4
# An interface to the LBL pcap(3) library. This module simply
5
# bootstraps the extensions defined in Pcap.xs
7
# Copyright (C) 2005-2009 Sebastien Aperghis-Tramoni. All rights reserved.
8
# Copyright (C) 2003 Marco Carnut. All rights reserved.
9
# Copyright (C) 1999, 2000 Tim Potter. All rights reserved.
10
# Copyright (C) 1998 Bo Adler. All rights reserved.
11
# Copyright (C) 1997 Peter Lister. All rights reserved.
13
# This program is free software; you can redistribute it and/or modify
14
# it under the same terms as Perl itself.
23
my @func_short_names = qw(
24
lookupdev findalldevs lookupnet
25
open_live open_dead open_offline loop breakloop close dispatch
26
next next_ex compile compile_nopcap setfilter freecode
27
setnonblock getnonblock
28
dump_open dump dump_file dump_flush dump_close
29
datalink set_datalink datalink_name_to_val datalink_val_to_name
30
datalink_val_to_description
31
snapshot is_swapped major_version minor_version stats
32
file fileno get_selectable_fd geterr strerror perror
33
lib_version createsrcstr parsesrcstr open setbuff setuserbuffer
34
setmode setmintocopy getevent sendpacket
35
sendqueue_alloc sendqueue_queue sendqueue_transmit
38
my @func_long_names = map { "pcap_$_" } @func_short_names;
44
for my $func (@func_short_names) {
45
*{ __PACKAGE__ . "::pcap_$func" } = \&{ __PACKAGE__ . "::" . $func }
58
BPF_ALIGNMENT BPF_MAJOR_VERSION BPF_MAXBUFSIZE BPF_MAXINSNS
59
BPF_MEMWORDS BPF_MINBUFSIZE BPF_MINOR_VERSION BPF_RELEASE
62
DLT_AIRONET_HEADER DLT_APPLE_IP_OVER_IEEE1394 DLT_ARCNET
63
DLT_ARCNET_LINUX DLT_ATM_CLIP DLT_ATM_RFC1483 DLT_AURORA
64
DLT_AX25 DLT_CHAOS DLT_CHDLC DLT_CISCO_IOS DLT_C_HDLC
65
DLT_DOCSIS DLT_ECONET DLT_EN10MB DLT_EN3MB DLT_ENC DLT_FDDI
66
DLT_FRELAY DLT_HHDLC DLT_IBM_SN DLT_IBM_SP DLT_IEEE802
67
DLT_IEEE802_11 DLT_IEEE802_11_RADIO DLT_IEEE802_11_RADIO_AVS
68
DLT_IPFILTER DLT_IP_OVER_FC DLT_JUNIPER_ATM1 DLT_JUNIPER_ATM2
69
DLT_JUNIPER_ES DLT_JUNIPER_GGSN DLT_JUNIPER_MFR DLT_JUNIPER_MLFR
70
DLT_JUNIPER_MLPPP DLT_JUNIPER_MONITOR DLT_JUNIPER_SERVICES
71
DLT_LINUX_IRDA DLT_LINUX_SLL DLT_LOOP DLT_LTALK DLT_NULL
72
DLT_OLD_PFLOG DLT_PCI_EXP DLT_PFLOG DLT_PFSYNC DLT_PPP
73
DLT_PPP_BSDOS DLT_PPP_ETHER DLT_PPP_SERIAL DLT_PRISM_HEADER
74
DLT_PRONET DLT_RAW DLT_RIO DLT_SLIP DLT_SLIP_BSDOS DLT_SUNATM
75
DLT_SYMANTEC_FIREWALL DLT_TZSP DLT_USER0 DLT_USER1 DLT_USER2
76
DLT_USER3 DLT_USER4 DLT_USER5 DLT_USER6 DLT_USER7 DLT_USER8
77
DLT_USER9 DLT_USER10 DLT_USER11 DLT_USER12 DLT_USER13
81
MODE_CAPT MODE_MON MODE_STAT
84
OPENFLAG_PROMISCUOUS OPENFLAG_DATATX_UDP OPENFLAG_NOCAPTURE_RPCAP
87
PCAP_ERRBUF_SIZE PCAP_IF_LOOPBACK
88
PCAP_VERSION_MAJOR PCAP_VERSION_MINOR
91
RMTAUTH_NULL RMTAUTH_PWD
94
PCAP_SAMP_NOSAMP PCAP_SAMP_1_EVERY_N PCAP_SAMP_FIRST_AFTER_N_MS
97
PCAP_SRC_FILE PCAP_SRC_IFLOCAL PCAP_SRC_IFREMOTE
100
lookupdev findalldevs lookupnet
101
open_live open_dead open_offline
102
dump_open dump_close dump_file dump_flush
103
compile compile_nopcap setfilter freecode
104
dispatch next_ex loop breakloop
105
datalink set_datalink datalink_name_to_val
106
datalink_val_to_name datalink_val_to_description
107
snapshot get_selectable_fd
108
stats is_swapped major_version minor_version
109
geterr strerror perror lib_version
110
createsrcstr parsesrcstr
111
setbuff setuserbuffer setmode setmintocopy getevent sendpacket
112
