gh0s7/NE_YuR
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tcp/quic lab finished

Browse Source
This commit is contained in:
CGH0S7
2025-12-25 14:33:29 +08:00
parent ac5b4bc15d
commit 200566e8fe
261 changed files with 2664 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

540
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap-filter.html Normal file
View File

@@ -0,0 +1,540 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>PCAP-FILTER man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap-filter - packet filter syntax <br>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">
<p class="level0"><span Class="bold">pcap_compile()</span> is used to compile a string into a filter program. The resulting filter program can then be applied to some stream of packets to determine which packets will be supplied to <a Class="bold" href="./pcap_loop.html">pcap_loop</a>, <span Class="bold">pcap_dispatch(3PCAP)</span>, <span Class="bold">pcap_next(3PCAP)</span>, or <a Class="bold" href="./pcap_next_ex.html">pcap_next_ex</a>.
<p class="level0">The <span Class="emphasis">filter expression</span> consists of one or more <span Class="emphasis">primitives</span>. Primitives usually consist of an <span Class="emphasis">id</span> (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:
<p class="level0"><a name="fItypefP"></a><span class="nroffip">type</span>
<p class="level1"><span Class="emphasis">type</span> qualifiers say what kind of thing the id name or number refers to. Possible types are <span Class="bold">host</span>, <span Class="bold">net ,</span> <span Class="bold">port</span> and <span Class="bold">portrange</span>. E.g., `host foo&#39;, `net 128.3&#39;, `port 20&#39;, `portrange 6000-6008&#39;. If there is no type qualifier, <span Class="bold">host</span> is assumed.
<p class="level0"><a name="fIdirfP"></a><span class="nroffip">dir</span>
<p class="level1"><span Class="emphasis">dir</span> qualifiers specify a particular transfer direction to and/or from <span Class="emphasis">id</span>. Possible directions are <span Class="bold">src</span>, <span Class="bold">dst</span>, <span Class="bold">src or dst</span>, <span Class="bold">src and dst</span>, <span Class="bold">ra</span>, <span Class="bold">ta</span>, <span Class="bold">addr1</span>, <span Class="bold">addr2</span>, <span Class="bold">addr3</span>, and <span Class="bold">addr4</span>. E.g., `src foo&#39;, `dst net 128.3&#39;, `src or dst port ftp-data&#39;. If there is no dir qualifier, <span Class="bold">src or dst</span> is assumed. The <span Class="bold">ra</span>, <span Class="bold">ta</span>, <span Class="bold">addr1</span>, <span Class="bold">addr2</span>, <span Class="bold">addr3</span>, and <span Class="bold">addr4</span> qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.
<p class="level0"><a name="fIprotofP"></a><span class="nroffip">proto</span>
<p class="level1"><span Class="emphasis">proto</span> qualifiers restrict the match to a particular protocol. Possible protos are: <span Class="bold">ether</span>, <span Class="bold">fddi</span>, <span Class="bold">tr</span>, <span Class="bold">wlan</span>, <span Class="bold">ip</span>, <span Class="bold">ip6</span>, <span Class="bold">arp</span>, <span Class="bold">rarp</span>, <span Class="bold">decnet</span>, <span Class="bold">tcp</span> and <span Class="bold">udp</span>. E.g., `ether src foo&#39;, `arp net 128.3&#39;, `tcp port 21&#39;, `udp portrange 7000-7009&#39;, `wlan addr2 0:2:3:4:5:6&#39;. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo&#39; means `(ip or arp or rarp) src foo&#39; (except the latter is not legal syntax), `net bar&#39; means `(ip or arp or rarp) net bar&#39; and `port 53&#39; means `(tcp or udp) port 53&#39;.
<p class="level1">[`fddi&#39; is actually an alias for `ether&#39;; the parser treats them identically as meaning ``the data link level used on the specified network interface.&#39;&#39; FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.
<p class="level1">Similarly, `tr&#39; and `wlan&#39; are aliases for `ether&#39;; the previous paragraph&#39;s statements about FDDI headers also apply to Token Ring and 802.11 wireless LAN headers. For 802.11 headers, the destination address is the DA field and the source address is the SA field; the BSSID, RA, and TA fields aren&#39;t tested.]
<p class="level1">In addition to the above, there are some special `primitive&#39; keywords that don&#39;t follow the pattern: <span Class="bold">gateway</span>, <span Class="bold">broadcast</span>, <span Class="bold">less</span>, <span Class="bold">greater</span> and arithmetic expressions. All of these are described below.
<p class="level1">More complex filter expressions are built up by using the words <span Class="bold">and</span>, <span Class="bold">or</span> and <span Class="bold">not</span> to combine primitives. E.g., `host foo and not port ftp and not port ftp-data&#39;. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain&#39; is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain&#39;.
<p class="level1">Allowable primitives are:
<p class="level0"><a name="fBdst"></a><span class="nroffip">dst host host</span>
<p class="level1">True if the IPv4/v6 destination field of the packet is <span Class="emphasis">host</span>, which may be either an address or a name.
<p class="level0"><a name="fBsrc"></a><span class="nroffip">src host host</span>
<p class="level1">True if the IPv4/v6 source field of the packet is <span Class="emphasis">host</span>.
<p class="level0"><a name="fBhost"></a><span class="nroffip">host host</span>
<p class="level1">True if either the IPv4/v6 source or destination of the packet is <span Class="emphasis">host</span>.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Any of the above host expressions can be prepended with the keywords, <span Class="bold">ip</span>, <span Class="bold">arp</span>, <span Class="bold">rarp</span>, or <span Class="bold">ip6</span> as in:
<p class="level1"><pre class="level1">
<span class="bold">ip host <span class="emphasis">host</span>
</pre>
<p class="level1">
<p class="level1">which is equivalent to:
<p class="level1"><pre class="level1">
<span class="bold">ether proto <span class="emphasis">\ip<span class="bold"> and host <span class="emphasis">host</span>
</pre>
<p class="level1">
<p class="level1">If <span Class="emphasis">host</span> is a name with multiple IP addresses, each address will be checked for a match.
<p class="level0"><a name="fBether"></a><span class="nroffip">ether dst ehost</span>
<p class="level1">True if the Ethernet destination address is <span Class="emphasis">ehost</span>. <span Class="emphasis">Ehost</span> may be either a name from /etc/ethers or a numerical MAC address of the form &quot;xx:xx:xx:xx:xx:xx&quot;, &quot;xx.xx.xx.xx.xx.xx&quot;, &quot;xx-xx-xx-xx-xx-xx&quot;, &quot;xxxx.xxxx.xxxx&quot;, &quot;xxxxxxxxxxxx&quot;, or various mixes of &#39;:&#39;, &#39;.&#39;, and &#39;-&#39;, where each &quot;x&quot; is a hex digit (0-9, a-f, or A-F).
<p class="level0"><a name="fBether"></a><span class="nroffip">ether src ehost</span>
<p class="level1">True if the Ethernet source address is <span Class="emphasis">ehost</span>.
<p class="level0"><a name="fBether"></a><span class="nroffip">ether host ehost</span>
<p class="level1">True if either the Ethernet source or destination address is <span Class="emphasis">ehost</span>.
<p class="level0"><a name="fBgatewayfP"></a><span class="nroffip">gateway host</span>
<p class="level1">True if the packet used <span Class="emphasis">host</span> as a gateway. I.e., the Ethernet source or destination address was <span Class="emphasis">host</span> but neither the IP source nor the IP destination was <span Class="emphasis">host</span>. <span Class="emphasis">Host</span> must be a name and must be found both by the machine&#39;s host-name-to-IP-address resolution mechanisms (host name file, DNS, NIS, etc.) and by the machine&#39;s host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). (An equivalent expression is
<p class="level1"><pre class="level1">
<span class="bold">ether host <span class="emphasis">ehost <span class="bold">and not host <span class="emphasis">host</span>
</pre>
<p class="level1">
<p class="level1">which can be used with either names or numbers for <span Class="emphasis">host / ehost</span>.) This syntax does not work in IPv6-enabled configuration at this moment.
<p class="level0"><a name="fBdst"></a><span class="nroffip">dst net net</span>
<p class="level1">True if the IPv4/v6 destination address of the packet has a network number of <span Class="emphasis">net</span>. <span Class="emphasis">Net</span> may be either a name from the networks database (/etc/networks, etc.) or a network number. An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0), dotted triple (e.g., 192.168.1), dotted pair (e.g, 172.16), or single number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad (which means that it&#39;s really a host match), 255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number. An IPv6 network number must be written out fully; the netmask is ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 &quot;network&quot; matches are really always host matches, and a network match requires a netmask length.
<p class="level0"><a name="fBsrc"></a><span class="nroffip">src net net</span>
<p class="level1">True if the IPv4/v6 source address of the packet has a network number of <span Class="emphasis">net</span>.
<p class="level0"><a name="fBnet"></a><span class="nroffip">net net</span>
<p class="level1">True if either the IPv4/v6 source or destination address of the packet has a network number of <span Class="emphasis">net</span>.
<p class="level0"><a name="fBnet"></a><span class="nroffip">net net mask netmask</span>
<p class="level1">True if the IPv4 address matches <span Class="emphasis">net</span> with the specific <span Class="emphasis">netmask</span>. May be qualified with <span Class="bold">src</span> or <span Class="bold">dst</span>. Note that this syntax is not valid for IPv6 <span Class="emphasis">net</span>.
<p class="level0"><a name="fBnet"></a><span class="nroffip">net net/len</span>
<p class="level1">True if the IPv4/v6 address matches <span Class="emphasis">net</span> with a netmask <span Class="emphasis">len</span> bits wide. May be qualified with <span Class="bold">src</span> or <span Class="bold">dst</span>.
<p class="level0"><a name="fBdst"></a><span class="nroffip">dst port port</span>
<p class="level1">True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of <span Class="emphasis">port</span>. The <span Class="emphasis">port</span> can be a number or a name used in /etc/services (see <span Class="emphasis">tcp</span>(4P) and <span Class="emphasis">udp</span>(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., <span Class="bold">dst port 513</span> will print both tcp/login traffic and udp/who traffic, and <span Class="bold">port domain</span> will print both tcp/domain and udp/domain traffic).
<p class="level0"><a name="fBsrc"></a><span class="nroffip">src port port</span>
<p class="level1">True if the packet has a source port value of <span Class="emphasis">port</span>.
<p class="level0"><a name="fBport"></a><span class="nroffip">port port</span>
<p class="level1">True if either the source or destination port of the packet is <span Class="emphasis">port</span>.
<p class="level0"><a name="fBdst"></a><span class="nroffip">dst portrange port1-port2</span>
<p class="level1">True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value between <span Class="emphasis">port1</span> and <span Class="emphasis">port2</span>. <span Class="emphasis">port1</span> and <span Class="emphasis">port2</span> are interpreted in the same fashion as the <span Class="emphasis">port</span> parameter for <span Class="bold">port</span>.
<p class="level0"><a name="fBsrc"></a><span class="nroffip">src portrange port1-port2</span>
<p class="level1">True if the packet has a source port value between <span Class="emphasis">port1</span> and <span Class="emphasis">port2</span>.
<p class="level0"><a name="fBportrange"></a><span class="nroffip">portrange port1-port2</span>
<p class="level1">True if either the source or destination port of the packet is between <span Class="emphasis">port1</span> and <span Class="emphasis">port2</span>.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Any of the above port or port range expressions can be prepended with the keywords, <span Class="bold">tcp</span> or <span Class="bold">udp</span>, as in:
<p class="level1"><pre class="level1">
<span class="bold">tcp src port <span class="emphasis">port</span>
</pre>
<p class="level1">
<p class="level1">which matches only tcp packets whose source port is <span Class="emphasis">port</span>.
<p class="level0"><a name="fBless"></a><span class="nroffip">less length</span>
<p class="level1">True if the packet has a length less than or equal to <span Class="emphasis">length</span>. This is equivalent to:
<p class="level1"><pre class="level1">
<span class="bold">len &lt;= <span class="emphasis">length</span>.
</pre>
<p class="level1">
<p class="level1">
<p class="level0"><a name="fBgreater"></a><span class="nroffip">greater length</span>
<p class="level1">True if the packet has a length greater than or equal to <span Class="emphasis">length</span>. This is equivalent to:
<p class="level1"><pre class="level1">
<span class="bold">len &gt;= <span class="emphasis">length</span>.
</pre>
<p class="level1">
<p class="level1">
<p class="level0"><a name="fBip"></a><span class="nroffip">ip proto protocol</span>
<p class="level1">True if the packet is an IPv4 packet (see <span Class="emphasis">ip</span>(4P)) of protocol type <span Class="emphasis">protocol</span>. <span Class="emphasis">Protocol</span> can be a number or one of the names <span Class="bold">icmp</span>, <span Class="bold">icmp6</span>, <span Class="bold">igmp</span>, <span Class="bold">igrp</span>, <span Class="bold">pim</span>, <span Class="bold">ah</span>, <span Class="bold">esp</span>, <span Class="bold">vrrp</span>, <span Class="bold">udp</span>, or <span Class="bold">tcp</span>. Note that the identifiers <span Class="bold">tcp</span>, <span Class="bold">udp</span>, and <span Class="bold">icmp</span> are also keywords and must be escaped via backslash (\). Note that this primitive does not chase the protocol header chain.
<p class="level0"><a name="fBip6"></a><span class="nroffip">ip6 proto protocol</span>
<p class="level1">True if the packet is an IPv6 packet of protocol type <span Class="emphasis">protocol</span>. Note that this primitive does not chase the protocol header chain.
<p class="level0"><a name="fBproto"></a><span class="nroffip">proto protocol</span>
<p class="level1">True if the packet is an IPv4 or IPv6 packet of protocol type <span Class="emphasis">protocol</span>. Note that this primitive does not chase the protocol header chain.
<p class="level0"><a name="fBtcpfR"></a><span class="nroffip">tcp, udp, icmp</span>
<p class="level1">Abbreviations for:
<p class="level1"><pre class="level1">
<span class="bold">proto <span class="emphasis">p</span><span class="bold">
</pre>
<p class="level1">
<p class="level1">where <span Class="emphasis">p</span> is one of the above protocols.
<p class="level0"><a name="fBip6"></a><span class="nroffip">ip6 protochain protocol</span>
<p class="level1">True if the packet is IPv6 packet, and contains protocol header with type <span Class="emphasis">protocol</span> in its protocol header chain. For example,
<p class="level1"><pre class="level1">
<span class="bold">ip6 protochain 6</span>
</pre>
<p class="level1">
<p class="level1">matches any IPv6 packet with TCP protocol header in the protocol header chain. The packet may contain, for example, authentication header, routing header, or hop-by-hop option header, between IPv6 header and TCP header. The BPF code emitted by this primitive is complex and cannot be optimized by the BPF optimizer code, and is not supported by filter engines in the kernel, so this can be somewhat slow, and may cause more packets to be dropped.
<p class="level0"><a name="fBip"></a><span class="nroffip">ip protochain protocol</span>
<p class="level1">Equivalent to <span class="bold">ip6 protochain <span Class="emphasis">protocol</span>, but this is for IPv4.
<p class="level0"><a name="fBprotochain"></a><span class="nroffip">protochain protocol</span>
<p class="level1">True if the packet is an IPv4 or IPv6 packet of protocol type <span Class="emphasis">protocol</span>. Note that this primitive chases the protocol header chain.
<p class="level0"><a name="fBether"></a><span class="nroffip">ether broadcast</span>
<p class="level1">True if the packet is an Ethernet broadcast packet. The <span Class="emphasis">ether</span> keyword is optional.
<p class="level0"><a name="fBip"></a><span class="nroffip">ip broadcast</span>
<p class="level1">True if the packet is an IPv4 broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the subnet mask on the interface on which the capture is being done.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">If the subnet mask of the interface on which the capture is being done is not available, either because the interface on which capture is being done has no netmask or because the capture is being done on the Linux &quot;any&quot; interface, which can capture on more than one interface, this check will not work correctly.
<p class="level0"><a name="fBether"></a><span class="nroffip">ether multicast</span>
<p class="level1">True if the packet is an Ethernet multicast packet. The <span Class="bold">ether</span> keyword is optional. This is shorthand for `<span Class="bold">ether[0] &amp; 1 != 0</span>&#39;.
<p class="level0"><a name="fBip"></a><span class="nroffip">ip multicast</span>
<p class="level1">True if the packet is an IPv4 multicast packet.
<p class="level0"><a name="fBip6"></a><span class="nroffip">ip6 multicast</span>
<p class="level1">True if the packet is an IPv6 multicast packet.
<p class="level0"><a name="fBether"></a><span class="nroffip">ether proto protocol</span>
<p class="level1">True if the packet is of ether type <span Class="emphasis">protocol</span>. <span Class="emphasis">Protocol</span> can be a number or one of the names <span Class="bold">ip</span>, <span Class="bold">ip6</span>, <span Class="bold">arp</span>, <span Class="bold">rarp</span>, <span Class="bold">atalk</span>, <span Class="bold">aarp</span>, <span Class="bold">decnet</span>, <span Class="bold">sca</span>, <span Class="bold">lat</span>, <span Class="bold">mopdl</span>, <span Class="bold">moprc</span>, <span Class="bold">iso</span>, <span Class="bold">stp</span>, <span Class="bold">ipx</span>, or <span Class="bold">netbeui</span>. Note these identifiers are also keywords and must be escaped via backslash (\).
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">[In the case of FDDI (e.g., `<span Class="bold">fddi proto arp</span>&#39;), Token Ring (e.g., `<span Class="bold">tr proto arp</span>&#39;), and IEEE 802.11 wireless LANS (e.g., `<span Class="bold">wlan proto arp</span>&#39;), for most of those protocols, the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI, Token Ring, or 802.11 header.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">When filtering for most protocol identifiers on FDDI, Token Ring, or 802.11, the filter checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it doesn&#39;t check whether the packet is in SNAP format with an OUI of 0x000000. The exceptions are:
<p class="level2">
<p class="level2"><span Class="bold">iso</span> the filter checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header;
<p class="level2"><span Class="bold">stp</span> and <span Class="bold">netbeui</span> the filter checks the DSAP of the LLC header;
<p class="level2"><span Class="bold">atalk</span> the filter checks for a SNAP-format packet with an OUI of 0x080007 and the AppleTalk etype.
<p class="level1">
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">In the case of Ethernet, the filter checks the Ethernet type field for most of those protocols. The exceptions are:
<p class="level2">
<p class="level2"><span Class="bold">iso</span>, <span Class="bold">stp</span>, and <span Class="bold">netbeui</span> the filter checks for an 802.3 frame and then checks the LLC header as it does for FDDI, Token Ring, and 802.11;
<p class="level2"><span Class="bold">atalk</span> the filter checks both for the AppleTalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11;
<p class="level2"><span Class="bold">aarp</span> the filter checks for the AppleTalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000;
<p class="level2"><span Class="bold">ipx</span> the filter checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of IPX, and the IPX etype in a SNAP frame.
<p class="level1">
<p class="level0"><a name="fBipfR"></a><span class="nroffip">ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui</span>
<p class="level1">Abbreviations for:
<p class="level1"><pre class="level1">
<span class="bold">ether proto <span class="emphasis">p</span>
</pre>
<p class="level1">
<p class="level1">where <span Class="emphasis">p</span> is one of the above protocols.
<p class="level0"><a name="fBlatfR"></a><span class="nroffip">lat, moprc, mopdl</span>
<p class="level1">Abbreviations for:
<p class="level1"><pre class="level1">
<span class="bold">ether proto <span class="emphasis">p</span>
</pre>
<p class="level1">
<p class="level1">where <span Class="emphasis">p</span> is one of the above protocols. Note that not all applications using <a Class="bold" href="./pcap.html">pcap</a>(3PCAP) currently know how to parse these protocols.
<p class="level0"><a name="fBdecnet"></a><span class="nroffip">decnet src host</span>
<p class="level1">True if the DECNET source address is <span Class="emphasis">host</span>, which may be an address of the form ``10.123&#39;&#39;, or a DECNET host name. [DECNET host name support is only available on ULTRIX systems that are configured to run DECNET.]
<p class="level0"><a name="fBdecnet"></a><span class="nroffip">decnet dst host</span>
<p class="level1">True if the DECNET destination address is <span Class="emphasis">host</span>.
<p class="level0"><a name="fBdecnet"></a><span class="nroffip">decnet host host</span>
<p class="level1">True if either the DECNET source or destination address is <span Class="emphasis">host</span>.
<p class="level0"><a name="fBllcfP"></a><span class="nroffip">llc</span>
<p class="level1">True if the packet has an 802.2 LLC header. This includes:
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Ethernet packets with a length field rather than a type field that aren&#39;t raw NetWare-over-802.3 packets;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">IEEE 802.11 data packets;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Token Ring packets (no check is done for LLC frames);
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">FDDI packets (no check is done for LLC frames);
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">LLC-encapsulated ATM packets, for SunATM on Solaris.
<p class="level0"><a name="fBllcfP"></a><span class="nroffip">llc \Fitype</span>
<p class="level1">True if the packet has an 802.2 LLC header and has the specified <span Class="emphasis">type</span>. <span Class="emphasis">type</span> can be one of:
<p class="level2">
<p class="level2"><span Class="bold">i</span> Information (I) PDUs
<p class="level2"><span Class="bold">s</span> Supervisory (S) PDUs
<p class="level2"><span Class="bold">u</span> Unnumbered (U) PDUs
<p class="level2"><span Class="bold">rr</span> Receiver Ready (RR) S PDUs
<p class="level2"><span Class="bold">rnr</span> Receiver Not Ready (RNR) S PDUs
<p class="level2"><span Class="bold">rej</span> Reject (REJ) S PDUs
<p class="level2"><span Class="bold">ui</span> Unnumbered Information (UI) U PDUs
<p class="level2"><span Class="bold">ua</span> Unnumbered Acknowledgment (UA) U PDUs
<p class="level2"><span Class="bold">disc</span> Disconnect (DISC) U PDUs
<p class="level2"><span Class="bold">sabme</span> Set Asynchronous Balanced Mode Extended (SABME) U PDUs
<p class="level2"><span Class="bold">test</span> Test (TEST) U PDUs
<p class="level2"><span Class="bold">xid</span> Exchange Identification (XID) U PDUs
<p class="level2"><span Class="bold">frmr</span> Frame Reject (FRMR) U PDUs
<p class="level1">
<p class="level0"><a name="fBinboundfP"></a><span class="nroffip">inbound</span>
<p class="level1">Packet was received by the host performing the capture rather than being sent by that host. This is only supported for certain link-layer types, such as SLIP and the ``cooked&#39;&#39; Linux capture mode used for the ``any&#39;&#39; device and for some other device types.
<p class="level0"><a name="fBoutboundfP"></a><span class="nroffip">outbound</span>
<p class="level1">Packet was sent by the host performing the capture rather than being received by that host. This is only supported for certain link-layer types, such as SLIP and the ``cooked&#39;&#39; Linux capture mode used for the ``any&#39;&#39; device and for some other device types.
<p class="level0"><a name="fBifname"></a><span class="nroffip">ifname interface</span>
<p class="level1">True if the packet was logged as coming from the specified interface (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBon"></a><span class="nroffip">on interface</span>
<p class="level1">Synonymous with the <span Class="bold">ifname</span> modifier.
