freebsd-skq/contrib/libpcap/pcap.3pcap.in

.\" @(#) $Header: /tcpdump/master/libpcap/pcap.3pcap.in,v 1.1 2008-10-21 07:33:01 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP 3PCAP "4 April 2008"
.SH NAME
pcap \- Packet Capture library
.SH SYNOPSIS
.nf
.ft B
#include <pcap/pcap.h>
.LP
.ft B
.ft
.fi
.SH DESCRIPTION
The Packet Capture library
provides a high level interface to packet capture systems. All packets
on the network, even those destined for other hosts, are accessible
through this mechanism.
It also supports saving captured packets to a ``savefile'', and reading
packets from a ``savefile''.
.PP
To open a handle for a live capture, call
.BR pcap_create() ,
set the appropriate options on the handle, and then activate it with
.BR pcap_activate() .
To open a handle for a ``savefile'' with captured packets, call
.BR pcap_open_offline() .
Both
.B pcap_create()
and
.B pcap_open_offline()
return a pointer to a
.BR pcap_t ,
which is the handle used for reading packets from the capture stream or
the ``savefile'', and for finding out information about the capture
stream or ``savefile''.
.PP
The options that can be set on a capture handle include
.IP "snapshot length"
If, when capturing, you capture the entire contents of the packet, that
requires more CPU time to copy the packet to your application, more disk
and possibly network bandwidth to write the packet data to a file, and
more disk space to save the packet.  If you don't need the entire
contents of the packet - for example, if you are only interested in the
TCP headers of packets - you can set the "snapshot length" for the
capture to an appropriate value.  If the snapshot length is set to
.IR snaplen ,
and
.I snaplen
is less
than the size of a packet that is captured, only the first
.I snaplen
bytes of that packet will be captured and provided as packet data.
.IP
A snapshot length of 65535 should be sufficient, on most if not all
networks, to capture all the data available from the packet.
.IP
The snapshot length is set with
.BR pcap_set_snaplen() .
.IP "promiscuous mode"
On broadcast LANs such as Ethernet, if the network isn't switched, or if
the adapter is connected to a "mirror port" on a switch to which all
packets passing through the switch are sent, a network adapter receives
all packets on the LAN, including unicast or multicast packets not sent
to a network address that the network adapter isn't configured to
recognize.
.IP
Normally, the adapter will discard those packets; however, many network
adapters support "promiscuous mode", which is a mode in which all
packets, even if they are not sent to an address that the adapter
recognizes, are provided to the host.  This is useful for passively
capturing traffic between two or more other hosts for analysis.
.IP
Note that even if an application does not set promiscuous mode, the
adapter could well be in promiscuous mode for some other reason.
.IP
For now, this doesn't work on the "any" device; if an argument of "any"
or NULL is supplied, the setting of promiscuous mode is ignored.
.IP
Promiscuous mode is set with
.BR pcap_set_promisc() .
.IP "monitor mode"
On IEEE 802.11 wireless LANs, even if an adapter is in promiscuous mode,
it will supply to the host only frames for the network with which it's
associated.  It might also supply only data frames, not management or
control frames, and might not provide the 802.11 header or radio
information pseudo-header for those frames.
.IP
In "monitor mode", sometimes also called "rfmon mode" (for "Radio
Frequency MONitor"), the adapter will supply all frames that it
receives, with 802.11 headers, and might supply a pseudo-header with
radio information about the frame as well.
.IP
Note that in monitor mode the adapter might disassociate from the
network with which it's associated, so that you will not be able to use
any wireless networks with that adapter.  This could prevent accessing
files on a network server, or resolving host names or network addresses,
if you are capturing in monitor mode and are not connected to another
network with another adapter.
.IP
Monitor mode is set with
.BR pcap_set_rfmon() ,
and
.B pcap_can_set_rfmon()
can be used to determine whether an adapter can be put into monitor
mode.