sendqueue_alloc sendqueue_queue sendqueue_transmit
117
@{$EXPORT_TAGS{pcap}},
118
@{$EXPORT_TAGS{datalink}},
124
@{$EXPORT_TAGS{functions}},
125
@{$EXPORT_TAGS{mode}},
126
@{$EXPORT_TAGS{openflag}},
127
@{$EXPORT_TAGS{bpf}},
132
XSLoader::load('Net::Pcap', $VERSION);
136
push @ISA, 'DynaLoader';
137
bootstrap Net::Pcap $VERSION;
143
# This AUTOLOAD is used to 'autoload' constants from the constant()
148
($constname = $AUTOLOAD) =~ s/.*:://;
149
return if $constname eq "DESTROY";
150
croak "Net::Pcap::constant() not defined" if $constname eq 'constant';
151
my ($error, $val) = constant($constname);
152
if ($error) { croak $error; }
156
# Fixed between 5.005_53 and 5.005_61
157
#XXX if ($] >= 5.00561) {
158
#XXX *$AUTOLOAD = sub () { $val };
160
*$AUTOLOAD = sub { $val };
167
# pseudo-bloc to enable immediate (unsafe) signals delivery
168
sub UNSAFE_SIGNALS (&) {
173
# Perl wrapper for DWIM
175
croak "Usage: pcap_findalldevs(devinfo, err)"
176
unless @_ and @_ <= 2 and ref $_[0];
178
# findalldevs(\$err), legacy from Marco Carnut 0.05
180
( ref $_[0] eq 'SCALAR' and return findalldevs_xs(\%devinfo, $_[0]) )
181
or croak "arg1 not a scalar ref"
184
# findalldevs(\$err, \%devinfo), legacy from Jean-Louis Morel 0.04.02
185
ref $_[0] eq 'SCALAR' and (
186
( ref $_[1] eq 'HASH' and return findalldevs_xs($_[1], $_[0]) )
187
or croak "arg2 not a hash ref"
190
# findalldevs(\%devinfo, \$err), new, correct syntax, consistent with libpcap(3)
191
ref $_[0] eq 'HASH' and (
192
( ref $_[1] eq 'SCALAR' and return findalldevs_xs($_[0], $_[1]) )
193
or croak "arg2 not a scalar ref"
196
# if here, the function was called with incorrect arguments
197
ref $_[0] ne 'HASH' and croak "arg1 not a hash ref";
207
Net::Pcap - Interface to pcap(3) LBL packet capture library
218
my $dev = pcap_lookupdev(\$err); # find a device
220
# open the device for live listening
221
my $pcap = pcap_open_live($dev, 1024, 1, 0, \$err);
223
# loop over next 10 packets
224
pcap_loop($pcap, 10, \&process_packet, "just for the demo");
230
my ($user_data, $header, $packet) = @_;
237
C<Net::Pcap> is a Perl binding to the LBL pcap(3) library and its
238
Win32 counterpart, the WinPcap library. Pcap (packet capture) is
239
a portable API to capture network packet: it allows applications
240
to capture packets at link-layer, bypassing the normal protocol
241
stack. It also provides features like kernel-level packet filtering
242
and access to internal statistics.
244
Common applications include network statistics collection,
245
security monitoring, network debugging, etc.
250
=head2 Signals handling
252
Since version 5.7.3, Perl uses a mechanism called "deferred signals"
253
to delay signals delivery until "safe" points in the interpreter.
254
See L<perlipc/"Deferred Signals (Safe Signals)"> for a detailled
257
Since C<Net::Pcap> version 0.08, released in October 2005, the module
258
modified the internal variable C<PL_signals> to re-enable immediate
259
signals delivery in Perl 5.8 and later within some XS functions
260
(CPAN-RT #6320). However, it can create situations where the Perl
261
interpreter is less stable and can crash (CPAN-RT #43308). Therefore,
262
as of version 0.17, C<Net::Pcap> no longer modifies C<PL_signals> by
263
itself, but provides facilities so the user has full control of how
264
signals are delivered.