<p class="level0"><a name="fBrnr"></a><span class="nroffip">rnr num</span>
<p class="level1">True if the packet was logged as matching the specified PF rule number (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBrulenum"></a><span class="nroffip">rulenum num</span>
<p class="level1">Synonymous with the <span Class="bold">rnr</span> modifier.
<p class="level0"><a name="fBreason"></a><span class="nroffip">reason code</span>
<p class="level1">True if the packet was logged with the specified PF reason code. The known codes are: <span Class="bold">match</span>, <span Class="bold">bad-offset</span>, <span Class="bold">fragment</span>, <span Class="bold">short</span>, <span Class="bold">normalize</span>, and <span Class="bold">memory</span> (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBrset"></a><span class="nroffip">rset name</span>
<p class="level1">True if the packet was logged as matching the specified PF ruleset name of an anchored ruleset (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBruleset"></a><span class="nroffip">ruleset name</span>
<p class="level1">Synonymous with the <span Class="bold">rset</span> modifier.
<p class="level0"><a name="fBsrnr"></a><span class="nroffip">srnr num</span>
<p class="level1">True if the packet was logged as matching the specified PF rule number of an anchored ruleset (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBsubrulenum"></a><span class="nroffip">subrulenum num</span>
<p class="level1">Synonymous with the <span Class="bold">srnr</span> modifier.
<p class="level0"><a name="fBaction"></a><span class="nroffip">action act</span>
<p class="level1">True if PF took the specified action when the packet was logged. Known actions are: <span Class="bold">pass</span> and <span Class="bold">block</span> and, with later versions of <span Class="bold">pf</span>(4), <span Class="bold">nat</span>, <span Class="bold">rdr</span>, <span Class="bold">binat</span> and <span Class="bold">scrub</span> (applies only to packets logged by OpenBSD&#39;s or FreeBSD&#39;s <span Class="bold">pf</span>(4)).
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan ra ehost</span>
<p class="level1">True if the IEEE 802.11 RA is <span Class="emphasis">ehost</span>. The RA field is used in all frames except for management frames.
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan ta ehost</span>
<p class="level1">True if the IEEE 802.11 TA is <span Class="emphasis">ehost</span>. The TA field is used in all frames except for management frames and CTS (Clear To Send) and ACK (Acknowledgment) control frames.
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan addr1 ehost</span>
<p class="level1">True if the first IEEE 802.11 address is <span Class="emphasis">ehost</span>.
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan addr2 ehost</span>
<p class="level1">True if the second IEEE 802.11 address, if present, is <span Class="emphasis">ehost</span>. The second address field is used in all frames except for CTS (Clear To Send) and ACK (Acknowledgment) control frames.
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan addr3 ehost</span>
<p class="level1">True if the third IEEE 802.11 address, if present, is <span Class="emphasis">ehost</span>. The third address field is used in management and data frames, but not in control frames.
<p class="level0"><a name="fBwlan"></a><span class="nroffip">wlan addr4 ehost</span>
<p class="level1">True if the fourth IEEE 802.11 address, if present, is <span Class="emphasis">ehost</span>. The fourth address field is only used for WDS (Wireless Distribution System) frames.
<p class="level0"><a name="fBtype"></a><span class="nroffip">type wlan_type</span>
<p class="level1">True if the IEEE 802.11 frame type matches the specified <span Class="emphasis">wlan_type</span>. Valid <span Class="emphasis">wlan_type</span>s are: <span Class="bold">mgt</span>, <span Class="bold">ctl</span> and <span Class="bold">data</span>.
<p class="level0"><a name="fBtype"></a><span class="nroffip">type wlan_type subtype wlan_subtype</span>
<p class="level1">True if the IEEE 802.11 frame type matches the specified <span Class="emphasis">wlan_type</span> and frame subtype matches the specified <span Class="emphasis">wlan_subtype</span>.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">If the specified <span Class="emphasis">wlan_type</span> is <span Class="bold">mgt</span>, then valid <span Class="emphasis">wlan_subtype</span>s are: <span Class="bold">assoc-req</span>, <span Class="bold">assoc-resp</span>, <span Class="bold">reassoc-req</span>, <span Class="bold">reassoc-resp</span>, <span Class="bold">probe-req</span>, <span Class="bold">probe-resp</span>, <span Class="bold">beacon</span>, <span Class="bold">atim</span>, <span Class="bold">disassoc</span>, <span Class="bold">auth</span> and <span Class="bold">deauth</span>.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">If the specified <span Class="emphasis">wlan_type</span> is <span Class="bold">ctl</span>, then valid <span Class="emphasis">wlan_subtype</span>s are: <span Class="bold">ps-poll</span>, <span Class="bold">rts</span>, <span Class="bold">cts</span>, <span Class="bold">ack</span>, <span Class="bold">cf-end</span> and <span Class="bold">cf-end-ack</span>.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">If the specified <span Class="emphasis">wlan_type</span> is <span Class="bold">data</span>, then valid <span Class="emphasis">wlan_subtype</span>s are: <span Class="bold">data</span>, <span Class="bold">data-cf-ack</span>, <span Class="bold">data-cf-poll</span>, <span Class="bold">data-cf-ack-poll</span>, <span Class="bold">null</span>, <span Class="bold">cf-ack</span>, <span Class="bold">cf-poll</span>, <span Class="bold">cf-ack-poll</span>, <span Class="bold">qos-data</span>, <span Class="bold">qos-data-cf-ack</span>, <span Class="bold">qos-data-cf-poll</span>, <span Class="bold">qos-data-cf-ack-poll</span>, <span Class="bold">qos</span>, <span Class="bold">qos-cf-poll</span> and <span Class="bold">qos-cf-ack-poll</span>.
<p class="level0"><a name="fBsubtype"></a><span class="nroffip">subtype wlan_subtype</span>
<p class="level1">True if the IEEE 802.11 frame subtype matches the specified <span Class="emphasis">wlan_subtype</span> and frame has the type to which the specified <span Class="emphasis">wlan_subtype</span> belongs.
<p class="level0"><a name="fBdir"></a><span class="nroffip">dir dir</span>
<p class="level1">True if the IEEE 802.11 frame direction matches the specified <span Class="emphasis">dir</span>. Valid directions are: <span Class="bold">nods</span>, <span Class="bold">tods</span>, <span Class="bold">fromds</span>, <span Class="bold">dstods</span>, or a numeric value.
<p class="level0"><a name="fBvlan"></a><span class="nroffip">vlan [vlan_id]</span>
<p class="level1">True if the packet is an IEEE 802.1Q VLAN packet. If <span Class="emphasis">[vlan_id]</span> is specified, only true if the packet has the specified <span Class="emphasis">vlan_id</span>. Note that the first <span Class="bold">vlan</span> keyword encountered in <span Class="emphasis">expression</span> changes the decoding offsets for the remainder of <span Class="emphasis">expression</span> on the assumption that the packet is a VLAN packet. The <span class="bold">vlan <span Class="emphasis">[vlan_id]</span> expression may be used more than once, to filter on VLAN hierarchies. Each use of that expression increments the filter offsets by 4.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">For example:
<p class="level1"><pre class="level1">
<span class="bold">vlan 100 &amp;&amp; vlan 200</span>
</pre>
<p class="level1">
<p class="level1">filters on VLAN 200 encapsulated within VLAN 100, and
<p class="level1"><pre class="level1">
<span class="bold">vlan &amp;&amp; vlan 300 &amp;&amp; ip</span>
</pre>
<p class="level1">
<p class="level1">filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any higher order VLAN.
<p class="level0"><a name="fBmpls"></a><span class="nroffip">mpls [label_num]</span>
<p class="level1">True if the packet is an MPLS packet. If <span Class="emphasis">[label_num]</span> is specified, only true is the packet has the specified <span Class="emphasis">label_num</span>. Note that the first <span Class="bold">mpls</span> keyword encountered in <span Class="emphasis">expression</span> changes the decoding offsets for the remainder of <span Class="emphasis">expression</span> on the assumption that the packet is a MPLS-encapsulated IP packet. The <span class="bold">mpls <span Class="emphasis">[label_num]</span> expression may be used more than once, to filter on MPLS hierarchies. Each use of that expression increments the filter offsets by 4.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">For example:
<p class="level1"><pre class="level1">
<span class="bold">mpls 100000 &amp;&amp; mpls 1024</span>
</pre>
<p class="level1">
<p class="level1">filters packets with an outer label of 100000 and an inner label of 1024, and
<p class="level1"><pre class="level1">
<span class="bold">mpls &amp;&amp; mpls 1024 &amp;&amp; host 192.9.200.1</span>
</pre>
<p class="level1">
<p class="level1">filters packets to or from 192.9.200.1 with an inner label of 1024 and any outer label.
<p class="level0"><a name="fBpppoedfP"></a><span class="nroffip">pppoed</span>
<p class="level1">True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet type 0x8863).
<p class="level0"><a name="fBpppoes"></a><span class="nroffip">pppoes [session_id]</span>
<p class="level1">True if the packet is a PPP-over-Ethernet Session packet (Ethernet type 0x8864). If <span Class="emphasis">[session_id]</span> is specified, only true if the packet has the specified <span Class="emphasis">session_id</span>. Note that the first <span Class="bold">pppoes</span> keyword encountered in <span Class="emphasis">expression</span> changes the decoding offsets for the remainder of <span Class="emphasis">expression</span> on the assumption that the packet is a PPPoE session packet.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">For example:
<p class="level1"><pre class="level1">
<span class="bold">pppoes 0x27 &amp;&amp; ip</span>
</pre>
<p class="level1">
<p class="level1">filters IPv4 protocols encapsulated in PPPoE session id 0x27.
<p class="level0"><a name="fBgeneve"></a><span class="nroffip">geneve [vni]</span>
<p class="level1">True if the packet is a Geneve packet (UDP port 6081). If <span Class="emphasis">[vni]</span> is specified, only true if the packet has the specified <span Class="emphasis">vni</span>. Note that when the <span Class="bold">geneve</span> keyword is encountered in <span Class="emphasis">expression</span>, it changes the decoding offsets for the remainder of <span Class="emphasis">expression</span> on the assumption that the packet is a Geneve packet.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">For example:
<p class="level1"><pre class="level1">
<span class="bold">geneve 0xb &amp;&amp; ip</span>
</pre>
<p class="level1">
<p class="level1">filters IPv4 protocols encapsulated in Geneve with VNI 0xb. This will match both IP directly encapsulated in Geneve as well as IP contained inside an Ethernet frame.
<p class="level0"><a name="fBiso"></a><span class="nroffip">iso proto protocol</span>
<p class="level1">True if the packet is an OSI packet of protocol type <span Class="emphasis">protocol</span>. <span Class="emphasis">Protocol</span> can be a number or one of the names <span Class="bold">clnp</span>, <span Class="bold">esis</span>, or <span Class="bold">isis</span>.
<p class="level0"><a name="fBclnpfR"></a><span class="nroffip">clnp, esis, isis</span>
<p class="level1">Abbreviations for:
<p class="level1"><pre class="level1">
<span class="bold">iso proto <span class="emphasis">p</span>
</pre>
<p class="level1">
<p class="level1">where <span Class="emphasis">p</span> is one of the above protocols.
<p class="level0"><a name="fBl1fR"></a><span class="nroffip">l1, l2, iih, lsp, snp, csnp, psnp</span>
<p class="level1">Abbreviations for IS-IS PDU types.
<p class="level0"><a name="fBvpifP"></a><span class="nroffip">vpi n</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, with a virtual path identifier of <span Class="emphasis">n</span>.
<p class="level0"><a name="fBvcifP"></a><span class="nroffip">vci n</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, with a virtual channel identifier of <span Class="emphasis">n</span>.
<p class="level0"><a name="fBlanefP"></a><span class="nroffip">lane</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is an ATM LANE packet. Note that the first <span Class="bold">lane</span> keyword encountered in <span Class="emphasis">expression</span> changes the tests done in the remainder of <span Class="emphasis">expression</span> on the assumption that the packet is either a LANE emulated Ethernet packet or a LANE LE Control packet. If <span Class="bold">lane</span> isn&#39;t specified, the tests are done under the assumption that the packet is an LLC-encapsulated packet.
<p class="level0"><a name="fBoamf4sfP"></a><span class="nroffip">oamf4s</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is a segment OAM F4 flow cell (VPI=0 &amp; VCI=3).
<p class="level0"><a name="fBoamf4efP"></a><span class="nroffip">oamf4e</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is an end-to-end OAM F4 flow cell (VPI=0 &amp; VCI=4).
<p class="level0"><a name="fBoamf4fP"></a><span class="nroffip">oamf4</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is a segment or end-to-end OAM F4 flow cell (VPI=0 &amp; (VCI=3 | VCI=4)).
<p class="level0"><a name="fBoamfP"></a><span class="nroffip">oam</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is a segment or end-to-end OAM F4 flow cell (VPI=0 &amp; (VCI=3 | VCI=4)).
<p class="level0"><a name="fBmetacfP"></a><span class="nroffip">metac</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on a meta signaling circuit (VPI=0 &amp; VCI=1).
<p class="level0"><a name="fBbccfP"></a><span class="nroffip">bcc</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on a broadcast signaling circuit (VPI=0 &amp; VCI=2).
<p class="level0"><a name="fBscfP"></a><span class="nroffip">sc</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on a signaling circuit (VPI=0 &amp; VCI=5).
<p class="level0"><a name="fBilmicfP"></a><span class="nroffip">ilmic</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on an ILMI circuit (VPI=0 &amp; VCI=16).
<p class="level0"><a name="fBconnectmsgfP"></a><span class="nroffip">connectmsg</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done message.
<p class="level0"><a name="fBmetaconnectfP"></a><span class="nroffip">metaconnect</span>
<p class="level1">True if the packet is an ATM packet, for SunATM on Solaris, and is on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Release, or Release Done message.
<p class="level0"><a name="fIexpr"></a><span class="nroffip">expr relop expr</span>
<p class="level1">True if the relation holds, where <span Class="emphasis">relop</span> is one of &gt;, &lt;, &gt;=, &lt;=, =, !=, and <span Class="emphasis">expr</span> is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, %, &amp;, |, ^, &lt;&lt;, &gt;&gt;], a length operator, and special packet data accessors. Note that all comparisons are unsigned, so that, for example, 0x80000000 and 0xffffffff are &gt; 0.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The % and ^ operators are currently only supported for filtering in the kernel on Linux with 3.7 and later kernels; on all other systems, if those operators are used, filtering will be done in user mode, which will increase the overhead of capturing packets and may cause more packets to be dropped.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">To access data inside the packet, use the following syntax:
<p class="level1"><pre class="level1">
<span class="emphasis">proto<span class="bold"> [ <span class="emphasis">expr<span class="bold"> : <span class="emphasis">size<span class="bold"> ]</span>
</pre>
<p class="level1">
<p class="level1"><span Class="emphasis">Proto</span> is one of <span class="bold">ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6</span> or <span Class="bold">radio</span>, and indicates the protocol layer for the index operation. (<span Class="bold">ether, fddi, wlan, tr, ppp, slip</span> and <span Class="bold">link</span> all refer to the link layer. <span Class="bold">radio</span> refers to the &quot;radio header&quot; added to some 802.11 captures.) Note that <span Class="emphasis">tcp, udp</span> and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by <span Class="emphasis">expr</span>. <span Class="emphasis">Size</span> is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword <span Class="bold">len</span>, gives the length of the packet.
<p class="level1">For example, `<span Class="bold">ether[0] &amp; 1 != 0</span>&#39; catches all multicast traffic. The expression `<span Class="bold">ip[0] &amp; 0xf != 5</span>&#39; catches all IPv4 packets with options. The expression `<span Class="bold">ip[6:2] &amp; 0x1fff = 0</span>&#39; catches only unfragmented IPv4 datagrams and frag zero of fragmented IPv4 datagrams. This check is implicitly applied to the <span Class="bold">tcp</span> and <span Class="bold">udp</span> index operations. For instance, <span Class="bold">tcp[0]</span> always means the first byte of the TCP <span Class="emphasis">header</span>, and never means the first byte of an intervening fragment.
<p class="level1">Some offsets and field values may be expressed as names rather than as numeric values. The following protocol header field offsets are available: <span Class="bold">icmptype</span> (ICMP type field), <span class="bold">icmp6type (ICMP v6 type field) <span Class="bold">icmpcode</span> (ICMP code field), <span Class="bold">icmp6code</span> (ICMP v6 code field), and <span Class="bold">tcpflags</span> (TCP flags field).
<p class="level1">The following ICMP type field values are available: <span Class="bold">icmp-echoreply</span>, <span Class="bold">icmp-unreach</span>, <span Class="bold">icmp-sourcequench</span>, <span Class="bold">icmp-redirect</span>, <span Class="bold">icmp-echo</span>, <span Class="bold">icmp-routeradvert</span>, <span Class="bold">icmp-routersolicit</span>, <span Class="bold">icmp-timxceed</span>, <span Class="bold">icmp-paramprob</span>, <span Class="bold">icmp-tstamp</span>, <span Class="bold">icmp-tstampreply</span>, <span Class="bold">icmp-ireq</span>, <span Class="bold">icmp-ireqreply</span>, <span Class="bold">icmp-maskreq</span>, <span Class="bold">icmp-maskreply</span>.
<p class="level1">The following ICMPv6 type fields are available: <span Class="bold">icmp6-echo</span>, <span Class="bold">icmp6-echoreply</span>, <span Class="bold">icmp6-multicastlistenerquery</span>, <span Class="bold">icmp6-multicastlistenerreportv1</span>, <span Class="bold">icmp6-multicastlistenerdone</span>, <span Class="bold">icmp6-routersolicit</span>, <span Class="bold">icmp6-routeradvert</span>, <span Class="bold">icmp6-neighborsolicit</span>, <span Class="bold">icmp6-neighboradvert</span>, <span Class="bold">icmp6-redirect</span>, <span Class="bold">icmp6-routerrenum</span>, <span Class="bold">icmp6-nodeinformationquery</span>, <span Class="bold">icmp6-nodeinformationresponse</span>, <span Class="bold">icmp6-ineighbordiscoverysolicit</span>, <span Class="bold">icmp6-ineighbordiscoveryadvert</span>, <span Class="bold">icmp6-multicastlistenerreportv2</span>, <span Class="bold">icmp6-homeagentdiscoveryrequest</span>, <span Class="bold">icmp6-homeagentdiscoveryreply</span>, <span Class="bold">icmp6-mobileprefixsolicit</span>, <span Class="bold">icmp6-mobileprefixadvert</span>, <span Class="bold">icmp6-certpathsolicit</span>, <span Class="bold">icmp6-certpathadvert</span>, <span Class="bold">icmp6-multicastrouteradvert</span>, <span Class="bold">icmp6-multicastroutersolicit</span>, <span Class="bold">icmp6-multicastrouterterm</span>.
<p class="level1">The following TCP flags field values are available: <span Class="bold">tcp-fin</span>, <span Class="bold">tcp-syn</span>, <span Class="bold">tcp-rst</span>, <span Class="bold">tcp-push</span>, <span Class="bold">tcp-ack</span>, <span Class="bold">tcp-urg</span>, <span Class="bold">tcp-ece</span>, <span Class="bold">tcp-cwr</span>.
<p class="level1">Primitives may be combined using:
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A parenthesized group of primitives and operators.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Negation (`<a class="bold" href="#">!</a>&#39; or `<span Class="bold">not</span>&#39;).
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Concatenation (`<span Class="bold">&amp;&amp;</span>&#39; or `<span Class="bold">and</span>&#39;).
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Alternation (`<a class="bold" href="#">||</a>&#39; or `<span Class="bold">or</span>&#39;).
<p class="level1">Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit <span Class="bold">and</span> tokens, not juxtaposition, are now required for concatenation.
<p class="level1">If an identifier is given without a keyword, the most recent keyword is assumed. For example,
<p class="level1"><pre class="level1">
<span class="bold">not host vs and ace</span>
</pre>
<p class="level1">
<p class="level1">is short for
<p class="level1"><pre class="level1">
<span class="bold">not host vs and host ace</span>
</pre>
<p class="level1">
<p class="level1">which should not be confused with
<p class="level1"><pre class="level1">
<span class="bold">not ( host vs or ace )</span>
</pre>
<p class="level1">
<p class="level1"><a name="EXAMPLES"></a><h2 class="nroffsh">EXAMPLES</h2>
<p class="level0">
<p class="level0">To select all packets arriving at or departing from <span Class="emphasis">sundown</span>:
<p class="level1"><pre class="level1">
<span class="bold">host sundown</span>
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select traffic between <span Class="emphasis">helios</span> and either <span Class="emphasis">hot</span> or <span Class="emphasis">ace</span>:
<p class="level1"><pre class="level1">
<span class="bold">host helios and \( hot or ace \)</span>
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select all IP packets between <span Class="emphasis">ace</span> and any host except <span Class="emphasis">helios</span>:
<p class="level1"><pre class="level1">
<span class="bold">ip host ace and not helios</span>
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select all traffic between local hosts and hosts at Berkeley:
<p class="level1"><pre class="level1">
<span class="bold"></span>
net ucb-ether
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select all ftp traffic through internet gateway <span Class="emphasis">snup</span>:
<p class="level1"><pre class="level1">
<span class="bold"></span>
gateway snup and (port ftp or ftp-data)
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).
<p class="level1"><pre class="level1">
<span class="bold"></span>
ip and not net <span class="emphasis">localnet</span>
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.
<p class="level1"><pre class="level1">
<span class="bold"></span>
tcp[tcpflags] &amp; (tcp-syn|tcp-fin) != 0 and not src and dst net <span class="emphasis">localnet</span>
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)
<p class="level1"><pre class="level1">
<span class="bold"></span>
tcp port 80 and (((ip[2:2] - ((ip[0]&amp;0xf)&lt;&lt;2)) - ((tcp[12]&amp;0xf0)&gt;&gt;2)) != 0)
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select IP packets longer than 576 bytes sent through gateway <span Class="emphasis">snup</span>:
<p class="level1"><pre class="level1">
<span class="bold"></span>
gateway snup and ip[2:2] &gt; 576
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select IP broadcast or multicast packets that were <span Class="emphasis">not</span> sent via Ethernet broadcast or multicast:
<p class="level1"><pre class="level1">
<span class="bold"></span>
ether[0] &amp; 1 = 0 and ip[16] &gt;= 224
</pre>
<p class="level1">
<p class="level0">
<p class="level0">To select all ICMP packets that are not echo requests/replies (i.e., not ping packets):
<p class="level1"><pre class="level1">
<span class="bold"></span>
icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
</pre>
<p class="level1">
<p class="level0"><a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <a name="BUGS"></a><h2 class="nroffsh">BUGS</h2>
<p class="level0">To report a security issue please send an e-mail to security@tcpdump.org.
<p class="level0">To report bugs and other problems, contribute patches, request a feature, provide generic feedback etc please see the file <span Class="emphasis">CONTRIBUTING</span> in the libpcap source tree root.
<p class="level0">Filter expressions on fields other than those in Token Ring headers will not correctly handle source-routed Token Ring packets.
<p class="level0">Filter expressions on fields other than those in 802.11 headers will not correctly handle 802.11 data packets with both To DS and From DS set.
<p class="level0"><span Class="bold">ip6 proto</span> should chase header chain, but at this moment it does not. <span Class="bold">ip6 protochain</span> is supplied for this behavior.
<p class="level0">Arithmetic expression against transport layer headers, like <span Class="bold">tcp[0]</span>, does not work against IPv6 packets. It only looks at IPv4 packets. <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