.IP "read timeout"
If, when capturing, packets are delivered as soon as they arrive, the
application capturing the packets will be woken up for each packet as it
arrives, and might have to make one or more calls to the operating
system to fetch each packet.
.IP
If, instead, packets are not delivered as soon as they arrive, but are
delivered after a short delay (called a "read timeout"), more than one
packet can be accumulated before the packets are delivered, so that a
single wakeup would be done for multiple packets, and each set of calls
made to the operating system would supply multiple packets, rather than
a single packet.  This reduces the per-packet CPU overhead if packets
are arriving at a high rate, increasing the number of packets per second
that can be captured.
.IP
The read timeout is required so that an application won't wait for the
operating system's capture buffer to fill up before packets are
delivered; if packets are arriving slowly, that wait could take an
arbitrarily long period of time.
.IP
Not all platforms support a read timeout; on platforms that
don't, the read timeout is ignored.  A zero value for the timeout,
on platforms that support a read timeout,
will cause a read to wait forever to allow enough packets to
arrive, with no timeout.
.IP
.BR NOTE :
the read timeout cannot be used to cause calls that read
packets to return within a limited period of time, because, on some
platforms, the read timeout isn't supported, and, on other platforms,
the timer doesn't start until at least one packet arrives.  This means
that the read timeout should
.B NOT
be used, for example, in an interactive application to allow the packet
capture loop to ``poll'' for user input periodically, as there's no
guarantee that a call reading packets will return after the timeout
expires even if no packets have arrived.
.IP
The read timeout is set with
.BR pcap_set_timeout() .
.IP "buffer size"
Packets that arrive for a capture are stored in a buffer, so that they
do not have to be read by the application as soon as they arrive.  On
some platforms, the buffer's size can be set; a size that's too small
could mean that, if too many packets are being captured and the snapshot
length doesn't limit the amount of data that's buffered, packets could
be dropped if the buffer fills up before the application can read
packets from it, while a size that's too large could use more
non-pageable operating system memory than is necessary to prevent
packets from being dropped.
.IP
The buffer size is set with
.BR pcap_set_buffer_size() .
.PP
Reading packets from a network interface may require that you have
special privileges:
.TP
.B Under SunOS 3.x or 4.x with NIT or BPF:
You must have read access to
.I /dev/nit
or
.IR /dev/bpf* .
.TP
.B Under Solaris with DLPI:
You must have read/write access to the network pseudo device, e.g.
.IR /dev/le .
On at least some versions of Solaris, however, this is not sufficient to
allow
.I tcpdump
to capture in promiscuous mode; on those versions of Solaris, you must
be root, or the application capturing packets
must be installed setuid to root, in order to capture in promiscuous
mode.  Note that, on many (perhaps all) interfaces, if you don't capture
in promiscuous mode, you will not see any outgoing packets, so a capture
not done in promiscuous mode may not be very useful.
.IP
In newer versions of Solaris, you must have been given the
.B net_rawaccess
privilege; this is both necessary and sufficient to give you access to the
network pseudo-device - there is no need to change the privileges on
that device.  A user can be given that privilege by, for example, adding
that privilege to the user's
.B defaultpriv
key with the
.B usermod (1M)
command.
.TP
.B Under HP-UX with DLPI:
You must be root or the application capturing packets must be installed
setuid to root.
.TP
.B Under IRIX with snoop:
You must be root or the application capturing packets must be installed
setuid to root.
.TP
.B Under Linux:
You must be root or the application capturing packets must be installed
setuid to root (unless your distribution has a kernel
that supports capability bits such as CAP_NET_RAW and code to allow
those capability bits to be given to particular accounts and to cause
those bits to be set on a user's initial processes when they log in, in
which case you  must have CAP_NET_RAW in order to capture and
CAP_NET_ADMIN to enumerate network devices with, for example, the
.B \-D
flag).
.TP
.B Under ULTRIX and Digital UNIX/Tru64 UNIX:
Any user may capture network traffic.
