Class="bold" href="./pcap_datalink_val_to_name.html">pcap_datalink_val_to_name</a>(3PCAP) get name for a link-layer header type
<p class="level1"><span Class="bold">pcap_datalink_val_to_description</span>(3PCAP) get description for a link-layer header type
<p class="level1"><a Class="bold" href="./pcap_datalink_name_to_val.html">pcap_datalink_name_to_val</a>(3PCAP) get link-layer header type corresponding to a name
<p class="level0"><a name="Reading"></a><h2 class="nroffsh">Reading packets</h2>
<p class="level0">Packets are read with <span Class="bold">pcap_dispatch</span>() or <span Class="bold">pcap_loop</span>(), which process one or more packets, calling a callback routine for each packet, or with <span Class="bold">pcap_next</span>() or <span Class="bold">pcap_next_ex</span>(), which return the next packet. The callback for <span Class="bold">pcap_dispatch</span>() and <span Class="bold">pcap_loop</span>() is supplied a pointer to a <span Class="emphasis">struct pcap_pkthdr</span>, which includes the following members:
<p class="level1">
<p class="level1"><span Class="bold">ts</span> a <span Class="emphasis">struct timeval</span> containing the time when the packet was captured
<p class="level1"><span Class="bold">caplen</span> a <span Class="emphasis">bpf_u_int32</span> giving the number of bytes of the packet that are available from the capture
<p class="level1"><span Class="bold">len</span> a <span Class="emphasis">bpf_u_int32</span> giving the length of the packet, in bytes (which might be more than the number of bytes available from the capture, if the length of the packet is larger than the maximum number of bytes to capture).
<p class="level0">
<p class="level0">The callback is also supplied a <span Class="emphasis">const u_char</span> pointer to the first <span Class="bold">caplen</span> (as given in the <span Class="emphasis">struct pcap_pkthdr</span> mentioned above) bytes of data from the packet. This won&#39;t necessarily be the entire packet; to capture the entire packet, you will have to provide a value for <span Class="emphasis">snaplen</span> in your call to <span Class="bold">pcap_set_snaplen</span>() that is sufficiently large to get all of the packet&#39;s data - a value of 65535 should be sufficient on most if not all networks). When reading from a ``savefile&#39;&#39;, the snapshot length specified when the capture was performed will limit the amount of packet data available.
<p class="level0"><span Class="bold">pcap_next</span>() is passed an argument that points to a <span Class="emphasis">struct pcap_pkthdr</span> structure, and fills it in with the time stamp and length values for the packet. It returns a <span Class="emphasis">const u_char</span> to the first <span Class="bold">caplen</span> bytes of the packet on success, and NULL on error.
<p class="level0"><span Class="bold">pcap_next_ex</span>() is passed two pointer arguments, one of which points to a <span Class="emphasis">struct</span>pcap_pkthdr<a class="emphasis" href="#">*</a> and one of which points to a <span Class="emphasis">const u_char</span>*. It sets the first pointer to point to a <span Class="emphasis">struct pcap_pkthdr</span> structure with the time stamp and length values for the packet, and sets the second pointer to point to the first <span Class="bold">caplen</span> bytes of the packet.
<p class="level0">To force the loop in <span Class="bold">pcap_dispatch</span>() or <span Class="bold">pcap_loop</span>() to terminate, call <span Class="bold">pcap_breakloop</span>().
<p class="level0">By default, when reading packets from an interface opened for a live capture, <span Class="bold">pcap_dispatch</span>(), <span Class="bold">pcap_next</span>(), and <span Class="bold">pcap_next_ex</span>() will, if no packets are currently available to be read, block waiting for packets to become available. On some, but <span Class="emphasis">not</span> all, platforms, if a packet buffer timeout was specified, the wait will terminate after the packet buffer timeout expires; applications should be prepared for this, as it happens on some platforms, but should not rely on it, as it does not happen on other platforms. Note that the wait might, or might not, terminate even if no packets are available; applications should be prepared for this to happen, but must not rely on it happening.
<p class="level0">A handle can be put into ``non-blocking mode&#39;&#39;, so that those routines will, rather than blocking, return an indication that no packets are available to read. Call <span Class="bold">pcap_setnonblock</span>() to put a handle into non-blocking mode or to take it out of non-blocking mode; call <span Class="bold">pcap_getnonblock</span>() to determine whether a handle is in non-blocking mode. Note that non-blocking mode does not work correctly in Mac OS X 10.6.
<p class="level0">Non-blocking mode is often combined with routines such as <span Class="bold">select</span>(2) or <span Class="bold">poll</span>(2) or other routines a platform offers to wait for any of a set of descriptors to be ready to read. To obtain, for a handle, a descriptor that can be used in those routines, call <span Class="bold">pcap_get_selectable_fd</span>(). If the routine indicates that data is available to read on the descriptor, an attempt should be made to read from the device.
<p class="level0">Not all handles have such a descriptor available; <span Class="bold">pcap_get_selectable_fd</span>() will return <span Class="bold">PCAP_ERROR</span> if no such descriptor is available. If no such descriptor is available, this may be because the device must be polled periodically for packets; in that case, <span Class="bold">pcap_get_required_select_timeout</span>() will return a pointer to a <span Class="bold">struct timeval</span> whose value can be used as a timeout in those routines. When the routine returns, an attmept should be made to read packets from the device. If <span Class="bold">pcap_get_required_select_timeout</span>() returns NULL, no such timeout is available, and those routines cannot be used with the device.
<p class="level0">In addition, for various reasons, one or more of those routines will not work properly with the descriptor; the documentation for <span Class="bold">pcap_get_selectable_fd</span>() gives details. Note that, just as an attempt to read packets from a <span Class="bold">pcap_t</span> may not return any packets if the packet buffer timeout expires, a <span Class="bold">select</span>(), <span Class="bold">poll</span>(), or other such call may, if the packet buffer timeout expires, indicate that a descriptor is ready to read even if there are no packets available to read.
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><span Class="bold">pcap_dispatch</span>(3PCAP) read a bufferful of packets from a <span Class="bold">pcap_t</span> open for a live capture or the full set of packets from a <span Class="bold">pcap_t</span> open for a ``savefile&#39;&#39;
<p class="level1"><a Class="bold" href="./pcap_loop.html">pcap_loop</a>(3PCAP) read packets from a <span Class="bold">pcap_t</span> until an interrupt or error occurs
<p class="level1"><span Class="bold">pcap_next</span>(3PCAP) read the next packet from a <span Class="bold">pcap_t</span> without an indication whether an error occurred
<p class="level1"><a Class="bold" href="./pcap_next_ex.html">pcap_next_ex</a>(3PCAP) read the next packet from a <span Class="bold">pcap_t</span> with an error indication on an error
<p class="level1"><a Class="bold" href="./pcap_breakloop.html">pcap_breakloop</a>(3PCAP) prematurely terminate the loop in <span Class="bold">pcap_dispatch</span>() or <span Class="bold">pcap_loop</span>()
<p class="level1"><a Class="bold" href="./pcap_setnonblock.html">pcap_setnonblock</a>(3PCAP) set or clear non-blocking mode on a <span Class="bold">pcap_t</span>
<p class="level1"><span Class="bold">pcap_getnonblock</span>(3PCAP) get the state of non-blocking mode for a <span Class="bold">pcap_t</span>
<p class="level1"><a Class="bold" href="./pcap_get_selectable_fd.html">pcap_get_selectable_fd</a>(3PCAP) attempt to get a descriptor for a <span Class="bold">pcap_t</span> that can be used in calls such as <span Class="bold">select</span>(2) and <span Class="bold">poll</span>(2)
<p class="level1"><a Class="bold" href="./pcap_get_required_select_timeout.html">pcap_get_required_select_timeout</a>(3PCAP) if no descriptor usable with <span Class="bold">select</span>(2) and <span Class="bold">poll</span>(2) is available for the <span Class="bold">pcap_t</span>, attempt to get a timeout usable with those routines
<p class="level0"><a name="Filters"></a><h2 class="nroffsh">Filters</h2>
<p class="level0">In order to cause only certain packets to be returned when reading packets, a filter can be set on a handle. For a live capture, the filtering will be performed in kernel mode, if possible, to avoid copying ``uninteresting&#39;&#39; packets from the kernel to user mode.
<p class="level0">A filter can be specified as a text string; the syntax and semantics of the string are as described by <a Class="bold" href="./pcap-filter.html">pcap-filter</a>(7). A filter string is compiled into a program in a pseudo-machine-language by <span Class="bold">pcap_compile</span>() and the resulting program can be made a filter for a handle with <span Class="bold">pcap_setfilter</span>(). The result of <span Class="bold">pcap_compile</span>() can be freed with a call to <span Class="bold">pcap_freecode</span>(). <span Class="bold">pcap_compile</span>() may require a network mask for certain expressions in the filter string; <span Class="bold">pcap_lookupnet</span>() can be used to find the network address and network mask for a given capture device.
<p class="level0">A compiled filter can also be applied directly to a packet that has been read using <span Class="bold">pcap_offline_filter</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_compile.html">pcap_compile</a>(3PCAP) compile filter expression to a pseudo-machine-language code program
<p class="level1"><a Class="bold" href="./pcap_freecode.html">pcap_freecode</a>(3PCAP) free a filter program
<p class="level1"><a Class="bold" href="./pcap_setfilter.html">pcap_setfilter</a>(3PCAP) set filter for a <span Class="bold">pcap_t</span>
<p class="level1"><a Class="bold" href="./pcap_lookupnet.html">pcap_lookupnet</a>(3PCAP) get network address and network mask for a capture device
<p class="level1"><a Class="bold" href="./pcap_offline_filter.html">pcap_offline_filter</a>(3PCAP) apply a filter program to a packet
<p class="level0"><a name="Incoming"></a><h2 class="nroffsh">Incoming and outgoing packets</h2>
<p class="level0">By default, libpcap will attempt to capture both packets sent by the machine and packets received by the machine. To limit it to capturing only packets received by the machine or, if possible, only packets sent by the machine, call <span Class="bold">pcap_setdirection</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_setdirection.html">pcap_setdirection</a>(3PCAP) specify whether to capture incoming packets, outgoing packets, or both
<p class="level0"><a name="Capture"></a><h2 class="nroffsh">Capture statistics</h2>
<p class="level0">To get statistics about packets received and dropped in a live capture, call <span Class="bold">pcap_stats</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_stats.html">pcap_stats</a>(3PCAP) get capture statistics
<p class="level0"><a name="Opening"></a><h2 class="nroffsh">Opening a handle for writing captured packets</h2>
<p class="level0">To open a ``savefile`` to which to write packets, given the pathname the ``savefile&#39;&#39; should have, call <span Class="bold">pcap_dump_open</span>(). To open a ``savefile`` to which to write packets, given the pathname the ``savefile&#39;&#39; should have, call <span Class="bold">pcap_dump_open</span>(); to set up a handle for a ``savefile&#39;&#39;, given a <span Class="bold">FILE\ *</span> referring to a file already opened for writing, call <span Class="bold">pcap_dump_fopen</span>(). They each return pointers to a <span Class="bold">pcap_dumper_t</span>, which is the handle used for writing packets to the ``savefile&#39;&#39;. If it succeeds, it will have created the file if it doesn&#39;t exist and truncated the file if it does exist. To close a <span Class="bold">pcap_dumper_t</span>, call <span Class="bold">pcap_dump_close</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>(3PCAP) open a <span Class="bold">pcap_dumper_t</span> for a ``savefile``, given a pathname
<p class="level1"><span Class="bold">pcap_dump_fopen</span>(3PCAP) open a <span Class="bold">pcap_dumper_t</span> for a ``savefile``, given a <span Class="bold">FILE\ *</span>
<p class="level1"><a Class="bold" href="./pcap_dump_close.html">pcap_dump_close</a>(3PCAP) close a <span Class="bold">pcap_dumper_t</span>
<p class="level1"><a Class="bold" href="./pcap_dump_file.html">pcap_dump_file</a>(3PCAP) get the <span Class="bold">FILE\ *</span> for a <span Class="bold">pcap_dumper_t</span> opened for a ``savefile&#39;&#39;
<p class="level0"><a name="Writing"></a><h2 class="nroffsh">Writing packets</h2>
<p class="level0">To write a packet to a <span Class="bold">pcap_dumper_t</span>, call <span Class="bold">pcap_dump</span>(). Packets written with <span Class="bold">pcap_dump</span>() may be buffered, rather than being immediately written to the ``savefile&#39;&#39;. Closing the <span Class="bold">pcap_dumper_t</span> will cause all buffered-but-not-yet-written packets to be written to the ``savefile&#39;&#39;. To force all packets written to the <span Class="bold">pcap_dumper_t</span>, and not yet written to the ``savefile&#39;&#39; because they&#39;re buffered by the <span Class="bold">pcap_dumper_t</span>, to be written to the ``savefile&#39;&#39;, without closing the <span Class="bold">pcap_dumper_t</span>, call <span Class="bold">pcap_dump_flush</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_dump.html">pcap_dump</a>(3PCAP) write packet to a <span Class="bold">pcap_dumper_t</span>
<p class="level1"><a Class="bold" href="./pcap_dump_flush.html">pcap_dump_flush</a>(3PCAP) flush buffered packets written to a <span Class="bold">pcap_dumper_t</span> to the ``savefile&#39;&#39;
<p class="level1"><a Class="bold" href="./pcap_dump_ftell.html">pcap_dump_ftell</a>(3PCAP) get current file position for a <span Class="bold">pcap_dumper_t</span>
<p class="level0"><a name="Injecting"></a><h2 class="nroffsh">Injecting packets</h2>
<p class="level0">If you have the required privileges, you can inject packets onto a network with a <span Class="bold">pcap_t</span> for a live capture, using <span Class="bold">pcap_inject</span>() or <span Class="bold">pcap_sendpacket</span>(). (The two routines exist for compatibility with both OpenBSD and WinPcap; they perform the same function, but have different return values.)
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_inject.html">pcap_inject</a>(3PCAP)
<p class="level1">
<p class="level1"><span Class="bold">pcap_sendpacket</span>(3PCAP) transmit a packet
<p class="level1">
<p class="level0"><a name="Reporting"></a><h2 class="nroffsh">Reporting errors</h2>
<p class="level0">Some routines return error or warning status codes; to convert them to a string, use <span Class="bold">pcap_statustostr</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_statustostr.html">pcap_statustostr</a>(3PCAP) get a string for an error or warning status code
<p class="level0"><a name="Getting"></a><h2 class="nroffsh">Getting library version information</h2>
<p class="level0">To get a string giving version information about libpcap, call <span Class="bold">pcap_lib_version</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_lib_version.html">pcap_lib_version</a>(3PCAP) get library version string
<p class="level0"><a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">In versions of libpcap prior to 1.0, the <span Class="bold">pcap.h</span> header file was not in a <span Class="bold">pcap</span> directory on most platforms; if you are writing an application that must work on versions of libpcap prior to 1.0, include <span Class="bold">&lt;pcap.h&gt;</span>, which will include <span Class="bold">&lt;pcap/pcap.h&gt;</span> for you, rather than including <span Class="bold">&lt;pcap/pcap.h&gt;</span>.
<p class="level0"><span Class="bold">pcap_create</span>() and <span Class="bold">pcap_activate</span>() were not available in versions of libpcap prior to 1.0; if you are writing an application that must work on versions of libpcap prior to 1.0, either use <span Class="bold">pcap_open_live</span>() to get a handle for a live capture or, if you want to be able to use the additional capabilities offered by using <span Class="bold">pcap_create</span>() and <span Class="bold">pcap_activate</span>(), use an <span Class="bold">autoconf</span>(1) script or some other configuration script to check whether the libpcap 1.0 APIs are available and use them only if they are. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><span Class="bold">autoconf</span>(1), <span Class="bold">tcpdump</span>(1), <span Class="bold">tcpslice</span>(1), <a Class="bold" href="./pcap-filter.html">pcap-filter</a>(7), <span Class="bold">pfconfig</span>(8), <span Class="bold">usermod</span>(@MAN_ADMIN_COMMANDS@) <a name="AUTHORS"></a><h2 class="nroffsh">AUTHORS</h2>
<p class="level0">The original authors of libpcap are:
<p class="level0">Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
<p class="level0">The current version is available from &quot;The Tcpdump Group&quot;&#39;s Web site at
<p class="level0">
<p class="level1"><span Class="emphasis"><a href="https://www.tcpdump.org/">https://www.tcpdump.org/</a></span>
<p class="level0"><a name="BUGS"></a><h2 class="nroffsh">BUGS</h2>
<p class="level0">To report a security issue please send an e-mail to security@tcpdump.org.
<p class="level0">To report bugs and other problems, contribute patches, request a feature, provide generic feedback etc please see the file <span Class="emphasis">CONTRIBUTING</span> in the libpcap source tree root. <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
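Review bot: `@MAN_ADMIN_COMMANDS@` is left unexpanded in this added page, in the Solaris net_rawaccess paragraph (`usermod (@MAN_ADMIN_COMMANDS@)`) and again in SEE ALSO. That suggests the HTML was generated from the man page template before the section number was substituted. Regenerate it from the configured man page, or link to the upstream documentation rather than committing a generated copy. The same file carries other conversion and source defects worth fixing at the generator rather than by hand: the "Opening a handle for writing captured packets" paragraph states its first sentence twice, "attmept" is misspelled in the pcap_get_required_select_timeout paragraph, `FILE\ *` keeps a roff escape backslash, the pcap_next_ex paragraph has a stray `<a class="emphasis" href="#">*</a>` link, and two `<a name="">` anchors have empty names.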

View File

@ -0,0 +1,79 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_activate - activate a capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_activate(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_activate()</span> is used to activate a packet capture handle to look at packets on the network, with the options that were set on the handle being in effect. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_activate()</span> returns 0 on success without warnings, a non-zero positive value on success with warnings, and a negative value on error. A non-zero return value indicates what warning or error condition occurred.
<p class="level0">The possible warning values are:
<p class="level0"><span Class="bold">PCAP_WARNING_PROMISC_NOTSUP</span> Promiscuous mode was requested, but the capture source doesn&#39;t support promiscuous mode.
<p class="level0"><span Class="bold">PCAP_WARNING_TSTAMP_TYPE_NOTSUP</span> The time stamp type specified in a previous <a Class="bold" href="./pcap_set_tstamp_type.html">pcap_set_tstamp_type</a> call isn&#39;t supported by the capture source (the time stamp type is left as the default),
<p class="level0"><span Class="bold">PCAP_WARNING</span> Another warning condition occurred; <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display a message describing the warning condition.
<p class="level0">The possible error values are:
<p class="level0"><span Class="bold">PCAP_ERROR_ACTIVATED</span> The handle has already been activated.
<p class="level0"><span Class="bold">PCAP_ERROR_NO_SUCH_DEVICE</span> The capture source specified when the handle was created doesn&#39;t exist.
<p class="level0"><span Class="bold">PCAP_ERROR_PERM_DENIED</span> The process doesn&#39;t have permission to open the capture source.
<p class="level0"><span Class="bold">PCAP_ERROR_PROMISC_PERM_DENIED</span> The process has permission to open the capture source but doesn&#39;t have permission to put it into promiscuous mode.
<p class="level0"><span Class="bold">PCAP_ERROR_RFMON_NOTSUP</span> Monitor mode was specified but the capture source doesn&#39;t support monitor mode.
<p class="level0"><span Class="bold">PCAP_ERROR_IFACE_NOT_UP</span> The capture source device is not up.
<p class="level0"><span Class="bold">PCAP_ERROR</span> Another error occurred. <span Class="bold">pcap_geterr()</span> or <span Class="bold">pcap_perror()</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display a message describing the error.
<p class="level0">If <span Class="bold">PCAP_WARNING_PROMISC_NOTSUP</span>, <span Class="bold">PCAP_ERROR_NO_SUCH_DEVICE</span>, or <span Class="bold">PCAP_ERROR_PERM_DENIED</span> is returned, <span Class="bold">pcap_geterr()</span> or <span Class="bold">pcap_perror()</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display an message giving additional details about the problem that might be useful for debugging the problem if it&#39;s unexpected.
<p class="level0">Additional warning and error codes may be added in the future; a program should check for positive, negative, and zero return codes, and treat all positive return codes as warnings and all negative return codes as errors. <a Class="bold" href="./pcap_statustostr.html">pcap_statustostr</a> can be called, with a warning or error code as an argument, to fetch a message describing the warning or error code. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
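Review bot: Two wording slips in the RETURN VALUE text of this pcap_activate page should be fixed before it lands. The PCAP_WARNING_TSTAMP_TYPE_NOTSUP entry ends with a comma instead of a full stop ("(the time stamp type is left as the default),"), and the paragraph about additional details reads "an message" where "a message" is meant. The footer says the page was made with roffit, so correct the man page source and regenerate rather than hand-editing the HTML.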

View File

@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_breakloop - force a pcap_dispatch() or pcap_loop() call to return <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
void pcap_breakloop(pcap_t *);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_breakloop()</span> sets a flag that will force <span Class="bold">pcap_dispatch(3PCAP)</span> or <a Class="bold" href="./pcap_loop.html">pcap_loop</a> to return rather than looping; they will return the number of packets that have been processed so far, or <span Class="bold">PCAP_ERROR_BREAK</span> if no packets have been processed so far.
<p class="level0">This routine is safe to use inside a signal handler on UNIX or a console control handler on Windows, as it merely sets a flag that is checked within the loop.
<p class="level0">The flag is checked in loops reading packets from the OS - a signal by itself will not necessarily terminate those loops - as well as in loops processing a set of packets returned by the OS. Note that if you are catching signals on UNIX systems that support restarting system calls after a signal, and calling pcap_breakloop() in the signal handler, you must specify, when catching those signals, that system calls should NOT be restarted by that signal. Otherwise, if the signal interrupted a call reading packets in a live capture, when your signal handler returns after calling pcap_breakloop(), the call will be restarted, and the loop will not terminate until more packets arrive and the call completes.
<p class="level0">Note also that, in a multi-threaded application, if one thread is blocked in pcap_dispatch(), pcap_loop(), pcap_next(3PCAP), or pcap_next_ex(3PCAP), a call to pcap_breakloop() in a different thread will not unblock that thread. You will need to use whatever mechanism the OS provides for breaking a thread out of blocking calls in order to unblock the thread, such as thread cancellation or thread signalling in systems that support POSIX threads, or <span Class="bold">SetEvent()</span> on the result of <span Class="bold">pcap_getevent()</span> on a <span Class="bold">pcap_t</span> on which the thread is blocked on Windows. Asynchronous procedure calls will not work on Windows, as a thread blocked on a <span Class="bold">pcap_t</span> will not be in an alertable state.
<p class="level0">Note that <span Class="bold">pcap_next()</span> and <span Class="bold">pcap_next_ex()</span> will, on some platforms, loop reading packets from the OS; that loop will not necessarily be terminated by a signal, so <span Class="bold">pcap_breakloop()</span> should be used to terminate packet processing even if <span Class="bold">pcap_next()</span> or <span Class="bold">pcap_next_ex()</span> is being used.
<p class="level0"><span Class="bold">pcap_breakloop()</span> does not guarantee that no further packets will be processed by <span Class="bold">pcap_dispatch()</span> or <span Class="bold">pcap_loop()</span> after it is called; at most one more packet might be processed.
<p class="level0">If <span Class="bold">PCAP_ERROR_BREAK</span> is returned from <span Class="bold">pcap_dispatch()</span> or <span Class="bold">pcap_loop()</span>, the flag is cleared, so a subsequent call will resume reading packets. If a positive number is returned, the flag is not cleared, so a subsequent call will return <span Class="bold">PCAP_ERROR_BREAK</span> and clear the flag. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_can_set_rfmon - check whether monitor mode can be set for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_can_set_rfmon(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_can_set_rfmon()</span> checks whether monitor mode could be set on a capture handle when the handle is activated. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_can_set_rfmon()</span> returns 0 if monitor mode could not be set, 1 if monitor mode could be set, and a negative value on error. A negative return value indicates what error condition occurred. The possible error values are:
<p class="level0"><span Class="bold">PCAP_ERROR_NO_SUCH_DEVICE</span> The capture source specified when the handle was created doesn&#39;t exist.
<p class="level0"><span Class="bold">PCAP_ERROR_PERM_DENIED</span> The process doesn&#39;t have permission to check whether monitor mode could be supported.
<p class="level0"><span Class="bold">PCAP_ERROR_ACTIVATED</span> The capture handle has already been activated.
<p class="level0"><span Class="bold">PCAP_ERROR</span> Another error occurred. <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">\%pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display a message describing the error.
<p class="level0">Additional error codes may be added in the future; a program should check for 0, 1, and negative, return codes, and treat all negative return codes as errors. <a Class="bold" href="./pcap_statustostr.html">pcap_statustostr</a> can be called, with a warning or error code as an argument, to fetch a message describing the warning or error code. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP), <a Class="bold" href="./pcap_set_rfmon.html">pcap_set_rfmon</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
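Review bot: The PCAP_ERROR entry in RETURN VALUE carries a raw roff escape: the bold span reads "\%pcap_perror(3PCAP)", so the backslash-percent will be shown literally in the browser. Strip the "\%" so it matches the pcap_activate page, which has plain "pcap_perror(3PCAP)". In the last paragraph, "0, 1, and negative, return codes" also has a stray comma after "negative".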

View File

@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_close - close a capture device or savefile <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
void pcap_close(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_close()</span> closes the files associated with <span Class="emphasis">p</span> and deallocates resources. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,69 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_compile - compile a filter expression <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_compile(pcap_t *p, struct bpf_program *fp,
&nbsp;&nbsp;&nbsp;&nbsp;const char *str, int optimize, bpf_u_int32 netmask);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_compile()</span> is used to compile the string <span Class="emphasis">str</span> into a filter program. See <a Class="bold" href="./pcap-filter.html">pcap-filter</a>(7) for the syntax of that string. <span Class="emphasis">program</span> is a pointer to a <span Class="emphasis">bpf_program</span> struct and is filled in by <span Class="bold">pcap_compile()</span>. <span Class="emphasis">optimize</span> controls whether optimization on the resulting code is performed. <span Class="emphasis">netmask</span> specifies the IPv4 netmask of the network on which packets are being captured; it is used only when checking for IPv4 broadcast addresses in the filter program. If the netmask of the network on which packets are being captured isn&#39;t known to the program, or if packets are being captured on the Linux &quot;any&quot; pseudo-interface that can capture on more than one network, a value of <span Class="bold">PCAP_NETMASK_UNKNOWN</span> can be supplied; tests for IPv4 broadcast addresses will fail to compile, but all other tests in the filter program will be OK.
<p class="level0">NOTE: in libpcap 1.8.0 and later, <span Class="bold">pcap_compile()</span> can be used in multiple threads within a single process. However, in earlier versions of libpcap, it is <span Class="emphasis">not</span> safe to use <span Class="bold">pcap_compile()</span> in multiple threads in a single process without some form of mutual exclusion allowing only one thread to call it at any given time. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_compile()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">The <span Class="bold">PCAP_NETMASK_UNKNOWN</span> constant became available in libpcap release 1.1.0. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_setfilter.html">pcap_setfilter</a>(3PCAP), <a Class="bold" href="./pcap_freecode.html">pcap_freecode</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
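Review bot: The DESCRIPTION names a parameter that does not appear in the SYNOPSIS: the prototype declares "struct bpf_program *fp", but the text says "program is a pointer to a bpf_program struct". Use fp in the description (or rename the prototype argument) so a reader can map the text onto the signature. The empty level0 paragraph directly under the BACKWARD COMPATIBILITY heading can also be dropped.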

View File

@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_create - create a live capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap_create(const char *source, char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_create()</span> is used to create a packet capture handle to look at packets on the network. <span Class="emphasis">source</span> is a string that specifies the network device to open; on Linux systems with 2.2 or later kernels, a <span Class="emphasis">source</span> argument of &quot;any&quot; or <span Class="bold">NULL</span> can be used to capture packets from all interfaces.
<p class="level0">The returned handle must be activated with <a Class="bold" href="./pcap_activate.html">pcap_activate</a> before packets can be captured with it; options for the capture, such as promiscuous mode, can be set on the handle before activating it. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_create()</span> returns a <span Class="emphasis">pcap_t *</span> on success and <span Class="bold">NULL</span> on failure. If <span Class="bold">NULL</span> is returned, <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
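Review bot: The SYNOPSIS markup is unbalanced: a second pre element with class level0 is opened right after the #include line while the first one is still open, and only one closing pre tag follows the prototype. Drop the inner opening tag, or close the first block before it, so the page is well-formed and matches the SYNOPSIS blocks of the other pages in this commit.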

View File

@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_datalink - get the link-layer header type <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_datalink(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_datalink()</span> returns the link-layer header type for the live capture or ``savefile&#39;&#39; specified by <span Class="emphasis">p</span>.
<p class="level0">It must not be called on a pcap descriptor created by <span Class="bold">\%pcap_create(3PCAP)</span> that has not yet been activated by <span Class="bold">\%pcap_activate(3PCAP)</span>.
<p class="level0"><span Class="emphasis"><a href="https://www.tcpdump.org/linktypes.html">https://www.tcpdump.org/linktypes.html</a></span> lists the values <span Class="bold">pcap_datalink()</span> can return and describes the packet formats that correspond to those values.
<p class="level0">Do <span Class="bold">NOT</span> assume that the packets for a given capture or ``savefile`` will have any given link-layer header type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. For example, the &quot;any&quot; device on Linux will have a link-layer header type of <span Class="bold">DLT_LINUX_SLL</span> even if all devices on the system at the time the &quot;any&quot; device is opened have some other data link type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_datalink()</span> returns the link-layer header type on success and <span Class="bold">PCAP_ERROR_NOT_ACTIVATED</span> if called on a capture handle that has been created but not activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap-linktype.html">pcap-linktype</a>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
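Review bot: The second DESCRIPTION paragraph carries raw roff escapes, "\%pcap_create(3PCAP)" and "\%pcap_activate(3PCAP)", which will display with the backslash-percent; remove the "\%" and preferably link them like the other cross-references. The quoting of savefile is also inconsistent within this page: the first paragraph closes the quote with two apostrophes, while the "Do NOT assume" paragraph uses two backticks on both sides.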

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_datalink_name_to_val - get the link-layer header type value corresponding to a header type name <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_datalink_name_to_val(const char *name);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_datalink_name_to_val()</span> translates a link-layer header type name, which is a <span Class="bold">DLT_</span> name with the <span Class="bold">DLT_</span> removed, to the corresponding link-layer header type value. The translation is case-insensitive. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_datalink_name_to_val()</span> returns the type value on success and <span Class="bold">PCAP_ERROR</span> if the name is not a known type name.. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
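Review bot: RETURN VALUE ends with a doubled full stop ("if the name is not a known type name.."); drop one.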

View File

@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_datalink_val_to_name, pcap_datalink_val_to_description, pcap_datalink_val_to_description_or_dlt - get a name or description for a link-layer header type value <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap.h&gt;
const char *pcap_datalink_val_to_name(int dlt);
const char *pcap_datalink_val_to_description(int dlt);
const char *pcap_datalink_val_to_description_or_dlt(int dlt);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_datalink_val_to_name()</span> translates a link-layer header type value to the corresponding link-layer header type name, which is the <span Class="bold">DLT_</span> name for the link-layer header type value with the <span Class="bold">DLT_</span> removed. <span Class="bold">NULL</span> is returned if the type value does not correspond to a known <span Class="bold">DLT_</span> value.
<p class="level0"><span Class="bold">pcap_datalink_val_to_description()</span> translates a link-layer header type value to a short description of that link-layer header type. <span Class="bold">NULL</span> is returned if the type value does not correspond to a known <span Class="bold">DLT_</span> value.
<p class="level0"><span Class="bold">pcap_datalink_val_to_description_or_dlt()</span> translates a link-layer header type value to a short description of that link-layer header type just like pcap_datalink_val_to_description. If the type value does not correspond to a known <span Class="bold">DLT_</span> value, the string &quot;DLT n&quot; is returned, where n is the value of the dlt argument. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
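Review bot: The SYNOPSIS here includes pcap.h, while the other man pages visible in this commit all include pcap/pcap.h. Unless the difference is intentional, use pcap/pcap.h here too so the documented include path is consistent across the set.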

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump - write a packet to a capture file <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
void pcap_dump(u_char *user, struct pcap_pkthdr *h,
&nbsp;&nbsp;&nbsp;&nbsp;u_char *sp);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump()</span> outputs a packet to the ``savefile&#39;&#39; opened with <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>. Note that its calling arguments are suitable for use with <span Class="bold">pcap_dispatch(3PCAP)</span> or <a Class="bold" href="./pcap_loop.html">pcap_loop</a>. If called directly, the <span Class="emphasis">user</span> parameter is of type <span Class="bold">pcap_dumper_t</span> as returned by <span Class="bold">pcap_dump_open()</span>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
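Review bot: The DESCRIPTION's statement about the user parameter does not match the prototype: the SYNOPSIS declares "u_char *user", but the text says user "is of type pcap_dumper_t as returned by pcap_dump_open()". Say that the pcap_dumper_t pointer returned by pcap_dump_open() is passed cast to u_char *, so a caller invoking pcap_dump() directly knows which type to hand in.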

View File

@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump_close - close a savefile being written to <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
void pcap_dump_close(pcap_dumper_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump_close()</span> closes the ``savefile.&#39;&#39; <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>(3PCAP), <a Class="bold" href="./pcap_dump.html">pcap_dump</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump_file - get the standard I/O stream for a savefile being written <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
FILE *pcap_dump_file(pcap_dumper_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump_file()</span> returns the standard I/O stream of the ``savefile&#39;&#39; opened by <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump_flush - flush to a savefile packets dumped <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_dump_flush(pcap_dumper_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump_flush()</span> flushes the output buffer to the ``savefile,&#39;&#39; so that any packets written with <a Class="bold" href="./pcap_dump.html">pcap_dump</a> but not yet written to the ``savefile&#39;&#39; will be written. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_dump_flush()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump_ftell, pcap_dump_ftell64 - get the current file offset for a savefile being written <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
long pcap_dump_ftell(pcap_dumper_t *p);
int64_t pcap_dump_ftell64(pcap_dumper_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump_ftell()</span> returns the current file position for the ``savefile&#39;&#39;, representing the number of bytes written by <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a> and <a Class="bold" href="./pcap_dump.html">pcap_dump</a>. <span Class="bold">PCAP_ERROR</span> is returned on error. If the current file position does not fit in a <span Class="bold">long</span>, it will be truncated; this can happen on 32-bit UNIX-like systems with large file support and on Windows. <span Class="bold">pcap_dump_ftell64()</span> returns the current file position in a <span Class="bold">int64_t</span>, so if file offsets that don&#39;t fit in a <span Class="bold">long</span> but that fit in a <span Class="bold">int64_t</span> are supported, this will return the file offset without truncation. <span Class="bold">PCAP_ERROR</span> is returned on error. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
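Review bot: this page has no RETURN VALUE section, unlike the pcap_dump_flush page added in the same commit, so the PCAP_ERROR return is stated twice inline in DESCRIPTION and is easy to miss. The same paragraph says the long result of pcap_dump_ftell() is truncated on Windows and on 32-bit UNIX-like systems with large file support, and a caller cannot tell a truncated offset from a valid one. Suggest a separate RETURN VALUE section that states the error return once and tells callers to use pcap_dump_ftell64() wherever offsets may not fit in a long. Also "a int64_t" should read "an int64_t" in both places.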

View File

@ -0,0 +1,73 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump_open, pcap_dump_fopen - open a file to which to write packets <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname);
pcap_dumper_t *pcap_dump_open_append(pcap_t *p, const char *fname);
pcap_dumper_t *pcap_dump_fopen(pcap_t *p, FILE *fp);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump_open()</span> is called to open a ``savefile&#39;&#39; for writing. <span Class="emphasis">fname</span> specifies the name of the file to open. The file will have the same format as those used by <span Class="bold">tcpdump</span>(1) and <span Class="bold">tcpslice</span>(1). The name &quot;-&quot; is a synonym for <span Class="bold">stdout</span>.
<p class="level0"><span Class="bold">pcap_dump_fopen()</span> is called to write data to an existing open stream <span Class="emphasis">fp</span>; this stream will be closed by a subsequent call to <a Class="bold" href="./pcap_dump_close.html">pcap_dump_close</a>. Note that on Windows, that stream should be opened in binary mode.
<p class="level0"><span Class="emphasis">p</span> is a capture or ``savefile&#39;&#39; handle returned by an earlier call to <a Class="bold" href="./pcap_create.html">pcap_create</a> and activated by an earlier call to <span Class="bold">\%pcap_activate(3PCAP)</span>, or returned by an earlier call to <span Class="bold">\%pcap_open_offline(3PCAP)</span>, <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>, or <a Class="bold" href="./pcap_open_dead.html">pcap_open_dead</a>. The time stamp precision, link-layer type, and snapshot length from <span Class="emphasis">p</span> are used as the link-layer type and snapshot length of the output file.
<p class="level0"><span Class="bold">pcap_dump_open_append()</span> is like <span Class="bold">pcap_dump_open()</span> but does not create the file if it does not exist and, if it does already exist, and is a pcap file with the same byte order as the host opening the file, and has the same time stamp precision, link-layer header type, and snapshot length as <span Class="emphasis">p</span>, it will write new packets at the end of the file. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUES</h2>
<p class="level0">A pointer to a <span Class="bold">pcap_dumper_t</span> structure to use in subsequent <a Class="bold" href="./pcap_dump.html">pcap_dump</a> and <a Class="bold" href="./pcap_dump_close.html">pcap_dump_close</a> calls is returned on success. <span Class="bold">NULL</span> is returned on failure. If <span Class="bold">NULL</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> can be used to get the error text. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">The <span Class="bold">pcap_dump_open_append()</span> function became available in libpcap release 1.7.2. In previous releases, there is no support for appending packets to an existing savefile. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <span Class="bold">\%pcap-savefile</span>(5) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
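Review bot: the SYNOPSIS opens the pre class="level0" element twice (once before the #include line and again before the prototypes) but closes it only once, so one pre is left open for the rest of the page. The roff escape \% has also leaked into the rendered text in "\%pcap_activate(3PCAP)", "\%pcap_open_offline(3PCAP)" and "\%pcap-savefile", and those three are plain bold spans rather than links like pcap_create and pcap_open_live next to them. The NAME line lists pcap_dump_open and pcap_dump_fopen but not pcap_dump_open_append, which the SYNOPSIS and DESCRIPTION both cover. In the paragraph on p, the sentence names three properties (time stamp precision, link-layer type, snapshot length) as the source but only two (link-layer type and snapshot length) as what the output file gets; one side of that sentence needs correcting.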

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_file - get the standard I/O stream for a savefile being read <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
FILE *pcap_file(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_file()</span> returns the standard I/O stream of the ``savefile,&#39;&#39; if a ``savefile&#39;&#39; was opened with <a Class="bold" href="./pcap_open_offline.html">pcap_open_offline</a>, or <span Class="bold">NULL</span>, if a network device was opened with <a Class="bold" href="./pcap_create.html">pcap_create</a> and <span Class="bold">\%pcap_activate(3PCAP)</span>, or with <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>.
<p class="level0">Note that the Packet Capture library is usually built with large file support, so the standard I/O stream of the ``savefile&#39;&#39; might refer to a file larger than 2 gigabytes; applications that use <span Class="bold">pcap_file()</span> should, if possible, use calls that support large files on the return value of <span Class="bold">pcap_file()</span> or the value returned by <span Class="bold">fileno(3)</span> when passed the return value of <span Class="bold">pcap_file()</span>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
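Review bot: in the first DESCRIPTION paragraph the roff escape \% is rendered literally in "\%pcap_activate(3PCAP)", and that reference is a plain bold span while pcap_create, pcap_open_offline and pcap_open_live in the same sentence are links. Suggest stripping the escape and linking it to ./pcap_activate.html as the pcap_fileno page in this commit does. The large-file paragraph tells callers to use calls that support large files but names none; a pointer to which calls are meant on Windows would make the advice actionable.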

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_fileno - get the file descriptor for a live capture <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_fileno(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">If <span Class="emphasis">p</span> refers to a network device that was opened for a live capture using a combination of <a Class="bold" href="./pcap_create.html">pcap_create</a> and <a Class="bold" href="./pcap_activate.html">pcap_activate</a>, or using <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>, <span Class="bold">pcap_fileno()</span> returns the file descriptor from which captured packets are read.
<p class="level0">If <span Class="emphasis">p</span> refers to a ``savefile&#39;&#39; that was opened using functions such as <a Class="bold" href="./pcap_open_offline.html">pcap_open_offline</a> or <span Class="bold">pcap_fopen_offline(3PCAP)</span>, a ``dead&#39;&#39; <span Class="bold">pcap_t</span> opened using <a Class="bold" href="./pcap_open_dead.html">pcap_open_dead</a>, or a <span Class="bold">pcap_t</span> that was created with <span Class="bold">pcap_create()</span> but that has not yet been activated with <span Class="bold">pcap_activate()</span>, it returns <span Class="bold">PCAP_ERROR</span>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,99 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_findalldevs, pcap_freealldevs - get a list of capture devices, and free that list <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf);
void pcap_freealldevs(pcap_if_t *alldevs);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_findalldevs()</span> constructs a list of network devices that can be opened with <a Class="bold" href="./pcap_create.html">pcap_create</a> and <a Class="bold" href="./pcap_activate.html">pcap_activate</a> or with <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>. (Note that there may be network devices that cannot be opened by the process calling <span Class="bold">pcap_findalldevs()</span>, because, for example, that process does not have sufficient privileges to open them for capturing; if so, those devices will not appear on the list.) If <span Class="bold">pcap_findalldevs()</span> succeeds, the pointer pointed to by <span Class="emphasis">alldevsp</span> is set to point to the first element of the list, or to <span Class="bold">NULL</span> if no devices were found (this is considered success). Each element of the list is of type <span Class="bold">pcap_if_t</span>, and has the following members:
<p class="level1">
<p class="level1"><span Class="bold">next</span> if not <span Class="bold">NULL</span>, a pointer to the next element in the list; <span Class="bold">NULL</span> for the last element of the list
<p class="level1"><span Class="bold">name</span> a pointer to a string giving a name for the device to pass to <span Class="bold">pcap_open_live()</span>
<p class="level1"><span Class="bold">description</span> if not <span Class="bold">NULL</span>, a pointer to a string giving a human-readable description of the device
<p class="level1"><span Class="bold">addresses</span> a pointer to the first element of a list of network addresses for the device, or <span Class="bold">NULL</span> if the device has no addresses
<p class="level1"><span Class="bold">flags</span> device flags:
<p class="level2">
<p class="level2"><span Class="bold">PCAP_IF_LOOPBACK</span> set if the device is a loopback interface
<p class="level2"><span Class="bold">PCAP_IF_UP</span> set if the device is up
<p class="level2"><span Class="bold">PCAP_IF_RUNNING</span> set if the device is running
<p class="level2"><span Class="bold">PCAP_IF_WIRELESS</span> set if the device is a wireless interface; this includes IrDA as well as radio-based networks such as IEEE 802.15.4 and IEEE 802.11, so it doesn&#39;t just mean Wi-Fi
<p class="level2"><span Class="bold">PCAP_IF_CONNECTION_STATUS</span> a bitmask for an indication of whether the adapter is connected or not; for wireless interfaces, &quot;connected&quot; means &quot;associated with a network&quot;
<p class="level2">The possible values for the connection status bits are:
<p class="level2"><span Class="bold">PCAP_IF_CONNECTION_STATUS_UNKNOWN</span> it&#39;s unknown whether the adapter is connected or not
<p class="level2"><span Class="bold">PCAP_IF_CONNECTION_STATUS_CONNECTED</span> the adapter is connected
<p class="level2"><span Class="bold">PCAP_IF_CONNECTION_STATUS_DISCONNECTED</span> the adapter is disconnected
<p class="level2"><span Class="bold">PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE</span> the notion of &quot;connected&quot; and &quot;disconnected&quot; don&#39;t apply to this interface; for example, it doesn&#39;t apply to a loopback device
<p class="level1">
<p class="level0">
<p class="level0">Each element of the list of addresses is of type <span Class="bold">pcap_addr_t</span>, and has the following members:
<p class="level1">
<p class="level1"><span Class="bold">next</span> if not <span Class="bold">NULL</span>, a pointer to the next element in the list; <span Class="bold">NULL</span> for the last element of the list
<p class="level1"><span Class="bold">addr</span> a pointer to a <span Class="bold">struct sockaddr</span> containing an address
<p class="level1"><span Class="bold">netmask</span> if not <span Class="bold">NULL</span>, a pointer to a <span Class="bold">struct sockaddr</span> that contains the netmask corresponding to the address pointed to by <span Class="bold">addr</span>
<p class="level1"><span Class="bold">broadaddr</span> if not <span Class="bold">NULL</span>, a pointer to a <span Class="bold">struct sockaddr</span> that contains the broadcast address corresponding to the address pointed to by <span Class="bold">addr</span>; may be null if the device doesn&#39;t support broadcasts
<p class="level1"><span Class="bold">dstaddr</span> if not <span Class="bold">NULL</span>, a pointer to a <span Class="bold">struct sockaddr</span> that contains the destination address corresponding to the address pointed to by <span Class="bold">addr</span>; may be null if the device isn&#39;t a point-to-point interface
<p class="level0">
<p class="level0">Note that the addresses in the list of addresses might be IPv4 addresses, IPv6 addresses, or some other type of addresses, so you must check the <span Class="bold">sa_family</span> member of the <span Class="bold">struct sockaddr</span> before interpreting the contents of the address; do not assume that the addresses are all IPv4 addresses, or even all IPv4 or IPv6 addresses. IPv4 addresses have the value <span Class="bold">AF_INET</span>, IPv6 addresses have the value <span Class="bold">AF_INET6</span> (which older operating systems that don&#39;t support IPv6 might not define), and other addresses have other values. Whether other addresses are returned, and what types they might have is platform-dependent. For IPv4 addresses, the <span Class="bold">struct sockaddr</span> pointer can be interpreted as if it pointed to a <span Class="bold">struct sockaddr_in</span>; for IPv6 addresses, it can be interpreted as if it pointed to a <span Class="bold">struct sockaddr_in6</span>.
<p class="level0">The list of devices must be freed with <span Class="bold">pcap_freealldevs(3PCAP)</span>, which frees the list pointed to by <span Class="emphasis">alldevs</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_findalldevs()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure; as indicated, finding no devices is considered success, rather than failure, so 0 will be returned in that case. If <span Class="bold">PCAP_ERROR</span> is returned, <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">The <span Class="bold">PCAP_IF_UP</span> and <span Class="bold">PCAP_IF_RUNNING</span> constants became available in libpcap release 1.6.1. The <span Class="bold">PCAP_IF_WIRELESS</span>, <span Class="bold">PCAP_IF_CONNECTION_STATUS</span>, <span Class="bold">PCAP_IF_CONNECTION_STATUS_UNKNOWN</span>, <span Class="bold">PCAP_IF_CONNECTION_STATUS_CONNECTED</span>, <span Class="bold">PCAP_IF_CONNECTION_STATUS_DISCONNECTED</span>, and <span Class="bold">PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE</span> constants became available in libpcap release 1.9.0. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
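Review bot: the SYNOPSIS opens the pre class="level0" element twice (before the #include line and before the errbuf declaration) and closes it once, leaving one pre open for the remainder of the page. The member lists for pcap_if_t and pcap_addr_t are emitted as bare paragraphs with the member name and its description run together ("next if not NULL, a pointer ..."), surrounded by empty level0, level1 and level2 paragraphs; a definition list or at least a separator after the name would make them readable. The description of the name member says the string is passed to pcap_open_live() only, while the opening paragraph says devices are opened with pcap_create and pcap_activate or with pcap_open_live; the two should agree. The broadaddr and dstaddr entries say "may be null" where the rest of the page writes NULL.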

View File

@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_freecode - free a BPF program <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
void pcap_freecode(struct bpf_program *);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_freecode()</span> is used to free up allocated memory pointed to by a <span Class="emphasis">bpf_program</span> struct generated by <a Class="bold" href="./pcap_compile.html">pcap_compile</a> when that BPF program is no longer needed, for example after it has been made the filter program for a pcap structure by a call to <a Class="bold" href="./pcap_setfilter.html">pcap_setfilter</a>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_get_required_select_timeout - get a file descriptor on which a select() can be done for a live capture <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
struct timeval *pcap_get_required_select_timeout(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_get_required_select_timeout()</span> returns, on UNIX, a pointer to a <span Class="bold">struct timeval</span> containing a value that must be used as the minimum timeout in <span Class="bold">select(2)</span>, <span Class="bold">poll(2)</span>, <span Class="bold">epoll_wait(2)</span>, and <span Class="bold">kevent()</span> calls if <a Class="bold" href="./pcap_get_selectable_fd.html">pcap_get_selectable_fd</a> returns <span Class="bold">PCAP_ERROR</span>.
<p class="level0">The timeout that should be used in those calls must be no larger than the smallest of all timeouts returned by <span Class="bold">\%pcap_get_required_select_timeout()</span> for devices from which packets will be captured.
<p class="level0">The device for which <span Class="bold">pcap_get_selectable_fd()</span> returned <span Class="bold">PCAP_ERROR</span> must be put in non-blocking mode with <a Class="bold" href="./pcap_setnonblock.html">pcap_setnonblock</a>, and an attempt must always be made to read packets from the device when the <span Class="bold">select()</span>, <span Class="bold">poll()</span>, <span Class="bold">epoll_wait()</span>, or <span Class="bold">kevent()</span> call returns.
<p class="level0">Note that a device on which a read can be done without blocking may, on some platforms, not have any packets to read if the packet buffer timeout has expired. A call to <span Class="bold">pcap_dispatch(3PCAP)</span> or <a Class="bold" href="./pcap_next_ex.html">pcap_next_ex</a> will return 0 in this case, but will not block.
<p class="level0"><span Class="bold">pcap_get_required_select_timeout()</span> is not available on Windows. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0">A pointer to a <span Class="bold">struct timeval</span> is returned if the timeout is required; otherwise <span Class="bold">NULL</span> is returned. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">This function became available in libpcap release 1.9.0. In previous releases, <span Class="bold">select()</span>, <span Class="bold">poll()</span>, <span Class="bold">epoll_wait()</span>, and <span Class="bold">kevent()</span> cannot be used on any capture source for which <span Class="bold">pcap_get_selectable_fd</span> returns -1. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_get_selectable_fd.html">pcap_get_selectable_fd</a>(3PCAP), <span Class="bold">select</span>(2), <span Class="bold">poll</span>(2), <span Class="bold">epoll_wait</span>(2), <span Class="bold">kqueue</span>(2) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
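Review bot: the NAME summary reads "get a file descriptor on which a select() can be done for a live capture", which is the summary of pcap_get_selectable_fd; this function returns a struct timeval pointer, so the summary should describe a timeout. The DESCRIPTION is also inconsistent about direction: the first paragraph calls the value the "minimum timeout" for select(), poll(), epoll_wait() and kevent(), while the second says the timeout used "must be no larger than the smallest" of the returned values, which makes it an upper bound. BACKWARD COMPATIBILITY says pcap_get_selectable_fd "returns -1" where the rest of the page uses PCAP_ERROR, and the second paragraph shows a leaked roff escape in "\%pcap_get_required_select_timeout()". SEE ALSO does not list pcap_setnonblock although the third paragraph requires it.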

View File

@ -0,0 +1,79 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_get_selectable_fd - get a file descriptor on which a select() can be done for a live capture <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_get_selectable_fd(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_get_selectable_fd()</span> returns, on UNIX, a file descriptor number for a file descriptor on which one can do a <span Class="bold">select(2)</span>, <span Class="bold">poll(2)</span>, <span Class="bold">epoll_wait(2)</span>, <span Class="bold">kevent()</span>, or other such call to wait for it to be possible to read packets without blocking, if such a descriptor exists, or <span Class="bold">PCAP_ERROR</span>, if no such descriptor exists.
<p class="level0">Some network devices opened with <a Class="bold" href="./pcap_create.html">pcap_create</a> and <a Class="bold" href="./pcap_activate.html">pcap_activate</a>, or with <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>, do not support those calls (for example, regular network devices on FreeBSD 4.3 and 4.4, and Endace DAG devices), so <span Class="bold">PCAP_ERROR</span> is returned for those devices. In that case, those calls must be given a timeout less than or equal to the timeout returned by <a Class="bold" href="./pcap_get_required_select_timeout.html">pcap_get_required_select_timeout</a> for the device for which <span Class="bold">pcap_get_selectable_fd()</span> returned <span Class="bold">PCAP_ERROR</span>, the device must be put in non-blocking mode with a call to <span Class="bold">\%pcap_setnonblock(3PCAP)</span>, and an attempt must always be made to read packets from the device when the call returns. If <span Class="bold">\%pcap_get_required_select_timeout()</span> returns <span Class="bold">NULL</span>, it is not possible to wait for packets to arrive on the device in an event loop.
<p class="level0">Note that a device on which a read can be done without blocking may, on some platforms, not have any packets to read if the packet buffer timeout has expired. A call to <span Class="bold">pcap_dispatch(3PCAP)</span> or <a Class="bold" href="./pcap_next_ex.html">pcap_next_ex</a> will return 0 in this case, but will not block.
<p class="level0">Note that in:
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">FreeBSD prior to FreeBSD 4.6;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">NetBSD prior to NetBSD 3.0;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">OpenBSD prior to OpenBSD 2.4;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Mac OS X prior to Mac OS X 10.7;
<p class="level1"><span Class="bold">select()</span>, <span Class="bold">poll()</span>, and <span Class="bold">kevent()</span> do not work correctly on BPF devices; <span Class="bold">pcap_get_selectable_fd()</span> will return a file descriptor on most of those versions (the exceptions being FreeBSD 4.3 and 4.4), but a simple <span Class="bold">select()</span>, <span Class="bold">poll()</span>, or <span Class="bold">kevent()</span> call will not indicate that the descriptor is readable until a full buffer&#39;s worth of packets is received, even if the packet timeout expires before then. To work around this, code that uses those calls to wait for packets to arrive must put the <span Class="bold">pcap_t</span> in non-blocking mode, and must arrange that the call have a timeout less than or equal to the packet buffer timeout, and must try to read packets after that timeout expires, regardless of whether the call indicated that the file descriptor for the <span Class="bold">pcap_t</span> is ready to be read or not. (That workaround will not work in FreeBSD 4.3 and later; however, in FreeBSD 4.6 and later, those calls work correctly on BPF devices, so the workaround isn&#39;t necessary, although it does no harm.)
<p class="level1">Note also that <span Class="bold">poll()</span> and <span Class="bold">kevent()</span> doesn&#39;t work on character special files, including BPF devices, in Mac OS X 10.4 and 10.5, so, while <span Class="bold">select()</span> can be used on the descriptor returned by <span Class="bold">pcap_get_selectable_fd()</span>, <span Class="bold">poll()</span> and <span Class="bold">kevent()</span> cannot be used on it those versions of Mac OS X. <span Class="bold">poll()</span>, but not <span Class="bold">kevent()</span>, works on that descriptor in Mac OS X releases prior to 10.4; <span Class="bold">poll()</span> and <span Class="bold">kevent()</span> work on that descriptor in Mac OS X 10.6 and later.
<p class="level1"><span Class="bold">pcap_get_selectable_fd()</span> is not available on Windows. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0">A selectable file descriptor is returned if one exists; otherwise, <span Class="bold">PCAP_ERROR</span> is returned. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <span Class="bold">kqueue</span>(2) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
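Review bot: the list under "Note that in:" has lost its item markers; each of the four entries is preceded by an anchor with an empty name attribute and an empty nroffip span, which gives four duplicate empty anchors and no visible bullets. The sentence "pcap_get_selectable_fd() is not available on Windows" sits at level1 at the end of the BSD and Mac OS X notes, where it reads as part of that list; it should be its own level0 paragraph, as on the pcap_get_required_select_timeout page. Wording to fix in the Mac OS X paragraph: "poll() and kevent() doesn't work" (don't) and "cannot be used on it those versions" (missing "in"). The second paragraph shows leaked roff escapes in "\%pcap_setnonblock(3PCAP)" and "\%pcap_get_required_select_timeout()", and SEE ALSO omits both pcap_get_required_select_timeout and pcap_setnonblock even though the fallback procedure depends on them.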

View File

@ -0,0 +1,75 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_get_tstamp_precision - get the time stamp precision returned in captures <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_get_tstamp_precision(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_get_tstamp_precision()</span> returns the precision of the time stamp returned in packet captures on the pcap descriptor. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_get_tstamp_precision()</span> returns <span Class="bold">PCAP_TSTAMP_PRECISION_MICRO</span> or <span Class="bold">PCAP_TSTAMP_PRECISION_NANO</span>, which indicates that pcap captures contains time stamps in microseconds or nanoseconds respectively. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">This function became available in libpcap release 1.5.1. In previous releases, time stamps from a capture device or savefile are always given in seconds and microseconds. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_set_tstamp_precision.html">pcap_set_tstamp_precision</a>(3PCAP), <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
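Review bot: Nine consecutive empty `<p class="level0">` elements sit between `<body>` and the NAME heading and carry no content. Drop them, or regenerate the page so the body starts at `<a name="NAME">` as the other pages in this commit do.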

View File

@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_geterr, pcap_perror - get or print libpcap error message text <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
char *pcap_geterr(pcap_t *p);
void pcap_perror(pcap_t *p, const char *prefix);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_geterr()</span> returns the error text pertaining to the last pcap library error. <span Class="bold">NOTE</span>: the pointer it returns will no longer point to a valid error message string after the <span Class="bold">pcap_t</span> passed to it is closed; you must use or copy the string before closing the <span Class="bold">pcap_t</span>.
<p class="level0"><span Class="bold">pcap_perror()</span> prints the text of the last pcap library error on <span Class="bold">stderr</span>, prefixed by <span Class="emphasis">prefix</span>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
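Review bot: DESCRIPTION says the pointer from pcap_geterr() stops being valid once the pcap_t is closed, but not whether a later libpcap call on the same pcap_t can overwrite the text, nor what is returned when no error has occurred. A sentence covering both cases would tell callers whether they have to copy the string immediately after the failing call or only before closing.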

View File

@ -0,0 +1,71 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_inject, pcap_sendpacket - transmit a packet <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_inject(pcap_t *p, const void *buf, size_t size);
int pcap_sendpacket(pcap_t *p, const u_char *buf, int size);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_inject()</span> sends a raw packet through the network interface; <span Class="emphasis">buf</span> points to the data of the packet, including the link-layer header, and <span Class="emphasis">size</span> is the number of bytes in the packet.
<p class="level0">Note that, even if you successfully open the network interface, you might not have permission to send packets on it, or it might not support sending packets; as <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a> doesn&#39;t have a flag to indicate whether to open for capturing, sending, or capturing and sending, you cannot request an open that supports sending and be notified at open time whether sending will be possible. Note also that some devices might not support sending packets.
<p class="level0">Note that, on some platforms, the link-layer header of the packet that&#39;s sent might not be the same as the link-layer header of the packet supplied to <span Class="bold">pcap_inject()</span>, as the source link-layer address, if the header contains such an address, might be changed to be the address assigned to the interface on which the packet it sent, if the platform doesn&#39;t support sending completely raw and unchanged packets. Even worse, some drivers on some platforms might change the link-layer type field to whatever value libpcap used when attaching to the device, even on platforms that <span Class="emphasis">do</span> nominally support sending completely raw and unchanged packets.
<p class="level0"><span Class="bold">pcap_sendpacket()</span> is like <span Class="bold">pcap_inject()</span>, but it returns 0 on success, rather than returning the number of bytes written. (<span Class="bold">pcap_inject()</span> comes from OpenBSD; <span Class="bold">pcap_sendpacket()</span> comes from WinPcap. Both are provided for compatibility.) <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_inject()</span> returns the number of bytes written on success and <span Class="bold">PCAP_ERROR</span> on failure.
<p class="level0"><span Class="bold">pcap_sendpacket()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure.
<p class="level0">If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
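Review bot: Typo in the third DESCRIPTION paragraph: "the interface on which the packet it sent" should be "is sent". In the RETURN VALUE section pcap_geterr is a link while `pcap_perror(3PCAP)` is only a bold span, so the two cross-references in that sentence are rendered inconsistently.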

View File

@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_is_swapped - find out whether a savefile has the native byte order <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_is_swapped(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_is_swapped()</span> returns true (1) if <span Class="emphasis">p</span> refers to a ``savefile&#39;&#39; that uses a different byte order than the current system. For a live capture, it always returns false (0).
<p class="level0">It must not be called on a pcap descriptor created by <span Class="bold">\%pcap_create(3PCAP)</span> that has not yet been activated by <span Class="bold">\%pcap_activate(3PCAP)</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_is_swapped()</span> returns true (1) or false (0) on success and <span Class="bold">PCAP_ERROR_NOT_ACTIVATED</span> if called on a capture handle that has been created but not activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
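Review bot: The second DESCRIPTION paragraph shows `\%pcap_create(3PCAP)` and `\%pcap_activate(3PCAP)` with the roff hyphenation escape `\%` still in the text, so the conversion left markup in the visible function names. Strip the escape in the output (or handle it in the converter) and make the two names links like the `pcap` entry under SEE ALSO.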

View File

@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_lib_version - get the version information for libpcap <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
const char *pcap_lib_version(void);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_lib_version()</span> returns a pointer to a string giving information about the version of the libpcap library being used; note that it contains more information than just a version number. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
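Review bot: `<title>3PCAP man page</title>` does not name the function this page documents, so the page cannot be told apart from the other man pages in this commit by its title. Use the page name, for example `pcap_lib_version(3PCAP)`.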

View File

@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_list_datalinks, pcap_free_datalinks - get a list of link-layer header types supported by a capture device, and free that list <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_list_datalinks(pcap_t *p, int **dlt_buf);
void pcap_free_datalinks(int *dlt_list);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_list_datalinks()</span> is used to get a list of the supported link-layer header types of the interface associated with the pcap descriptor. <span Class="bold">pcap_list_datalinks()</span> allocates an array to hold the list and sets <span Class="emphasis">*dlt_buf</span> to point to that array.
<p class="level0">The caller is responsible for freeing the array with <span Class="bold">pcap_free_datalinks()</span>, which frees the list of link-layer header types pointed to by <span Class="emphasis">dlt_list</span>.
<p class="level0">It must not be called on a pcap descriptor created by <span Class="bold">\%pcap_create(3PCAP)</span> that has not yet been activated by <span Class="bold">\%pcap_activate(3PCAP)</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_list_datalinks()</span> returns the number of link-layer header types in the array on success, <span Class="bold">PCAP_ERROR_NOT_ACTIVATED</span> if called on a capture handle that has been created but not activated, and <span Class="bold">PCAP_ERROR</span> on other errors. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">\%pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_datalink_val_to_name.html">pcap_datalink_val_to_name</a>(3PCAP), <a Class="bold" href="./pcap-linktype.html">pcap-linktype</a>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
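Review bot: "It must not be called on a pcap descriptor..." directly follows the paragraph about pcap_free_datalinks(), so "It" reads as referring to the free function, while RETURN VALUE attaches PCAP_ERROR_NOT_ACTIVATED to pcap_list_datalinks(). Name the function explicitly in that sentence. The same paragraph and the RETURN VALUE text also still carry the roff `\%` escape in front of pcap_create, pcap_activate and pcap_perror.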

View File

@ -0,0 +1,69 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_list_tstamp_types, pcap_free_tstamp_types - get a list of time stamp types supported by a capture device, and free that list <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_list_tstamp_types(pcap_t *p, int **tstamp_typesp);
void pcap_free_tstamp_types(int *tstamp_types);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_list_tstamp_types()</span> is used to get a list of the supported time stamp types of the interface associated with the pcap descriptor. <span Class="bold">pcap_list_tstamp_types()</span> allocates an array to hold the list and sets <span Class="emphasis">*tstamp_typesp</span> to point to the array. See <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) for a list of all the time stamp types.
<p class="level0">The caller is responsible for freeing the array with <span Class="bold">pcap_free_tstamp_types()</span>, which frees the list pointed to by <span Class="emphasis">tstamp_types</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_list_tstamp_types()</span> returns the number of time stamp types in the array on success and <span Class="bold">PCAP_ERROR</span> on failure. A return value of one means that the only time stamp type supported is the one in the list, which is the capture device&#39;s default time stamp type. A return value of zero means that the only time stamp type supported is <span Class="bold">PCAP_TSTAMP_HOST</span>, which is the capture device&#39;s default time stamp type (only older versions of libpcap will return that; newer versions will always return one or more types). If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">These functions became available in libpcap release 1.2.1. In previous releases, the time stamp type cannot be set; only the default time stamp type offered by a capture source is available. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_tstamp_type_val_to_name.html">pcap_tstamp_type_val_to_name</a>(3PCAP), <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
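Review bot: RETURN VALUE explains that a return of zero means only PCAP_TSTAMP_HOST is supported, but does not say whether `*tstamp_typesp` is set in that case or whether pcap_free_tstamp_types() must still be called on it. State that explicitly, since the caller is made responsible for freeing the array. There is also an empty `<p class="level0">` directly after the BACKWARD COMPATIBILITY heading.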

View File

@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_lookupdev - find the default device on which to capture <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
[DEPRECATED] char *pcap_lookupdev(char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">This interface is obsoleted by</span> <a Class="bold" href="./pcap_findalldevs.html">pcap_findalldevs</a>(3PCAP). To find a default device on which to capture, call <span Class="bold">pcap_findalldevs()</span> and, if the list it returns is not empty, use the first device in the list. (If the list is empty, there are no devices on which capture is possible.)
<p class="level0"><span Class="bold">pcap_lookupdev()</span> returns a pointer to a string giving the name of a network device suitable for use with <a Class="bold" href="./pcap_create.html">pcap_create</a> and <span Class="bold">\%pcap_activate(3PCAP)</span>, or with <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>, and with <a Class="bold" href="./pcap_lookupnet.html">pcap_lookupnet</a>. If there is an error, <span Class="bold">NULL</span> is returned and <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <a name="BUGS"></a><h2 class="nroffsh">BUGS</h2>
<p class="level0">The pointer returned by <span Class="bold">pcap_lookupdev()</span> points to a static buffer; subsequent calls to <span Class="bold">pcap_lookupdev()</span> in the same thread, or calls to <span Class="bold">pcap_lookupdev()</span> in another thread, may overwrite that buffer.
<p class="level0">In WinPcap, this function may return a UTF-16 string rather than an ASCII or UTF-8 string.
<p class="level0"><p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
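Review bot: SYNOPSIS opens `<pre class="level0">` twice, once before the #include line and again before `char errbuf[PCAP_ERRBUF_SIZE];`, but closes it only once, so the markup is unbalanced. Merge the two into a single block. The `[DEPRECATED]` marker also sits inside the prototype line, where it reads as part of the declaration; move it out of the `<pre>` into the surrounding text.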

View File

@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_lookupnet - find the IPv4 network number and netmask for a device <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
int pcap_lookupnet(const char *device, bpf_u_int32 *netp,
&nbsp;&nbsp;&nbsp;&nbsp;bpf_u_int32 *maskp, char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_lookupnet()</span> is used to determine the IPv4 network number and mask associated with the network device <span Class="emphasis">device</span>. Both <span Class="emphasis">netp</span> and <span Class="emphasis">maskp</span> are <span Class="emphasis">bpf_u_int32</span> pointers. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_lookupnet()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. If <span Class="bold">PCAP_ERROR</span> is returned, <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
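Review bot: DESCRIPTION says only that netp and maskp are bpf_u_int32 pointers and does not state the byte order in which the network number and mask are stored, which a caller needs before comparing them against packet addresses or printing them. Add that to the DESCRIPTION. The SYNOPSIS also opens `<pre class="level0">` twice and closes it once.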

View File

@ -0,0 +1,78 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_loop, pcap_dispatch - process packets from a live capture or savefile <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h,
&nbsp;&nbsp;&nbsp;&nbsp; const u_char *bytes);
int pcap_loop(pcap_t *p, int cnt,
&nbsp;&nbsp;&nbsp;&nbsp;pcap_handler callback, u_char *user);
int pcap_dispatch(pcap_t *p, int cnt,
&nbsp;&nbsp;&nbsp;&nbsp;pcap_handler callback, u_char *user);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_loop()</span> processes packets from a live capture or ``savefile&#39;&#39; until <span Class="emphasis">cnt</span> packets are processed, the end of the ``savefile&#39;&#39; is reached when reading from a ``savefile&#39;&#39;, <a Class="bold" href="./pcap_breakloop.html">pcap_breakloop</a> is called, or an error occurs. It does <span Class="bold">not</span> return when live packet buffer timeouts occur. A value of -1 or 0 for <span Class="emphasis">cnt</span> is equivalent to infinity, so that packets are processed until another ending condition occurs.
<p class="level0"><span Class="bold">pcap_dispatch()</span> processes packets from a live capture or ``savefile&#39;&#39; until <span Class="emphasis">cnt</span> packets are processed, the end of the current bufferful of packets is reached when doing a live capture, the end of the ``savefile&#39;&#39; is reached when reading from a ``savefile&#39;&#39;, <span Class="bold">pcap_breakloop()</span> is called, or an error occurs. Thus, when doing a live capture, <span Class="emphasis">cnt</span> is the maximum number of packets to process before returning, but is not a minimum number; when reading a live capture, only one bufferful of packets is read at a time, so fewer than <span Class="emphasis">cnt</span> packets may be processed. A value of -1 or 0 for <span Class="emphasis">cnt</span> causes all the packets received in one buffer to be processed when reading a live capture, and causes all the packets in the file to be processed when reading a ``savefile&#39;&#39;.
<p class="level0">Note that, when doing a live capture on some platforms, if the read timeout expires when there are no packets available, <span Class="bold">pcap_dispatch()</span> will return 0, even when not in non-blocking mode, as there are no packets to process. Applications should be prepared for this to happen, but must not rely on it happening.
<p class="level0">(In older versions of libpcap, the behavior when <span Class="emphasis">cnt</span> was 0 was undefined; different platforms and devices behaved differently, so code that must work with older versions of libpcap should use -1, not 0, as the value of <span Class="emphasis">cnt</span>.)
<p class="level0"><span Class="emphasis">callback</span> specifies a <span Class="emphasis">pcap_handler</span> routine to be called with three arguments: a <span Class="emphasis">u_char</span> pointer which is passed in the <span Class="emphasis">user</span> argument to <span Class="bold">pcap_loop()</span> or <span Class="bold">pcap_dispatch()</span>, a <span Class="emphasis">const struct pcap_pkthdr</span> pointer pointing to the packet time stamp and lengths, and a <span Class="emphasis">const u_char</span> pointer to the first <span Class="bold">caplen</span> (as given in the <span Class="emphasis">struct pcap_pkthdr</span> a pointer to which is passed to the callback routine) bytes of data from the packet. The <span Class="emphasis">struct pcap_pkthdr</span> and the packet data are not to be freed by the callback routine, and are not guaranteed to be valid after the callback routine returns; if the code needs them to be valid after the callback, it must make a copy of them.
<p class="level0">The bytes of data from the packet begin with a link-layer header. The format of the link-layer header is indicated by the return value of the <a Class="bold" href="./pcap_datalink.html">pcap_datalink</a> routine when handed the <span Class="bold">pcap_t</span> value also passed to <span Class="bold">pcap_loop()</span> or <span Class="bold">pcap_dispatch()</span>. <span Class="emphasis"><a href="https://www.tcpdump.org/linktypes.html">https://www.tcpdump.org/linktypes.html</a></span> lists the values <span Class="bold">pcap_datalink()</span> can return and describes the packet formats that correspond to those values. The value it returns will be valid for all packets received unless and until <a Class="bold" href="./pcap_set_datalink.html">pcap_set_datalink</a> is called; after a successful call to <span Class="bold">pcap_set_datalink()</span>, all subsequent packets will have a link-layer header of the type specified by the link-layer header type value passed to <span Class="bold">pcap_set_datalink()</span>.
<p class="level0">Do <span Class="bold">NOT</span> assume that the packets for a given capture or ``savefile`` will have any given link-layer header type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. For example, the &quot;any&quot; device on Linux will have a link-layer header type of <span Class="bold">DLT_LINUX_SLL</span> even if all devices on the system at the time the &quot;any&quot; device is opened have some other data link type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_loop()</span> returns 0 if <span Class="emphasis">cnt</span> is exhausted or if, when reading from a ``savefile&#39;&#39;, no more packets are available. It returns <span Class="bold">PCAP_ERROR</span> if an error occurs or <span Class="bold">PCAP_ERROR_BREAK</span> if the loop terminated due to a call to <span Class="bold">pcap_breakloop()</span> before any packets were processed. It does <span Class="bold">not</span> return when live packet buffer timeouts occur; instead, it attempts to read more packets.
<p class="level0"><span Class="bold">pcap_dispatch()</span> returns the number of packets processed on success; this can be 0 if no packets were read from a live capture (if, for example, they were discarded because they didn&#39;t pass the packet filter, or if, on platforms that support a packet buffer timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read) or if no more packets are available in a ``savefile.&#39;&#39; It returns <span Class="bold">PCAP_ERROR</span> if an error occurs or <span Class="bold">PCAP_ERROR_BREAK</span> if the loop terminated due to a call to <span Class="bold">pcap_breakloop()</span> before any packets were processed. If your application uses pcap_breakloop(), make sure that you explicitly check for PCAP_ERROR and PCAP_ERROR_BREAK, rather than just checking for a return value &lt; 0.
<p class="level0">If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
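Review bot: RETURN VALUE for pcap_loop() covers PCAP_ERROR_BREAK only for a pcap_breakloop() call "before any packets were processed" and leaves the result unspecified when the break arrives after some packets were handled, although the text then tells applications to check PCAP_ERROR and PCAP_ERROR_BREAK explicitly. Spell out that case for both functions. Minor: in the "Do NOT assume" paragraph ``savefile`` is closed with two backticks where the rest of the page closes it with two apostrophes.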

View File

@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_major_version, pcap_minor_version - get the version number of a savefile <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_major_version(pcap_t *p);
int pcap_minor_version(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">If <span Class="emphasis">p</span> refers to a ``savefile&#39;&#39;, <span Class="bold">pcap_major_version()</span> returns the major number of the file format of the ``savefile&#39;&#39; and <span Class="bold">pcap_minor_version()</span> returns the minor number of the file format of the ``savefile&#39;&#39;. The version number is stored in the ``savefile&#39;&#39;; note that the meaning of its values depends on the type of ``savefile&#39;&#39; (for example, pcap or pcapng).
<p class="level0">If <span Class="emphasis">p</span> refers to a live capture, the values returned by <span Class="bold">pcap_major_version()</span> and <span Class="bold">pcap_minor_version()</span> are not meaningful. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
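Review bot: The `<title>` is the generic "3PCAP man page", so this page cannot be told apart from the other man pages in a browser tab, history entry or search result. Set it from the NAME section, for example "pcap_major_version, pcap_minor_version (3PCAP)".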

View File

@ -0,0 +1,71 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_next_ex, pcap_next - read the next packet from a pcap_t <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header,
&nbsp;&nbsp;&nbsp;&nbsp;const u_char **pkt_data);
const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_next_ex()</span> reads the next packet and returns a success/failure indication. If the packet was read without problems, the pointer pointed to by the <span Class="emphasis">pkt_header</span> argument is set to point to the <span Class="emphasis">pcap_pkthdr</span> struct for the packet, and the pointer pointed to by the <span Class="emphasis">pkt_data</span> argument is set to point to the data in the packet. The <span Class="emphasis">struct pcap_pkthdr</span> and the packet data are not to be freed by the caller, and are not guaranteed to be valid after the next call to <span Class="bold">pcap_next_ex()</span>, <span Class="bold">pcap_next()</span>, <a Class="bold" href="./pcap_loop.html">pcap_loop</a>, or <span Class="bold">pcap_dispatch(3PCAP)</span>; if the code needs them to remain valid, it must make a copy of them.
<p class="level0"><span Class="bold">pcap_next()</span> reads the next packet (by calling <span Class="bold">pcap_dispatch()</span> with a <span Class="emphasis">cnt</span> of 1) and returns a <span Class="emphasis">u_char</span> pointer to the data in that packet. The packet data is not to be freed by the caller, and is not guaranteed to be valid after the next call to <span Class="bold">pcap_next_ex()</span>, <span Class="bold">pcap_next()</span>, <span Class="bold">pcap_loop()</span>, or <span Class="bold">pcap_dispatch()</span>; if the code needs it to remain valid, it must make a copy of it. The <span Class="emphasis">pcap_pkthdr</span> structure pointed to by <span Class="emphasis">h</span> is filled in with the appropriate values for the packet.
<p class="level0">The bytes of data from the packet begin with a link-layer header. The format of the link-layer header is indicated by the return value of the <span Class="bold">pcap_datalink(PCAP)</span> routine when handed the <span Class="bold">pcap_t</span> value also passed to <span Class="bold">pcap_loop()</span> or <span Class="bold">pcap_dispatch()</span>. <span Class="emphasis"><a href="https://www.tcpdump.org/linktypes.html">https://www.tcpdump.org/linktypes.html</a></span> lists the values <span Class="bold">pcap_datalink()</span> can return and describes the packet formats that correspond to those values. The value it returns will be valid for all packets received unless and until <a Class="bold" href="./pcap_set_datalink.html">pcap_set_datalink</a> is called; after a successful call to <span Class="bold">pcap_set_datalink()</span>, all subsequent packets will have a link-layer header of the type specified by the link-layer header type value passed to <span Class="bold">pcap_set_datalink()</span>.
<p class="level0">Do <span Class="bold">NOT</span> assume that the packets for a given capture or ``savefile`` will have any given link-layer header type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. For example, the &quot;any&quot; device on Linux will have a link-layer header type of <span Class="bold">DLT_LINUX_SLL</span> even if all devices on the system at the time the &quot;any&quot; device is opened have some other data link type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_next_ex()</span> returns 1 if the packet was read without problems, 0 if packets are being read from a live capture and the packet buffer timeout expired, <span Class="bold">PCAP_ERROR</span> if an error occurred while reading the packet, and <span Class="bold">PCAP_ERROR_BREAK</span> if packets are being read from a ``savefile&#39;&#39; and there are no more packets to read from the savefile. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text.
<p class="level0"><span Class="bold">pcap_next()</span> returns a pointer to the packet data on success, and returns <span Class="bold">NULL</span> if an error occurred, or if no packets were read from a live capture (if, for example, they were discarded because they didn&#39;t pass the packet filter, or if, on platforms that support a packet buffer timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read), or if no more packets are available in a ``savefile.&#39;&#39; Unfortunately, there is no way to determine whether an error occurred or not. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
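Review bot: In the paragraph on the link-layer header, `pcap_datalink(PCAP)` has lost the "3" of its section suffix and is not linked, unlike pcap_set_datalink in the same paragraph; it should read pcap_datalink(3PCAP). The following paragraph also closes the savefile quote with two backticks (``savefile``) where every other occurrence on the page closes it with &#39;&#39;.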

View File

@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_offline_filter - check whether a filter matches a packet <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_offline_filter(const struct bpf_program *fp,
&nbsp;&nbsp;&nbsp;&nbsp;const struct pcap_pkthdr *h, const u_char *pkt)
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_offline_filter()</span> checks whether a filter matches a packet. <span Class="emphasis">fp</span> is a pointer to a <span Class="emphasis">bpf_program</span> struct, usually the result of a call to <a Class="bold" href="./pcap_compile.html">pcap_compile</a>. <span Class="emphasis">h</span> points to the <span Class="emphasis">pcap_pkthdr</span> structure for the packet, and <span Class="emphasis">pkt</span> points to the data in the packet. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_offline_filter()</span> returns the return value of the filter program. This will be zero if the packet doesn&#39;t match the filter and non-zero if the packet matches the filter. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
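Review bot: The SYNOPSIS prototype ends at `const u_char *pkt)` with no terminating semicolon, unlike the prototypes in the other man pages, so it is not a valid declaration when copied into code. Add the `;`.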

View File

@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_open_dead, pcap_open_dead_with_tstamp_precision - open a fake pcap_t for compiling filters or opening a capture for output <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
pcap_t *pcap_open_dead(int linktype, int snaplen);
pcap_t *pcap_open_dead_with_tstamp_precision(int linktype, int snaplen,
&nbsp; u_int precision);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">
<p class="level0"><span Class="bold">pcap_open_dead()</span> and <span Class="bold">pcap_open_dead_with_tstamp_precision()</span> are used for creating a <span Class="bold">pcap_t</span> structure to use when calling the other functions in libpcap. It is typically used when just using libpcap for compiling BPF code; it can also be used if using <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>, <a Class="bold" href="./pcap_dump.html">pcap_dump</a>, and <a Class="bold" href="./pcap_dump_close.html">pcap_dump_close</a> to write a savefile if there is no <span Class="bold">pcap_t</span> that supplies the packets to be written.
<p class="level0"><span Class="emphasis">linktype</span> specifies the link-layer type for the <span Class="bold">pcap_t</span>.
<p class="level0"><span Class="emphasis">snaplen</span> specifies the snapshot length for the <span Class="bold">pcap_t</span>.
<p class="level0">When <span Class="bold">pcap_open_dead_with_tstamp_precision()</span>, is used to create a <span Class="bold">pcap_t</span> for use with <span Class="bold">pcap_dump_open()</span>, <span Class="emphasis">precision</span> specifies the time stamp precision for packets; <span Class="bold">PCAP_TSTAMP_PRECISION_MICRO</span> should be specified if the packets to be written have time stamps in seconds and microseconds, and <span Class="bold">PCAP_TSTAMP_PRECISION_NANO</span> should be specified if the packets to be written have time stamps in seconds and nanoseconds. Its value does not affect <a Class="bold" href="./pcap_compile.html">pcap_compile</a>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <span Class="bold">\%pcap-linktype</span>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
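Review bot: SEE ALSO contains `\%pcap-linktype`: the roff `\%` escape was not stripped during conversion and will render literally. Drop the `\%`, and link the name if pcap-linktype.html is part of this commit. In the same file, DESCRIPTION opens with an empty `<p class="level0">`, and "pcap_open_dead_with_tstamp_precision(), is used" carries a stray comma.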

View File

@ -0,0 +1,71 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_open_live - open a device for capturing <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap_open_live(const char *device, int snaplen,
&nbsp;&nbsp;&nbsp;&nbsp;int promisc, int to_ms, char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_open_live()</span> is used to obtain a packet capture handle to look at packets on the network. <span Class="emphasis">device</span> is a string that specifies the network device to open; on Linux systems with 2.2 or later kernels, a <span Class="emphasis">device</span> argument of &quot;any&quot; or <span Class="bold">NULL</span> can be used to capture packets from all interfaces.
<p class="level0"><span Class="emphasis">snaplen</span> specifies the snapshot length to be set on the handle.
<p class="level0"><span Class="emphasis">promisc</span> specifies if the interface is to be put into promiscuous mode.
<p class="level0"><span Class="emphasis">to_ms</span> specifies the packet buffer timeout, as a non-negative value, in milliseconds. (See <a Class="bold" href="./pcap.html">pcap</a>(3PCAP) for an explanation of the packet buffer timeout.) <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_open_live()</span> returns a <span Class="emphasis">pcap_t *</span> on success and <span Class="bold">NULL</span> on failure. If <span Class="bold">NULL</span> is returned, <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> may also be set to warning text when <span Class="bold">pcap_open_live()</span> succeeds; to detect this case the caller should store a zero-length string in <span Class="emphasis">errbuf</span> before calling <span Class="bold">pcap_open_live()</span> and display the warning to the user if <span Class="emphasis">errbuf</span> is no longer a zero-length string. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
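Review bot: The SYNOPSIS opens `<pre class="level0">` twice, once before the #include line and again before `char errbuf[PCAP_ERRBUF_SIZE];`, but contains a single `</pre>`, so one block is never closed. Remove the second opening tag, or close the first block after the #include line.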

View File

@ -0,0 +1,76 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_open_offline, pcap_open_offline_with_tstamp_precision, pcap_fopen_offline, pcap_fopen_offline_with_tstamp_precision - open a saved capture file for reading <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap_open_offline(const char *fname, char *errbuf);
pcap_t *pcap_open_offline_with_tstamp_precision(const char *fname,
&nbsp; u_int precision, char *errbuf);
pcap_t *pcap_fopen_offline(FILE *fp, char *errbuf);
pcap_t *pcap_fopen_offline_with_tstamp_precision(FILE *fp,
&nbsp; u_int precision, char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_open_offline()</span> and <span Class="bold">pcap_open_offline_with_tstamp_precision()</span> are called to open a ``savefile&#39;&#39; for reading.
<p class="level0"><span Class="emphasis">fname</span> specifies the name of the file to open. The file can have the pcap file format as described in <a Class="bold" href="./pcap-savefile.html">pcap-savefile</a>(5), which is the file format used by, among other programs, <span Class="bold">tcpdump</span>(1) and <span Class="bold">tcpslice</span>(1), or can have the pcapng file format, although not all pcapng files can be read. The name &quot;-&quot; is a synonym for <span Class="bold">stdin</span>.
<p class="level0"><span Class="bold">pcap_open_offline_with_tstamp_precision()</span> takes an additional <span Class="emphasis">precision</span> argument specifying the time stamp precision desired; if <span Class="bold">PCAP_TSTAMP_PRECISION_MICRO</span> is specified, packet time stamps will be supplied in seconds and microseconds, and if <span Class="bold">PCAP_TSTAMP_PRECISION_NANO</span> is specified, packet time stamps will be supplied in seconds and nanoseconds. If the time stamps in the file do not have the same precision as the requested precision, they will be scaled up or down as necessary before being supplied.
<p class="level0">Alternatively, you may call <span Class="bold">pcap_fopen_offline()</span> or <span Class="bold">pcap_fopen_offline_with_tstamp_precision()</span> to read dumped data from an existing open stream <span Class="emphasis">fp</span>. <span Class="bold">pcap_fopen_offline_with_tstamp_precision()</span> takes an additional <span Class="emphasis">precision</span> argument as described above. Note that on Windows, that stream should be opened in binary mode. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_open_offline()</span>, <span Class="bold">pcap_open_offline_with_tstamp_precision()</span>, <span Class="bold">pcap_fopen_offline()</span>, and <span Class="bold">pcap_fopen_offline_with_tstamp_precision()</span> return a <span Class="emphasis">pcap_t *</span> on success and <span Class="bold">NULL</span> on failure. If <span Class="bold">NULL</span> is returned, <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0"><span Class="bold">pcap_open_offline_with_tstamp_precision</span> and <span Class="bold">pcap_fopen_offline_with_tstamp_precision</span> became available in libpcap release 1.5.1. In previous releases, time stamps from a savefile are always given in seconds and microseconds. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap-savefile.html">pcap-savefile</a>(5) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
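Review bot: The SYNOPSIS has two `<pre class="level0">` openers and only one `</pre>`, which leaves the markup unbalanced and relies on the browser's error recovery to end the block before DESCRIPTION. Drop the opener that follows the #include line so the four prototypes sit in one properly closed block.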

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_buffer_size - set the buffer size for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_buffer_size(pcap_t *p, int buffer_size);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_buffer_size()</span> sets the buffer size that will be used on a capture handle when the handle is activated to <span Class="emphasis">buffer_size</span>, which is in units of bytes. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_buffer_size()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
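Review bot: The inline `<STYLE>` block is the same boilerplate carried by each of the other roffit-generated pages in this commit and makes up most of this 65-line file. Move it to one shared stylesheet referenced with a `<link>`, or leave these generated pages out of the repository and reference the upstream documentation instead.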

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_datalink - set the link-layer header type to be used by a capture device <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_datalink(pcap_t *p, int dlt);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_datalink()</span> is used to set the current link-layer header type of the pcap descriptor to the type specified by <span Class="emphasis">dlt</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_datalink()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_datalink_name_to_val.html">pcap_datalink_name_to_val</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_promisc - set promiscuous mode for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_promisc(pcap_t *p, int promisc);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_promisc()</span> sets whether promiscuous mode should be set on a capture handle when the handle is activated. If <span Class="emphasis">promisc</span> is non-zero, promiscuous mode will be set, otherwise it will not be set. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_promisc()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_protocol_linux - set capture protocol for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_protocol_linux(pcap_t *p, int protocol);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">On network interface devices on Linux, <span Class="bold">pcap_set_protocol_linux()</span> sets the protocol to be used in the <span Class="bold">socket</span>(2) call to create a capture socket when the handle is activated. The argument is a link-layer protocol value, such as the values in the <span Class="bold">&lt;linux/if_ether.h&gt;</span> header file, specified in host byte order. If <span Class="emphasis">protocol</span> is non-zero, packets of that protocol will be captured when the handle is activated, otherwise, all packets will be captured. This function is only provided on Linux, and, if it is used on any device other than a network interface, it will have no effect.
<p class="level0">It should not be used in portable code; instead, a filter should be specified with <a Class="bold" href="./pcap_setfilter.html">pcap_setfilter</a>.
<p class="level0">If a given network interface provides a standard link-layer header, with a standard packet type, but provides some packet types with a different socket-layer protocol type from the one in the link-layer header, that packet type cannot be filtered with a filter specified with <span Class="bold">pcap_setfilter()</span> but can be filtered by specifying the socket-layer protocol type using <span Class="bold">pcap_set_protocol_linux()</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_protocol_linux()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">This function became available in libpcap release 1.9.0. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_rfmon - set monitor mode for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_rfmon(pcap_t *p, int rfmon);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_rfmon()</span> sets whether monitor mode should be set on a capture handle when the handle is activated. If <span Class="emphasis">rfmon</span> is non-zero, monitor mode will be set, otherwise it will not be set. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_rfmon()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP), <a Class="bold" href="./pcap_can_set_rfmon.html">pcap_can_set_rfmon</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
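Review bot: In DESCRIPTION, the text says monitor mode "will be set" when rfmon is non-zero but never tells the caller to confirm that the device supports it; pcap_can_set_rfmon is mentioned only in SEE ALSO. Add a sentence to DESCRIPTION that points at pcap_can_set_rfmon before the RETURN VALUE heading. Also note that every `<p class="level0">` wrapping an `<h2 class="nroffsh">` is left unclosed, so if this roffit output is to be vendored it is better regenerated than hand-edited.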

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_snaplen - set the snapshot length for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_snaplen(pcap_t *p, int snaplen);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_snaplen()</span> sets the snapshot length to be used on a capture handle when the handle is activated to <span Class="emphasis">snaplen</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_snaplen()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
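Review bot: The DESCRIPTION sentence parses as "activated to snaplen" because "to snaplen" is separated from "sets the snapshot length" by the whole "when the handle is activated" clause. Reword it so the value follows the verb, for example "sets the snapshot length to snaplen, to be used when the handle is activated". The page also gives no accepted range for snaplen, which a caller would want stated next to the prototype.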

View File

@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_timeout - set the packet buffer timeout for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_timeout(pcap_t *p, int to_ms);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_timeout()</span> sets the packet buffer timeout that will be used on a capture handle when the handle is activated to <span Class="emphasis">to_ms</span>, which is in units of milliseconds. (See <a Class="bold" href="./pcap.html">pcap</a>(3PCAP) for an explanation of the packet buffer timeout.)
<p class="level0">The behavior, if the timeout isn&#39;t specified, is undefined, as is the behavior if the timeout is set to zero or to a negative value. We recommend always setting the timeout to a non-zero value unless immediate mode is set, in which case the timeout has no effect. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_timeout()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP), <span Class="bold">\%pcap_set_immediate_mode</span>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
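Review bot: In SEE ALSO, `\%pcap_set_immediate_mode` still carries the roff `\%` escape and is a bold span rather than a link, unlike pcap_create and pcap_activate on the same line. Strip the escape and link it the same way. DESCRIPTION refers the reader to pcap(3PCAP) for the packet buffer timeout, yet pcap(3PCAP) is missing from SEE ALSO on this page.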

View File

@ -0,0 +1,75 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_tstamp_precision - set the time stamp precision returned in captures <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_tstamp_precision(pcap_t *p, int tstamp_precision);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_tstamp_precision()</span> sets the precision of the time stamp desired for packets captured on the pcap descriptor to the type specified by <span Class="emphasis">tstamp_precision</span>. It must be called on a pcap descriptor created by <a Class="bold" href="./pcap_create.html">pcap_create</a> that has not yet been activated by <a Class="bold" href="./pcap_activate.html">pcap_activate</a>. Two time stamp precisions are supported, microseconds and nanoseconds. One can use options <span Class="bold">PCAP_TSTAMP_PRECISION_MICRO and</span> <span Class="bold">PCAP_TSTAMP_PRECISION_NANO</span> to request desired precision. By default, time stamps are in microseconds. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_tstamp_precision()</span> returns 0 on success if the specified time stamp precision is expected to be supported by the capture device, <span Class="bold">PCAP_ERROR_TSTAMP_PRECISION_NOTSUP</span> if the capture device does not support the requested time stamp precision, <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">This function became available in libpcap release 1.5.1. In previous releases, time stamps from a capture device or savefile are always given in seconds and microseconds. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_get_tstamp_precision.html">pcap_get_tstamp_precision</a>(3PCAP), <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
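Review bot: In DESCRIPTION the bold span reads `PCAP_TSTAMP_PRECISION_MICRO and`, so the word "and" is rendered as part of the constant name; close the span after the constant. The RETURN VALUE sentence lists three outcomes with no "and" or "or" before PCAP_ERROR_ACTIVATED, and the body opens with nine empty `<p class="level0">` elements before NAME that should be dropped.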

View File

@ -0,0 +1,67 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_tstamp_type - set the time stamp type to be used by a capture device <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_tstamp_type(pcap_t *p, int tstamp_type);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_tstamp_type()</span> sets the type of time stamp desired for packets captured on the pcap descriptor to the type specified by <span Class="emphasis">tstamp_type</span>. It must be called on a pcap descriptor created by <a Class="bold" href="./pcap_create.html">pcap_create</a> that has not yet been activated by <a Class="bold" href="./pcap_activate.html">pcap_activate</a>. <a Class="bold" href="./pcap_list_tstamp_types.html">pcap_list_tstamp_types</a> will give a list of the time stamp types supported by a given capture device. See <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) for a list of all the time stamp types. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_tstamp_type()</span> returns 0 on success if the specified time stamp type is expected to be supported by the capture device, <span Class="bold">PCAP_WARNING_TSTAMP_TYPE_NOTSUP</span> if the specified time stamp type is not supported by the capture device, <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated, and <span Class="bold">PCAP_ERROR_CANTSET_TSTAMP_TYPE</span> if the capture device doesn&#39;t support setting the time stamp type (only older versions of libpcap will return that; newer versions will always allow the time stamp type to be set to the default type). <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">This function became available in libpcap release 1.2.1. In previous releases, the time stamp type cannot be set; only the default time stamp type offered by a capture source is available. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_tstamp_type_name_to_val.html">pcap_tstamp_type_name_to_val</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
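Review bot: RETURN VALUE lists PCAP_WARNING_TSTAMP_TYPE_NOTSUP in the same sentence as the two PCAP_ERROR_ codes without saying whether the handle can still be activated after the warning. State what the caller may do after a warning as opposed to an error, since the naming implies they differ. There is also an empty `<p class="level0">` directly under the BACKWARD COMPATIBILITY heading.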

View File

@ -0,0 +1,67 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_setdirection - set the direction for which packets will be captured <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_setdirection(pcap_t *p, pcap_direction_t d);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_setdirection()</span> is used to specify a direction that packets will be captured. <span Class="emphasis">d</span> is one of the constants <span Class="bold">PCAP_D_IN</span>, <span Class="bold">PCAP_D_OUT</span> or <span Class="bold">PCAP_D_INOUT</span>. <span Class="bold">PCAP_D_IN</span> will only capture packets received by the device, <span Class="bold">PCAP_D_OUT</span> will only capture packets sent by the device and <span Class="bold">PCAP_D_INOUT</span> will capture packets received by or sent by the device. <span Class="bold">PCAP_D_INOUT</span> is the default setting if this function is not called.
<p class="level0"><span Class="bold">pcap_setdirection()</span> isn&#39;t necessarily fully supported on all platforms; some platforms might return an error for all values, and some other platforms might not support <span Class="bold">PCAP_D_OUT</span>.
<p class="level0">This operation is not supported if a ``savefile&#39;&#39; is being read. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_setdirection()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
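Review bot: DESCRIPTION does not say whether pcap_setdirection() is called before or after the handle is activated, while the pcap_set_* pages in this commit each state that requirement and return PCAP_ERROR_ACTIVATED. Add the ordering requirement here. In RETURN VALUE, `pcap_perror(3PCAP)` sits inside a bold span with the section suffix and no link, while pcap_geterr beside it is a link with no suffix; make the two consistent.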

View File

@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_setfilter - set the filter <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_setfilter(pcap_t *p, struct bpf_program *fp);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_setfilter()</span> is used to specify a filter program. <span Class="emphasis">fp</span> is a pointer to a <span Class="emphasis">bpf_program</span> struct, usually the result of a call to <span Class="bold">\%pcap_compile(3PCAP)</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_setfilter()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
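Review bot: In DESCRIPTION, `\%pcap_compile(3PCAP)` keeps the roff `\%` escape and is not a link, and SEE ALSO lists only pcap(3PCAP) even though the text depends on pcap_compile and pcap_geterr. Strip the escape, link pcap_compile, and add both functions to SEE ALSO so a reader can get from the filter setter to the filter compiler.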

View File

@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_setnonblock, pcap_getnonblock - set or get the state of non-blocking mode on a capture device <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
int pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf);
int pcap_getnonblock(pcap_t *p, char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_setnonblock()</span> puts a capture handle into ``non-blocking&#39;&#39; mode, or takes it out of ``non-blocking&#39;&#39; mode, depending on whether the <span Class="emphasis">nonblock</span> argument is non-zero or zero. It has no effect on ``savefiles&#39;&#39;. If there is an error, <span Class="bold">PCAP_ERROR</span> is returned and <span Class="emphasis">errbuf</span> is filled in with an appropriate error message; otherwise, 0 is returned. In ``non-blocking&#39;&#39; mode, an attempt to read from the capture descriptor with <span Class="bold">pcap_dispatch(3PCAP)</span> will, if no packets are currently available to be read, return 0 immediately rather than blocking waiting for packets to arrive. <a Class="bold" href="./pcap_loop.html">pcap_loop</a> and <span Class="bold">pcap_next(3PCAP)</span> will not work in ``non-blocking&#39;&#39; mode.
<p class="level0">When first activated with <a Class="bold" href="./pcap_activate.html">pcap_activate</a> or opened with <span Class="bold">pcap_open_live(3PCAP) ,</span> a capture handle is not in ``non-blocking mode&#39;&#39;; a call to <span Class="bold">pcap_setnonblock()</span> is required in order to put it into ``non-blocking&#39;&#39; mode. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_getnonblock()</span> returns the current ``non-blocking&#39;&#39; state of the capture descriptor; it always returns 0 on ``savefiles&#39;&#39;. If there is an error, <span Class="bold">PCAP_ERROR</span> is returned and <span Class="emphasis">errbuf</span> is filled in with an appropriate error message.
<p class="level0"><span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_next_ex.html">pcap_next_ex</a>(3PCAP), <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
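Review bot: SYNOPSIS opens a second `<pre class="level0">` before the errbuf declaration while the first one is still open, and only one `</pre>` follows, so the markup is unbalanced. Drop the inner `<pre>` or close the first block before it. The return behaviour of pcap_setnonblock() is described in DESCRIPTION, while the RETURN VALUE section covers only pcap_getnonblock(); move the setter's return values under RETURN VALUE as well. The bold span `pcap_open_live(3PCAP) ,` also has a stray space before the comma.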

View File

@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_snapshot - get the snapshot length <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_snapshot(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_snapshot()</span> returns the snapshot length specified when <a Class="bold" href="./pcap_set_snaplen.html">pcap_set_snaplen</a> or <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a> was called, for a live capture, or the snapshot length from the capture file, for a ``savefile&#39;&#39;.
<p class="level0">It must not be called on a pcap descriptor created by <span Class="bold">\%pcap_create(3PCAP)</span> that has not yet been activated by <span Class="bold">\%pcap_activate(3PCAP)</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_snapshot()</span> returns the snapshot length on success and <span Class="bold">PCAP_ERROR_NOT_ACTIVATED</span> if called on a capture handle that has been created but not activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
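Review bot: The second DESCRIPTION paragraph renders `\%pcap_create(3PCAP)` and `\%pcap_activate(3PCAP)` with the roff `\%` escape intact and without links, although pcap_set_snaplen and pcap_open_live in the paragraph above are linked. Strip the escapes and link both, and consider listing pcap_set_snaplen in SEE ALSO since the returned value is defined in terms of it.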

View File

@ -0,0 +1,73 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_stats - get capture statistics <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_stats(pcap_t *p, struct pcap_stat *ps);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_stats()</span> fills in the <span Class="bold">struct pcap_stat</span> pointed to by its second argument. The values represent packet statistics from the start of the run to the time of the call.
<p class="level0"><span Class="bold">pcap_stats()</span> is supported only on live captures, not on ``savefiles&#39;&#39;; no statistics are stored in ``savefiles&#39;&#39;, so no statistics are available when reading from a ``savefile&#39;&#39;.
<p class="level0">A <span Class="bold">struct pcap_stat</span> has the following members:
<p class="level1">
<p class="level1"><span Class="bold">ps_recv</span> number of packets received;
<p class="level1"><span Class="bold">ps_drop</span> number of packets dropped because there was no room in the operating system&#39;s buffer when they arrived, because packets weren&#39;t being read fast enough;
<p class="level1"><span Class="bold">ps_ifdrop</span> number of packets dropped by the network interface or its driver.
<p class="level0">
<p class="level0">The statistics do not behave the same way on all platforms. <span Class="bold">ps_recv</span> might count packets whether they passed any filter set with <a Class="bold" href="./pcap_setfilter.html">pcap_setfilter</a>(3PCAP) or not, or it might count only packets that pass the filter. It also might, or might not, count packets dropped because there was no room in the operating system&#39;s buffer when they arrived. <span Class="bold">ps_drop</span> is not available on all platforms; it is zero on platforms where it&#39;s not available. If packet filtering is done in libpcap, rather than in the operating system, it would count packets that don&#39;t pass the filter. Both <span Class="bold">ps_recv</span> and <span Class="bold">ps_drop</span> might, or might not, count packets not yet read from the operating system and thus not yet seen by the application. <span Class="bold">ps_ifdrop</span> might, or might not, be implemented; if it&#39;s zero, that might mean that no packets were dropped by the interface, or it might mean that the statistic is unavailable, so it should not be treated as an indication that the interface did not drop any packets. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_stats()</span> returns 0 on success and returns <span Class="bold">PCAP_ERROR</span> if there is an error or if <span Class="emphasis">p</span> doesn&#39;t support packet statistics. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
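Review bot: In the platform-differences paragraph, the sentence "If packet filtering is done in libpcap, rather than in the operating system, it would count packets that don't pass the filter" has no clear antecedent for "it"; it follows a sentence about ps_drop, so it reads as if ps_drop counts filtered-out packets. Name the member explicitly. The member list is also rendered as bare paragraphs with the name and description run together, and there are empty `<p class="level1">` and `<p class="level0">` elements before and after it.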

View File

@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_statustostr - convert a PCAP_ERROR_ or PCAP_WARNING_ value to a string <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
const char *pcap_statustostr(int error);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_statustostr()</span> converts a <span Class="bold">PCAP_ERROR_</span> or <span Class="bold">PCAP_WARNING_</span> value returned by a libpcap routine to an error string. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_strerror - convert an errno value to a string <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
const char *pcap_strerror(int error);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_strerror()</span> is provided in case <span Class="bold">strerror</span>(3) isn&#39;t available. It returns an error message string corresponding to <span Class="emphasis">error</span>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,67 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_tstamp_type_name_to_val - get the time stamp type value corresponding to a time stamp type name <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_tstamp_type_name_to_val(const char *name);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_tstamp_type_name_to_val()</span> translates a time stamp type name to the corresponding time stamp type value. The translation is case-insensitive. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_tstamp_type_name_to_val()</span> returns time stamp type value on success and <span Class="bold">PCAP_ERROR</span> on failure. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">This function became available in libpcap release 1.2.1. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_tstamp_type_val_to_name.html">pcap_tstamp_type_val_to_name</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

View File

@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_tstamp_type_val_to_name, pcap_tstamp_type_val_to_description - get a name or description for a time stamp type value <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap.h&gt;
const char *pcap_tstamp_type_val_to_name(int tstamp_type);
const char *pcap_tstamp_type_val_to_description(int tstamp_type);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_tstamp_type_val_to_name()</span> translates a time stamp type value to the corresponding time stamp type name. <span Class="bold">NULL</span> is returned on failure.
<p class="level0"><span Class="bold">pcap_tstamp_type_val_to_description()</span> translates a time stamp type value to a short description of that time stamp type. <span Class="bold">NULL</span> is returned on failure. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">These functions became available in libpcap release 1.2.1. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_tstamp_type_name_to_val.html">pcap_tstamp_type_name_to_val</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>
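Review bot: SYNOPSIS uses `#include <pcap.h>`, while every other man page added in this part of the commit uses `#include <pcap/pcap.h>`. Use the same header path here unless the difference is intended, in which case say why. There is also an empty `<p class="level0">` directly under the BACKWARD COMPATIBILITY heading.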