60
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap-linktype.html Normal file
View File

@@ -0,0 +1,60 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>PCAP-LINKTYPE man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap-linktype - link-layer header types supported by libpcap <a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">For a live capture or ``savefile&#39;&#39;, libpcap supplies, as the return value of the <a Class="bold" href="./pcap_datalink.html">pcap_datalink</a>(3PCAP) routine, a value that indicates the type of link-layer header at the beginning of the packets it provides. This is not necessarily the type of link-layer header that the packets being captured have on the network from which they&#39;re being captured; for example, packets from an IEEE 802.11 network might be provided by libpcap with Ethernet headers that the network adapter or the network adapter driver generates from the 802.11 headers. The names for those values begin with <span Class="bold">DLT_</span>, so they are sometimes called &quot;DLT_ values&quot;.
<p class="level0">The values stored in the link-layer header type field in the savefile header are, in most but not all cases, the same as the values returned by <span Class="bold">pcap_datalink()</span>. The names for those values begin with <span Class="bold">LINKTYPE_</span>.
<p class="level0">The link-layer header types supported by libpcap are described at <a href="https://www.tcpdump.org/linktypes.html.">https://www.tcpdump.org/linktypes.html.</a> <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

84
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap-savefile.html Normal file
View File

@@ -0,0 +1,84 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>PCAP-SAVEFILE man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap-savefile - libpcap savefile format <a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">NOTE: applications and libraries should, if possible, use libpcap to read savefiles, rather than having their own code to read savefiles. If, in the future, a new file format is supported by libpcap, applications and libraries using libpcap to read savefiles will be able to read the new format of savefiles, but applications and libraries using their own code to read savefiles will have to be changed to support the new file format.
<p class="level0">``Savefiles&#39;&#39; read and written by libpcap and applications using libpcap start with a per-file header. The format of the per-file header is:
<p class="level1">
<p class="level1">box; c s c | c c s. Magic number _ Major version Minor version _ Time zone offset _ Time stamp accuracy _ Snapshot length _ Link-layer header type
<p class="level1">
<p class="level0">
<p class="level0">All fields in the per-file header are in the byte order of the host writing the file. Normally, the first field in the per-file header is a 4-byte magic number, with the value 0xa1b2c3d4. The magic number, when read by a host with the same byte order as the host that wrote the file, will have the value 0xa1b2c3d4, and, when read by a host with the opposite byte order as the host that wrote the file, will have the value 0xd4c3b2a1. That allows software reading the file to determine whether the byte order of the host that wrote the file is the same as the byte order of the host on which the file is being read, and thus whether the values in the per-file and per-packet headers need to be byte-swapped.
<p class="level0">If the magic number has the value 0xa1b23c4d (with the two nibbles of the two lower-order bytes of the magic number swapped), which would be read as 0xa1b23c4d by a host with the same byte order as the host that wrote the file and as 0x4d3cb2a1 by a host with the opposite byte order as the host that wrote the file, the file format is the same as for regular files, except that the time stamps for packets are given in seconds and nanoseconds rather than seconds and microseconds.
<p class="level0">Following this are:
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A 2-byte file format major version number; the current version number is 2.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A 2-byte file format minor version number; the current version number is 4.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A 4-byte time zone offset; this is always 0.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A 4-byte number giving the accuracy of time stamps in the file; this is always 0.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A 4-byte number giving the &quot;snapshot length&quot; of the capture; packets longer than the snapshot length are truncated to the snapshot length, so that, if the snapshot length is <span Class="emphasis">N</span>, only the first <span Class="emphasis">N</span> bytes of a packet longer than <span Class="emphasis">N</span> bytes will be saved in the capture.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">a 4-byte number giving the link-layer header type for packets in the capture; see <a Class="bold" href="./pcap-linktype.html">pcap-linktype</a>(7) for the <span Class="bold">LINKTYPE_</span> values that can appear in this field.
<p class="level1">Following the per-file header are zero or more packets; each packet begins with a per-packet header, which is immediately followed by the raw packet data. The format of the per-packet header is:
<p class="level2">
<p class="level2">box; c. Time stamp, seconds value _ Time stamp, microseconds or nanoseconds value _ Length of captured packet data _ Un-truncated length of the packet data
<p class="level2">
<p class="level1">
<p class="level1">All fields in the per-packet header are in the byte order of the host writing the file. The per-packet header begins with a time stamp giving the approximate time the packet was captured; the time stamp consists of a 4-byte value, giving the time in seconds since January 1, 1970, 00:00:00 UTC, followed by a 4-byte value, giving the time in microseconds or nanoseconds since that second, depending on the magic number in the file header. Following that are a 4-byte value giving the number of bytes of captured data that follow the per-packet header and a 4-byte value giving the number of bytes that would have been present had the packet not been truncated by the snapshot length. The two lengths will be equal if the number of bytes of packet data are less than or equal to the snapshot length. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

82
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap-tstamp.html Normal file
View File

@@ -0,0 +1,82 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>PCAP-TSTAMP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap-tstamp - packet time stamps in libpcap <a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">When capturing traffic, each packet is given a time stamp representing, for incoming packets, the arrival time of the packet and, for outgoing packets, the transmission time of the packet. This time is an approximation of the arrival or transmission time. If it is supplied by the operating system running on the host on which the capture is being done, there are several reasons why it might not precisely represent the arrival or transmission time:
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">if the time stamp is applied to the packet when the networking stack receives the packet, the networking stack might not see the packet until an interrupt is delivered for the packet or a timer event causes the networking device driver to poll for packets, and the time stamp might not be applied until the packet has had some processing done by other code in the networking stack, so there might be a significant delay between the time when the last bit of the packet is received by the capture device and when the networking stack time-stamps the packet;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">the timer used to generate the time stamps might have low resolution, for example, it might be a timer updated once per host operating system timer tick, with the host operating system timer ticking once every few milliseconds;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">a high-resolution timer might use a counter that runs at a rate dependent on the processor clock speed, and that clock speed might be adjusted upwards or downwards over time and the timer might not be able to compensate for all those adjustments;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">the host operating system&#39;s clock might be adjusted over time to match a time standard to which the host is being synchronized, which might be done by temporarily slowing down or speeding up the clock or by making a single adjustment;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">different CPU cores on a multi-core or multi-processor system might be running at different speeds, or might not have time counters all synchronized, so packets time-stamped by different cores might not have consistent time stamps.
<p class="level1">In addition, packets time-stamped by different cores might be time-stamped in one order and added to the queue of packets for libpcap to read in another order, so time stamps might not be monotonically increasing.
<p class="level1">Some capture devices on some platforms can provide time stamps for packets; those time stamps are usually high-resolution time stamps, and are usually applied to the packet when the first or last bit of the packet arrives, and are thus more accurate than time stamps provided by the host operating system. Those time stamps might not, however, be synchronized with the host operating system&#39;s clock, so that, for example, the time stamp of a packet might not correspond to the time stamp of an event on the host triggered by the arrival of that packet.
<p class="level1">Depending on the capture device and the software on the host, libpcap might allow different types of time stamp to be used. The <a Class="bold" href="./pcap_list_tstamp_types.html">pcap_list_tstamp_types</a>(3PCAP) routine provides, for a packet capture handle created by <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP) but not yet activated by <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP), a list of time stamp types supported by the capture device for that handle. The list might be empty, in which case no choice of time stamp type is offered for that capture device. If the list is not empty, the <a Class="bold" href="./pcap_set_tstamp_type.html">pcap_set_tstamp_type</a>(3PCAP) routine can be used after a <span Class="bold">pcap_create()</span> call and before a <span Class="bold">pcap_activate()</span> call to specify the type of time stamp to be used on the device. The time stamp types are listed here; the first value is the &#35;define to use in code, the second value is the value returned by <a Class="bold" href="./pcap_tstamp_type_val_to_name.html">pcap_tstamp_type_val_to_name</a> and accepted by <a Class="bold" href="./pcap_tstamp_type_name_to_val.html">pcap_tstamp_type_name_to_val</a>.
<p class="level2">
<p class="level2"><span Class="bold">PCAP_TSTAMP_HOST</span> - <span Class="bold">host</span> Time stamp provided by the host on which the capture is being done. The precision of this time stamp is unspecified; it might or might not be synchronized with the host operating system&#39;s clock.
<p class="level2"><span Class="bold">PCAP_TSTAMP_HOST_LOWPREC</span> - <span Class="bold">host_lowprec</span> Time stamp provided by the host on which the capture is being done. This is a low-precision time stamp, synchronized with the host operating system&#39;s clock.
<p class="level2"><span Class="bold">PCAP_TSTAMP_HOST_HIPREC</span> - <span Class="bold">host_hiprec</span> Time stamp provided by the host on which the capture is being done. This is a high-precision time stamp; it might or might not be synchronized with the host operating system&#39;s clock. It might be more expensive to fetch than <span Class="bold">PCAP_TSTAMP_HOST_LOWPREC</span>.
<p class="level2"><span Class="bold">PCAP_TSTAMP_ADAPTER</span> - <span Class="bold">adapter</span> Time stamp provided by the network adapter on which the capture is being done. This is a high-precision time stamp, synchronized with the host operating system&#39;s clock.
<p class="level2"><span Class="bold">PCAP_TSTAMP_ADAPTER_UNSYNCED</span> - <span Class="bold">adapter_unsynced</span> Time stamp provided by the network adapter on which the capture is being done. This is a high-precision time stamp; it is not synchronized with the host operating system&#39;s clock.
<p class="level1">
<p class="level1">By default, when performing a live capture or reading from a savefile, time stamps are supplied as seconds since January 1, 1970, 00:00:00 UTC, and microseconds since that seconds value, even if higher-resolution time stamps are available from the capture device or in the savefile. If, when reading a savefile, the time stamps in the file have a higher resolution than one microsecond, the additional digits of resolution are discarded.
<p class="level1">The <a Class="bold" href="./pcap_set_tstamp_precision.html">pcap_set_tstamp_precision</a>(3PCAP) routine can be used after a <span Class="bold">pcap_create()</span> call and after a <span Class="bold">pcap_activate()</span> call to specify the resolution of the time stamps to get for the device. If the hardware or software cannot supply a higher-resolution time stamp, the <span Class="bold">pcap_set_tstamp_precision()</span> call will fail, and the time stamps supplied after the <span Class="bold">pcap_activate()</span> call will have microsecond resolution.
<p class="level1">When opening a savefile, the <span Class="bold">\%pcap_open_offline_with_tstamp_precision</span>(3PCAP) and <span Class="bold">\%pcap_fopen_offline_with_tstamp_precision</span>(3PCAP) routines can be used to specify the resolution of time stamps to be read from the file; if the time stamps in the file have a lower resolution, the fraction-of-a-second portion of the time stamps will be scaled to the specified resolution.
<p class="level1">The <a Class="bold" href="./pcap_get_tstamp_precision.html">pcap_get_tstamp_precision</a>(3PCAP) routine returns the resolution of time stamps that will be supplied; when capturing packets, this does not reflect the actual precision of the time stamp supplied by the hardware or operating system and, when reading a savefile, this does not indicate the actual precision of time stamps in the file. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

269
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap.html Normal file
View File