However, no user (not even the super-user) can capture in promiscuous
mode on an interface unless the super-user has enabled promiscuous-mode
operation on that interface using
.IR pfconfig (8),
and no user (not even the super-user) can capture unicast traffic
received by or sent by the machine on an interface unless the super-user
has enabled copy-all-mode operation on that interface using
.IR pfconfig ,
so
.I useful
packet capture on an interface probably requires that either
promiscuous-mode or copy-all-mode operation, or both modes of
operation, be enabled on that interface.
.TP
.B Under BSD (this includes Mac OS X):
You must have read access to
.I /dev/bpf*
on systems that don't have a cloning BPF device, or to
.I /dev/bpf
on systems that do.
On BSDs with a devfs (this includes Mac OS X), this might involve more
than just having somebody with super-user access setting the ownership
or permissions on the BPF devices - it might involve configuring devfs
to set the ownership or permissions every time the system is booted,
if the system even supports that; if it doesn't support that, you might
have to find some other way to make that happen at boot time.
.PP
Reading a saved packet file doesn't require special privileges.
.PP
To open a ``savefile`` to which to write packets, call
.BR pcap_dump_open() .
It returns a pointer to a
.BR pcap_dumper_t ,
which is the handle used for writing packets to the ``savefile''.
.PP
Packets are read with
.B pcap_dispatch()
or
.BR pcap_loop() ,
which process one or more packets, calling a callback routine for each
packet, or with
.B pcap_next()
or
.BR pcap_next_ex() ,
which return the next packet.
The callback for
.B pcap_dispatch()
and
.BR pcap_loop()
is supplied a pointer to a
.IR "struct pcap_pkthdr" ,
which includes the following members:
.RS
.TP
.B ts
a
.I struct timeval
containing the time when the packet was captured
.TP
.B caplen
a
.I bpf_u_int32
giving the number of bytes of the packet that are available from the
capture
.TP
.B len
a
.I bpf_u_int32
giving the length of the packet, in bytes (which might be more than the
number of bytes available from the capture, if the length of the packet
is larger than the maximum number of bytes to capture).
.RE
.PP
.B pcap_next_ex()
supplies that pointer through a pointer argument.
.B pcap_next()
is passed an argument that points to a
.I struct pcap_pkthdr
structure, and fills it in.
.PP
The callback is also supplied a
.I const u_char
pointer to the first
.B caplen
(as given in the
.I struct pcap_pkthdr
a pointer to which is passed to the callback routine)
bytes of data from the packet.  This won't necessarily be the entire
packet; to capture the entire packet, you will have to provide a value
for
.I snaplen
in your call to
.B pcap_open_live()
that is sufficiently large to get all of the packet's data - a value of
65535 should be sufficient on most if not all networks).  When reading
from a ``savefile'', the snapshot length specified when the capture was
performed will limit the amount of packet data available.
.B pcap_next()
returns that pointer;
.B pcap_next_ex()
supplies that pointer through a pointer argument.
.SH BACKWARDS COMPATIBILITY
.PP
In versions of libpcap prior to 1.0, the
.B pcap.h
header file was not in a
.B pcap
directory on most platforms; if you are writing an application that must
work on versions of libpcap prior to 1.0, include
.BR <pcap.h> ,
which will include
.B <pcap/pcap.h>
for you, rather than including
.BR <pcap/pcap.h> .
.PP
.B pcap_create()
and
.B pcap_activate()
were not available in versions of libpcap prior to 1.0; if you are
writing an application that must work on versions of libpcap prior to
1.0, either use
.B pcap_open_live()
to get a handle for a live capture or, if you want to be able to use the
additional capabilities offered by using
.B pcap_create()
and
.BR pcap_activate() ,
use an
.BR autoconf (1)
