pcap_loop.3pcap

.\" @(#) $Header: /tcpdump/master/libpcap/pcap_loop.3pcap,v 1.4 2008-12-25 02:01:32 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP_LOOP 3PCAP "24 December 2008"
.SH NAME
pcap_loop, pcap_dispatch \- process packets from a live capture or savefile
.SH SYNOPSIS
.nf
.ft B
#include <pcap/pcap.h>
.ft
.LP
.ft B
typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h,
.ti +8
			     const u_char *bytes);
.ft
.LP
.ft B
int pcap_loop(pcap_t *p, int cnt,
.ti +8
pcap_handler callback, u_char *user);
int pcap_dispatch(pcap_t *p, int cnt,
.ti +8
pcap_handler callback, u_char *user);
.ft
.fi
.SH DESCRIPTION
.B pcap_loop()
processes packets from a live capture or ``savefile'' until
.I cnt
packets are processed, the end of the ``savefile'' is
reached when reading from a ``savefile'',
.B pcap_breakloop()
is called, or an error occurs.
It does
.B not
return when live read timeouts occur.
A value of \-1 or 0 for
.I cnt
is equivalent to infinity, so that packets are processed until another
ending condition occurs.
.PP
.B pcap_dispatch()
processes packets from a live capture or ``savefile'' until
.I cnt
packets are processed, the end of the current bufferful of packets is
reached when doing a live capture, the end of the ``savefile'' is
reached when reading from a ``savefile'',
.B pcap_breakloop()
is called, or an error occurs.
Thus, when doing a live capture,
.I cnt
is the maximum number of packets to process before returning, but is not
a minimum number; when reading a live capture, only one
bufferful of packets is read at a time, so fewer than
.I cnt
packets may be processed. A value of \-1 or 0 for
.I cnt
causes all the packets received in one buffer to be processed when
reading a live capture, and causes all the packets in the file to be
processed when reading a ``savefile''.
.PP
.ft B
(In older versions of libpcap, the behavior when
\fIcnt\fP
was 0 was undefined; different platforms and devices behaved
differently, so code that must work with older versions of libpcap
should use \-1, not 0, as the value of
\fIcnt\fP.)
.ft R
.PP
.I callback
specifies a
.I pcap_handler
routine to be called with three arguments:
a
.I u_char
pointer which is passed in the
.I user
argument to
.B pcap_loop()
or
.BR pcap_dispatch() ,
a
.I const struct pcap_pkthdr
pointer pointing to the packet time stamp and lengths, and a
.I const u_char
pointer to the first
.B caplen
(as given in the
.I struct pcap_pkthdr
a pointer to which is passed to the callback routine)
bytes of data from the packet.  The
.I struct pcap_pkthdr
and the packet data are not to be freed by the callback routine, and are
not guaranteed to be valid after the callback routine returns; if the
code needs them to be valid after the callback, it must make a copy of
them.
.PP
The bytes of data from the packet begin with a link-layer header.  The
format of the link-layer header is indicated by the return value of the
.B pcap_datalink()
routine when handed the
.B pcap_t
value also passed to
.B pcap_loop()
or
.BR pcap_dispatch() .
.I http://www.tcpdump.org/linktypes.html
lists the values
.B pcap_datalink()
can return and describes the packet formats that
correspond to those values.  The value it returns will be valid for all
packets received unless and until
.B pcap_set_datalink()
is called; after a successful call to
.BR pcap_set_datalink() ,
all subsequent packets will have a link-layer header of the type
specified by the link-layer header type value passed to
.BR pcap_set_datalink() .
.PP
Do
.B NOT
assume that the packets for a given capture or ``savefile`` will have
any given link-layer header type, such as
.B DLT_EN10MB
for Ethernet.  For example, the "any" device on Linux will have a
link-layer header type of
.B DLT_LINUX_SLL
even if all devices on the system at the time the "any" device is opened
have some other data link type, such as
.B DLT_EN10MB
for Ethernet.
.SH RETURN VALUE
.B pcap_loop()
returns 0 if
.I cnt
is exhausted or if, when reading from a ``savefile'', no more packets
are available.  It returns \-1 if an error occurs or \-2 if the loop
terminated due to a call to
.B pcap_breakloop()
before any packets were processed.
It does
.B not
return when live read timeouts occur; instead, it attempts to read more
packets.
.PP
.B pcap_dispatch()
returns the number of packets processed on success; this can be 0 if no
packets were read from a live capture (if, for example, they were
discarded because they didn't pass the packet filter, or if, on
platforms that support a read timeout that starts before any packets
arrive, the timeout expires before any packets arrive, or if the file
descriptor for the capture device is in non-blocking mode and no packets
were available to be read) or if no more packets are available in a
``savefile.''  It returns \-1 if an error occurs or \-2 if the loop
terminated due to a call to
.B pcap_breakloop()
before any packets were processed.
.ft B
If your application uses pcap_breakloop(),
make sure that you explicitly check for \-1 and \-2, rather than just
checking for a return value < 0.
.ft R
.PP
If \-1 is returned,
.B pcap_geterr()
or
.B pcap_perror()
may be called with
.I p
as an argument to fetch or display the error text.
.SH SEE ALSO
pcap(3PCAP), pcap_geterr(3PCAP), pcap_breakloop(3PCAP),
pcap_datalink(3PCAP)