@@ -0,0 +1,269 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap - Packet Capture library <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">The Packet Capture library provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are accessible through this mechanism. It also supports saving captured packets to a ``savefile&#39;&#39;, and reading packets from a ``savefile&#39;&#39;. <a name="Opening"></a><h2 class="nroffsh">Opening a capture handle for reading</h2>
<p class="level0">To open a handle for a live capture, given the name of the network or other interface on which the capture should be done, call <span Class="bold">pcap_create</span>(), set the appropriate options on the handle, and then activate it with <span Class="bold">pcap_activate</span>().
<p class="level0">To obtain a list of devices that can be opened for a live capture, call <span Class="bold">pcap_findalldevs</span>(); to free the list returned by <span Class="bold">pcap_findalldevs</span>(), call <span Class="bold">pcap_freealldevs</span>(). <span Class="bold">pcap_lookupdev</span>() will return the first device on that list that is not a ``loopback`` network interface.
<p class="level0">To open a handle for a ``savefile&#39;&#39; from which to read packets, given the pathname of the ``savefile&#39;&#39;, call <span Class="bold">pcap_open_offline</span>(); to set up a handle for a ``savefile&#39;&#39;, given a <span Class="bold">FILE\ *</span> referring to a file already opened for reading, call <span Class="bold">pcap_fopen_offline</span>().
<p class="level0">In order to get a ``fake&#39;&#39; <span Class="bold">pcap_t</span> for use in routines that require a <span Class="bold">pcap_t</span> as an argument, such as routines to open a ``savefile&#39;&#39; for writing and to compile a filter expression, call <span Class="bold">pcap_open_dead</span>().
<p class="level0"><span Class="bold">pcap_create</span>(), <span Class="bold">pcap_open_offline</span>(), <span Class="bold">pcap_fopen_offline</span>(), and <span Class="bold">pcap_open_dead</span>() return a pointer to a <span Class="bold">pcap_t</span>, which is the handle used for reading packets from the capture stream or the ``savefile&#39;&#39;, and for finding out information about the capture stream or ``savefile&#39;&#39;. To close a handle, use <span Class="bold">pcap_close</span>().
<p class="level0">The options that can be set on a capture handle include
<p class="level0"><a name="snapshot"></a><span class="nroffip">snapshot length</span>
<p class="level1">If, when capturing, you capture the entire contents of the packet, that requires more CPU time to copy the packet to your application, more disk and possibly network bandwidth to write the packet data to a file, and more disk space to save the packet. If you don&#39;t need the entire contents of the packet - for example, if you are only interested in the TCP headers of packets - you can set the &quot;snapshot length&quot; for the capture to an appropriate value. If the snapshot length is set to <span Class="emphasis">snaplen</span>, and <span Class="emphasis">snaplen</span> is less than the size of a packet that is captured, only the first <span Class="emphasis">snaplen</span> bytes of that packet will be captured and provided as packet data.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">A snapshot length of 65535 should be sufficient, on most if not all networks, to capture all the data available from the packet.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The snapshot length is set with <span Class="bold">pcap_set_snaplen</span>().
<p class="level0"><a name="promiscuous"></a><span class="nroffip">promiscuous mode</span>
<p class="level1">On broadcast LANs such as Ethernet, if the network isn&#39;t switched, or if the adapter is connected to a &quot;mirror port&quot; on a switch to which all packets passing through the switch are sent, a network adapter receives all packets on the LAN, including unicast or multicast packets not sent to a network address that the network adapter isn&#39;t configured to recognize.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Normally, the adapter will discard those packets; however, many network adapters support &quot;promiscuous mode&quot;, which is a mode in which all packets, even if they are not sent to an address that the adapter recognizes, are provided to the host. This is useful for passively capturing traffic between two or more other hosts for analysis.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Note that even if an application does not set promiscuous mode, the adapter could well be in promiscuous mode for some other reason.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">For now, this doesn&#39;t work on the &quot;any&quot; device; if an argument of &quot;any&quot; or NULL is supplied, the setting of promiscuous mode is ignored.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Promiscuous mode is set with <span Class="bold">pcap_set_promisc</span>().
<p class="level0"><a name="monitor"></a><span class="nroffip">monitor mode</span>
<p class="level1">On IEEE 802.11 wireless LANs, even if an adapter is in promiscuous mode, it will supply to the host only frames for the network with which it&#39;s associated. It might also supply only data frames, not management or control frames, and might not provide the 802.11 header or radio information pseudo-header for those frames.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">In &quot;monitor mode&quot;, sometimes also called &quot;rfmon mode&quot; (for &quot;Radio Frequency MONitor&quot;), the adapter will supply all frames that it receives, with 802.11 headers, and might supply a pseudo-header with radio information about the frame as well.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Note that in monitor mode the adapter might disassociate from the network with which it&#39;s associated, so that you will not be able to use any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Monitor mode is set with <span Class="bold">pcap_set_rfmon</span>(), and <span Class="bold">pcap_can_set_rfmon</span>() can be used to determine whether an adapter can be put into monitor mode.
<p class="level0"><a name="packet"></a><span class="nroffip">packet buffer timeout</span>
<p class="level1">If, when capturing, packets are delivered as soon as they arrive, the application capturing the packets will be woken up for each packet as it arrives, and might have to make one or more calls to the operating system to fetch each packet.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">If, instead, packets are not delivered as soon as they arrive, but are delivered after a short delay (called a &quot;packet buffer timeout&quot;), more than one packet can be accumulated before the packets are delivered, so that a single wakeup would be done for multiple packets, and each set of calls made to the operating system would supply multiple packets, rather than a single packet. This reduces the per-packet CPU overhead if packets are arriving at a high rate, increasing the number of packets per second that can be captured.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The packet buffer timeout is required so that an application won&#39;t wait for the operating system&#39;s capture buffer to fill up before packets are delivered; if packets are arriving slowly, that wait could take an arbitrarily long period of time.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Not all platforms support a packet buffer timeout; on platforms that don&#39;t, the packet buffer timeout is ignored. A zero value for the timeout, on platforms that support a packet buffer timeout, will cause a read to wait forever to allow enough packets to arrive, with no timeout. A negative value is invalid; the result of setting the timeout to a negative value is unpredictable.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1"><span Class="bold">NOTE</span>: the packet buffer timeout cannot be used to cause calls that read packets to return within a limited period of time, because, on some platforms, the packet buffer timeout isn&#39;t supported, and, on other platforms, the timer doesn&#39;t start until at least one packet arrives. This means that the packet buffer timeout should <span Class="bold">NOT</span> be used, for example, in an interactive application to allow the packet capture loop to ``poll&#39;&#39; for user input periodically, as there&#39;s no guarantee that a call reading packets will return after the timeout expires even if no packets have arrived.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The packet buffer timeout is set with <span Class="bold">pcap_set_timeout</span>().
<p class="level0"><a name="immediate"></a><span class="nroffip">immediate mode</span>
<p class="level1">In immediate mode, packets are always delivered as soon as they arrive, with no buffering. Immediate mode is set with <span Class="bold">pcap_set_immediate_mode</span>().
<p class="level0"><a name="buffer"></a><span class="nroffip">buffer size</span>
<p class="level1">Packets that arrive for a capture are stored in a buffer, so that they do not have to be read by the application as soon as they arrive. On some platforms, the buffer&#39;s size can be set; a size that&#39;s too small could mean that, if too many packets are being captured and the snapshot length doesn&#39;t limit the amount of data that&#39;s buffered, packets could be dropped if the buffer fills up before the application can read packets from it, while a size that&#39;s too large could use more non-pageable operating system memory than is necessary to prevent packets from being dropped.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The buffer size is set with <span Class="bold">pcap_set_buffer_size</span>().
<p class="level0"><a name="timestamp"></a><span class="nroffip">timestamp type</span>
<p class="level1">On some platforms, the time stamp given to packets on live captures can come from different sources that can have different resolutions or that can have different relationships to the time values for the current time supplied by routines on the native operating system. See <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) for a list of time stamp types.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">The time stamp type is set with <span Class="bold">pcap_set_tstamp_type</span>().
<p class="level1">Reading packets from a network interface may require that you have special privileges:
<p class="level1"><span Class="bold">Under SunOS 3.x or 4.x with NIT or BPF:</span> You must have read access to <span Class="emphasis">/dev/nit</span> or <span Class="emphasis">/dev/bpf*</span>.
<p class="level1"><span Class="bold">Under Solaris with DLPI:</span> You must have read/write access to the network pseudo device, e.g. <span Class="emphasis">/dev/le</span>. On at least some versions of Solaris, however, this is not sufficient to allow <span Class="emphasis">tcpdump</span> to capture in promiscuous mode; on those versions of Solaris, you must be root, or the application capturing packets must be installed setuid to root, in order to capture in promiscuous mode. Note that, on many (perhaps all) interfaces, if you don&#39;t capture in promiscuous mode, you will not see any outgoing packets, so a capture not done in promiscuous mode may not be very useful.
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">In newer versions of Solaris, you must have been given the <span Class="bold">net_rawaccess</span> privilege; this is both necessary and sufficient to give you access to the network pseudo-device - there is no need to change the privileges on that device. A user can be given that privilege by, for example, adding that privilege to the user&#39;s <span Class="bold">defaultpriv</span> key with the <span Class="bold">usermod (@MAN_ADMIN_COMMANDS@)</span> command.
<p class="level1"><span Class="bold">Under HP-UX with DLPI:</span> You must be root or the application capturing packets must be installed setuid to root.
<p class="level1"><span Class="bold">Under IRIX with snoop:</span> You must be root or the application capturing packets must be installed setuid to root.
<p class="level1"><span Class="bold">Under Linux:</span> You must be root or the application capturing packets must be installed setuid to root (unless your distribution has a kernel that supports capability bits such as CAP_NET_RAW and code to allow those capability bits to be given to particular accounts and to cause those bits to be set on a user&#39;s initial processes when they log in, in which case you must have CAP_NET_RAW in order to capture and CAP_NET_ADMIN to enumerate network devices with, for example, the <span Class="bold">-D</span> flag).
<p class="level1"><span Class="bold">Under ULTRIX and Digital UNIX/Tru64 UNIX:</span> Any user may capture network traffic. However, no user (not even the super-user) can capture in promiscuous mode on an interface unless the super-user has enabled promiscuous-mode operation on that interface using <span Class="emphasis">pfconfig</span>(8), and no user (not even the super-user) can capture unicast traffic received by or sent by the machine on an interface unless the super-user has enabled copy-all-mode operation on that interface using <span Class="emphasis">pfconfig</span>, so <span Class="emphasis">useful</span> packet capture on an interface probably requires that either promiscuous-mode or copy-all-mode operation, or both modes of operation, be enabled on that interface.
<p class="level1"><span Class="bold">Under BSD (this includes macOS):</span> You must have read access to <span Class="emphasis">/dev/bpf*</span> on systems that don&#39;t have a cloning BPF device, or to <span Class="emphasis">/dev/bpf</span> on systems that do. On BSDs with a devfs (this includes macOS), this might involve more than just having somebody with super-user access setting the ownership or permissions on the BPF devices - it might involve configuring devfs to set the ownership or permissions every time the system is booted, if the system even supports that; if it doesn&#39;t support that, you might have to find some other way to make that happen at boot time.
<p class="level1">Reading a saved packet file doesn&#39;t require special privileges.
<p class="level1">The packets read from the handle may include a ``pseudo-header&#39;&#39; containing various forms of packet meta-data, and probably includes a link-layer header whose contents can differ for different network interfaces. To determine the format of the packets supplied by the handle, call <span Class="bold">pcap_datalink</span>(); <span Class="emphasis"><a href="https://www.tcpdump.org/linktypes.html">https://www.tcpdump.org/linktypes.html</a></span> lists the values it returns and describes the packet formats that correspond to those values.
<p class="level1">Do <span Class="bold">NOT</span> assume that the packets for a given capture or ``savefile`` will have any given link-layer header type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. For example, the &quot;any&quot; device on Linux will have a link-layer header type of <span Class="bold">DLT_LINUX_SLL</span> even if all devices on the system at the time the &quot;any&quot; device is opened have some other data link type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet.
<p class="level1">To obtain the <span Class="bold">FILE\ *</span> corresponding to a <span Class="bold">pcap_t</span> opened for a ``savefile&#39;&#39;, call <span Class="bold">pcap_file</span>().
<p class="level1"><span Class="bold">Routines</span>
<p class="level2">
<p class="level2"><a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP) get a <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) activate a <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_findalldevs.html">pcap_findalldevs</a>(3PCAP) get a list of devices that can be opened for a live capture
<p class="level2"><span Class="bold">pcap_freealldevs</span>(3PCAP) free list of devices
<p class="level2"><a Class="bold" href="./pcap_lookupdev.html">pcap_lookupdev</a>(3PCAP) get first non-loopback device on that list
<p class="level2"><a Class="bold" href="./pcap_open_offline.html">pcap_open_offline</a>(3PCAP) open a <span Class="bold">pcap_t</span> for a ``savefile&#39;&#39;, given a pathname
<p class="level2"><span Class="bold">pcap_open_offline_with_tstamp_precision</span>(3PCAP) open a <span Class="bold">pcap_t</span> for a ``savefile&#39;&#39;, given a pathname, and specify the precision to provide for packet time stamps
<p class="level2"><span Class="bold">pcap_fopen_offline</span>(3PCAP) open a <span Class="bold">pcap_t</span> for a ``savefile&#39;&#39;, given a <span Class="bold">FILE\ *</span>
<p class="level2"><span Class="bold">pcap_fopen_offline_with_tstamp_precision</span>(3PCAP) open a <span Class="bold">pcap_t</span> for a ``savefile&#39;&#39;, given a <span Class="bold">FILE\ *</span>, and specify the precision to provide for packet time stamps
<p class="level2"><a Class="bold" href="./pcap_open_dead.html">pcap_open_dead</a>(3PCAP) create a ``fake&#39;&#39; <span Class="bold">pcap_t</span>
<p class="level2"><a Class="bold" href="./pcap_close.html">pcap_close</a>(3PCAP) close a <span Class="bold">pcap_t</span>
<p class="level2"><a Class="bold" href="./pcap_set_snaplen.html">pcap_set_snaplen</a>(3PCAP) set the snapshot length for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_snapshot.html">pcap_snapshot</a>(3PCAP) get the snapshot length for a <span Class="bold">pcap_t</span>
<p class="level2"><a Class="bold" href="./pcap_set_promisc.html">pcap_set_promisc</a>(3PCAP) set promiscuous mode for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_set_protocol_linux.html">pcap_set_protocol_linux</a>(3PCAP) set capture protocol for a not-yet-activated <span Class="bold">pcap_t</span> for live capture (Linux only)
<p class="level2"><a Class="bold" href="./pcap_set_rfmon.html">pcap_set_rfmon</a>(3PCAP) set monitor mode for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_can_set_rfmon.html">pcap_can_set_rfmon</a>(3PCAP) determine whether monitor mode can be set for a <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_set_timeout.html">pcap_set_timeout</a>(3PCAP) set packet buffer timeout for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><span Class="bold">pcap_set_immediate_mode</span>(3PCAP) set immediate mode for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_set_buffer_size.html">pcap_set_buffer_size</a>(3PCAP) set buffer size for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_set_tstamp_type.html">pcap_set_tstamp_type</a>(3PCAP) set time stamp type for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_list_tstamp_types.html">pcap_list_tstamp_types</a>(3PCAP) get list of available time stamp types for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><span Class="bold">pcap_free_tstamp_types</span>(3PCAP) free list of available time stamp types
<p class="level2"><a Class="bold" href="./pcap_tstamp_type_val_to_name.html">pcap_tstamp_type_val_to_name</a>(3PCAP) get name for a time stamp type
<p class="level2"><span Class="bold">pcap_tstamp_type_val_to_description</span>(3PCAP) get description for a time stamp type
<p class="level2"><a Class="bold" href="./pcap_tstamp_type_name_to_val.html">pcap_tstamp_type_name_to_val</a>(3PCAP) get time stamp type corresponding to a name
<p class="level2"><a Class="bold" href="./pcap_set_tstamp_precision.html">pcap_set_tstamp_precision</a>(3PCAP) set time stamp precision for a not-yet-activated <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_get_tstamp_precision.html">pcap_get_tstamp_precision</a>(3PCAP) get the time stamp precision of a <span Class="bold">pcap_t</span> for live capture
<p class="level2"><a Class="bold" href="./pcap_datalink.html">pcap_datalink</a>(3PCAP) get link-layer header type for a <span Class="bold">pcap_t</span>
<p class="level2"><a Class="bold" href="./pcap_file.html">pcap_file</a>(3PCAP) get the <span Class="bold">FILE\ *</span> for a <span Class="bold">pcap_t</span> opened for a ``savefile&#39;&#39;
<p class="level2"><a Class="bold" href="./pcap_is_swapped.html">pcap_is_swapped</a>(3PCAP) determine whether a ``savefile&#39;&#39; being read came from a machine with the opposite byte order
<p class="level2"><a Class="bold" href="./pcap_major_version.html">pcap_major_version</a>(3PCAP)
<p class="level2">
<p class="level2"><span Class="bold">pcap_minor_version</span>(3PCAP) get the major and minor version of the file format version for a ``savefile&#39;&#39;
<p class="level2">
<p class="level1"><a name="Selecting"></a><h2 class="nroffsh">Selecting a link-layer header type for a live capture</h2>
<p class="level0">Some devices may provide more than one link-layer header type. To obtain a list of all link-layer header types provided by a device, call <span Class="bold">pcap_list_datalinks</span>() on an activated <span Class="bold">pcap_t</span> for the device. To free a list of link-layer header types, call <span Class="bold">pcap_free_datalinks</span>(). To set the link-layer header type for a device, call <span Class="bold">pcap_set_datalink</span>(). This should be done after the device has been activated but before any packets are read and before any filters are compiled or installed.
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_list_datalinks.html">pcap_list_datalinks</a>(3PCAP) get a list of link-layer header types for a device
<p class="level1"><span Class="bold">pcap_free_datalinks</span>(3PCAP) free list of link-layer header types
<p class="level1"><a Class="bold" href="./pcap_set_datalink.html">pcap_set_datalink</a>(3PCAP) set link-layer header type for a device
<p class="level1"><a Class="bold" href="./pcap_datalink_val_to_name.html">pcap_datalink_val_to_name</a>(3PCAP) get name for a link-layer header type
<p class="level1"><span Class="bold">pcap_datalink_val_to_description</span>(3PCAP) get description for a link-layer header type
<p class="level1"><a Class="bold" href="./pcap_datalink_name_to_val.html">pcap_datalink_name_to_val</a>(3PCAP) get link-layer header type corresponding to a name
<p class="level0"><a name="Reading"></a><h2 class="nroffsh">Reading packets</h2>
<p class="level0">Packets are read with <span Class="bold">pcap_dispatch</span>() or <span Class="bold">pcap_loop</span>(), which process one or more packets, calling a callback routine for each packet, or with <span Class="bold">pcap_next</span>() or <span Class="bold">pcap_next_ex</span>(), which return the next packet. The callback for <span Class="bold">pcap_dispatch</span>() and <span Class="bold">pcap_loop</span>() is supplied a pointer to a <span Class="emphasis">struct pcap_pkthdr</span>, which includes the following members:
<p class="level1">
<p class="level1"><span Class="bold">ts</span> a <span Class="emphasis">struct timeval</span> containing the time when the packet was captured
<p class="level1"><span Class="bold">caplen</span> a <span Class="emphasis">bpf_u_int32</span> giving the number of bytes of the packet that are available from the capture
<p class="level1"><span Class="bold">len</span> a <span Class="emphasis">bpf_u_int32</span> giving the length of the packet, in bytes (which might be more than the number of bytes available from the capture, if the length of the packet is larger than the maximum number of bytes to capture).
<p class="level0">
<p class="level0">The callback is also supplied a <span Class="emphasis">const u_char</span> pointer to the first <span Class="bold">caplen</span> (as given in the <span Class="emphasis">struct pcap_pkthdr</span> mentioned above) bytes of data from the packet. This won&#39;t necessarily be the entire packet; to capture the entire packet, you will have to provide a value for <span Class="emphasis">snaplen</span> in your call to <span Class="bold">pcap_set_snaplen</span>() that is sufficiently large to get all of the packet&#39;s data - a value of 65535 should be sufficient on most if not all networks). When reading from a ``savefile&#39;&#39;, the snapshot length specified when the capture was performed will limit the amount of packet data available.
<p class="level0"><span Class="bold">pcap_next</span>() is passed an argument that points to a <span Class="emphasis">struct pcap_pkthdr</span> structure, and fills it in with the time stamp and length values for the packet. It returns a <span Class="emphasis">const u_char</span> to the first <span Class="bold">caplen</span> bytes of the packet on success, and NULL on error.
<p class="level0"><span Class="bold">pcap_next_ex</span>() is passed two pointer arguments, one of which points to a <span Class="emphasis">struct</span>pcap_pkthdr<a class="emphasis" href="#">*</a> and one of which points to a <span Class="emphasis">const u_char</span>*. It sets the first pointer to point to a <span Class="emphasis">struct pcap_pkthdr</span> structure with the time stamp and length values for the packet, and sets the second pointer to point to the first <span Class="bold">caplen</span> bytes of the packet.
<p class="level0">To force the loop in <span Class="bold">pcap_dispatch</span>() or <span Class="bold">pcap_loop</span>() to terminate, call <span Class="bold">pcap_breakloop</span>().
<p class="level0">By default, when reading packets from an interface opened for a live capture, <span Class="bold">pcap_dispatch</span>(), <span Class="bold">pcap_next</span>(), and <span Class="bold">pcap_next_ex</span>() will, if no packets are currently available to be read, block waiting for packets to become available. On some, but <span Class="emphasis">not</span> all, platforms, if a packet buffer timeout was specified, the wait will terminate after the packet buffer timeout expires; applications should be prepared for this, as it happens on some platforms, but should not rely on it, as it does not happen on other platforms. Note that the wait might, or might not, terminate even if no packets are available; applications should be prepared for this to happen, but must not rely on it happening.
<p class="level0">A handle can be put into ``non-blocking mode&#39;&#39;, so that those routines will, rather than blocking, return an indication that no packets are available to read. Call <span Class="bold">pcap_setnonblock</span>() to put a handle into non-blocking mode or to take it out of non-blocking mode; call <span Class="bold">pcap_getnonblock</span>() to determine whether a handle is in non-blocking mode. Note that non-blocking mode does not work correctly in Mac OS X 10.6.
<p class="level0">Non-blocking mode is often combined with routines such as <span Class="bold">select</span>(2) or <span Class="bold">poll</span>(2) or other routines a platform offers to wait for any of a set of descriptors to be ready to read. To obtain, for a handle, a descriptor that can be used in those routines, call <span Class="bold">pcap_get_selectable_fd</span>(). If the routine indicates that data is available to read on the descriptor, an attempt should be made to read from the device.
<p class="level0">Not all handles have such a descriptor available; <span Class="bold">pcap_get_selectable_fd</span>() will return <span Class="bold">PCAP_ERROR</span> if no such descriptor is available. If no such descriptor is available, this may be because the device must be polled periodically for packets; in that case, <span Class="bold">pcap_get_required_select_timeout</span>() will return a pointer to a <span Class="bold">struct timeval</span> whose value can be used as a timeout in those routines. When the routine returns, an attmept should be made to read packets from the device. If <span Class="bold">pcap_get_required_select_timeout</span>() returns NULL, no such timeout is available, and those routines cannot be used with the device.
<p class="level0">In addition, for various reasons, one or more of those routines will not work properly with the descriptor; the documentation for <span Class="bold">pcap_get_selectable_fd</span>() gives details. Note that, just as an attempt to read packets from a <span Class="bold">pcap_t</span> may not return any packets if the packet buffer timeout expires, a <span Class="bold">select</span>(), <span Class="bold">poll</span>(), or other such call may, if the packet buffer timeout expires, indicate that a descriptor is ready to read even if there are no packets available to read.
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><span Class="bold">pcap_dispatch</span>(3PCAP) read a bufferful of packets from a <span Class="bold">pcap_t</span> open for a live capture or the full set of packets from a <span Class="bold">pcap_t</span> open for a ``savefile&#39;&#39;
<p class="level1"><a Class="bold" href="./pcap_loop.html">pcap_loop</a>(3PCAP) read packets from a <span Class="bold">pcap_t</span> until an interrupt or error occurs
<p class="level1"><span Class="bold">pcap_next</span>(3PCAP) read the next packet from a <span Class="bold">pcap_t</span> without an indication whether an error occurred
<p class="level1"><a Class="bold" href="./pcap_next_ex.html">pcap_next_ex</a>(3PCAP) read the next packet from a <span Class="bold">pcap_t</span> with an error indication on an error
<p class="level1"><a Class="bold" href="./pcap_breakloop.html">pcap_breakloop</a>(3PCAP) prematurely terminate the loop in <span Class="bold">pcap_dispatch</span>() or <span Class="bold">pcap_loop</span>()
<p class="level1"><a Class="bold" href="./pcap_setnonblock.html">pcap_setnonblock</a>(3PCAP) set or clear non-blocking mode on a <span Class="bold">pcap_t</span>
<p class="level1"><span Class="bold">pcap_getnonblock</span>(3PCAP) get the state of non-blocking mode for a <span Class="bold">pcap_t</span>
<p class="level1"><a Class="bold" href="./pcap_get_selectable_fd.html">pcap_get_selectable_fd</a>(3PCAP) attempt to get a descriptor for a <span Class="bold">pcap_t</span> that can be used in calls such as <span Class="bold">select</span>(2) and <span Class="bold">poll</span>(2)
<p class="level1"><a Class="bold" href="./pcap_get_required_select_timeout.html">pcap_get_required_select_timeout</a>(3PCAP) if no descriptor usable with <span Class="bold">select</span>(2) and <span Class="bold">poll</span>(2) is available for the <span Class="bold">pcap_t</span>, attempt to get a timeout usable with those routines
<p class="level0"><a name="Filters"></a><h2 class="nroffsh">Filters</h2>
<p class="level0">In order to cause only certain packets to be returned when reading packets, a filter can be set on a handle. For a live capture, the filtering will be performed in kernel mode, if possible, to avoid copying ``uninteresting&#39;&#39; packets from the kernel to user mode.
<p class="level0">A filter can be specified as a text string; the syntax and semantics of the string are as described by <a Class="bold" href="./pcap-filter.html">pcap-filter</a>(7). A filter string is compiled into a program in a pseudo-machine-language by <span Class="bold">pcap_compile</span>() and the resulting program can be made a filter for a handle with <span Class="bold">pcap_setfilter</span>(). The result of <span Class="bold">pcap_compile</span>() can be freed with a call to <span Class="bold">pcap_freecode</span>(). <span Class="bold">pcap_compile</span>() may require a network mask for certain expressions in the filter string; <span Class="bold">pcap_lookupnet</span>() can be used to find the network address and network mask for a given capture device.
<p class="level0">A compiled filter can also be applied directly to a packet that has been read using <span Class="bold">pcap_offline_filter</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_compile.html">pcap_compile</a>(3PCAP) compile filter expression to a pseudo-machine-language code program
<p class="level1"><a Class="bold" href="./pcap_freecode.html">pcap_freecode</a>(3PCAP) free a filter program
<p class="level1"><a Class="bold" href="./pcap_setfilter.html">pcap_setfilter</a>(3PCAP) set filter for a <span Class="bold">pcap_t</span>
<p class="level1"><a Class="bold" href="./pcap_lookupnet.html">pcap_lookupnet</a>(3PCAP) get network address and network mask for a capture device
<p class="level1"><a Class="bold" href="./pcap_offline_filter.html">pcap_offline_filter</a>(3PCAP) apply a filter program to a packet
<p class="level0"><a name="Incoming"></a><h2 class="nroffsh">Incoming and outgoing packets</h2>
<p class="level0">By default, libpcap will attempt to capture both packets sent by the machine and packets received by the machine. To limit it to capturing only packets received by the machine or, if possible, only packets sent by the machine, call <span Class="bold">pcap_setdirection</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_setdirection.html">pcap_setdirection</a>(3PCAP) specify whether to capture incoming packets, outgoing packets, or both
<p class="level0"><a name="Capture"></a><h2 class="nroffsh">Capture statistics</h2>
<p class="level0">To get statistics about packets received and dropped in a live capture, call <span Class="bold">pcap_stats</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_stats.html">pcap_stats</a>(3PCAP) get capture statistics
<p class="level0"><a name="Opening"></a><h2 class="nroffsh">Opening a handle for writing captured packets</h2>
<p class="level0">To open a ``savefile`` to which to write packets, given the pathname the ``savefile&#39;&#39; should have, call <span Class="bold">pcap_dump_open</span>(). To open a ``savefile`` to which to write packets, given the pathname the ``savefile&#39;&#39; should have, call <span Class="bold">pcap_dump_open</span>(); to set up a handle for a ``savefile&#39;&#39;, given a <span Class="bold">FILE\ *</span> referring to a file already opened for writing, call <span Class="bold">pcap_dump_fopen</span>(). They each return pointers to a <span Class="bold">pcap_dumper_t</span>, which is the handle used for writing packets to the ``savefile&#39;&#39;. If it succeeds, it will have created the file if it doesn&#39;t exist and truncated the file if it does exist. To close a <span Class="bold">pcap_dumper_t</span>, call <span Class="bold">pcap_dump_close</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>(3PCAP) open a <span Class="bold">pcap_dumper_t</span> for a ``savefile``, given a pathname
<p class="level1"><span Class="bold">pcap_dump_fopen</span>(3PCAP) open a <span Class="bold">pcap_dumper_t</span> for a ``savefile``, given a <span Class="bold">FILE\ *</span>
<p class="level1"><a Class="bold" href="./pcap_dump_close.html">pcap_dump_close</a>(3PCAP) close a <span Class="bold">pcap_dumper_t</span>
<p class="level1"><a Class="bold" href="./pcap_dump_file.html">pcap_dump_file</a>(3PCAP) get the <span Class="bold">FILE\ *</span> for a <span Class="bold">pcap_dumper_t</span> opened for a ``savefile&#39;&#39;
<p class="level0"><a name="Writing"></a><h2 class="nroffsh">Writing packets</h2>
<p class="level0">To write a packet to a <span Class="bold">pcap_dumper_t</span>, call <span Class="bold">pcap_dump</span>(). Packets written with <span Class="bold">pcap_dump</span>() may be buffered, rather than being immediately written to the ``savefile&#39;&#39;. Closing the <span Class="bold">pcap_dumper_t</span> will cause all buffered-but-not-yet-written packets to be written to the ``savefile&#39;&#39;. To force all packets written to the <span Class="bold">pcap_dumper_t</span>, and not yet written to the ``savefile&#39;&#39; because they&#39;re buffered by the <span Class="bold">pcap_dumper_t</span>, to be written to the ``savefile&#39;&#39;, without closing the <span Class="bold">pcap_dumper_t</span>, call <span Class="bold">pcap_dump_flush</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_dump.html">pcap_dump</a>(3PCAP) write packet to a <span Class="bold">pcap_dumper_t</span>
<p class="level1"><a Class="bold" href="./pcap_dump_flush.html">pcap_dump_flush</a>(3PCAP) flush buffered packets written to a <span Class="bold">pcap_dumper_t</span> to the ``savefile&#39;&#39;
<p class="level1"><a Class="bold" href="./pcap_dump_ftell.html">pcap_dump_ftell</a>(3PCAP) get current file position for a <span Class="bold">pcap_dumper_t</span>
<p class="level0"><a name="Injecting"></a><h2 class="nroffsh">Injecting packets</h2>
<p class="level0">If you have the required privileges, you can inject packets onto a network with a <span Class="bold">pcap_t</span> for a live capture, using <span Class="bold">pcap_inject</span>() or <span Class="bold">pcap_sendpacket</span>(). (The two routines exist for compatibility with both OpenBSD and WinPcap; they perform the same function, but have different return values.)
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_inject.html">pcap_inject</a>(3PCAP)
<p class="level1">
<p class="level1"><span Class="bold">pcap_sendpacket</span>(3PCAP) transmit a packet
<p class="level1">
<p class="level0"><a name="Reporting"></a><h2 class="nroffsh">Reporting errors</h2>
<p class="level0">Some routines return error or warning status codes; to convert them to a string, use <span Class="bold">pcap_statustostr</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_statustostr.html">pcap_statustostr</a>(3PCAP) get a string for an error or warning status code
<p class="level0"><a name="Getting"></a><h2 class="nroffsh">Getting library version information</h2>
<p class="level0">To get a string giving version information about libpcap, call <span Class="bold">pcap_lib_version</span>().
<p class="level0"><span Class="bold">Routines</span>
<p class="level1">
<p class="level1"><a Class="bold" href="./pcap_lib_version.html">pcap_lib_version</a>(3PCAP) get library version string
<p class="level0"><a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">In versions of libpcap prior to 1.0, the <span Class="bold">pcap.h</span> header file was not in a <span Class="bold">pcap</span> directory on most platforms; if you are writing an application that must work on versions of libpcap prior to 1.0, include <span Class="bold">&lt;pcap.h&gt;</span>, which will include <span Class="bold">&lt;pcap/pcap.h&gt;</span> for you, rather than including <span Class="bold">&lt;pcap/pcap.h&gt;</span>.
<p class="level0"><span Class="bold">pcap_create</span>() and <span Class="bold">pcap_activate</span>() were not available in versions of libpcap prior to 1.0; if you are writing an application that must work on versions of libpcap prior to 1.0, either use <span Class="bold">pcap_open_live</span>() to get a handle for a live capture or, if you want to be able to use the additional capabilities offered by using <span Class="bold">pcap_create</span>() and <span Class="bold">pcap_activate</span>(), use an <span Class="bold">autoconf</span>(1) script or some other configuration script to check whether the libpcap 1.0 APIs are available and use them only if they are. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><span Class="bold">autoconf</span>(1), <span Class="bold">tcpdump</span>(1), <span Class="bold">tcpslice</span>(1), <a Class="bold" href="./pcap-filter.html">pcap-filter</a>(7), <span Class="bold">pfconfig</span>(8), <span Class="bold">usermod</span>(@MAN_ADMIN_COMMANDS@) <a name="AUTHORS"></a><h2 class="nroffsh">AUTHORS</h2>
<p class="level0">The original authors of libpcap are:
<p class="level0">Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
<p class="level0">The current version is available from &quot;The Tcpdump Group&quot;&#39;s Web site at
<p class="level0">
<p class="level1"><span Class="emphasis"><a href="https://www.tcpdump.org/">https://www.tcpdump.org/</a></span>
<p class="level0"><a name="BUGS"></a><h2 class="nroffsh">BUGS</h2>
<p class="level0">To report a security issue please send an e-mail to security@tcpdump.org.
<p class="level0">To report bugs and other problems, contribute patches, request a feature, provide generic feedback etc please see the file <span Class="emphasis">CONTRIBUTING</span> in the libpcap source tree root. <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