266
First, there C<pcap_perl_settings()> function allows to select how
269
pcap_perl_settings(PERL_SIGNALS_UNSAFE);
270
pcap_loop($pcap, 10, \&process_packet, "");
271
pcap_perl_settings(PERL_SIGNALS_SAFE);
273
Then, to easily make code interruptable, C<Net::Pcap> provides the
274
C<UNSAFE_SIGNALS> pseudo-bloc:
277
pcap_loop($pcap, 10, \&process_packet, "");
280
(Stolen from Rafael Garcia-Suarez's C<Perl::Unsafe::Signals>)
285
C<Net::Pcap> supports the following C<Exporter> tags:
291
C<:bpf> exports a few BPF related constants:
293
BPF_ALIGNMENT BPF_MAJOR_VERSION BPF_MAXBUFSIZE BPF_MAXINSNS
294
BPF_MEMWORDS BPF_MINBUFSIZE BPF_MINOR_VERSION BPF_RELEASE
298
C<:datalink> exports the data link types macros:
300
DLT_AIRONET_HEADER DLT_APPLE_IP_OVER_IEEE1394 DLT_ARCNET
301
DLT_ARCNET_LINUX DLT_ATM_CLIP DLT_ATM_RFC1483 DLT_AURORA
302
DLT_AX25 DLT_CHAOS DLT_CHDLC DLT_CISCO_IOS DLT_C_HDLC
303
DLT_DOCSIS DLT_ECONET DLT_EN10MB DLT_EN3MB DLT_ENC DLT_FDDI
304
DLT_FRELAY DLT_HHDLC DLT_IBM_SN DLT_IBM_SP DLT_IEEE802
305
DLT_IEEE802_11 DLT_IEEE802_11_RADIO DLT_IEEE802_11_RADIO_AVS
306
DLT_IPFILTER DLT_IP_OVER_FC DLT_JUNIPER_ATM1 DLT_JUNIPER_ATM2
307
DLT_JUNIPER_ES DLT_JUNIPER_GGSN DLT_JUNIPER_MFR DLT_JUNIPER_MLFR
308
DLT_JUNIPER_MLPPP DLT_JUNIPER_MONITOR DLT_JUNIPER_SERVICES
309
DLT_LINUX_IRDA DLT_LINUX_SLL DLT_LOOP DLT_LTALK DLT_NULL
310
DLT_OLD_PFLOG DLT_PCI_EXP DLT_PFLOG DLT_PFSYNC DLT_PPP
311
DLT_PPP_BSDOS DLT_PPP_ETHER DLT_PPP_SERIAL DLT_PRISM_HEADER
312
DLT_PRONET DLT_RAW DLT_RIO DLT_SLIP DLT_SLIP_BSDOS DLT_SUNATM
313
DLT_SYMANTEC_FIREWALL DLT_TZSP DLT_USER0 DLT_USER1 DLT_USER2
314
DLT_USER3 DLT_USER4 DLT_USER5 DLT_USER6 DLT_USER7 DLT_USER8
315
DLT_USER9 DLT_USER10 DLT_USER11 DLT_USER12 DLT_USER13
316
DLT_USER14 DLT_USER15
320
C<:pcap> exports the following C<pcap> constants:
322
PCAP_ERRBUF_SIZE PCAP_IF_LOOPBACK
323
PCAP_VERSION_MAJOR PCAP_VERSION_MINOR
327
C<:mode> exports the following constants:
329
MODE_CAPT MODE_MON MODE_STAT
333
C<:openflag> exports the following constants:
335
OPENFLAG_PROMISCUOUS OPENFLAG_DATATX_UDP OPENFLAG_NOCAPTURE_RPCAP
339
C<:source> exports the following constants:
341
PCAP_SRC_FILE PCAP_SRC_IFLOCAL PCAP_SRC_IFREMOTE
345
C<:sample> exports the following constants:
347
PCAP_SAMP_NOSAMP PCAP_SAMP_1_EVERY_N PCAP_SAMP_FIRST_AFTER_N_MS
351
C<:rpcap> exports the following constants:
353
RMTAUTH_NULL RMTAUTH_PWD
357
C<:functions> short names of the functions (without the C<"pcap_"> prefix)
358
for those which would not cause a clash with an already defined name.
359
Namely, the following functions are not available in short form:
360
C<open()>, C<close()>, C<next()>, C<dump()>, C<file()>, C<fileno()>.
361
Using these short names is now discouraged, and may be removed in the future.
365
By default, this module exports the symbols from the C<:datalink> and
366
C<:pcap> tags, and all the functions, with the same names as the C library.
371
All functions defined by C<Net::Pcap> are direct mappings to the
372
libpcap functions. Consult the pcap(3) documentation and source code
373
for more information.
375
Arguments that change a parameter, for example C<pcap_lookupdev()>,
376
are passed that parameter as a reference. This is to retain
377
compatibility with previous versions of C<Net::Pcap>.
379
=head2 Lookup functions
383
=item B<pcap_lookupdev(\$err)>
385
Returns the name of a network device that can be used with
386
C<pcap_open_live()> function. On error, the C<$err> parameter
387
is filled with an appropriate error message else it is undefined.
391
$dev = pcap_lookupdev();
394
=item B<pcap_findalldevs(\%devinfo, \$err)>
396
Returns a list of all network device names that can be used with
397
C<pcap_open_live()> function. On error, the C<$err> parameter
398
is filled with an appropriate error message else it is undefined.
