This document provides an overview of the libpcap packet capture library. It discusses installing libpcap, opening interfaces and capturing packets, parsing raw packets according to the OSI model, using filters with pcap_compile and pcap_setfilter, and introduces the pcapstreamer program for capturing packets using libpcap.

1. Programming with libpcap
About libpcap
Packages to install
Finding and Opening interface
Capturing packets
Parsing Raw packet
Filters
Pcapstreamer
By
Mohan R

2. About libpcap
Packet capture library
Written in C
Core part of tcpdump utility
Used by many network applications
Wireshark
Snort
Scapy

3. Packages to install
Fedora
# yum install libpcap-devel
Ubuntu
# apt-get install libpcap-dev
Gentoo
# emerge net-libs/libpcap

4. Finding and Opening Interface
'NULL' or 'any' interface
pcap_findalldev() and pcap_freealldev()
pcap_lookupdev() to get default device
pcap_open_live() to open capture interface
'snaplen' parameter in pcap_open_live()
'promisc' parameter in pcap_open_live()

5. Capturing Packets
pcap_loop()
(pcap_handler)() callback function
struct pcap_pkthdr structure
pcap_pkthdr.ts.tv_sec to get capturetimestamp
pcap_pkthdr.caplen to get captured length
pcap_pkthdr.length to get the packet length
Raw packet will be passed to (pcap_handler)()

6. Parsing Raw Packets
OSI model
TCP/IP protocol stack
Link Headers (SLL – linux cooked,EN10MB)
Network Headers (IP ICMP)
,
Transport Headers (TCP,UDP)
Data (Application layer protocols and Data)

7. Filters
pcap_compile() function
pcap_setfilter() function
“[proto] [direction] [type] [id]”
“proto[offset:size]”
Eg: pcapstreamer -i lo ip src host 127.0.0.1
Eg: pcapstreamer -i lo “ip[12:4] = 0x7f000001”
Much more inside pcap-filter(7)

8. Pcapstreamer
A little program to capture packets
Uses libpcap library
Capable of parsing packets
Can filter packets with pcap-filter rules
Git source: https://github.com/mohan43u/pcapstreamer.git
Manual Page: http://mohan43u.github.com/pcapstreamer

9. Questions???

10. Thank You