79
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_activate.html Normal file
View File

@@ -0,0 +1,79 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_activate - activate a capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_activate(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_activate()</span> is used to activate a packet capture handle to look at packets on the network, with the options that were set on the handle being in effect. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_activate()</span> returns 0 on success without warnings, a non-zero positive value on success with warnings, and a negative value on error. A non-zero return value indicates what warning or error condition occurred.
<p class="level0">The possible warning values are:
<p class="level0"><span Class="bold">PCAP_WARNING_PROMISC_NOTSUP</span> Promiscuous mode was requested, but the capture source doesn&#39;t support promiscuous mode.
<p class="level0"><span Class="bold">PCAP_WARNING_TSTAMP_TYPE_NOTSUP</span> The time stamp type specified in a previous <a Class="bold" href="./pcap_set_tstamp_type.html">pcap_set_tstamp_type</a> call isn&#39;t supported by the capture source (the time stamp type is left as the default),
<p class="level0"><span Class="bold">PCAP_WARNING</span> Another warning condition occurred; <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display a message describing the warning condition.
<p class="level0">The possible error values are:
<p class="level0"><span Class="bold">PCAP_ERROR_ACTIVATED</span> The handle has already been activated.
<p class="level0"><span Class="bold">PCAP_ERROR_NO_SUCH_DEVICE</span> The capture source specified when the handle was created doesn&#39;t exist.
<p class="level0"><span Class="bold">PCAP_ERROR_PERM_DENIED</span> The process doesn&#39;t have permission to open the capture source.
<p class="level0"><span Class="bold">PCAP_ERROR_PROMISC_PERM_DENIED</span> The process has permission to open the capture source but doesn&#39;t have permission to put it into promiscuous mode.
<p class="level0"><span Class="bold">PCAP_ERROR_RFMON_NOTSUP</span> Monitor mode was specified but the capture source doesn&#39;t support monitor mode.
<p class="level0"><span Class="bold">PCAP_ERROR_IFACE_NOT_UP</span> The capture source device is not up.
<p class="level0"><span Class="bold">PCAP_ERROR</span> Another error occurred. <span Class="bold">pcap_geterr()</span> or <span Class="bold">pcap_perror()</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display a message describing the error.
<p class="level0">If <span Class="bold">PCAP_WARNING_PROMISC_NOTSUP</span>, <span Class="bold">PCAP_ERROR_NO_SUCH_DEVICE</span>, or <span Class="bold">PCAP_ERROR_PERM_DENIED</span> is returned, <span Class="bold">pcap_geterr()</span> or <span Class="bold">pcap_perror()</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display an message giving additional details about the problem that might be useful for debugging the problem if it&#39;s unexpected.
<p class="level0">Additional warning and error codes may be added in the future; a program should check for positive, negative, and zero return codes, and treat all positive return codes as warnings and all negative return codes as errors. <a Class="bold" href="./pcap_statustostr.html">pcap_statustostr</a> can be called, with a warning or error code as an argument, to fetch a message describing the warning or error code. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

70
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_breakloop.html Normal file
View File

@@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_breakloop - force a pcap_dispatch() or pcap_loop() call to return <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
void pcap_breakloop(pcap_t *);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_breakloop()</span> sets a flag that will force <span Class="bold">pcap_dispatch(3PCAP)</span> or <a Class="bold" href="./pcap_loop.html">pcap_loop</a> to return rather than looping; they will return the number of packets that have been processed so far, or <span Class="bold">PCAP_ERROR_BREAK</span> if no packets have been processed so far.
<p class="level0">This routine is safe to use inside a signal handler on UNIX or a console control handler on Windows, as it merely sets a flag that is checked within the loop.
<p class="level0">The flag is checked in loops reading packets from the OS - a signal by itself will not necessarily terminate those loops - as well as in loops processing a set of packets returned by the OS. Note that if you are catching signals on UNIX systems that support restarting system calls after a signal, and calling pcap_breakloop() in the signal handler, you must specify, when catching those signals, that system calls should NOT be restarted by that signal. Otherwise, if the signal interrupted a call reading packets in a live capture, when your signal handler returns after calling pcap_breakloop(), the call will be restarted, and the loop will not terminate until more packets arrive and the call completes.
<p class="level0">Note also that, in a multi-threaded application, if one thread is blocked in pcap_dispatch(), pcap_loop(), pcap_next(3PCAP), or pcap_next_ex(3PCAP), a call to pcap_breakloop() in a different thread will not unblock that thread. You will need to use whatever mechanism the OS provides for breaking a thread out of blocking calls in order to unblock the thread, such as thread cancellation or thread signalling in systems that support POSIX threads, or <span Class="bold">SetEvent()</span> on the result of <span Class="bold">pcap_getevent()</span> on a <span Class="bold">pcap_t</span> on which the thread is blocked on Windows. Asynchronous procedure calls will not work on Windows, as a thread blocked on a <span Class="bold">pcap_t</span> will not be in an alertable state.
<p class="level0">Note that <span Class="bold">pcap_next()</span> and <span Class="bold">pcap_next_ex()</span> will, on some platforms, loop reading packets from the OS; that loop will not necessarily be terminated by a signal, so <span Class="bold">pcap_breakloop()</span> should be used to terminate packet processing even if <span Class="bold">pcap_next()</span> or <span Class="bold">pcap_next_ex()</span> is being used.
<p class="level0"><span Class="bold">pcap_breakloop()</span> does not guarantee that no further packets will be processed by <span Class="bold">pcap_dispatch()</span> or <span Class="bold">pcap_loop()</span> after it is called; at most one more packet might be processed.
<p class="level0">If <span Class="bold">PCAP_ERROR_BREAK</span> is returned from <span Class="bold">pcap_dispatch()</span> or <span Class="bold">pcap_loop()</span>, the flag is cleared, so a subsequent call will resume reading packets. If a positive number is returned, the flag is not cleared, so a subsequent call will return <span Class="bold">PCAP_ERROR_BREAK</span> and clear the flag. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

70
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_can_set_rfmon.html Normal file
View File

@@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_can_set_rfmon - check whether monitor mode can be set for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_can_set_rfmon(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_can_set_rfmon()</span> checks whether monitor mode could be set on a capture handle when the handle is activated. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_can_set_rfmon()</span> returns 0 if monitor mode could not be set, 1 if monitor mode could be set, and a negative value on error. A negative return value indicates what error condition occurred. The possible error values are:
<p class="level0"><span Class="bold">PCAP_ERROR_NO_SUCH_DEVICE</span> The capture source specified when the handle was created doesn&#39;t exist.
<p class="level0"><span Class="bold">PCAP_ERROR_PERM_DENIED</span> The process doesn&#39;t have permission to check whether monitor mode could be supported.
<p class="level0"><span Class="bold">PCAP_ERROR_ACTIVATED</span> The capture handle has already been activated.
<p class="level0"><span Class="bold">PCAP_ERROR</span> Another error occurred. <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">\%pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display a message describing the error.
<p class="level0">Additional error codes may be added in the future; a program should check for 0, 1, and negative, return codes, and treat all negative return codes as errors. <a Class="bold" href="./pcap_statustostr.html">pcap_statustostr</a> can be called, with a warning or error code as an argument, to fetch a message describing the warning or error code. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP), <a Class="bold" href="./pcap_set_rfmon.html">pcap_set_rfmon</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

64
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_close.html Normal file
View File

@@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_close - close a capture device or savefile <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
void pcap_close(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_close()</span> closes the files associated with <span Class="emphasis">p</span> and deallocates resources. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

69
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_compile.html Normal file
View File

@@ -0,0 +1,69 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_compile - compile a filter expression <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_compile(pcap_t *p, struct bpf_program *fp,
&nbsp;&nbsp;&nbsp;&nbsp;const char *str, int optimize, bpf_u_int32 netmask);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_compile()</span> is used to compile the string <span Class="emphasis">str</span> into a filter program. See <a Class="bold" href="./pcap-filter.html">pcap-filter</a>(7) for the syntax of that string. <span Class="emphasis">program</span> is a pointer to a <span Class="emphasis">bpf_program</span> struct and is filled in by <span Class="bold">pcap_compile()</span>. <span Class="emphasis">optimize</span> controls whether optimization on the resulting code is performed. <span Class="emphasis">netmask</span> specifies the IPv4 netmask of the network on which packets are being captured; it is used only when checking for IPv4 broadcast addresses in the filter program. If the netmask of the network on which packets are being captured isn&#39;t known to the program, or if packets are being captured on the Linux &quot;any&quot; pseudo-interface that can capture on more than one network, a value of <span Class="bold">PCAP_NETMASK_UNKNOWN</span> can be supplied; tests for IPv4 broadcast addresses will fail to compile, but all other tests in the filter program will be OK.
<p class="level0">NOTE: in libpcap 1.8.0 and later, <span Class="bold">pcap_compile()</span> can be used in multiple threads within a single process. However, in earlier versions of libpcap, it is <span Class="emphasis">not</span> safe to use <span Class="bold">pcap_compile()</span> in multiple threads in a single process without some form of mutual exclusion allowing only one thread to call it at any given time. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_compile()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">The <span Class="bold">PCAP_NETMASK_UNKNOWN</span> constant became available in libpcap release 1.1.0. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_setfilter.html">pcap_setfilter</a>(3PCAP), <a Class="bold" href="./pcap_freecode.html">pcap_freecode</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

68
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_create.html Normal file
View File

@@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_create - create a live capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap_create(const char *source, char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_create()</span> is used to create a packet capture handle to look at packets on the network. <span Class="emphasis">source</span> is a string that specifies the network device to open; on Linux systems with 2.2 or later kernels, a <span Class="emphasis">source</span> argument of &quot;any&quot; or <span Class="bold">NULL</span> can be used to capture packets from all interfaces.
<p class="level0">The returned handle must be activated with <a Class="bold" href="./pcap_activate.html">pcap_activate</a> before packets can be captured with it; options for the capture, such as promiscuous mode, can be set on the handle before activating it. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_create()</span> returns a <span Class="emphasis">pcap_t *</span> on success and <span Class="bold">NULL</span> on failure. If <span Class="bold">NULL</span> is returned, <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

68
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_datalink.html Normal file
View File

@@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_datalink - get the link-layer header type <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_datalink(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_datalink()</span> returns the link-layer header type for the live capture or ``savefile&#39;&#39; specified by <span Class="emphasis">p</span>.
<p class="level0">It must not be called on a pcap descriptor created by <span Class="bold">\%pcap_create(3PCAP)</span> that has not yet been activated by <span Class="bold">\%pcap_activate(3PCAP)</span>.
<p class="level0"><span Class="emphasis"><a href="https://www.tcpdump.org/linktypes.html">https://www.tcpdump.org/linktypes.html</a></span> lists the values <span Class="bold">pcap_datalink()</span> can return and describes the packet formats that correspond to those values.
<p class="level0">Do <span Class="bold">NOT</span> assume that the packets for a given capture or ``savefile`` will have any given link-layer header type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. For example, the &quot;any&quot; device on Linux will have a link-layer header type of <span Class="bold">DLT_LINUX_SLL</span> even if all devices on the system at the time the &quot;any&quot; device is opened have some other data link type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_datalink()</span> returns the link-layer header type on success and <span Class="bold">PCAP_ERROR_NOT_ACTIVATED</span> if called on a capture handle that has been created but not activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap-linktype.html">pcap-linktype</a>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_datalink_name_to_val.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_datalink_name_to_val - get the link-layer header type value corresponding to a header type name <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_datalink_name_to_val(const char *name);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_datalink_name_to_val()</span> translates a link-layer header type name, which is a <span Class="bold">DLT_</span> name with the <span Class="bold">DLT_</span> removed, to the corresponding link-layer header type value. The translation is case-insensitive. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_datalink_name_to_val()</span> returns the type value on success and <span Class="bold">PCAP_ERROR</span> if the name is not a known type name.. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

68
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_datalink_val_to_name.html Normal file
View File

@@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_datalink_val_to_name, pcap_datalink_val_to_description, pcap_datalink_val_to_description_or_dlt - get a name or description for a link-layer header type value <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap.h&gt;
const char *pcap_datalink_val_to_name(int dlt);
const char *pcap_datalink_val_to_description(int dlt);
const char *pcap_datalink_val_to_description_or_dlt(int dlt);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_datalink_val_to_name()</span> translates a link-layer header type value to the corresponding link-layer header type name, which is the <span Class="bold">DLT_</span> name for the link-layer header type value with the <span Class="bold">DLT_</span> removed. <span Class="bold">NULL</span> is returned if the type value does not correspond to a known <span Class="bold">DLT_</span> value.
<p class="level0"><span Class="bold">pcap_datalink_val_to_description()</span> translates a link-layer header type value to a short description of that link-layer header type. <span Class="bold">NULL</span> is returned if the type value does not correspond to a known <span Class="bold">DLT_</span> value.
<p class="level0"><span Class="bold">pcap_datalink_val_to_description_or_dlt()</span> translates a link-layer header type value to a short description of that link-layer header type just like pcap_datalink_val_to_description. If the type value does not correspond to a known <span Class="bold">DLT_</span> value, the string &quot;DLT n&quot; is returned, where n is the value of the dlt argument. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_dump.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump - write a packet to a capture file <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
void pcap_dump(u_char *user, struct pcap_pkthdr *h,
&nbsp;&nbsp;&nbsp;&nbsp;u_char *sp);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump()</span> outputs a packet to the ``savefile&#39;&#39; opened with <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>. Note that its calling arguments are suitable for use with <span Class="bold">pcap_dispatch(3PCAP)</span> or <a Class="bold" href="./pcap_loop.html">pcap_loop</a>. If called directly, the <span Class="emphasis">user</span> parameter is of type <span Class="bold">pcap_dumper_t</span> as returned by <span Class="bold">pcap_dump_open()</span>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

64
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_dump_close.html Normal file
View File