402
@devs = pcap_findalldevs(\%devinfo, \$err);
403
for my $dev (@devs) {
404
print "$dev : $devinfo{$dev}\n"
411
For backward compatibility reasons, this function can also
412
be called using the following signatures:
414
@devs = pcap_findalldevs(\$err);
416
@devs = pcap_findalldevs(\$err, \%devinfo);
418
The first form was introduced by Marco Carnut in C<Net::Pcap> version 0.05
419
and kept intact in versions 0.06 and 0.07.
420
The second form was introduced by Jean-Louis Morel for the Windows only,
421
ActivePerl port of C<Net::Pcap>, in versions 0.04.01 and 0.04.02.
423
The new syntax has been introduced for consistency with the rest of the Perl
424
API and the C API of C<libpcap(3)>, where C<$err> is always the last argument.
429
=item B<pcap_lookupnet($dev, \$net, \$mask, \$err)>
431
Determine the network number and netmask for the device specified in
432
C<$dev>. The function returns 0 on success and sets the C<$net> and
433
C<$mask> parameters with values. On failure it returns -1 and the
434
C<$err> parameter is filled with an appropriate error message.
438
=head2 Packet capture functions
442
=item B<pcap_open_live($dev, $snaplen, $promisc, $to_ms, \$err)>
444
Returns a packet capture descriptor for looking at packets on the
445
network. The C<$dev> parameter specifies which network interface to
446
capture packets from. The C<$snaplen> and C<$promisc> parameters specify
447
the maximum number of bytes to capture from each packet, and whether
448
to put the interface into promiscuous mode, respectively. The C<$to_ms>
449
parameter specifies a read timeout in milliseconds. The packet descriptor
450
will be undefined if an error occurs, and the C<$err> parameter will be
451
set with an appropriate error message.
455
$dev = pcap_lookupdev();
456
$pcap = pcap_open_live($dev, 1024, 1, 0, \$err)
457
or die "Can't open device $dev: $err\n";
460
=item B<pcap_open_dead($linktype, $snaplen)>
462
Creates and returns a new packet descriptor to use when calling the other
463
functions in C<libpcap>. It is typically used when just using C<libpcap>
464
for compiling BPF code.
468
$pcap = pcap_open_dead(0, 1024);
471
=item B<pcap_open_offline($filename, \$err)>
473
Return a packet capture descriptor to read from a previously created
474
"savefile". The returned descriptor is undefined if there was an
475
error and in this case the C<$err> parameter will be filled. Savefiles
476
are created using the C<pcap_dump_*> commands.
480
$pcap = pcap_open_offline($dump, \$err)
481
or die "Can't read '$dump': $err\n";
484
=item B<pcap_loop($pcap, $count, \&callback, $user_data)>
486
Read C<$count> packets from the packet capture descriptor C<$pcap> and call
487
the perl function C<&callback> with an argument of C<$user_data>.
488
If C<$count> is negative, then the function loops forever or until an error
489
occurs. Returns 0 if C<$count> is exhausted, -1 on error, and -2 if the
490
loop terminated due to a call to pcap_breakloop() before any packets were
493
The callback function is also passed packet header information and
497
my ($user_data, $header, $packet) = @_;
502
The header information is a reference to a hash containing the
509
C<len> - the total length of the packet.
513
C<caplen> - the actual captured length of the packet data. This corresponds
514
to the snapshot length parameter passed to C<open_live()>.
518
C<tv_sec> - seconds value of the packet timestamp.
522
C<tv_usec> - microseconds value of the packet timestamp.
528
pcap_loop($pcap, 10, \&process_packet, "user data");
531
my ($user_data, $header, $packet) = @_;
536
=item B<pcap_breakloop($pcap)>
538
Sets a flag that will force C<pcap_dispatch()> or C<pcap_loop()>
539
to return rather than looping; they will return the number of packets that
540
have been processed so far, or -2 if no packets have been processed so far.
542
This routine is safe to use inside a signal handler on UNIX or a console
543
control handler on Windows, as it merely sets a flag that is checked within
546
Please see the section on C<pcap_breakloop()> in L<pcap(3)> for more
550
=item B<pcap_close($pcap)>
552
Close the packet capture device associated with the descriptor C<$pcap>.
555
=item B<pcap_dispatch($pcap, $count, \&callback, $user_data)>
557
Collect C<$count> packets and process them with callback function
558
C<&callback>. if C<$count> is -1, all packets currently buffered are
559
processed. If C<$count> is 0, process all packets until an error occurs.
562
=item B<pcap_next($pcap, \%header)>
564
Return the next available packet on the interface associated with
565
packet descriptor C<$pcap>. Into the C<%header> hash is stored the received
566
packet header. If not packet is available, the return value and
570
=item B<pcap_next_ex($pcap, \%header, \$packet)>
572
Reads the next available packet on the interface associated with packet
573
descriptor C<$pcap>, stores its header in C<\%header> and its data in
574
C<\$packet> and returns a success/failure indication:
580
C<1> means that the packet was read without problems;
584
C<0> means that packets are being read from a live capture, and the
589
C<-1> means that an error occurred while reading the packet;
593
C<-2> packets are being read from a dump file, and there are no more
594
packets to read from the savefile.