script or some other configuration script to check whether the libpcap
1.0 APIs are available and use them only if they are.
.SH SEE ALSO
autoconf(1), tcpdump(1), tcpslice(1), pcap-filter(@MAN_MISC_INFO@), pfconfig(8),
usermod(1M)
.SH AUTHORS
The original authors of libpcap are:
.LP
Van Jacobson,
Craig Leres and
Steven McCanne, all of the
Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
.LP
The current version is available from "The Tcpdump Group"'s Web site at
.LP
.RS
.I http://www.tcpdump.org/
.RE
.SH BUGS
Please send problems, bugs, questions, desirable enhancements, etc. to:
.LP
.RS
tcpdump-workers@lists.tcpdump.org
.RE
Update libpcap to 1.1.1. Changes: Thu. April 1, 2010. guy@alum.mit.edu. Summary for 1.1.1 libpcap release Update CHANGES to reflect more of the changes in 1.1.0. Fix build on RHEL5. Fix shared library build on AIX. Thu. March 11, 2010. ken@netfunctional.ca/guy@alum.mit.edu. Summary for 1.1.0 libpcap release Add SocketCAN capture support Add Myricom SNF API support Update Endace DAG and ERF support Add support for shared libraries on Solaris, HP-UX, and AIX Build, install, and un-install shared libraries by default; don't build/install shared libraries on platforms we don't support Fix building from a directory other than the source directory Fix compiler warnings and builds on some platforms Update config.guess and config.sub Support monitor mode on mac80211 devices on Linux Fix USB memory-mapped capturing on Linux; it requires a new DLT_ value On Linux, scan /sys/class/net for devices if we have it; scan it, or /proc/net/dev if we don't have /sys/class/net, even if we have getifaddrs(), as it'll find interfaces with no addresses Add limited support for reading pcap-ng files Fix BPF driver-loading error handling on AIX Support getting the full-length interface description on FreeBSD In the lexical analyzer, free up any addrinfo structure we got back from getaddrinfo(). Add support for BPF and libdlpi in OpenSolaris (and SXCE) Hyphenate "link-layer" everywhere Add /sys/kernel/debug/usb/usbmon to the list of usbmon locations In pcap_read_linux_mmap(), if there are no frames available, call poll() even if we're in non-blocking mode, so we pick up errors, and check for the errors in question. Note that poll() works on BPF devices is Snow Leopard If an ENXIO or ENETDOWN is received, it may mean the device has gone away. Deal with it. For BPF, raise the default capture buffer size to from 32k to 512k Support ps_ifdrop on Linux Added a bunch of #ifdef directives to make wpcap.dll (WinPcap) compile under cygwin. Changes to Linux mmapped captures. Fix bug where create_ring would fail for particular snaplen and buffer size combinations Update pcap-config so that it handles libpcap requiring additional libraries Add workaround for threadsafeness on Windows Add missing mapping for DLT_ENC <-> LINKTYPE_ENC DLT: Add DLT_CAN_SOCKETCAN DLT: Add Solaris ipnet Don't check for DLT_IPNET if it's not defined Add link-layer types for Fibre Channel FC-2 Add link-layer types for Wireless HART Add link-layer types for AOS Add link-layer types for DECT Autoconf fixes (AIX, HP-UX, OSF/1, Tru64 cleanups) Install headers unconditionally, and include vlan.h/bluetooth.h if enabled Autoconf fixes+cleanup Support enabling/disabling bluetooth (--{en,dis}able-bluetooth) Support disabling SITA support (--without-sita) Return -1 on failure to create packet ring (if supported but creation failed) Fix handling of 'any' device, so that it can be opened, and no longer attempt to open it in Monitor mode Add support for snapshot length for USB Memory-Mapped Interface Fix configure and build on recent Linux kernels Fix memory-mapped Linux capture to support pcap_next() and pcap_next_ex() Fixes for Linux USB capture DLT: Add DLT_LINUX_EVDEV DLT: Add DLT_GSMTAP_UM DLT: Add DLT_GSMTAP_ABIS 2010-10-28 16:22:13 +00:00			`.\" @(#) $Header: /tcpdump/master/libpcap/pcap.3pcap.in,v 1.1 2008-10-21 07:33:01 guy Exp $`
Import of libpcap 1.0.0. 2009-03-21 20:43:56 +00:00			`.\"`
			`.\" Copyright (c) 1994, 1996, 1997`
			`.\" The Regents of the University of California. All rights reserved.`