@@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump_close - close a savefile being written to <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
void pcap_dump_close(pcap_dumper_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump_close()</span> closes the ``savefile.&#39;&#39; <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>(3PCAP), <a Class="bold" href="./pcap_dump.html">pcap_dump</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

64
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_dump_file.html Normal file
View File

@@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump_file - get the standard I/O stream for a savefile being written <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
FILE *pcap_dump_file(pcap_dumper_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump_file()</span> returns the standard I/O stream of the ``savefile&#39;&#39; opened by <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_dump_flush.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump_flush - flush to a savefile packets dumped <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_dump_flush(pcap_dumper_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump_flush()</span> flushes the output buffer to the ``savefile,&#39;&#39; so that any packets written with <a Class="bold" href="./pcap_dump.html">pcap_dump</a> but not yet written to the ``savefile&#39;&#39; will be written. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_dump_flush()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_dump_ftell.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump_ftell, pcap_dump_ftell64 - get the current file offset for a savefile being written <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
long pcap_dump_ftell(pcap_dumper_t *p);
int64_t pcap_dump_ftell64(pcap_dumper_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump_ftell()</span> returns the current file position for the ``savefile&#39;&#39;, representing the number of bytes written by <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a> and <a Class="bold" href="./pcap_dump.html">pcap_dump</a>. <span Class="bold">PCAP_ERROR</span> is returned on error. If the current file position does not fit in a <span Class="bold">long</span>, it will be truncated; this can happen on 32-bit UNIX-like systems with large file support and on Windows. <span Class="bold">pcap_dump_ftell64()</span> returns the current file position in a <span Class="bold">int64_t</span>, so if file offsets that don&#39;t fit in a <span Class="bold">long</span> but that fit in a <span Class="bold">int64_t</span> are supported, this will return the file offset without truncation. <span Class="bold">PCAP_ERROR</span> is returned on error. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

73
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_dump_open.html Normal file
View File

@@ -0,0 +1,73 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_dump_open, pcap_dump_fopen - open a file to which to write packets <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname);
pcap_dumper_t *pcap_dump_open_append(pcap_t *p, const char *fname);
pcap_dumper_t *pcap_dump_fopen(pcap_t *p, FILE *fp);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_dump_open()</span> is called to open a ``savefile&#39;&#39; for writing. <span Class="emphasis">fname</span> specifies the name of the file to open. The file will have the same format as those used by <span Class="bold">tcpdump</span>(1) and <span Class="bold">tcpslice</span>(1). The name &quot;-&quot; is a synonym for <span Class="bold">stdout</span>.
<p class="level0"><span Class="bold">pcap_dump_fopen()</span> is called to write data to an existing open stream <span Class="emphasis">fp</span>; this stream will be closed by a subsequent call to <a Class="bold" href="./pcap_dump_close.html">pcap_dump_close</a>. Note that on Windows, that stream should be opened in binary mode.
<p class="level0"><span Class="emphasis">p</span> is a capture or ``savefile&#39;&#39; handle returned by an earlier call to <a Class="bold" href="./pcap_create.html">pcap_create</a> and activated by an earlier call to <span Class="bold">\%pcap_activate(3PCAP)</span>, or returned by an earlier call to <span Class="bold">\%pcap_open_offline(3PCAP)</span>, <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>, or <a Class="bold" href="./pcap_open_dead.html">pcap_open_dead</a>. The time stamp precision, link-layer type, and snapshot length from <span Class="emphasis">p</span> are used as the link-layer type and snapshot length of the output file.
<p class="level0"><span Class="bold">pcap_dump_open_append()</span> is like <span Class="bold">pcap_dump_open()</span> but does not create the file if it does not exist and, if it does already exist, and is a pcap file with the same byte order as the host opening the file, and has the same time stamp precision, link-layer header type, and snapshot length as <span Class="emphasis">p</span>, it will write new packets at the end of the file. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUES</h2>
<p class="level0">A pointer to a <span Class="bold">pcap_dumper_t</span> structure to use in subsequent <a Class="bold" href="./pcap_dump.html">pcap_dump</a> and <a Class="bold" href="./pcap_dump_close.html">pcap_dump_close</a> calls is returned on success. <span Class="bold">NULL</span> is returned on failure. If <span Class="bold">NULL</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> can be used to get the error text. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">The <span Class="bold">pcap_dump_open_append()</span> function became available in libpcap release 1.7.2. In previous releases, there is no support for appending packets to an existing savefile. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <span Class="bold">\%pcap-savefile</span>(5) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_file.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_file - get the standard I/O stream for a savefile being read <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
FILE *pcap_file(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_file()</span> returns the standard I/O stream of the ``savefile,&#39;&#39; if a ``savefile&#39;&#39; was opened with <a Class="bold" href="./pcap_open_offline.html">pcap_open_offline</a>, or <span Class="bold">NULL</span>, if a network device was opened with <a Class="bold" href="./pcap_create.html">pcap_create</a> and <span Class="bold">\%pcap_activate(3PCAP)</span>, or with <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>.
<p class="level0">Note that the Packet Capture library is usually built with large file support, so the standard I/O stream of the ``savefile&#39;&#39; might refer to a file larger than 2 gigabytes; applications that use <span Class="bold">pcap_file()</span> should, if possible, use calls that support large files on the return value of <span Class="bold">pcap_file()</span> or the value returned by <span Class="bold">fileno(3)</span> when passed the return value of <span Class="bold">pcap_file()</span>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_fileno.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_fileno - get the file descriptor for a live capture <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_fileno(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">If <span Class="emphasis">p</span> refers to a network device that was opened for a live capture using a combination of <a Class="bold" href="./pcap_create.html">pcap_create</a> and <a Class="bold" href="./pcap_activate.html">pcap_activate</a>, or using <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>, <span Class="bold">pcap_fileno()</span> returns the file descriptor from which captured packets are read.
<p class="level0">If <span Class="emphasis">p</span> refers to a ``savefile&#39;&#39; that was opened using functions such as <a Class="bold" href="./pcap_open_offline.html">pcap_open_offline</a> or <span Class="bold">pcap_fopen_offline(3PCAP)</span>, a ``dead&#39;&#39; <span Class="bold">pcap_t</span> opened using <a Class="bold" href="./pcap_open_dead.html">pcap_open_dead</a>, or a <span Class="bold">pcap_t</span> that was created with <span Class="bold">pcap_create()</span> but that has not yet been activated with <span Class="bold">pcap_activate()</span>, it returns <span Class="bold">PCAP_ERROR</span>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

99
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_findalldevs.html Normal file
View File

@@ -0,0 +1,99 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_findalldevs, pcap_freealldevs - get a list of capture devices, and free that list <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf);
void pcap_freealldevs(pcap_if_t *alldevs);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_findalldevs()</span> constructs a list of network devices that can be opened with <a Class="bold" href="./pcap_create.html">pcap_create</a> and <a Class="bold" href="./pcap_activate.html">pcap_activate</a> or with <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>. (Note that there may be network devices that cannot be opened by the process calling <span Class="bold">pcap_findalldevs()</span>, because, for example, that process does not have sufficient privileges to open them for capturing; if so, those devices will not appear on the list.) If <span Class="bold">pcap_findalldevs()</span> succeeds, the pointer pointed to by <span Class="emphasis">alldevsp</span> is set to point to the first element of the list, or to <span Class="bold">NULL</span> if no devices were found (this is considered success). Each element of the list is of type <span Class="bold">pcap_if_t</span>, and has the following members:
<p class="level1">
<p class="level1"><span Class="bold">next</span> if not <span Class="bold">NULL</span>, a pointer to the next element in the list; <span Class="bold">NULL</span> for the last element of the list
<p class="level1"><span Class="bold">name</span> a pointer to a string giving a name for the device to pass to <span Class="bold">pcap_open_live()</span>
<p class="level1"><span Class="bold">description</span> if not <span Class="bold">NULL</span>, a pointer to a string giving a human-readable description of the device
<p class="level1"><span Class="bold">addresses</span> a pointer to the first element of a list of network addresses for the device, or <span Class="bold">NULL</span> if the device has no addresses
<p class="level1"><span Class="bold">flags</span> device flags:
<p class="level2">
<p class="level2"><span Class="bold">PCAP_IF_LOOPBACK</span> set if the device is a loopback interface
<p class="level2"><span Class="bold">PCAP_IF_UP</span> set if the device is up
<p class="level2"><span Class="bold">PCAP_IF_RUNNING</span> set if the device is running
<p class="level2"><span Class="bold">PCAP_IF_WIRELESS</span> set if the device is a wireless interface; this includes IrDA as well as radio-based networks such as IEEE 802.15.4 and IEEE 802.11, so it doesn&#39;t just mean Wi-Fi
<p class="level2"><span Class="bold">PCAP_IF_CONNECTION_STATUS</span> a bitmask for an indication of whether the adapter is connected or not; for wireless interfaces, &quot;connected&quot; means &quot;associated with a network&quot;
<p class="level2">The possible values for the connection status bits are:
<p class="level2"><span Class="bold">PCAP_IF_CONNECTION_STATUS_UNKNOWN</span> it&#39;s unknown whether the adapter is connected or not
<p class="level2"><span Class="bold">PCAP_IF_CONNECTION_STATUS_CONNECTED</span> the adapter is connected
<p class="level2"><span Class="bold">PCAP_IF_CONNECTION_STATUS_DISCONNECTED</span> the adapter is disconnected
<p class="level2"><span Class="bold">PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE</span> the notion of &quot;connected&quot; and &quot;disconnected&quot; don&#39;t apply to this interface; for example, it doesn&#39;t apply to a loopback device
<p class="level1">
<p class="level0">
<p class="level0">Each element of the list of addresses is of type <span Class="bold">pcap_addr_t</span>, and has the following members:
<p class="level1">
<p class="level1"><span Class="bold">next</span> if not <span Class="bold">NULL</span>, a pointer to the next element in the list; <span Class="bold">NULL</span> for the last element of the list
<p class="level1"><span Class="bold">addr</span> a pointer to a <span Class="bold">struct sockaddr</span> containing an address
<p class="level1"><span Class="bold">netmask</span> if not <span Class="bold">NULL</span>, a pointer to a <span Class="bold">struct sockaddr</span> that contains the netmask corresponding to the address pointed to by <span Class="bold">addr</span>
<p class="level1"><span Class="bold">broadaddr</span> if not <span Class="bold">NULL</span>, a pointer to a <span Class="bold">struct sockaddr</span> that contains the broadcast address corresponding to the address pointed to by <span Class="bold">addr</span>; may be null if the device doesn&#39;t support broadcasts
<p class="level1"><span Class="bold">dstaddr</span> if not <span Class="bold">NULL</span>, a pointer to a <span Class="bold">struct sockaddr</span> that contains the destination address corresponding to the address pointed to by <span Class="bold">addr</span>; may be null if the device isn&#39;t a point-to-point interface
<p class="level0">
<p class="level0">Note that the addresses in the list of addresses might be IPv4 addresses, IPv6 addresses, or some other type of addresses, so you must check the <span Class="bold">sa_family</span> member of the <span Class="bold">struct sockaddr</span> before interpreting the contents of the address; do not assume that the addresses are all IPv4 addresses, or even all IPv4 or IPv6 addresses. IPv4 addresses have the value <span Class="bold">AF_INET</span>, IPv6 addresses have the value <span Class="bold">AF_INET6</span> (which older operating systems that don&#39;t support IPv6 might not define), and other addresses have other values. Whether other addresses are returned, and what types they might have is platform-dependent. For IPv4 addresses, the <span Class="bold">struct sockaddr</span> pointer can be interpreted as if it pointed to a <span Class="bold">struct sockaddr_in</span>; for IPv6 addresses, it can be interpreted as if it pointed to a <span Class="bold">struct sockaddr_in6</span>.
<p class="level0">The list of devices must be freed with <span Class="bold">pcap_freealldevs(3PCAP)</span>, which frees the list pointed to by <span Class="emphasis">alldevs</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_findalldevs()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure; as indicated, finding no devices is considered success, rather than failure, so 0 will be returned in that case. If <span Class="bold">PCAP_ERROR</span> is returned, <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">The <span Class="bold">PCAP_IF_UP</span> and <span Class="bold">PCAP_IF_RUNNING</span> constants became available in libpcap release 1.6.1. The <span Class="bold">PCAP_IF_WIRELESS</span>, <span Class="bold">PCAP_IF_CONNECTION_STATUS</span>, <span Class="bold">PCAP_IF_CONNECTION_STATUS_UNKNOWN</span>, <span Class="bold">PCAP_IF_CONNECTION_STATUS_CONNECTED</span>, <span Class="bold">PCAP_IF_CONNECTION_STATUS_DISCONNECTED</span>, and <span Class="bold">PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE</span> constants became available in libpcap release 1.9.0. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

64
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_freecode.html Normal file
View File

@@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_freecode - free a BPF program <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
void pcap_freecode(struct bpf_program *);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_freecode()</span> is used to free up allocated memory pointed to by a <span Class="emphasis">bpf_program</span> struct generated by <a Class="bold" href="./pcap_compile.html">pcap_compile</a> when that BPF program is no longer needed, for example after it has been made the filter program for a pcap structure by a call to <a Class="bold" href="./pcap_setfilter.html">pcap_setfilter</a>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

70
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_get_required_select_timeout.html Normal file
View File

@@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_get_required_select_timeout - get a file descriptor on which a select() can be done for a live capture <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
struct timeval *pcap_get_required_select_timeout(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_get_required_select_timeout()</span> returns, on UNIX, a pointer to a <span Class="bold">struct timeval</span> containing a value that must be used as the minimum timeout in <span Class="bold">select(2)</span>, <span Class="bold">poll(2)</span>, <span Class="bold">epoll_wait(2)</span>, and <span Class="bold">kevent()</span> calls if <a Class="bold" href="./pcap_get_selectable_fd.html">pcap_get_selectable_fd</a> returns <span Class="bold">PCAP_ERROR</span>.
<p class="level0">The timeout that should be used in those calls must be no larger than the smallest of all timeouts returned by <span Class="bold">\%pcap_get_required_select_timeout()</span> for devices from which packets will be captured.
<p class="level0">The device for which <span Class="bold">pcap_get_selectable_fd()</span> returned <span Class="bold">PCAP_ERROR</span> must be put in non-blocking mode with <a Class="bold" href="./pcap_setnonblock.html">pcap_setnonblock</a>, and an attempt must always be made to read packets from the device when the <span Class="bold">select()</span>, <span Class="bold">poll()</span>, <span Class="bold">epoll_wait()</span>, or <span Class="bold">kevent()</span> call returns.
<p class="level0">Note that a device on which a read can be done without blocking may, on some platforms, not have any packets to read if the packet buffer timeout has expired. A call to <span Class="bold">pcap_dispatch(3PCAP)</span> or <a Class="bold" href="./pcap_next_ex.html">pcap_next_ex</a> will return 0 in this case, but will not block.
<p class="level0"><span Class="bold">pcap_get_required_select_timeout()</span> is not available on Windows. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0">A pointer to a <span Class="bold">struct timeval</span> is returned if the timeout is required; otherwise <span Class="bold">NULL</span> is returned. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">This function became available in libpcap release 1.9.0. In previous releases, <span Class="bold">select()</span>, <span Class="bold">poll()</span>, <span Class="bold">epoll_wait()</span>, and <span Class="bold">kevent()</span> cannot be used on any capture source for which <span Class="bold">pcap_get_selectable_fd</span> returns -1. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_get_selectable_fd.html">pcap_get_selectable_fd</a>(3PCAP), <span Class="bold">select</span>(2), <span Class="bold">poll</span>(2), <span Class="bold">epoll_wait</span>(2), <span Class="bold">kqueue</span>(2) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

79
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_get_selectable_fd.html Normal file
View File

@@ -0,0 +1,79 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_get_selectable_fd - get a file descriptor on which a select() can be done for a live capture <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_get_selectable_fd(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_get_selectable_fd()</span> returns, on UNIX, a file descriptor number for a file descriptor on which one can do a <span Class="bold">select(2)</span>, <span Class="bold">poll(2)</span>, <span Class="bold">epoll_wait(2)</span>, <span Class="bold">kevent()</span>, or other such call to wait for it to be possible to read packets without blocking, if such a descriptor exists, or <span Class="bold">PCAP_ERROR</span>, if no such descriptor exists.
<p class="level0">Some network devices opened with <a Class="bold" href="./pcap_create.html">pcap_create</a> and <a Class="bold" href="./pcap_activate.html">pcap_activate</a>, or with <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>, do not support those calls (for example, regular network devices on FreeBSD 4.3 and 4.4, and Endace DAG devices), so <span Class="bold">PCAP_ERROR</span> is returned for those devices. In that case, those calls must be given a timeout less than or equal to the timeout returned by <a Class="bold" href="./pcap_get_required_select_timeout.html">pcap_get_required_select_timeout</a> for the device for which <span Class="bold">pcap_get_selectable_fd()</span> returned <span Class="bold">PCAP_ERROR</span>, the device must be put in non-blocking mode with a call to <span Class="bold">\%pcap_setnonblock(3PCAP)</span>, and an attempt must always be made to read packets from the device when the call returns. If <span Class="bold">\%pcap_get_required_select_timeout()</span> returns <span Class="bold">NULL</span>, it is not possible to wait for packets to arrive on the device in an event loop.
<p class="level0">Note that a device on which a read can be done without blocking may, on some platforms, not have any packets to read if the packet buffer timeout has expired. A call to <span Class="bold">pcap_dispatch(3PCAP)</span> or <a Class="bold" href="./pcap_next_ex.html">pcap_next_ex</a> will return 0 in this case, but will not block.
<p class="level0">Note that in:
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">FreeBSD prior to FreeBSD 4.6;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">NetBSD prior to NetBSD 3.0;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">OpenBSD prior to OpenBSD 2.4;
<p class="level0"><a name=""></a><span class="nroffip"></span>
<p class="level1">Mac OS X prior to Mac OS X 10.7;
<p class="level1"><span Class="bold">select()</span>, <span Class="bold">poll()</span>, and <span Class="bold">kevent()</span> do not work correctly on BPF devices; <span Class="bold">pcap_get_selectable_fd()</span> will return a file descriptor on most of those versions (the exceptions being FreeBSD 4.3 and 4.4), but a simple <span Class="bold">select()</span>, <span Class="bold">poll()</span>, or <span Class="bold">kevent()</span> call will not indicate that the descriptor is readable until a full buffer&#39;s worth of packets is received, even if the packet timeout expires before then. To work around this, code that uses those calls to wait for packets to arrive must put the <span Class="bold">pcap_t</span> in non-blocking mode, and must arrange that the call have a timeout less than or equal to the packet buffer timeout, and must try to read packets after that timeout expires, regardless of whether the call indicated that the file descriptor for the <span Class="bold">pcap_t</span> is ready to be read or not. (That workaround will not work in FreeBSD 4.3 and later; however, in FreeBSD 4.6 and later, those calls work correctly on BPF devices, so the workaround isn&#39;t necessary, although it does no harm.)
<p class="level1">Note also that <span Class="bold">poll()</span> and <span Class="bold">kevent()</span> doesn&#39;t work on character special files, including BPF devices, in Mac OS X 10.4 and 10.5, so, while <span Class="bold">select()</span> can be used on the descriptor returned by <span Class="bold">pcap_get_selectable_fd()</span>, <span Class="bold">poll()</span> and <span Class="bold">kevent()</span> cannot be used on it those versions of Mac OS X. <span Class="bold">poll()</span>, but not <span Class="bold">kevent()</span>, works on that descriptor in Mac OS X releases prior to 10.4; <span Class="bold">poll()</span> and <span Class="bold">kevent()</span> work on that descriptor in Mac OS X 10.6 and later.
<p class="level1"><span Class="bold">pcap_get_selectable_fd()</span> is not available on Windows. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0">A selectable file descriptor is returned if one exists; otherwise, <span Class="bold">PCAP_ERROR</span> is returned. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <span Class="bold">kqueue</span>(2) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

75
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_get_tstamp_precision.html Normal file
View File

@@ -0,0 +1,75 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_get_tstamp_precision - get the time stamp precision returned in captures <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_get_tstamp_precision(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_get_tstamp_precision()</span> returns the precision of the time stamp returned in packet captures on the pcap descriptor. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_get_tstamp_precision()</span> returns <span Class="bold">PCAP_TSTAMP_PRECISION_MICRO</span> or <span Class="bold">PCAP_TSTAMP_PRECISION_NANO</span>, which indicates that pcap captures contains time stamps in microseconds or nanoseconds respectively. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">This function became available in libpcap release 1.5.1. In previous releases, time stamps from a capture device or savefile are always given in seconds and microseconds. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_set_tstamp_precision.html">pcap_set_tstamp_precision</a>(3PCAP), <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

66
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_geterr.html Normal file
View File

@@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_geterr, pcap_perror - get or print libpcap error message text <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
char *pcap_geterr(pcap_t *p);
void pcap_perror(pcap_t *p, const char *prefix);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_geterr()</span> returns the error text pertaining to the last pcap library error. <span Class="bold">NOTE</span>: the pointer it returns will no longer point to a valid error message string after the <span Class="bold">pcap_t</span> passed to it is closed; you must use or copy the string before closing the <span Class="bold">pcap_t</span>.
<p class="level0"><span Class="bold">pcap_perror()</span> prints the text of the last pcap library error on <span Class="bold">stderr</span>, prefixed by <span Class="emphasis">prefix</span>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

