Table of Contents
open_live
Table of Contents
open_live
open_live — Obtain a packet capture descriptor to look at packets on the network
Reader open_live
( | device, | |
| snaplen, | ||
| promisc, | ||
to_ms); |
string device
;
int snaplen
;
int promisc
;
int to_ms
;
open_live is used to obtain a packet
capture descriptor to look at packets on the network.
device is a string that specifies the
network device to open; on Linux systems with 2.2 or later
kernels, a device argument of any or
NULL can be used to capture packets
from all interfaces. snaplen
specifies the maximum number of bytes to capture.
promisc specifies if the interface is
to be put into promiscuous mode. (Note that even if this
parameter is false, the interface could well be in
promiscuous mode for some other reason.) For now, this
doesn't work on the any device; if an
argument of any or
NULL is supplied, the
promisc flag is ignored.
to_ms specifies the read timeout in
milliseconds. The read timeout is used to arrange that the
read not necessarily return immediately when a packet is
seen, but that it wait for some amount of time to allow more
packets to arrive and to read multiple packets from the OS
kernel in one operation. Not all platforms support a read
timeout; on platforms that don't, the read timeout is
ignored.
open_offline — Obtain a packet capture descriptor to look at packets on a savefile
Reader open_offline
( | filename); |
string filename
;lookupdev —
Return a network device suitable for use with
open_live
string lookupdev
( | ); |
findalldevs — Obtain the list of available network devices
string[] findalldevs
( | ); |
findalldevs constructs a list of
network devices that can be opened with
open_live. (Note that there may be
network devices that cannot be opened with
open_live, because, for example, that
process might not have sufficient privileges to open them
for capturing; if so, those devices will not appear on the
list.)
Table of Contents
dispatch, loop — Collect and process packets
int dispatch
( | maxcant, | |
(* callback)); |
int maxcant
;
void (* callback)
(Pkthdr, string)
;
int loop
( | maxcant, | |
(* callback)); |
int maxcant
;
void (* callback)
(Pkthdr, string)
;
dispatch is used to collect and process
packets. maxcant specifies the
maximum number of packets to process before returning. This
is not a minimum number; when reading a live capture, only
one bufferful of packets is read at a time, so fewer than
maxcant packets may be processed. A
cnt of -1
processes all the packets received in one buffer when
reading a live capture, or all the packets in the file when
reading a savefile. callback
specifies a routine to be called with two arguments: a
Pkthdr instance describing the data
passed and the data itself.
The number of packets read is returned. 0 is returned if no packets were read from a live capture (if, for example, they were discarded because they didn't pass the packet filter, or if, on platforms that support a read timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read) or if no more packets are available in a savefile.
When reading a live capture, dispatch
will not necessarily return when the read times out; on
some platforms, the read timeout isn't supported, and, on
other platforms, the timer doesn't start until at least
one packet arrives. This means that the read timeout
should not be used in, for example,
an interactive application, to allow the packet capture
loop to poll for user input periodically, as there's no
guarantee that dispatch will return
after the timeout expires.
loop is similar to
dispatch except it keeps reading
packets until maxcant packets are
processed or an error occurs. It does
not return when live read timeouts
occur. Rather, specifying a non-zero read timeout to
open_live and then calling
dispatch allows the reception and
processing of any packets that arrive when the timeout
occurs. A negative maxcant causes
loop to loop forever (or at least until
an error occurs). 0 is returned
if maxcant is exhausted.
getnet, getmask — Get the associated network number and mask
int32 getnet
( | ); |
int32 getmask
( | ); |
datalink — Obtain the link layer type
int datalink
( | ); |
datalink returns the link layer type; link layer types it can return include:
DLT_NULL
BSD loopback encapsulation; the
link layer header is a 4-byte field, in host
byte order, containing a PF_
value from socket.h for the
network-layer protocol of the packet.