599
=item B<pcap_compile($pcap, \$filter, $filter_str, $optimize, $netmask)>
601
Compile the filter string contained in C<$filter_str> and store it in
602
C<$filter>. A description of the filter language can be found in the
603
libpcap source code, or the manual page for tcpdump(8) . The filter
604
is optimized if the C<$optimize> variable is true. The netmask of the
605
network device must be specified in the C<$netmask> parameter. The
606
function returns 0 if the compilation was successful, or -1 if there
610
=item B<pcap_compile_nopcap($snaplen, $linktype, \$filter, $filter_str, $optimize, $netmask)>
612
Similar to C<compile()> except that instead of passing a C<$pcap> descriptor,
613
one passes C<$snaplen> and C<$linktype> directly. Returns -1 if there was an
614
error, but the error message is not available.
617
=item B<pcap_setfilter($pcap, $filter)>
619
Associate the compiled filter stored in C<$filter> with the packet
620
capture descriptor C<$pcap>.
623
=item B<pcap_freecode($filter)>
625
Used to free the allocated memory used by a compiled filter, as created
626
by C<pcap_compile()>.
629
=item B<pcap_setnonblock($pcap, $mode, \$err)>
631
Set the I<non-blocking> mode of a live capture descriptor, depending on the
632
value of C<$mode> (zero to activate and non-zero to deactivate). It has no
633
effect on offline descriptors. If there is an error, it returns -1 and sets
636
In non-blocking mode, an attempt to read from the capture descriptor with
637
C<pcap_dispatch()> will, if no packets are currently available to be read,
638
return 0 immediately rather than blocking waiting for packets to arrive.
639
C<pcap_loop()> and C<pcap_next()> will not work in non-blocking mode.
642
=item B<pcap_getnonblock($pcap, \$err)>
644
Returns the I<non-blocking> state of the capture descriptor C<$pcap>.
645
Always returns 0 on savefiles. If there is an error, it returns -1 and
650
=head2 Savefile commands
654
=item B<pcap_dump_open($pcap, $filename)>
656
Open a savefile for writing and return a descriptor for doing so. If
657
C<$filename> is C<"-"> data is written to standard output. On error, the
658
return value is undefined and C<pcap_geterr()> can be used to
659
retrieve the error text.
662
=item B<pcap_dump($dumper, \%header, $packet)>
664
Dump the packet described by header C<%header> and packet data C<$packet>
665
to the savefile associated with C<$dumper>. The packet header has the
666
same format as that passed to the C<pcap_loop()> callback.
670
my $dump_file = 'network.dmp';
671
my $dev = pcap_lookupdev();
672
my $pcap = pcap_open_live($dev, 1024, 1, 0, \$err);
674
my $dumper = pcap_dump_open($pcap, $dump_file);
675
pcap_loop($pcap, 10, \&process_packet, '');
676
pcap_dump_close($dumper);
679
my ($user_data, $header, $packet) = @_;
680
pcap_dump($dumper, $header, $packet);
684
=item B<pcap_dump_file($dumper)>
686
Returns the filehandle associated with a savefile opened with
690
=item B<pcap_dump_flush($dumper)>
692
Flushes the output buffer to the corresponding save file, so that any
693
packets written with C<pcap_dump()> but not yet written to the save
694
file will be written. Returns -1 on error, 0 on success.
697
=item B<pcap_dump_close($dumper)>
699
Close the savefile associated with the descriptor C<$dumper>.
703
=head2 Status functions
708
=item B<pcap_datalink($pcap)>
710
Returns the link layer type associated with the given pcap descriptor.
714
$linktype = pcap_datalink($pcap);
717
=item B<pcap_set_datalink($pcap, $linktype)>
719
Sets the data link type of the given pcap descriptor to the type specified
720
by C<$linktype>. Returns -1 on failure.
723
=item B<pcap_datalink_name_to_val($name)>
725
Translates a data link type name, which is a C<DLT_> name with the C<DLT_>
726
part removed, to the corresponding data link type value. The translation is
727
case-insensitive. Returns -1 on failure.
731
$linktype = pcap_datalink_name_to_val('LTalk'); # returns DLT_LTALK
734
=item B<pcap_datalink_val_to_name($linktype)>
736
Translates a data link type value to the corresponding data link type name.
740
$name = pcap_datalink_val_to_name(DLT_LTALK); # returns 'LTALK'
743
=item B<pcap_datalink_val_to_description($linktype)>
745
Translates a data link type value to a short description of that data link type.