71
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_inject.html Normal file
View File

@@ -0,0 +1,71 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_inject, pcap_sendpacket - transmit a packet <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_inject(pcap_t *p, const void *buf, size_t size);
int pcap_sendpacket(pcap_t *p, const u_char *buf, int size);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_inject()</span> sends a raw packet through the network interface; <span Class="emphasis">buf</span> points to the data of the packet, including the link-layer header, and <span Class="emphasis">size</span> is the number of bytes in the packet.
<p class="level0">Note that, even if you successfully open the network interface, you might not have permission to send packets on it, or it might not support sending packets; as <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a> doesn&#39;t have a flag to indicate whether to open for capturing, sending, or capturing and sending, you cannot request an open that supports sending and be notified at open time whether sending will be possible. Note also that some devices might not support sending packets.
<p class="level0">Note that, on some platforms, the link-layer header of the packet that&#39;s sent might not be the same as the link-layer header of the packet supplied to <span Class="bold">pcap_inject()</span>, as the source link-layer address, if the header contains such an address, might be changed to be the address assigned to the interface on which the packet it sent, if the platform doesn&#39;t support sending completely raw and unchanged packets. Even worse, some drivers on some platforms might change the link-layer type field to whatever value libpcap used when attaching to the device, even on platforms that <span Class="emphasis">do</span> nominally support sending completely raw and unchanged packets.
<p class="level0"><span Class="bold">pcap_sendpacket()</span> is like <span Class="bold">pcap_inject()</span>, but it returns 0 on success, rather than returning the number of bytes written. (<span Class="bold">pcap_inject()</span> comes from OpenBSD; <span Class="bold">pcap_sendpacket()</span> comes from WinPcap. Both are provided for compatibility.) <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_inject()</span> returns the number of bytes written on success and <span Class="bold">PCAP_ERROR</span> on failure.
<p class="level0"><span Class="bold">pcap_sendpacket()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure.
<p class="level0">If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

66
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_is_swapped.html Normal file
View File

@@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_is_swapped - find out whether a savefile has the native byte order <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_is_swapped(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_is_swapped()</span> returns true (1) if <span Class="emphasis">p</span> refers to a ``savefile&#39;&#39; that uses a different byte order than the current system. For a live capture, it always returns false (0).
<p class="level0">It must not be called on a pcap descriptor created by <span Class="bold">\%pcap_create(3PCAP)</span> that has not yet been activated by <span Class="bold">\%pcap_activate(3PCAP)</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_is_swapped()</span> returns true (1) or false (0) on success and <span Class="bold">PCAP_ERROR_NOT_ACTIVATED</span> if called on a capture handle that has been created but not activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

64
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_lib_version.html Normal file
View File

@@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_lib_version - get the version information for libpcap <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
const char *pcap_lib_version(void);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_lib_version()</span> returns a pointer to a string giving information about the version of the libpcap library being used; note that it contains more information than just a version number. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

68
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_list_datalinks.html Normal file
View File

@@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_list_datalinks, pcap_free_datalinks - get a list of link-layer header types supported by a capture device, and free that list <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_list_datalinks(pcap_t *p, int **dlt_buf);
void pcap_free_datalinks(int *dlt_list);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_list_datalinks()</span> is used to get a list of the supported link-layer header types of the interface associated with the pcap descriptor. <span Class="bold">pcap_list_datalinks()</span> allocates an array to hold the list and sets <span Class="emphasis">*dlt_buf</span> to point to that array.
<p class="level0">The caller is responsible for freeing the array with <span Class="bold">pcap_free_datalinks()</span>, which frees the list of link-layer header types pointed to by <span Class="emphasis">dlt_list</span>.
<p class="level0">It must not be called on a pcap descriptor created by <span Class="bold">\%pcap_create(3PCAP)</span> that has not yet been activated by <span Class="bold">\%pcap_activate(3PCAP)</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_list_datalinks()</span> returns the number of link-layer header types in the array on success, <span Class="bold">PCAP_ERROR_NOT_ACTIVATED</span> if called on a capture handle that has been created but not activated, and <span Class="bold">PCAP_ERROR</span> on other errors. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">\%pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_datalink_val_to_name.html">pcap_datalink_val_to_name</a>(3PCAP), <a Class="bold" href="./pcap-linktype.html">pcap-linktype</a>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

69
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_list_tstamp_types.html Normal file
View File

@@ -0,0 +1,69 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_list_tstamp_types, pcap_free_tstamp_types - get a list of time stamp types supported by a capture device, and free that list <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_list_tstamp_types(pcap_t *p, int **tstamp_typesp);
void pcap_free_tstamp_types(int *tstamp_types);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_list_tstamp_types()</span> is used to get a list of the supported time stamp types of the interface associated with the pcap descriptor. <span Class="bold">pcap_list_tstamp_types()</span> allocates an array to hold the list and sets <span Class="emphasis">*tstamp_typesp</span> to point to the array. See <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) for a list of all the time stamp types.
<p class="level0">The caller is responsible for freeing the array with <span Class="bold">pcap_free_tstamp_types()</span>, which frees the list pointed to by <span Class="emphasis">tstamp_types</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_list_tstamp_types()</span> returns the number of time stamp types in the array on success and <span Class="bold">PCAP_ERROR</span> on failure. A return value of one means that the only time stamp type supported is the one in the list, which is the capture device&#39;s default time stamp type. A return value of zero means that the only time stamp type supported is <span Class="bold">PCAP_TSTAMP_HOST</span>, which is the capture device&#39;s default time stamp type (only older versions of libpcap will return that; newer versions will always return one or more types). If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">These functions became available in libpcap release 1.2.1. In previous releases, the time stamp type cannot be set; only the default time stamp type offered by a capture source is available. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_tstamp_type_val_to_name.html">pcap_tstamp_type_val_to_name</a>(3PCAP), <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

70
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_lookupdev.html Normal file
View File

@@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_lookupdev - find the default device on which to capture <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
[DEPRECATED] char *pcap_lookupdev(char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">This interface is obsoleted by</span> <a Class="bold" href="./pcap_findalldevs.html">pcap_findalldevs</a>(3PCAP). To find a default device on which to capture, call <span Class="bold">pcap_findalldevs()</span> and, if the list it returns is not empty, use the first device in the list. (If the list is empty, there are no devices on which capture is possible.)
<p class="level0"><span Class="bold">pcap_lookupdev()</span> returns a pointer to a string giving the name of a network device suitable for use with <a Class="bold" href="./pcap_create.html">pcap_create</a> and <span Class="bold">\%pcap_activate(3PCAP)</span>, or with <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a>, and with <a Class="bold" href="./pcap_lookupnet.html">pcap_lookupnet</a>. If there is an error, <span Class="bold">NULL</span> is returned and <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <a name="BUGS"></a><h2 class="nroffsh">BUGS</h2>
<p class="level0">The pointer returned by <span Class="bold">pcap_lookupdev()</span> points to a static buffer; subsequent calls to <span Class="bold">pcap_lookupdev()</span> in the same thread, or calls to <span Class="bold">pcap_lookupdev()</span> in another thread, may overwrite that buffer.
<p class="level0">In WinPcap, this function may return a UTF-16 string rather than an ASCII or UTF-8 string.
<p class="level0"><p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

68
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_lookupnet.html Normal file
View File

@@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_lookupnet - find the IPv4 network number and netmask for a device <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
int pcap_lookupnet(const char *device, bpf_u_int32 *netp,
&nbsp;&nbsp;&nbsp;&nbsp;bpf_u_int32 *maskp, char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_lookupnet()</span> is used to determine the IPv4 network number and mask associated with the network device <span Class="emphasis">device</span>. Both <span Class="emphasis">netp</span> and <span Class="emphasis">maskp</span> are <span Class="emphasis">bpf_u_int32</span> pointers. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_lookupnet()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. If <span Class="bold">PCAP_ERROR</span> is returned, <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

78
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_loop.html Normal file
View File

@@ -0,0 +1,78 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_loop, pcap_dispatch - process packets from a live capture or savefile <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h,
&nbsp;&nbsp;&nbsp;&nbsp; const u_char *bytes);
int pcap_loop(pcap_t *p, int cnt,
&nbsp;&nbsp;&nbsp;&nbsp;pcap_handler callback, u_char *user);
int pcap_dispatch(pcap_t *p, int cnt,
&nbsp;&nbsp;&nbsp;&nbsp;pcap_handler callback, u_char *user);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_loop()</span> processes packets from a live capture or ``savefile&#39;&#39; until <span Class="emphasis">cnt</span> packets are processed, the end of the ``savefile&#39;&#39; is reached when reading from a ``savefile&#39;&#39;, <a Class="bold" href="./pcap_breakloop.html">pcap_breakloop</a> is called, or an error occurs. It does <span Class="bold">not</span> return when live packet buffer timeouts occur. A value of -1 or 0 for <span Class="emphasis">cnt</span> is equivalent to infinity, so that packets are processed until another ending condition occurs.
<p class="level0"><span Class="bold">pcap_dispatch()</span> processes packets from a live capture or ``savefile&#39;&#39; until <span Class="emphasis">cnt</span> packets are processed, the end of the current bufferful of packets is reached when doing a live capture, the end of the ``savefile&#39;&#39; is reached when reading from a ``savefile&#39;&#39;, <span Class="bold">pcap_breakloop()</span> is called, or an error occurs. Thus, when doing a live capture, <span Class="emphasis">cnt</span> is the maximum number of packets to process before returning, but is not a minimum number; when reading a live capture, only one bufferful of packets is read at a time, so fewer than <span Class="emphasis">cnt</span> packets may be processed. A value of -1 or 0 for <span Class="emphasis">cnt</span> causes all the packets received in one buffer to be processed when reading a live capture, and causes all the packets in the file to be processed when reading a ``savefile&#39;&#39;.
<p class="level0">Note that, when doing a live capture on some platforms, if the read timeout expires when there are no packets available, <span Class="bold">pcap_dispatch()</span> will return 0, even when not in non-blocking mode, as there are no packets to process. Applications should be prepared for this to happen, but must not rely on it happening.
<p class="level0">(In older versions of libpcap, the behavior when <span Class="emphasis">cnt</span> was 0 was undefined; different platforms and devices behaved differently, so code that must work with older versions of libpcap should use -1, not 0, as the value of <span Class="emphasis">cnt</span>.)
<p class="level0"><span Class="emphasis">callback</span> specifies a <span Class="emphasis">pcap_handler</span> routine to be called with three arguments: a <span Class="emphasis">u_char</span> pointer which is passed in the <span Class="emphasis">user</span> argument to <span Class="bold">pcap_loop()</span> or <span Class="bold">pcap_dispatch()</span>, a <span Class="emphasis">const struct pcap_pkthdr</span> pointer pointing to the packet time stamp and lengths, and a <span Class="emphasis">const u_char</span> pointer to the first <span Class="bold">caplen</span> (as given in the <span Class="emphasis">struct pcap_pkthdr</span> a pointer to which is passed to the callback routine) bytes of data from the packet. The <span Class="emphasis">struct pcap_pkthdr</span> and the packet data are not to be freed by the callback routine, and are not guaranteed to be valid after the callback routine returns; if the code needs them to be valid after the callback, it must make a copy of them.
<p class="level0">The bytes of data from the packet begin with a link-layer header. The format of the link-layer header is indicated by the return value of the <a Class="bold" href="./pcap_datalink.html">pcap_datalink</a> routine when handed the <span Class="bold">pcap_t</span> value also passed to <span Class="bold">pcap_loop()</span> or <span Class="bold">pcap_dispatch()</span>. <span Class="emphasis"><a href="https://www.tcpdump.org/linktypes.html">https://www.tcpdump.org/linktypes.html</a></span> lists the values <span Class="bold">pcap_datalink()</span> can return and describes the packet formats that correspond to those values. The value it returns will be valid for all packets received unless and until <a Class="bold" href="./pcap_set_datalink.html">pcap_set_datalink</a> is called; after a successful call to <span Class="bold">pcap_set_datalink()</span>, all subsequent packets will have a link-layer header of the type specified by the link-layer header type value passed to <span Class="bold">pcap_set_datalink()</span>.
<p class="level0">Do <span Class="bold">NOT</span> assume that the packets for a given capture or ``savefile`` will have any given link-layer header type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. For example, the &quot;any&quot; device on Linux will have a link-layer header type of <span Class="bold">DLT_LINUX_SLL</span> even if all devices on the system at the time the &quot;any&quot; device is opened have some other data link type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_loop()</span> returns 0 if <span Class="emphasis">cnt</span> is exhausted or if, when reading from a ``savefile&#39;&#39;, no more packets are available. It returns <span Class="bold">PCAP_ERROR</span> if an error occurs or <span Class="bold">PCAP_ERROR_BREAK</span> if the loop terminated due to a call to <span Class="bold">pcap_breakloop()</span> before any packets were processed. It does <span Class="bold">not</span> return when live packet buffer timeouts occur; instead, it attempts to read more packets.
<p class="level0"><span Class="bold">pcap_dispatch()</span> returns the number of packets processed on success; this can be 0 if no packets were read from a live capture (if, for example, they were discarded because they didn&#39;t pass the packet filter, or if, on platforms that support a packet buffer timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read) or if no more packets are available in a ``savefile.&#39;&#39; It returns <span Class="bold">PCAP_ERROR</span> if an error occurs or <span Class="bold">PCAP_ERROR_BREAK</span> if the loop terminated due to a call to <span Class="bold">pcap_breakloop()</span> before any packets were processed. If your application uses pcap_breakloop(), make sure that you explicitly check for PCAP_ERROR and PCAP_ERROR_BREAK, rather than just checking for a return value &lt; 0.
<p class="level0">If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

66
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_major_version.html Normal file
View File

@@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_major_version, pcap_minor_version - get the version number of a savefile <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_major_version(pcap_t *p);
int pcap_minor_version(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">If <span Class="emphasis">p</span> refers to a ``savefile&#39;&#39;, <span Class="bold">pcap_major_version()</span> returns the major number of the file format of the ``savefile&#39;&#39; and <span Class="bold">pcap_minor_version()</span> returns the minor number of the file format of the ``savefile&#39;&#39;. The version number is stored in the ``savefile&#39;&#39;; note that the meaning of its values depends on the type of ``savefile&#39;&#39; (for example, pcap or pcapng).
<p class="level0">If <span Class="emphasis">p</span> refers to a live capture, the values returned by <span Class="bold">pcap_major_version()</span> and <span Class="bold">pcap_minor_version()</span> are not meaningful. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

71
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_next_ex.html Normal file
View File

@@ -0,0 +1,71 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_next_ex, pcap_next - read the next packet from a pcap_t <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header,
&nbsp;&nbsp;&nbsp;&nbsp;const u_char **pkt_data);
const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_next_ex()</span> reads the next packet and returns a success/failure indication. If the packet was read without problems, the pointer pointed to by the <span Class="emphasis">pkt_header</span> argument is set to point to the <span Class="emphasis">pcap_pkthdr</span> struct for the packet, and the pointer pointed to by the <span Class="emphasis">pkt_data</span> argument is set to point to the data in the packet. The <span Class="emphasis">struct pcap_pkthdr</span> and the packet data are not to be freed by the caller, and are not guaranteed to be valid after the next call to <span Class="bold">pcap_next_ex()</span>, <span Class="bold">pcap_next()</span>, <a Class="bold" href="./pcap_loop.html">pcap_loop</a>, or <span Class="bold">pcap_dispatch(3PCAP)</span>; if the code needs them to remain valid, it must make a copy of them.
<p class="level0"><span Class="bold">pcap_next()</span> reads the next packet (by calling <span Class="bold">pcap_dispatch()</span> with a <span Class="emphasis">cnt</span> of 1) and returns a <span Class="emphasis">u_char</span> pointer to the data in that packet. The packet data is not to be freed by the caller, and is not guaranteed to be valid after the next call to <span Class="bold">pcap_next_ex()</span>, <span Class="bold">pcap_next()</span>, <span Class="bold">pcap_loop()</span>, or <span Class="bold">pcap_dispatch()</span>; if the code needs it to remain valid, it must make a copy of it. The <span Class="emphasis">pcap_pkthdr</span> structure pointed to by <span Class="emphasis">h</span> is filled in with the appropriate values for the packet.
<p class="level0">The bytes of data from the packet begin with a link-layer header. The format of the link-layer header is indicated by the return value of the <span Class="bold">pcap_datalink(PCAP)</span> routine when handed the <span Class="bold">pcap_t</span> value also passed to <span Class="bold">pcap_loop()</span> or <span Class="bold">pcap_dispatch()</span>. <span Class="emphasis"><a href="https://www.tcpdump.org/linktypes.html">https://www.tcpdump.org/linktypes.html</a></span> lists the values <span Class="bold">pcap_datalink()</span> can return and describes the packet formats that correspond to those values. The value it returns will be valid for all packets received unless and until <a Class="bold" href="./pcap_set_datalink.html">pcap_set_datalink</a> is called; after a successful call to <span Class="bold">pcap_set_datalink()</span>, all subsequent packets will have a link-layer header of the type specified by the link-layer header type value passed to <span Class="bold">pcap_set_datalink()</span>.
<p class="level0">Do <span Class="bold">NOT</span> assume that the packets for a given capture or ``savefile`` will have any given link-layer header type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. For example, the &quot;any&quot; device on Linux will have a link-layer header type of <span Class="bold">DLT_LINUX_SLL</span> even if all devices on the system at the time the &quot;any&quot; device is opened have some other data link type, such as <span Class="bold">DLT_EN10MB</span> for Ethernet. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_next_ex()</span> returns 1 if the packet was read without problems, 0 if packets are being read from a live capture and the packet buffer timeout expired, <span Class="bold">PCAP_ERROR</span> if an error occurred while reading the packet, and <span Class="bold">PCAP_ERROR_BREAK</span> if packets are being read from a ``savefile&#39;&#39; and there are no more packets to read from the savefile. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text.
<p class="level0"><span Class="bold">pcap_next()</span> returns a pointer to the packet data on success, and returns <span Class="bold">NULL</span> if an error occurred, or if no packets were read from a live capture (if, for example, they were discarded because they didn&#39;t pass the packet filter, or if, on platforms that support a packet buffer timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read), or if no more packets are available in a ``savefile.&#39;&#39; Unfortunately, there is no way to determine whether an error occurred or not. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

66
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_offline_filter.html Normal file
View File

@@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_offline_filter - check whether a filter matches a packet <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_offline_filter(const struct bpf_program *fp,
&nbsp;&nbsp;&nbsp;&nbsp;const struct pcap_pkthdr *h, const u_char *pkt)
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_offline_filter()</span> checks whether a filter matches a packet. <span Class="emphasis">fp</span> is a pointer to a <span Class="emphasis">bpf_program</span> struct, usually the result of a call to <a Class="bold" href="./pcap_compile.html">pcap_compile</a>. <span Class="emphasis">h</span> points to the <span Class="emphasis">pcap_pkthdr</span> structure for the packet, and <span Class="emphasis">pkt</span> points to the data in the packet. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_offline_filter()</span> returns the return value of the filter program. This will be zero if the packet doesn&#39;t match the filter and non-zero if the packet matches the filter. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

70
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_open_dead.html Normal file
View File

@@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_open_dead, pcap_open_dead_with_tstamp_precision - open a fake pcap_t for compiling filters or opening a capture for output <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
pcap_t *pcap_open_dead(int linktype, int snaplen);
pcap_t *pcap_open_dead_with_tstamp_precision(int linktype, int snaplen,
&nbsp; u_int precision);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">
<p class="level0"><span Class="bold">pcap_open_dead()</span> and <span Class="bold">pcap_open_dead_with_tstamp_precision()</span> are used for creating a <span Class="bold">pcap_t</span> structure to use when calling the other functions in libpcap. It is typically used when just using libpcap for compiling BPF code; it can also be used if using <a Class="bold" href="./pcap_dump_open.html">pcap_dump_open</a>, <a Class="bold" href="./pcap_dump.html">pcap_dump</a>, and <a Class="bold" href="./pcap_dump_close.html">pcap_dump_close</a> to write a savefile if there is no <span Class="bold">pcap_t</span> that supplies the packets to be written.
<p class="level0"><span Class="emphasis">linktype</span> specifies the link-layer type for the <span Class="bold">pcap_t</span>.
<p class="level0"><span Class="emphasis">snaplen</span> specifies the snapshot length for the <span Class="bold">pcap_t</span>.
<p class="level0">When <span Class="bold">pcap_open_dead_with_tstamp_precision()</span>, is used to create a <span Class="bold">pcap_t</span> for use with <span Class="bold">pcap_dump_open()</span>, <span Class="emphasis">precision</span> specifies the time stamp precision for packets; <span Class="bold">PCAP_TSTAMP_PRECISION_MICRO</span> should be specified if the packets to be written have time stamps in seconds and microseconds, and <span Class="bold">PCAP_TSTAMP_PRECISION_NANO</span> should be specified if the packets to be written have time stamps in seconds and nanoseconds. Its value does not affect <a Class="bold" href="./pcap_compile.html">pcap_compile</a>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <span Class="bold">\%pcap-linktype</span>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

71
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_open_live.html Normal file
View File