			`.\"`
			`.\" Redistribution and use in source and binary forms, with or without`
			`.\" modification, are permitted provided that: (1) source code distributions`
			`.\" retain the above copyright notice and this paragraph in its entirety, (2)`
			`.\" distributions including binary code include the above copyright notice and`
			`.\" this paragraph in its entirety in the documentation or other materials`
			`.\" provided with the distribution, and (3) all advertising materials mentioning`
			`.\" features or use of this software display the following acknowledgement:`
			.\" ``This product includes software developed by the University of California,
			`.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of`
			`.\" the University nor the names of its contributors may be used to endorse`
			`.\" or promote products derived from this software without specific prior`
			`.\" written permission.`
			.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
			`.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF`
			`.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.`
			`.\"`
			`.TH PCAP 3PCAP "4 April 2008"`
			`.SH NAME`
			`pcap \- Packet Capture library`
			`.SH SYNOPSIS`
			`.nf`
			`.ft B`
			`#include <pcap/pcap.h>`
			`.LP`
			`.ft B`
			`.ft`
			`.fi`
			`.SH DESCRIPTION`
			`The Packet Capture library`
			`provides a high level interface to packet capture systems. All packets`
			`on the network, even those destined for other hosts, are accessible`
			`through this mechanism.`
			It also supports saving captured packets to a ``savefile'', and reading
			packets from a ``savefile''.
			`.PP`
			`To open a handle for a live capture, call`
			`.BR pcap_create() ,`
			`set the appropriate options on the handle, and then activate it with`
			`.BR pcap_activate() .`
			To open a handle for a ``savefile'' with captured packets, call
			`.BR pcap_open_offline() .`
			`Both`
			`.B pcap_create()`
			`and`
			`.B pcap_open_offline()`
			`return a pointer to a`
			`.BR pcap_t ,`
			`which is the handle used for reading packets from the capture stream or`
			the ``savefile'', and for finding out information about the capture
			stream or ``savefile''.
			`.PP`
			`The options that can be set on a capture handle include`
			`.IP "snapshot length"`
			`If, when capturing, you capture the entire contents of the packet, that`
			`requires more CPU time to copy the packet to your application, more disk`
			`and possibly network bandwidth to write the packet data to a file, and`
			`more disk space to save the packet. If you don't need the entire`
			`contents of the packet - for example, if you are only interested in the`
			`TCP headers of packets - you can set the "snapshot length" for the`
			`capture to an appropriate value. If the snapshot length is set to`
			`.IR snaplen ,`
			`and`
			`.I snaplen`
			`is less`
			`than the size of a packet that is captured, only the first`
			`.I snaplen`
			`bytes of that packet will be captured and provided as packet data.`
			`.IP`
			`A snapshot length of 65535 should be sufficient, on most if not all`
			`networks, to capture all the data available from the packet.`
			`.IP`
			`The snapshot length is set with`
			`.BR pcap_set_snaplen() .`
			`.IP "promiscuous mode"`
			`On broadcast LANs such as Ethernet, if the network isn't switched, or if`
			`the adapter is connected to a "mirror port" on a switch to which all`
			`packets passing through the switch are sent, a network adapter receives`
			`all packets on the LAN, including unicast or multicast packets not sent`
			`to a network address that the network adapter isn't configured to`
			`recognize.`
			`.IP`
			`Normally, the adapter will discard those packets; however, many network`
			`adapters support "promiscuous mode", which is a mode in which all`
			`packets, even if they are not sent to an address that the adapter`
			`recognizes, are provided to the host. This is useful for passively`
			`capturing traffic between two or more other hosts for analysis.`
			`.IP`
			`Note that even if an application does not set promiscuous mode, the`
