10.1. Introduction to libpcap

libpcap is an open source C-language library for capturing network packets. libpcap is available for a number of different platforms, including most Unix and Unix-like platforms (such as Linux and BSD), as well as for Windows.

Although libpcap is primarily a packet-capturing tool, it also can create and manipulate packets from saved files, which can then be used in the wide variety of tools that support the libpcap format.

10.1.1. Why Use libpcap?

libpcap hides much of the complexity inherent in network packet capture. Packet capture is possible using native network functionality on most platforms; however, the interfaces and semantics required for capturing packets are not for the faint of heart. For example, the following is a fragment of code for packet capture from a tool I wrote for Linux some years ago:^[1]

^[1] If you're familiar with the netlink(3) interface you know how old this code really is.

struct sockaddr_nl nl_addr;
int fd;
int recvlen;
unsigned char msgbuf[3000];

fd = socket (PF_NETLINK, SOCK_RAW, 0x02)

memset (&nl_addr, 0, sizeof (struct sockaddr_nl));
nl_addr.nl_family = (sa_family_t) PF_NETLINK;
nl_addr.nl_pid = (unsigned int) getpid ( );
nl_addr.nl_groups = 0x02;

bind (fd, (struct sockaddr *) &nl_addr, sizeof (struct sockaddr_nl)
recvlen = recv (fd, msgbuf, MAX_BUFFER_SIZE, 0)

As you can see, this is not the friendliest of code. It uses BSD socket calls to the Linux-only netlink(3) interface to pass packets from the kernel to the user tool.

libpcap hides the complexity of getting packets from the operating system, and it gives the tool developer a consistent interface for developing tools, regardless of the tool's intended operating system. In turn, this makes writing portable code much simpler, and it makes your tools much more useful.

10.1.2. Installing libpcap

You can obtain the latest version of libpcap from http://www.tcpdump.org. libpcap is easy to compile from the source code:

> tar zxvf libpcap-0.8.3.tar.gz
> cd libpcap-0.8.3
> ./configure
> make
> make install

Many Linux distributions also include libpcap as an optional package that you can install with the distribution, or add afterward. Because libpcap's functionality changes between versions, you should use the latest version of the libraries available for your distribution or compile the library from source for your own development.

If you are compiling libpcap from source, make sure you uninstall previous versions of libpcap to avoid problems with mismatched files. You will need to remove the following files from the libraries directory (commonly /usr/lib/ or /usr/local/lib/ ): libpcap.a libpcap.so.*.* You will also need to remove the following files from the include files directory (commonly /usr/include/ or /usr/local/include/ ): pcap.h pcap-bpf.h pcap-namedb.h You might also have to add the path the libpcap libraries are installed to into the library search path (commonly /etc/ld.so.conf for Linux systems).

To develop the examples in this chapter, we'll be using libpcap Version 0.8.3. Although many of the examples work with earlier versions of libpcap, some functionality might not be available.