1 / 15

Introduction to libpcap

Introduction to libpcap. Speaker: Yan-Hsiang Wang Date: 2006.10.16. outline. API (Application Program Interface) Software based on libpcap Sample program. pcap_lookupdev(). char *pcap_lookupdev(char *errbuf)

christophermaurice
Download Presentation

Introduction to libpcap

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to libpcap Speaker: Yan-Hsiang Wang Date: 2006.10.16

  2. outline • API (Application Program Interface) • Software based on libpcap • Sample program

  3. pcap_lookupdev() • char *pcap_lookupdev(char *errbuf) • return a pointer to a network device suitable for use with pcap_open_live() and pcap_lookupnet() • return NULL indicates an error • reference: lookupdev.c

  4. pcap_lookupnet() • int pcap_lookupnet(const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf) • determine the network number and mask associated with the network device • return -1 indicates an error • reference: lookupnet.c

  5. pcap_open_live() (1/2) • pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf) • obtain a packet capture descriptor to look at packets on the network • snaplen: maximum number of bytes to capture

  6. pcap_open_live() (2/2) • promisc: true, set the interface into promiscuous mode; false, only bring packets intended for you • to_ms: read timeout in milliseconds; zero, cause a read to wait forever to allow enough packets to arrive • return NULL indicates an error

  7. pcap_next() • const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h) • read the next packet • return NULL indicates an error • pcap_next.c • timestamp.c

  8. pcap_compile() (1/2) • int pcap_compile(pcap_t *p,struct bpf_program *fp, char *str,int optimize, bpf_u_int32 netmask) • compile the str into a filter program • str: filter string • optimize: 1, optimization on the resulting code is performed; 0, false

  9. pcap_compile() (2/2) • netmask: specify network on which packets are being captured • return -1 indicates an error

  10. pcap_setfilter() • int pcap_setfilter(pcap_t *p,struct bpf_program *fp) • specify a filter program • return -1 indicates an error • pcap_filter.c

  11. Software based on libpcap (1/3) • ntop - network top • a network traffic probe that shows the network usage • sort network traffic according to many protocols • http://www.ntop.org/overview.html • http://linux.tnc.edu.tw/techdoc/ntop/ntop.htm

  12. Software based on libpcap (2/3) • snort • intrusion prevention and detection system • sniff every packet and differentiate general and intrusion by against rules • http://www.snort.org/ • http://www.linuxhall.org/modules.php?name=News&file=article&sid=172

  13. Software based on libpcap (3/3) • ethereal • network protocol analyzer • http://www.ethereal.com/ • wireshark • http://www.wireshark.org/

  14. Sample program • Capture 10 packets at tcp port 80 • Show the packet payload • Save these payloads • captor.exe • http://ms11.voip.edu.tw/~sepp/test_port_80.htm

  15. Reference • TCPDUMP.org • http://www.tcpdump.org/ • libpcap tutorial • http://www.cet.nau.edu/~mc8/Socket/Tutorials/section1.html

More Related