			`adapter could well be in promiscuous mode for some other reason.`
			`.IP`
			`For now, this doesn't work on the "any" device; if an argument of "any"`
			`or NULL is supplied, the setting of promiscuous mode is ignored.`
			`.IP`
			`Promiscuous mode is set with`
			`.BR pcap_set_promisc() .`
			`.IP "monitor mode"`
			`On IEEE 802.11 wireless LANs, even if an adapter is in promiscuous mode,`
			`it will supply to the host only frames for the network with which it's`
			`associated. It might also supply only data frames, not management or`
			`control frames, and might not provide the 802.11 header or radio`
			`information pseudo-header for those frames.`
			`.IP`
			`In "monitor mode", sometimes also called "rfmon mode" (for "Radio`
			`Frequency MONitor"), the adapter will supply all frames that it`
			`receives, with 802.11 headers, and might supply a pseudo-header with`
			`radio information about the frame as well.`
			`.IP`
			`Note that in monitor mode the adapter might disassociate from the`
			`network with which it's associated, so that you will not be able to use`
			`any wireless networks with that adapter. This could prevent accessing`
			`files on a network server, or resolving host names or network addresses,`
			`if you are capturing in monitor mode and are not connected to another`
			`network with another adapter.`
			`.IP`
			`Monitor mode is set with`
			`.BR pcap_set_rfmon() ,`
			`and`
			`.B pcap_can_set_rfmon()`
			`can be used to determine whether an adapter can be put into monitor`
			`mode.`
			`.IP "read timeout"`
			`If, when capturing, packets are delivered as soon as they arrive, the`
			`application capturing the packets will be woken up for each packet as it`
			`arrives, and might have to make one or more calls to the operating`
			`system to fetch each packet.`
			`.IP`
			`If, instead, packets are not delivered as soon as they arrive, but are`
			`delivered after a short delay (called a "read timeout"), more than one`
			`packet can be accumulated before the packets are delivered, so that a`
			`single wakeup would be done for multiple packets, and each set of calls`
			`made to the operating system would supply multiple packets, rather than`
			`a single packet. This reduces the per-packet CPU overhead if packets`
			`are arriving at a high rate, increasing the number of packets per second`
			`that can be captured.`
			`.IP`
			`The read timeout is required so that an application won't wait for the`
			`operating system's capture buffer to fill up before packets are`
			`delivered; if packets are arriving slowly, that wait could take an`
			`arbitrarily long period of time.`
			`.IP`
			`Not all platforms support a read timeout; on platforms that`
			`don't, the read timeout is ignored. A zero value for the timeout,`
			`on platforms that support a read timeout,`
			`will cause a read to wait forever to allow enough packets to`
			`arrive, with no timeout.`
			`.IP`
			`.BR NOTE :`
			`the read timeout cannot be used to cause calls that read`
			`packets to return within a limited period of time, because, on some`
			`platforms, the read timeout isn't supported, and, on other platforms,`
			`the timer doesn't start until at least one packet arrives. This means`
			`that the read timeout should`
			`.B NOT`
			`be used, for example, in an interactive application to allow the packet`
			capture loop to ``poll'' for user input periodically, as there's no
			`guarantee that a call reading packets will return after the timeout`
			`expires even if no packets have arrived.`
			`.IP`
			`The read timeout is set with`
			`.BR pcap_set_timeout() .`
			`.IP "buffer size"`
			`Packets that arrive for a capture are stored in a buffer, so that they`
			`do not have to be read by the application as soon as they arrive. On`
			`some platforms, the buffer's size can be set; a size that's too small`
			`could mean that, if too many packets are being captured and the snapshot`
			`length doesn't limit the amount of data that's buffered, packets could`
			`be dropped if the buffer fills up before the application can read`