“host byte order” is the byte order
of the machine on which the packets are captured,
and the PF_ values are for
the OS of the machine on which
the packets are captured; if a live capture is
being done, “host byte order” is the
byte order of the machine capturing the packets,
and the PF_ values are those
of the OS of the machine
capturing the packets, but if a savefile is being
read, the byte order and PF_
values are not necessarily
those of the machine reading the capture file.
DLT_EN10MB
DLT_IEEE802
DLT_ARCNET
DLT_SLIP
SLIP; the link layer header contains, in order:
0 for packets received by
the machine and 1 for
packets sent by the machine.
a 1-byte field, the upper 4 bits of which indicate the type of packet, as per RFC 1144:
0x40; an unmodified
IP datagram
(TYPE_IP)
0x70; an
uncompressed-TCP/IP
datagram
(UNCOMPRESSED_TCP),
with that byte being the first byte of
the raw IP header on
the wire, containing the connection
number in the protocol field
0x80; a
compressed-TCP/IP
datagram
(COMPRESSED_TCP),
with that byte being the first byte of
the compressed TCP/IP
datagram header
UNCOMPRESSED_TCP, the
rest of the modified IP
header, and for
COMPRESSED_TCP, the
compressed TCP/IP datagram
header
for a total of 16 bytes; the uncompressed IP datagram follows the header.
DLT_PPP
0xff and 0x03,
it's PPP in
HDLC-like framing, with the
PPP header following those two
bytes, otherwise it's PPP without
framing, and the packet begins with the
PPP header.
DLT_FDDI
DLT_ATM_RFC1483
DLT_RAW
DLT_PPP_SERIAL
0xFF for PPP
in HDLC-like framing, and
will be 0x0F or
0x8F for Cisco
PPP with HDLC
framing.
DLT_PPP_ETHER
DLT_C_HDLC
DLT_IEEE802_11
DLT_LOOP
OpenBSD loopback encapsulation; the link layer
header is a 4-byte field, in network byte
order, containing a PF_ value
from OpenBSD's socket.h for the
network-layer protocol of the packet.
Note that, if a savefile is being read, those
PF_ values are
not necessarily those of the
machine reading the capture file.
DLT_LINUX_SLL
Linux cooked capture encapsulation; the link layer header contains, in order:
a 2-byte "packet type", in network byte order, which is one of:
0; packet was sent to
us by somebody else.
1; packet was
broadcast by somebody else.
2; packet was
multicast, but not broadcast, by
somebody else.
3; packet was sent by
somebody else to somebody else.
4; packet was sent by
us.
ARPHRD_ value for the
link layer device type.
1 for Novell
802.3 frames without an 802.2
LLC header or
4 for frames beginning with
an 802.2 LLC header.
DLT_LTALK
getnonblock, setnonblock — Manipulate the non-blocking flag
int getnonblock
( | ); |
setnonblock
( | state); |
int state
;
getnonblock returns the current
non-blocking state of the capture descriptor; it
always returns 0 on savefiles.
setnonblock puts a capture descriptor,
opened with open_live, into
non-blocking mode, or takes it out of
non-blocking mode, depending on whether the
state argument is non-zero or
zero. It has no effect on savefiles. In non-blocking
mode, an attempt to read from the capture descriptor with
dispatch will, if no packets are
currently available to be read, return
0 immediately rather than
blocking waiting for packets to arrive.
loop and next will
not work in non-blocking mode.
Table of Contents
getts, getcaplen, getlen — Obtain packet header information
(long, long) getts
( | ); |
long getcaplen
( | ); |
long getlen
( | ); |
getts, getcaplen
and getlen return the timestamp,
capture length and total length fields of the packet header,
respectively.
Timestamp is a tuple with two elements: the number of seconds since the Epoch, and the amount of microseconds past the current second. The capture length is the number of bytes of the packet that are available from the capture. Finally, total length gives the length of the packet, in bytes (which might be more than the number of bytes available from the capture, if the length of the packet is larger than the maximum number of bytes to capture).
Table of Contents