Introduction to libpcap - PowerPoint PPT Presentation

Slides: 16
Provided by: sepp5

Transcript and Presenter's Notes

1
Introduction to libpcap
  • Speaker Yan-Hsiang Wang
  • Date 2006.10.16

2
outline
  • API (Application Program Interface)
  • Software based on libpcap
  • Sample program

3
pcap_lookupdev()
  • char *pcap_lookupdev(char *errbuf)
  • return a pointer to the name of a network device suitable for
    use with pcap_open_live() and pcap_lookupnet()
  • return NULL indicates an error; errbuf (PCAP_ERRBUF_SIZE bytes) holds
    the message
  • deprecated in current libpcap (since 1.9.0): use pcap_findalldevs() and
    pick an entry from the list instead
  • reference lookupdev.c

4
pcap_lookupnet()
  • int pcap_lookupnet(const char *device, bpf_u_int32 *netp,
    bpf_u_int32 *maskp, char *errbuf)
  • determine the IPv4 network number and mask associated with the
    network device; the mask is the value pcap_compile() wants
  • return -1 indicates an error (0 on success); it fails for interfaces
    without an IPv4 address, so do not pass an unset mask on to pcap_compile()
  • reference lookupnet.c

5
pcap_open_live() (1/2)
  • pcap_t *pcap_open_live(const char *device, int snaplen, int promisc,
    int to_ms, char *errbuf)
  • obtain a packet capture descriptor to look at packets on the network
    (opening a live device needs root or CAP_NET_RAW on Linux)
  • snaplen: maximum number of bytes to capture per packet; longer
    packets are truncated, so caplen may be smaller than len in the header

6
pcap_open_live() (2/2)
  • promisc: nonzero, set the interface into promiscuous mode; zero, only
    bring packets intended for you
  • to_ms: read timeout in milliseconds; zero means no timeout, so a read
    may wait forever until enough packets arrive to fill the buffer
  • return NULL indicates an error; errbuf may also hold a warning when the
    call succeeds

7
pcap_next()
  • const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
  • read the next packet; h receives the timestamp (ts), bytes captured
    (caplen) and bytes on the wire (len); only caplen bytes of the returned
    buffer are valid
  • return NULL indicates an error, but also a read timeout with no packet,
    and the two cannot be told apart; pcap_next_ex() returns 1 for a packet,
    0 for a timeout and -1 for an error
  • reference pcap_next.c
  • reference timestamp.c

8
pcap_compile() (1/2)
  • int pcap_compile(pcap_t *p, struct bpf_program *fp, const char *str,
    int optimize, bpf_u_int32 netmask)
  • compile str into a BPF filter program stored in *fp
  • str: filter string in tcpdump syntax, e.g. "tcp port 80"
  • optimize: 1, optimization of the resulting code is performed; 0, not

9
pcap_compile() (2/2)
  • netmask: IPv4 netmask of the network on which packets are being
    captured, as returned by pcap_lookupnet(); it is used only to evaluate
    IPv4 broadcast tests in the filter, so pass PCAP_NETMASK_UNKNOWN when
    the network is not known
  • return -1 indicates an error; pcap_geterr(p) gives the reason

10
pcap_setfilter()
  • int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
  • specify a filter program: install the compiled program on the capture
    descriptor; on BSD and Linux the kernel applies it, so packets that do
    not match are never copied to user space
  • return -1 indicates an error
  • the descriptor keeps its own copy, so release yours with
    pcap_freecode(fp) afterwards
  • reference pcap_filter.c

11
Software based on libpcap (1/3)
  • ntop - network top
  • a network traffic probe that shows the network usage
  • sorts network traffic according to many protocols
  • http://www.ntop.org/overview.html
  • http://linux.tnc.edu.tw/techdoc/ntop/ntop.htm

12
Software based on libpcap (2/3)
  • snort
  • intrusion detection and prevention system
  • sniffs every packet and classifies it as normal traffic or an intrusion
    by matching it against rules
  • http://www.snort.org/
  • http://www.linuxhall.org/modules.php?name=News&file=article&sid=172

13
Software based on libpcap (3/3)
  • ethereal
  • network protocol analyzer
  • http://www.ethereal.com/
  • wireshark (the same project under its new name since 2006)
  • http://www.wireshark.org/

14
Sample program
  • capture 10 packets at tcp port 80
  • show the packet payload
  • save these payloads
  • captor.exe
  • http://ms11.voip.edu.tw/sepp/test_port_80.htm
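What the sample program has to do with each frame once pcap_next() has handed it over, as an added example that is not captor.exe and needs no libpcap to build: "show the packet payload" means walking the Ethernet, IPv4 and TCP headers yourself, bounded by caplen rather than len, and "save" means writing a libpcap savefile record, which is done here by hand in the format pcap_dump() produces so the layout is visible. matches_tcp_port_80() is the user-space equivalent of the slide's BPF filter. The frame SAMPLE_FRAME is constructed for this example, not captured, and the file name port80.pcap and the addresses in it are assumptions.

```c
/* payload80.c: locate the TCP payload in a captured frame and save the frame
 * as a pcap record.  Added example, not the presentation's captor.exe.
 * Build: cc payload80.c -o payload80
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame (not a capture): Ethernet + IPv4 + TCP + HTTP request.
 * 192.0.2.10:54321 -> 198.51.100.5:80, checksums left zero. */
const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* EtherType IPv4 */
    0x45,0x00,0x00,0x3a, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,           /* IHL 5, proto 6 */
    0xc0,0x00,0x02,0x0a, 0xc6,0x33,0x64,0x05,                                 /* src, dst */
    0xd4,0x31,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,           /* ports, seq, ack */
    0x50,0x18,0x72,0x10, 0x00,0x00,0x00,0x00,                                 /* doff 5, PSH|ACK */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n','\r','\n'
};

/* Walk Ethernet -> IPv4 -> TCP and return the payload offset, or -1 if the
 * frame is not IPv4/TCP or the captured bytes (caplen) stop short of the
 * headers.  Every read is checked against caplen first. */
long tcp_payload_offset(const uint8_t *pkt, size_t caplen,
                        uint16_t *sport, uint16_t *dport)
{
    const size_t eth_len = 14;
    if (caplen < eth_len + 20 + 20) return -1;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return -1;   /* EtherType 0x0800 */
    const uint8_t *ip = pkt + eth_len;
    if ((ip[0] >> 4) != 4) return -1;                     /* IP version 4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ip[9] != 6) return -1;                /* protocol TCP */
    if (caplen < eth_len + ihl + 20) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;             /* data offset */
    if (doff < 20 || caplen < eth_len + ihl + doff) return -1;
    *sport = (uint16_t)(tcp[0] << 8 | tcp[1]);
    *dport = (uint16_t)(tcp[2] << 8 | tcp[3]);
    return (long)(eth_len + ihl + doff);
}

/* User-space equivalent of the BPF filter "tcp port 80" (either direction). */
int matches_tcp_port_80(const uint8_t *pkt, size_t caplen)
{
    uint16_t s, d;
    return tcp_payload_offset(pkt, caplen, &s, &d) >= 0 && (s == 80 || d == 80);
}

/* Write a one-record libpcap savefile, the layout pcap_dump() produces.
 * The on-disk record header is four uint32s, not struct pcap_pkthdr, whose
 * struct timeval is 16 bytes on 64-bit hosts.  Magic is written in host
 * order; readers detect byte order from it.  0 = ok, -1 = I/O error. */
int write_pcap(const char *path, uint32_t ts_sec, uint32_t ts_usec,
               const uint8_t *pkt, uint32_t caplen, uint32_t len)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    uint32_t magic = 0xa1b2c3d4u;
    uint16_t version[2] = { 2, 4 };                       /* major, minor */
    uint32_t rest[4] = { 0, 0, 65535u, 1u };              /* zone, sigfigs, snaplen, DLT_EN10MB */
    uint32_t rec[4] = { ts_sec, ts_usec, caplen, len };
    int ok = fwrite(&magic, sizeof magic, 1, f) == 1
          && fwrite(version, sizeof version, 1, f) == 1
          && fwrite(rest, sizeof rest, 1, f) == 1
          && fwrite(rec, sizeof rec, 1, f) == 1
          && fwrite(pkt, caplen, 1, f) == 1;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Read the magic back so the file can be checked to be a pcap savefile. */
uint32_t read_pcap_magic(const char *path)
{
    uint32_t magic = 0;
    FILE *f = fopen(path, "rb");
    if (f == NULL) return 0;
    if (fread(&magic, sizeof magic, 1, f) != 1) magic = 0;
    fclose(f);
    return magic;
}

int main(void)
{
    uint16_t sport, dport;
    long off = tcp_payload_offset(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &sport, &dport);
    if (off < 0) { puts("not an IPv4/TCP frame"); return 1; }
    int plen = (int)(sizeof SAMPLE_FRAME - (size_t)off);
    printf("tcp %u -> %u, payload %d bytes:\n%.*s", sport, dport, plen, plen,
           (const char *)SAMPLE_FRAME + off);
    return write_pcap("port80.pcap", 1161000000u, 0, SAMPLE_FRAME,
                      (uint32_t)sizeof SAMPLE_FRAME, (uint32_t)sizeof SAMPLE_FRAME);
}
```

The truncation checks are the part that matters in a real capture: with a small snaplen the TCP header may not be present at all, and a parser that trusts the IP total length instead of caplen reads past the buffer libpcap filled.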

15
Reference
  • TCPDUMP.org
  • http://www.tcpdump.org/
  • libpcap tutorial
  • http://www.cet.nau.edu/mc8/Socket/Tutorials/section1.html