			`packets from it, while a size that's too large could use more`
			`non-pageable operating system memory than is necessary to prevent`
			`packets from being dropped.`
			`.IP`
			`The buffer size is set with`
			`.BR pcap_set_buffer_size() .`
			`.PP`
			`Reading packets from a network interface may require that you have`
			`special privileges:`
			`.TP`
			`.B Under SunOS 3.x or 4.x with NIT or BPF:`
			`You must have read access to`
			`.I /dev/nit`
			`or`
			`.IR /dev/bpf* .`
			`.TP`
			`.B Under Solaris with DLPI:`
			`You must have read/write access to the network pseudo device, e.g.`
			`.IR /dev/le .`
			`On at least some versions of Solaris, however, this is not sufficient to`
			`allow`
			`.I tcpdump`
			`to capture in promiscuous mode; on those versions of Solaris, you must`
			`be root, or the application capturing packets`
			`must be installed setuid to root, in order to capture in promiscuous`
			`mode. Note that, on many (perhaps all) interfaces, if you don't capture`
			`in promiscuous mode, you will not see any outgoing packets, so a capture`
			`not done in promiscuous mode may not be very useful.`
			`.IP`
			`In newer versions of Solaris, you must have been given the`
			`.B net_rawaccess`
			`privilege; this is both necessary and sufficient to give you access to the`
			`network pseudo-device - there is no need to change the privileges on`
			`that device. A user can be given that privilege by, for example, adding`
			`that privilege to the user's`
			`.B defaultpriv`
			`key with the`
			`.B usermod (1M)`
			`command.`
			`.TP`
			`.B Under HP-UX with DLPI:`
			`You must be root or the application capturing packets must be installed`
			`setuid to root.`
			`.TP`
			`.B Under IRIX with snoop:`
			`You must be root or the application capturing packets must be installed`
			`setuid to root.`
			`.TP`
			`.B Under Linux:`
			`You must be root or the application capturing packets must be installed`
			`setuid to root (unless your distribution has a kernel`
			`that supports capability bits such as CAP_NET_RAW and code to allow`
			`those capability bits to be given to particular accounts and to cause`
			`those bits to be set on a user's initial processes when they log in, in`
			`which case you must have CAP_NET_RAW in order to capture and`
			`CAP_NET_ADMIN to enumerate network devices with, for example, the`
			`.B \-D`
			`flag).`
			`.TP`
			`.B Under ULTRIX and Digital UNIX/Tru64 UNIX:`
			`Any user may capture network traffic.`
			`However, no user (not even the super-user) can capture in promiscuous`
			`mode on an interface unless the super-user has enabled promiscuous-mode`
			`operation on that interface using`
			`.IR pfconfig (8),`
			`and no user (not even the super-user) can capture unicast traffic`
			`received by or sent by the machine on an interface unless the super-user`
			`has enabled copy-all-mode operation on that interface using`
			`.IR pfconfig ,`
			`so`
			`.I useful`
			`packet capture on an interface probably requires that either`
			`promiscuous-mode or copy-all-mode operation, or both modes of`
			`operation, be enabled on that interface.`
			`.TP`
			`.B Under BSD (this includes Mac OS X):`
			`You must have read access to`
			`.I /dev/bpf*`
			`on systems that don't have a cloning BPF device, or to`
			`.I /dev/bpf`
			`on systems that do.`
			`On BSDs with a devfs (this includes Mac OS X), this might involve more`
			`than just having somebody with super-user access setting the ownership`
			`or permissions on the BPF devices - it might involve configuring devfs`
			`to set the ownership or permissions every time the system is booted,`
			`if the system even supports that; if it doesn't support that, you might`
			`have to find some other way to make that happen at boot time.`
			`.PP`
			`Reading a saved packet file doesn't require special privileges.`
			`.PP`
			To open a ``savefile`` to which to write packets, call
			`.BR pcap_dump_open() .`
			`It returns a pointer to a`
			`.BR pcap_dumper_t ,`
			which is the handle used for writing packets to the ``savefile''.