749
$descr = pcap_datalink_val_to_description(DLT_LTALK); # returns 'Localtalk'
752
=item B<pcap_snapshot($pcap)>
754
Returns the snapshot length (snaplen) specified in the call to
758
=item B<pcap_is_swapped($pcap)>
760
This function returns true if the endianness of the currently open
761
savefile is different from the endianness of the machine.
764
=item B<pcap_major_version($pcap)>
766
Return the major version number of the pcap library used to write the
767
currently open savefile.
770
=item B<pcap_minor_version($pcap)>
772
Return the minor version of the pcap library used to write the
773
currently open savefile.
776
=item B<pcap_stats($pcap, \%stats)>
778
Returns a hash containing information about the status of packet
779
capture device C<$pcap>. The hash contains the following fields.
781
This function is supported only on live captures, not on savefiles;
782
no statistics are stored in savefiles, so no statistics are available
783
when reading from a savefile.
789
C<ps_recv> - the number of packets received by the packet capture software.
793
C<ps_drop> - the number of packets dropped by the packet capture software.
797
C<ps_ifdrop> - the number of packets dropped by the network interface.
802
=item B<pcap_file($pcap)>
804
Returns the filehandle associated with a savefile opened with
805
C<pcap_open_offline()> or C<undef> if the device was opened
806
with C<pcap_open_live()>.
809
=item B<pcap_fileno($pcap)>
811
Returns the file number of the network device opened with C<pcap_open_live()>.
814
=item B<pcap_get_selectable_fd($pcap)>
816
Returns, on Unix, a file descriptor number for a file descriptor on which
817
one can do a C<select()> or C<poll()> to wait for it to be possible to read
818
packets without blocking, if such a descriptor exists, or -1, if no such
819
descriptor exists. Some network devices opened with C<pcap_open_live()>
820
do not support C<select()> or C<poll()>, so -1 is returned for those devices.
821
See L<pcap(3)> for more details.
825
=head2 Error handling
829
=item B<pcap_geterr($pcap)>
831
Returns an error message for the last error associated with the packet
832
capture device C<$pcap>.
835
=item B<pcap_strerror($errno)>
837
Returns a string describing error number C<$errno>.
840
=item B<pcap_perror($pcap, $prefix)>
842
Prints the text of the last error associated with descriptor C<$pcap> on
843
standard error, prefixed by C<$prefix>.
851
=item B<pcap_lib_version()>
853
Returns the name and version of the C<pcap> library the module was linked
858
=head2 Perl specific functions
860
The following functions are specific to the Perl binding of libpcap.
864
=item B<pcap_perl_settings($setting)>
866
Modify internal behaviour of the Perl interpreter.
872
C<PERL_SIGNALS_SAFE>, C<PERL_SIGNALS_UNSAFE> respectively enable safe
873
or unsafe signals delivery. Returns the previous value of C<PL_signals>.
874
See L<"Signals handling">.
878
local $SIG{ALRM} = sub { pcap_breakloop() };
881
pcap_perl_settings(PERL_SIGNALS_UNSAFE);
882
pcap_loop($pcap, 10, \&process_packet, "");
883
pcap_perl_settings(PERL_SIGNALS_SAFE);
889
=head2 WinPcap specific functions
891
The following functions are only available with WinPcap, the Win32 port
892
of the Pcap library. If a called function is not available, it will cleanly
897
=item B<pcap_createsrcstr(\$source, $type, $host, $port, $name, \$err)>
899
Accepts a set of strings (host name, port, ...), and stores the complete
900
source string according to the new format (e.g. C<"rpcap://1.2.3.4/eth0">)
903
This function is provided in order to help the user creating the source
904
string according to the new format. An unique source string is used in
905
order to make easy for old applications to use the remote facilities.
906
Think about B<tcpdump(1)>, for example, which has only one way to specify
907
the interface on which the capture has to be started. However, GUI-based
908
programs can find more useful to specify hostname, port and interface name
909
separately. In that case, they can use this function to create the source
910
string before passing it to the C<pcap_open()> function.
912
Returns 0 if everything is fine, -1 if some errors occurred. The string
913
containing the complete source is returned in the C<$source> variable.
916
=item B<pcap_parsesrcstr($source, \$type, \$host, \$port, \$name, \$err)>
918
Parse the source string and stores the pieces in which the source can be split
919
in the corresponding variables.
921
This call is the other way round of C<pcap_createsrcstr()>. It accepts a
922
null-terminated string and it returns the parameters related to the source.
929
the type of the source (file, WinPcap on a remote adapter, WinPcap on local
930
adapter), which is determined by the source prefix (C<PCAP_SRC_IF_STRING>
935
the host on which the capture has to be started (only for remote captures);
939
the raw name of the source (file name, name of the remote adapter, name of
940
the local adapter), without the source prefix. The string returned does not
941
include the type of the source itself (i.e. the string returned does not
942
include C<"file://"> or C<"rpcap://"> or such).
946
The user can omit some parameters in case it is not interested in them.