@@ -0,0 +1,71 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_open_live - open a device for capturing <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap_open_live(const char *device, int snaplen,
&nbsp;&nbsp;&nbsp;&nbsp;int promisc, int to_ms, char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_open_live()</span> is used to obtain a packet capture handle to look at packets on the network. <span Class="emphasis">device</span> is a string that specifies the network device to open; on Linux systems with 2.2 or later kernels, a <span Class="emphasis">device</span> argument of &quot;any&quot; or <span Class="bold">NULL</span> can be used to capture packets from all interfaces.
<p class="level0"><span Class="emphasis">snaplen</span> specifies the snapshot length to be set on the handle.
<p class="level0"><span Class="emphasis">promisc</span> specifies if the interface is to be put into promiscuous mode.
<p class="level0"><span Class="emphasis">to_ms</span> specifies the packet buffer timeout, as a non-negative value, in milliseconds. (See <a Class="bold" href="./pcap.html">pcap</a>(3PCAP) for an explanation of the packet buffer timeout.) <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_open_live()</span> returns a <span Class="emphasis">pcap_t *</span> on success and <span Class="bold">NULL</span> on failure. If <span Class="bold">NULL</span> is returned, <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> may also be set to warning text when <span Class="bold">pcap_open_live()</span> succeeds; to detect this case the caller should store a zero-length string in <span Class="emphasis">errbuf</span> before calling <span Class="bold">pcap_open_live()</span> and display the warning to the user if <span Class="emphasis">errbuf</span> is no longer a zero-length string. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

76
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_open_offline.html Normal file
View File

@@ -0,0 +1,76 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_open_offline, pcap_open_offline_with_tstamp_precision, pcap_fopen_offline, pcap_fopen_offline_with_tstamp_precision - open a saved capture file for reading <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap_open_offline(const char *fname, char *errbuf);
pcap_t *pcap_open_offline_with_tstamp_precision(const char *fname,
&nbsp; u_int precision, char *errbuf);
pcap_t *pcap_fopen_offline(FILE *fp, char *errbuf);
pcap_t *pcap_fopen_offline_with_tstamp_precision(FILE *fp,
&nbsp; u_int precision, char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_open_offline()</span> and <span Class="bold">pcap_open_offline_with_tstamp_precision()</span> are called to open a ``savefile&#39;&#39; for reading.
<p class="level0"><span Class="emphasis">fname</span> specifies the name of the file to open. The file can have the pcap file format as described in <a Class="bold" href="./pcap-savefile.html">pcap-savefile</a>(5), which is the file format used by, among other programs, <span Class="bold">tcpdump</span>(1) and <span Class="bold">tcpslice</span>(1), or can have the pcapng file format, although not all pcapng files can be read. The name &quot;-&quot; is a synonym for <span Class="bold">stdin</span>.
<p class="level0"><span Class="bold">pcap_open_offline_with_tstamp_precision()</span> takes an additional <span Class="emphasis">precision</span> argument specifying the time stamp precision desired; if <span Class="bold">PCAP_TSTAMP_PRECISION_MICRO</span> is specified, packet time stamps will be supplied in seconds and microseconds, and if <span Class="bold">PCAP_TSTAMP_PRECISION_NANO</span> is specified, packet time stamps will be supplied in seconds and nanoseconds. If the time stamps in the file do not have the same precision as the requested precision, they will be scaled up or down as necessary before being supplied.
<p class="level0">Alternatively, you may call <span Class="bold">pcap_fopen_offline()</span> or <span Class="bold">pcap_fopen_offline_with_tstamp_precision()</span> to read dumped data from an existing open stream <span Class="emphasis">fp</span>. <span Class="bold">pcap_fopen_offline_with_tstamp_precision()</span> takes an additional <span Class="emphasis">precision</span> argument as described above. Note that on Windows, that stream should be opened in binary mode. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_open_offline()</span>, <span Class="bold">pcap_open_offline_with_tstamp_precision()</span>, <span Class="bold">pcap_fopen_offline()</span>, and <span Class="bold">pcap_fopen_offline_with_tstamp_precision()</span> return a <span Class="emphasis">pcap_t *</span> on success and <span Class="bold">NULL</span> on failure. If <span Class="bold">NULL</span> is returned, <span Class="emphasis">errbuf</span> is filled in with an appropriate error message. <span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0"><span Class="bold">pcap_open_offline_with_tstamp_precision</span> and <span Class="bold">pcap_fopen_offline_with_tstamp_precision</span> became available in libpcap release 1.5.1. In previous releases, time stamps from a savefile are always given in seconds and microseconds. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap-savefile.html">pcap-savefile</a>(5) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_set_buffer_size.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_buffer_size - set the buffer size for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_buffer_size(pcap_t *p, int buffer_size);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_buffer_size()</span> sets the buffer size that will be used on a capture handle when the handle is activated to <span Class="emphasis">buffer_size</span>, which is in units of bytes. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_buffer_size()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_set_datalink.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_datalink - set the link-layer header type to be used by a capture device <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_datalink(pcap_t *p, int dlt);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_datalink()</span> is used to set the current link-layer header type of the pcap descriptor to the type specified by <span Class="emphasis">dlt</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_datalink()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_datalink_name_to_val.html">pcap_datalink_name_to_val</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_set_promisc.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_promisc - set promiscuous mode for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_promisc(pcap_t *p, int promisc);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_promisc()</span> sets whether promiscuous mode should be set on a capture handle when the handle is activated. If <span Class="emphasis">promisc</span> is non-zero, promiscuous mode will be set, otherwise it will not be set. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_promisc()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

68
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_set_protocol_linux.html Normal file
View File

@@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_protocol_linux - set capture protocol for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_protocol_linux(pcap_t *p, int protocol);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">On network interface devices on Linux, <span Class="bold">pcap_set_protocol_linux()</span> sets the protocol to be used in the <span Class="bold">socket</span>(2) call to create a capture socket when the handle is activated. The argument is a link-layer protocol value, such as the values in the <span Class="bold">&lt;linux/if_ether.h&gt;</span> header file, specified in host byte order. If <span Class="emphasis">protocol</span> is non-zero, packets of that protocol will be captured when the handle is activated, otherwise, all packets will be captured. This function is only provided on Linux, and, if it is used on any device other than a network interface, it will have no effect.
<p class="level0">It should not be used in portable code; instead, a filter should be specified with <a Class="bold" href="./pcap_setfilter.html">pcap_setfilter</a>.
<p class="level0">If a given network interface provides a standard link-layer header, with a standard packet type, but provides some packet types with a different socket-layer protocol type from the one in the link-layer header, that packet type cannot be filtered with a filter specified with <span Class="bold">pcap_setfilter()</span> but can be filtered by specifying the socket-layer protocol type using <span Class="bold">pcap_set_protocol_linux()</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_protocol_linux()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">This function became available in libpcap release 1.9.0. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_set_rfmon.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_rfmon - set monitor mode for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_rfmon(pcap_t *p, int rfmon);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_rfmon()</span> sets whether monitor mode should be set on a capture handle when the handle is activated. If <span Class="emphasis">rfmon</span> is non-zero, monitor mode will be set, otherwise it will not be set. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_rfmon()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP), <a Class="bold" href="./pcap_can_set_rfmon.html">pcap_can_set_rfmon</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_set_snaplen.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_snaplen - set the snapshot length for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_snaplen(pcap_t *p, int snaplen);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_snaplen()</span> sets the snapshot length to be used on a capture handle when the handle is activated to <span Class="emphasis">snaplen</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_snaplen()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

66
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_set_timeout.html Normal file
View File

@@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_timeout - set the packet buffer timeout for a not-yet-activated capture handle <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_timeout(pcap_t *p, int to_ms);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_timeout()</span> sets the packet buffer timeout that will be used on a capture handle when the handle is activated to <span Class="emphasis">to_ms</span>, which is in units of milliseconds. (See <a Class="bold" href="./pcap.html">pcap</a>(3PCAP) for an explanation of the packet buffer timeout.)
<p class="level0">The behavior, if the timeout isn&#39;t specified, is undefined, as is the behavior if the timeout is set to zero or to a negative value. We recommend always setting the timeout to a non-zero value unless immediate mode is set, in which case the timeout has no effect. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_timeout()</span> returns 0 on success or <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap_create.html">pcap_create</a>(3PCAP), <a Class="bold" href="./pcap_activate.html">pcap_activate</a>(3PCAP), <span Class="bold">\%pcap_set_immediate_mode</span>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

75
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_set_tstamp_precision.html Normal file
View File

@@ -0,0 +1,75 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0">
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_tstamp_precision - set the time stamp precision returned in captures <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_tstamp_precision(pcap_t *p, int tstamp_precision);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_tstamp_precision()</span> sets the precision of the time stamp desired for packets captured on the pcap descriptor to the type specified by <span Class="emphasis">tstamp_precision</span>. It must be called on a pcap descriptor created by <a Class="bold" href="./pcap_create.html">pcap_create</a> that has not yet been activated by <a Class="bold" href="./pcap_activate.html">pcap_activate</a>. Two time stamp precisions are supported, microseconds and nanoseconds. One can use options <span Class="bold">PCAP_TSTAMP_PRECISION_MICRO and</span> <span Class="bold">PCAP_TSTAMP_PRECISION_NANO</span> to request desired precision. By default, time stamps are in microseconds. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_tstamp_precision()</span> returns 0 on success if the specified time stamp precision is expected to be supported by the capture device, <span Class="bold">PCAP_ERROR_TSTAMP_PRECISION_NOTSUP</span> if the capture device does not support the requested time stamp precision, <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">This function became available in libpcap release 1.5.1. In previous releases, time stamps from a capture device or savefile are always given in seconds and microseconds. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_get_tstamp_precision.html">pcap_get_tstamp_precision</a>(3PCAP), <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

67
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_set_tstamp_type.html Normal file
View File

@@ -0,0 +1,67 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_set_tstamp_type - set the time stamp type to be used by a capture device <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_set_tstamp_type(pcap_t *p, int tstamp_type);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_set_tstamp_type()</span> sets the type of time stamp desired for packets captured on the pcap descriptor to the type specified by <span Class="emphasis">tstamp_type</span>. It must be called on a pcap descriptor created by <a Class="bold" href="./pcap_create.html">pcap_create</a> that has not yet been activated by <a Class="bold" href="./pcap_activate.html">pcap_activate</a>. <a Class="bold" href="./pcap_list_tstamp_types.html">pcap_list_tstamp_types</a> will give a list of the time stamp types supported by a given capture device. See <a Class="bold" href="./pcap-tstamp.html">pcap-tstamp</a>(7) for a list of all the time stamp types. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_set_tstamp_type()</span> returns 0 on success if the specified time stamp type is expected to be supported by the capture device, <span Class="bold">PCAP_WARNING_TSTAMP_TYPE_NOTSUP</span> if the specified time stamp type is not supported by the capture device, <span Class="bold">PCAP_ERROR_ACTIVATED</span> if called on a capture handle that has been activated, and <span Class="bold">PCAP_ERROR_CANTSET_TSTAMP_TYPE</span> if the capture device doesn&#39;t support setting the time stamp type (only older versions of libpcap will return that; newer versions will always allow the time stamp type to be set to the default type). <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">This function became available in libpcap release 1.2.1. In previous releases, the time stamp type cannot be set; only the default time stamp type offered by a capture source is available. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_tstamp_type_name_to_val.html">pcap_tstamp_type_name_to_val</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

67
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_setdirection.html Normal file
View File

@@ -0,0 +1,67 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_setdirection - set the direction for which packets will be captured <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_setdirection(pcap_t *p, pcap_direction_t d);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_setdirection()</span> is used to specify a direction that packets will be captured. <span Class="emphasis">d</span> is one of the constants <span Class="bold">PCAP_D_IN</span>, <span Class="bold">PCAP_D_OUT</span> or <span Class="bold">PCAP_D_INOUT</span>. <span Class="bold">PCAP_D_IN</span> will only capture packets received by the device, <span Class="bold">PCAP_D_OUT</span> will only capture packets sent by the device and <span Class="bold">PCAP_D_INOUT</span> will capture packets received by or sent by the device. <span Class="bold">PCAP_D_INOUT</span> is the default setting if this function is not called.
<p class="level0"><span Class="bold">pcap_setdirection()</span> isn&#39;t necessarily fully supported on all platforms; some platforms might return an error for all values, and some other platforms might not support <span Class="bold">PCAP_D_OUT</span>.
<p class="level0">This operation is not supported if a ``savefile&#39;&#39; is being read. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_setdirection()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

65
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_setfilter.html Normal file
View File

@@ -0,0 +1,65 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_setfilter - set the filter <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_setfilter(pcap_t *p, struct bpf_program *fp);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_setfilter()</span> is used to specify a filter program. <span Class="emphasis">fp</span> is a pointer to a <span Class="emphasis">bpf_program</span> struct, usually the result of a call to <span Class="bold">\%pcap_compile(3PCAP)</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_setfilter()</span> returns 0 on success and <span Class="bold">PCAP_ERROR</span> on failure. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

70
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_setnonblock.html Normal file
View File

@@ -0,0 +1,70 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_setnonblock, pcap_getnonblock - set or get the state of non-blocking mode on a capture device <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
<pre class="level0">
char errbuf[PCAP_ERRBUF_SIZE];
int pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf);
int pcap_getnonblock(pcap_t *p, char *errbuf);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_setnonblock()</span> puts a capture handle into ``non-blocking&#39;&#39; mode, or takes it out of ``non-blocking&#39;&#39; mode, depending on whether the <span Class="emphasis">nonblock</span> argument is non-zero or zero. It has no effect on ``savefiles&#39;&#39;. If there is an error, <span Class="bold">PCAP_ERROR</span> is returned and <span Class="emphasis">errbuf</span> is filled in with an appropriate error message; otherwise, 0 is returned. In ``non-blocking&#39;&#39; mode, an attempt to read from the capture descriptor with <span Class="bold">pcap_dispatch(3PCAP)</span> will, if no packets are currently available to be read, return 0 immediately rather than blocking waiting for packets to arrive. <a Class="bold" href="./pcap_loop.html">pcap_loop</a> and <span Class="bold">pcap_next(3PCAP)</span> will not work in ``non-blocking&#39;&#39; mode.
<p class="level0">When first activated with <a Class="bold" href="./pcap_activate.html">pcap_activate</a> or opened with <span Class="bold">pcap_open_live(3PCAP) ,</span> a capture handle is not in ``non-blocking mode&#39;&#39;; a call to <span Class="bold">pcap_setnonblock()</span> is required in order to put it into ``non-blocking&#39;&#39; mode. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_getnonblock()</span> returns the current ``non-blocking&#39;&#39; state of the capture descriptor; it always returns 0 on ``savefiles&#39;&#39;. If there is an error, <span Class="bold">PCAP_ERROR</span> is returned and <span Class="emphasis">errbuf</span> is filled in with an appropriate error message.
<p class="level0"><span Class="emphasis">errbuf</span> is assumed to be able to hold at least <span Class="bold">PCAP_ERRBUF_SIZE</span> chars. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_next_ex.html">pcap_next_ex</a>(3PCAP), <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

66
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_snapshot.html Normal file
View File

@@ -0,0 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_snapshot - get the snapshot length <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_snapshot(pcap_t *p);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_snapshot()</span> returns the snapshot length specified when <a Class="bold" href="./pcap_set_snaplen.html">pcap_set_snaplen</a> or <a Class="bold" href="./pcap_open_live.html">pcap_open_live</a> was called, for a live capture, or the snapshot length from the capture file, for a ``savefile&#39;&#39;.
<p class="level0">It must not be called on a pcap descriptor created by <span Class="bold">\%pcap_create(3PCAP)</span> that has not yet been activated by <span Class="bold">\%pcap_activate(3PCAP)</span>. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_snapshot()</span> returns the snapshot length on success and <span Class="bold">PCAP_ERROR_NOT_ACTIVATED</span> if called on a capture handle that has been created but not activated. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

73
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_stats.html Normal file
View File

@@ -0,0 +1,73 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_stats - get capture statistics <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_stats(pcap_t *p, struct pcap_stat *ps);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_stats()</span> fills in the <span Class="bold">struct pcap_stat</span> pointed to by its second argument. The values represent packet statistics from the start of the run to the time of the call.
<p class="level0"><span Class="bold">pcap_stats()</span> is supported only on live captures, not on ``savefiles&#39;&#39;; no statistics are stored in ``savefiles&#39;&#39;, so no statistics are available when reading from a ``savefile&#39;&#39;.
<p class="level0">A <span Class="bold">struct pcap_stat</span> has the following members:
<p class="level1">
<p class="level1"><span Class="bold">ps_recv</span> number of packets received;
<p class="level1"><span Class="bold">ps_drop</span> number of packets dropped because there was no room in the operating system&#39;s buffer when they arrived, because packets weren&#39;t being read fast enough;
<p class="level1"><span Class="bold">ps_ifdrop</span> number of packets dropped by the network interface or its driver.
<p class="level0">
<p class="level0">The statistics do not behave the same way on all platforms. <span Class="bold">ps_recv</span> might count packets whether they passed any filter set with <a Class="bold" href="./pcap_setfilter.html">pcap_setfilter</a>(3PCAP) or not, or it might count only packets that pass the filter. It also might, or might not, count packets dropped because there was no room in the operating system&#39;s buffer when they arrived. <span Class="bold">ps_drop</span> is not available on all platforms; it is zero on platforms where it&#39;s not available. If packet filtering is done in libpcap, rather than in the operating system, it would count packets that don&#39;t pass the filter. Both <span Class="bold">ps_recv</span> and <span Class="bold">ps_drop</span> might, or might not, count packets not yet read from the operating system and thus not yet seen by the application. <span Class="bold">ps_ifdrop</span> might, or might not, be implemented; if it&#39;s zero, that might mean that no packets were dropped by the interface, or it might mean that the statistic is unavailable, so it should not be treated as an indication that the interface did not drop any packets. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_stats()</span> returns 0 on success and returns <span Class="bold">PCAP_ERROR</span> if there is an error or if <span Class="emphasis">p</span> doesn&#39;t support packet statistics. If <span Class="bold">PCAP_ERROR</span> is returned, <a Class="bold" href="./pcap_geterr.html">pcap_geterr</a> or <span Class="bold">pcap_perror(3PCAP)</span> may be called with <span Class="emphasis">p</span> as an argument to fetch or display the error text. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

64
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_statustostr.html Normal file
View File

@@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_statustostr - convert a PCAP_ERROR_ or PCAP_WARNING_ value to a string <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
const char *pcap_statustostr(int error);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_statustostr()</span> converts a <span Class="bold">PCAP_ERROR_</span> or <span Class="bold">PCAP_WARNING_</span> value returned by a libpcap routine to an error string. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

64
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_strerror.html Normal file
View File

@@ -0,0 +1,64 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_strerror - convert an errno value to a string <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
const char *pcap_strerror(int error);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_strerror()</span> is provided in case <span Class="bold">strerror</span>(3) isn&#39;t available. It returns an error message string corresponding to <span Class="emphasis">error</span>. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

67
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_tstamp_type_name_to_val.html Normal file
View File

@@ -0,0 +1,67 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_tstamp_type_name_to_val - get the time stamp type value corresponding to a time stamp type name <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap/pcap.h&gt;
int pcap_tstamp_type_name_to_val(const char *name);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_tstamp_type_name_to_val()</span> translates a time stamp type name to the corresponding time stamp type value. The translation is case-insensitive. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0"><span Class="bold">pcap_tstamp_type_name_to_val()</span> returns time stamp type value on success and <span Class="bold">PCAP_ERROR</span> on failure. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">This function became available in libpcap release 1.2.1. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_tstamp_type_val_to_name.html">pcap_tstamp_type_val_to_name</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>

68
network/arpicmplab/start/lib/npcap/docs/wpcap/pcap_tstamp_type_val_to_name.html Normal file
View File

@@ -0,0 +1,68 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>3PCAP man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
overflow: auto;
margin: 0;
}
P.level0, pre.level0 {
padding-left: 2em;
}
P.level1, pre.level1 {
padding-left: 4em;
}
P.level2, pre.level2 {
padding-left: 6em;
}
span.emphasis {
font-style: italic;
}
span.bold {
font-weight: bold;
}
span.manpage {
font-weight: bold;
}
h2.nroffsh {
background-color: #e0e0e0;
}
span.nroffip {
font-weight: bold;
font-size: 120%;
font-family: monospace;
}
p.roffit {
text-align: center;
font-size: 80%;
}
</STYLE>
</head><body>
<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">pcap_tstamp_type_val_to_name, pcap_tstamp_type_val_to_description - get a name or description for a time stamp type value <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;pcap.h&gt;
const char *pcap_tstamp_type_val_to_name(int tstamp_type);
const char *pcap_tstamp_type_val_to_description(int tstamp_type);
</pre>
<p class="level0"><a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0"><span Class="bold">pcap_tstamp_type_val_to_name()</span> translates a time stamp type value to the corresponding time stamp type name. <span Class="bold">NULL</span> is returned on failure.
<p class="level0"><span Class="bold">pcap_tstamp_type_val_to_description()</span> translates a time stamp type value to a short description of that time stamp type. <span Class="bold">NULL</span> is returned on failure. <a name="BACKWARD"></a><h2 class="nroffsh">BACKWARD COMPATIBILITY</h2>
<p class="level0">
<p class="level0">These functions became available in libpcap release 1.2.1. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><a Class="bold" href="./pcap.html">pcap</a>(3PCAP), <a Class="bold" href="./pcap_tstamp_type_name_to_val.html">pcap_tstamp_type_name_to_val</a>(3PCAP) <p class="roffit">
This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>