			`.PP`
			`Packets are read with`
			`.B pcap_dispatch()`
			`or`
			`.BR pcap_loop() ,`
			`which process one or more packets, calling a callback routine for each`
			`packet, or with`
			`.B pcap_next()`
			`or`
			`.BR pcap_next_ex() ,`
			`which return the next packet.`
			`The callback for`
			`.B pcap_dispatch()`
			`and`
			`.BR pcap_loop()`
			`is supplied a pointer to a`
			`.IR "struct pcap_pkthdr" ,`
			`which includes the following members:`
			`.RS`
			`.TP`
			`.B ts`
			`a`
			`.I struct timeval`
			`containing the time when the packet was captured`
			`.TP`
			`.B caplen`
			`a`
			`.I bpf_u_int32`
			`giving the number of bytes of the packet that are available from the`
			`capture`
			`.TP`
			`.B len`
			`a`
			`.I bpf_u_int32`
			`giving the length of the packet, in bytes (which might be more than the`
			`number of bytes available from the capture, if the length of the packet`
			`is larger than the maximum number of bytes to capture).`
			`.RE`
			`.PP`
			`.B pcap_next_ex()`
			`supplies that pointer through a pointer argument.`
			`.B pcap_next()`
			`is passed an argument that points to a`
			`.I struct pcap_pkthdr`
			`structure, and fills it in.`
			`.PP`
			`The callback is also supplied a`
			`.I const u_char`
			`pointer to the first`
			`.B caplen`
			`(as given in the`
			`.I struct pcap_pkthdr`
			`a pointer to which is passed to the callback routine)`
			`bytes of data from the packet. This won't necessarily be the entire`
			`packet; to capture the entire packet, you will have to provide a value`
			`for`
			`.I snaplen`
			`in your call to`
			`.B pcap_open_live()`
			`that is sufficiently large to get all of the packet's data - a value of`
			`65535 should be sufficient on most if not all networks). When reading`
			from a ``savefile'', the snapshot length specified when the capture was
			`performed will limit the amount of packet data available.`
			`.B pcap_next()`
			`returns that pointer;`
			`.B pcap_next_ex()`
			`supplies that pointer through a pointer argument.`
			`.SH BACKWARDS COMPATIBILITY`
			`.PP`
			`In versions of libpcap prior to 1.0, the`
			`.B pcap.h`
			`header file was not in a`
			`.B pcap`
			`directory on most platforms; if you are writing an application that must`
			`work on versions of libpcap prior to 1.0, include`
			`.BR <pcap.h> ,`
			`which will include`
			`.B <pcap/pcap.h>`
			`for you, rather than including`
			`.BR <pcap/pcap.h> .`
			`.PP`
			`.B pcap_create()`
			`and`
			`.B pcap_activate()`
			`were not available in versions of libpcap prior to 1.0; if you are`
			`writing an application that must work on versions of libpcap prior to`
			`1.0, either use`
			`.B pcap_open_live()`
			`to get a handle for a live capture or, if you want to be able to use the`
			`additional capabilities offered by using`
			`.B pcap_create()`
			`and`
			`.BR pcap_activate() ,`
			`use an`
			`.BR autoconf (1)`
			`script or some other configuration script to check whether the libpcap`
			`1.0 APIs are available and use them only if they are.`
			`.SH SEE ALSO`
			`autoconf(1), tcpdump(1), tcpslice(1), pcap-filter(@MAN_MISC_INFO@), pfconfig(8),`
			`usermod(1M)`
			`.SH AUTHORS`
			`The original authors of libpcap are:`
			`.LP`
			`Van Jacobson,`
			`Craig Leres and`
			`Steven McCanne, all of the`
			`Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.`
			`.LP`
			`The current version is available from "The Tcpdump Group"'s Web site at`
			`.LP`
			`.RS`
			`.I http://www.tcpdump.org/`
			`.RE`
			`.SH BUGS`
			`Please send problems, bugs, questions, desirable enhancements, etc. to:`
			`.LP`
			`.RS`
			`tcpdump-workers@lists.tcpdump.org`
			`.RE`