948
Returns 0 if everything is fine, -1 if some errors occurred. The requested
949
values (host name, network port, type of the source) are returned into the
950
proper variables passed by reference.
953
=item B<pcap_open($source, $snaplen, $flags, $read_timeout, \$auth, \$err)>
955
Open a generic source in order to capture / send (WinPcap only) traffic.
957
The C<pcap_open()> replaces all the C<pcap_open_xxx()> functions with a single
960
This function hides the differences between the different C<pcap_open_xxx()>
961
functions so that the programmer does not have to manage different opening
962
function. In this way, the I<true> C<open()> function is decided according
963
to the source type, which is included into the source string (in the form of
966
Returns a pointer to a pcap descriptor which can be used as a parameter to
967
the following calls (C<compile()> and so on) and that specifies an opened
968
WinPcap session. In case of problems, it returns C<undef> and the C<$err>
969
variable keeps the error message.
972
=item B<pcap_setbuff($pcap, $dim)>
974
Sets the size of the kernel buffer associated with an adapter.
975
C<$dim> specifies the size of the buffer in bytes.
976
The return value is 0 when the call succeeds, -1 otherwise.
978
If an old buffer was already created with a previous call to
979
C<setbuff()>, it is deleted and its content is discarded.
980
C<open_live()> creates a S<1 MB> buffer by default.
983
=item B<pcap_setmode($pcap, $mode)>
985
Sets the working mode of the interface C<$pcap> to C<$mode>.
986
Valid values for C<$mode> are C<MODE_CAPT> (default capture mode) and
987
C<MODE_STAT> (statistical mode).
990
=item B<pcap_setmintocopy($pcap_t, $size)>
992
Changes the minimum amount of data in the kernel buffer that causes a read
993
from the application to return (unless the timeout expires).
996
=item B<pcap_getevent($pcap)>
998
Returns the C<Win32::Event> object associated with the interface
999
C<$pcap>. Can be used to wait until the driver's buffer contains some
1000
data without performing a read. See L<Win32::Event>.
1003
=item B<pcap_sendpacket($pcap, $packet)>
1005
Send a raw packet to the network. C<$pcap> is the interface that will be
1006
used to send the packet, C<$packet> contains the data of the packet to send
1007
(including the various protocol headers). The MAC CRC doesn't need to be
1008
included, because it is transparently calculated and added by the network
1009
interface driver. The return value is 0 if the packet is successfully sent,
1013
=item B<pcap_sendqueue_alloc($memsize)>
1015
This function allocates and returns a send queue, i.e. a buffer containing
1016
a set of raw packets that will be transmitted on the network with
1017
C<sendqueue_transmit()>.
1019
C<$memsize> is the size, in bytes, of the queue, therefore it determines
1020
the maximum amount of data that the queue will contain. This memory is
1021
automatically deallocated when the queue ceases to exist.
1024
=item B<pcap_sendqueue_queue($queue, \%header, $packet)>
1026
Adds a packet at the end of the send queue pointed by C<$queue>. The packet
1027
header C<%header> has the same format as that passed to the C<loop()>
1028
callback. C<$ackekt> is a buffer with the data of the packet.
1030
The C<%headerr> header structure is the same used by WinPcap and libpcap to
1031
store the packets in a file, therefore sending a capture file is
1032
straightforward. "Raw packet" means that the sending application will have
1033
to include the protocol headers, since every packet is sent to the network
1034
I<as is>. The CRC of the packets needs not to be calculated, because it will
1035
be transparently added by the network interface.
1038
=item B<pcap_sendqueue_transmit($pcap, $queue, $sync)>
1040
This function transmits the content of a queue to the wire. C<$pcapt> is
1041
the interface on which the packets will be sent, C<$queue> is to a
1042
C<send_queue> containing the packets to send, C<$sync> determines if the
1043
send operation must be synchronized: if it is non-zero, the packets are
1044
sent respecting the timestamps, otherwise they are sent as fast as
1047
The return value is the amount of bytes actually sent. If it is smaller
1048
than the size parameter, an error occurred during the send. The error can
1049
be caused by a driver/adapter problem or by an inconsistent/bogus send
1057
C<Net::Pcap> exports by default the names of several constants in order to
1058
ease the development of programs. See L</"EXPORTS"> for details about which
1059
constants are exported.
1061
Here are the descriptions of a few data link types. See L<pcap(3)> for a more
1062
complete description and semantics associated with each data link.
1068
C<DLT_NULL> - BSD loopback encapsulation
1072
C<DLT_EN10MB> - Ethernet (10Mb, 100Mb, 1000Mb, and up)
1080
C<DLT_IEEE802> - IEEE 802.5 Token Ring
1084
C<DLT_IEEE802_11> - IEEE 802.11 wireless LAN
1088
C<DLT_FRELAY> - Frame Relay
1096
C<DLT_SLIP> - Serial Line IP
1100
C<DLT_PPP> - PPP (Point-to-point Protocol)
1104
C<DLT_PPP_SERIAL> - PPP over serial with HDLC encapsulation
1108
C<DLT_PPP_ETHER> - PPP over Ethernet
1112
C<DLT_IP_OVER_FC> - RFC 2625 IP-over-Fibre Channel
1116
C<DLT_AX25> - Amateur Radio AX.25
1120
C<DLT_LINUX_IRDA> - Linux-IrDA
1124
C<DLT_LTALK> - Apple LocalTalk
1128
C<DLT_APPLE_IP_OVER_IEEE1394> - Apple IP-over-IEEE 1394 (a.k.a. Firewire)
1137
=item C<arg%d not a scalar ref>
1139
=item C<arg%d not a hash ref>
1141
=item C<arg%d not a reference>
1143
B<(F)> These errors occur if you forgot to give a reference to a function
1144
which expect one or more of its arguments to be references.
1151
The following limitations apply to this version of C<Net::Pcap>.
1157
At present, only one callback function and user data scalar can be
1158
current at any time as they are both stored in global variables.
1165
Please report any bugs or feature requests to
1166
C<bug-Net-Pcap@rt.cpan.org>, or through the web interface at
1167
L<http://rt.cpan.org/Dist/Display.html?Queue=Net-Pcap>.
1168
I will be notified, and then you'll automatically be notified
1169
of progress on your bug as I make changes.
1171
Currently known bugs:
1177
the C<ps_recv> field is not correctly set; see F<t/07-stats.t>
1181
C<pcap_file()> seems to always returns C<undef> for live
1182
connection and causes segmentation fault for dump files;
1183
see F<t/10-fileno.t>
1187
C<pcap_fileno()> is documented to return -1 when called
1188
on save file, but seems to always return an actual file number.
1189
See F<t/10-fileno.t>
1194
C<pcap_dump_file()> seems to corrupt something somewhere,
1195
and makes scripts dump core. See F<t/05-dump.t>
1202
See the F<eg/> and F<t/> directories of the C<Net::Pcap> distribution
1203
for examples on using this module.
1210
L<Net::Pcap::Reassemble> for reassembly of TCP/IP fragments.
1212
L<POE::Component::Pcap> for using C<Net::Pcap> within POE-based programs.
1214
L<Net::Packet> or L<NetPacket> for decoding and creating network packets.
1216
L<Net::Pcap::Easy> is a module which provides an easier, more Perl-ish
1217
API than C<Net::Pcap> and integrates some facilities from L<Net::Netmask>
1220
=head2 Base Libraries
1222
L<pcap(3)>, L<tcpdump(8)>
1224
The source code for the C<pcap(3)> library is available from
1225
L<http://www.tcpdump.org/>
1227
The source code and binary for the Win32 version of the pcap library,
1228
WinPcap, is available from L<http://www.winpcap.org/>
1232
I<Hacking Linux Exposed: Sniffing with Net::Pcap to stealthily managing iptables
1233
rules remotely>, L<http://www.hackinglinuxexposed.com/articles/20030730.html>
1235
I<PerlMonks node about Net::Pcap>, L<http://perlmonks.org/?node_id=170648>
1240
Current maintainer is SE<eacute>bastien Aperghis-Tramoni (SAPER)
1241
E<lt>sebastien@aperghis.netE<gt> with the help of Jean-Louis Morel (JLMOREL)
1242
E<lt>jl_morel@bribes.orgE<gt> for WinPcap support.
1244
Previous authors & maintainers:
1250
Marco Carnut (KCARNUT) E<lt>kiko@tempest.com.brE<gt>
1254
Tim Potter (TIMPOTTER) E<lt>tpot@frungy.orgE<gt>
1258
Bo Adler (BOADLER) E<lt>thumper@alumni.caltech.eduE<gt>
1262
Peter Lister (PLISTER) E<lt>p.lister@cranfield.ac.ukE<gt>
1267
=head1 ACKNOWLEDGEMENTS
1269
To Paul Johnson for his module C<Devel::Cover> and his patience for
1270
helping me using it with XS code, which revealed very useful for
1273
To the beta-testers: Jean-Louis Morel, Max Maischen, Philippe Bruhat,
1274
David Morel, Scott Lanning, Rafael Garcia-Suarez, Karl Y. Pradene.
1277
=head1 COPYRIGHT & LICENSE
1279
Copyright (C) 2005, 2006, 2007, 2008, 2009 SE<eacute>bastien Aperghis-Tramoni.
1280
All rights reserved.
1282
Copyright (C) 2003 Marco Carnut. All rights reserved.
1284
Copyright (C) 1999, 2000 Tim Potter. All rights reserved.
1286
Copyright (C) 1998 Bo Adler. All rights reserved.
1288
Copyright (C) 1997 Peter Lister. All rights reserved.
1290
This program is free software; you can redistribute it and/or modify
1291
it under the same terms as Perl itself.