documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005
CACE technologies. All rights reserved.The format for dump files is the libpcap one. This format contains the data of the captured packets in binary form and is a standard used by many network tools including WinDump, Ethereal and Snort.
Saving packets to a dump file
First of all, let's see how to write packets in libpcap format.
The following example captures the packets from the selected interface and saves them on a file whose name is provided by the user.
#include "pcap.h" /* prototype of the packet handler */ void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data); main(int argc, char **argv) { pcap_if_t *alldevs; pcap_if_t *d; int inum; int i=0; pcap_t *adhandle; char errbuf[PCAP_ERRBUF_SIZE]; pcap_dumper_t *dumpfile; /* Check command line */ if(argc != 2) { printf("usage: %s filename", argv[0]); return -1; } /* Retrieve the device list on the local machine */ if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1) { fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf); exit(1); } /* Print the list */ for(d=alldevs; d; d=d->next) { printf("%d. %s", ++i, d->name); if (d->description) printf(" (%s)\n", d->description); else printf(" (No description available)\n"); } if(i==0) { printf("\nNo interfaces found! Make sure WinPcap is installed.\n"); return -1; } printf("Enter the interface number (1-%d):",i); scanf("%d", &inum); if(inum < 1 || inum > i) { printf("\nInterface number out of range.\n"); /* Free the device list */ pcap_freealldevs(alldevs); return -1; } /* Jump to the selected adapter */ for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++); /* Open the device */ if ( (adhandle= pcap_open(d->name, // name of the device 65536, // portion of the packet to capture // 65536 guarantees that the whole packet will be captured on all the link layers PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode 1000, // read timeout NULL, // authentication on the remote machine errbuf // error buffer ) ) == NULL) { fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name); /* Free the device list */ pcap_freealldevs(alldevs); return -1; } /* Open the dump file */ dumpfile = pcap_dump_open(adhandle, argv[1]); if(dumpfile==NULL) { fprintf(stderr,"\nError opening output file\n"); return -1; } printf("\nlistening on %s... Press Ctrl+C to stop...\n", d->description); /* At this point, we no longer need the device list. Free it */ pcap_freealldevs(alldevs); /* start the capture */ pcap_loop(adhandle, 0, packet_handler, (unsigned char *)dumpfile); return 0; } /* Callback function invoked by libpcap for every incoming packet */ void packet_handler(u_char *dumpfile, const struct pcap_pkthdr *header, const u_char *pkt_data) { /* save the packet on the dump file */ pcap_dump(dumpfile, header, pkt_data); }
00001 #include "pcap.h" 00002 00003 /* prototype of the packet handler */ 00004 void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data); 00005 00006 main(int argc, char **argv) 00007 { 00008 pcap_if_t *alldevs; 00009 pcap_if_t *d; 00010 int inum; 00011 int i=0; 00012 pcap_t *adhandle; 00013 char errbuf[PCAP_ERRBUF_SIZE]; 00014 pcap_dumper_t *dumpfile; 00015 00016 00017 00018 /* Check command line */ 00019 if(argc != 2) 00020 { 00021 printf("usage: %s filename", argv[0]); 00022 return -1; 00023 } 00024 00025 /* Retrieve the device list on the local machine */ 00026 if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1) 00027 { 00028 fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf); 00029 exit(1); 00030 } 00031 00032 /* Print the list */ 00033 for(d=alldevs; d; d=d->next) 00034 { 00035 printf("%d. %s", ++i, d->name); 00036 if (d->description) 00037 printf(" (%s)\n", d->description); 00038 else 00039 printf(" (No description available)\n"); 00040 } 00041 00042 if(i==0) 00043 { 00044 printf("\nNo interfaces found! Make sure WinPcap is installed.\n"); 00045 return -1; 00046 } 00047 00048 printf("Enter the interface number (1-%d):",i); 00049 scanf("%d", &inum); 00050 00051 if(inum < 1 || inum > i) 00052 { 00053 printf("\nInterface number out of range.\n"); 00054 /* Free the device list */ 00055 pcap_freealldevs(alldevs); 00056 return -1; 00057 } 00058 00059 /* Jump to the selected adapter */ 00060 for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++); 00061 00062 00063 /* Open the device */ 00064 if ( (adhandle= pcap_open(d->name, // name of the device 00065 65536, // portion of the packet to capture 00066 // 65536 guarantees that the whole packet will be captured on all the link layers 00067 PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode 00068 1000, // read timeout 00069 NULL, // authentication on the remote machine 00070 errbuf // error buffer 00071 ) ) == NULL) 00072 { 00073 fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name); 00074 /* Free the device list */ 00075 pcap_freealldevs(alldevs); 00076 return -1; 00077 } 00078 00079 /* Open the dump file */ 00080 dumpfile = pcap_dump_open(adhandle, argv[1]); 00081 00082 if(dumpfile==NULL) 00083 { 00084 fprintf(stderr,"\nError opening output file\n"); 00085 return -1; 00086 } 00087 00088 printf("\nlistening on %s... Press Ctrl+C to stop...\n", d->description); 00089 00090 /* At this point, we no longer need the device list. Free it */ 00091 pcap_freealldevs(alldevs); 00092 00093 /* start the capture */ 00094 pcap_loop(adhandle, 0, packet_handler, (unsigned char *)dumpfile); 00095 00096 return 0; 00097 } 00098 00099 /* Callback function invoked by libpcap for every incoming packet */ 00100 void packet_handler(u_char *dumpfile, const struct pcap_pkthdr *header, const u_char *pkt_data) 00101 { 00102 /* save the packet on the dump file */ 00103 pcap_dump(dumpfile, header, pkt_data); 00104 }
As you can see, the structure of the program is very similar to the ones we have seen in the previous lessons. The differences are:
Reading packets from a dump file
Now that we have a dump file available, we can try to read its content. The following code opens a WinPcap/libpcap dump file and displays every packet contained in the file. The file is opened with pcap_open_offline(), then the usual pcap_loop() is used to sequence through the packets. As you can see, reading packets from an offline capture is nearly identical to receiving them from a physical interface.
This example introduces another function: pcap_createsrcsrc(). This function is required to create a source string that begins with a marker used to tell WinPcap the type of the source, e.g. "rpcap://" if we are going to open an adapter, or "file://" if we are going to open a file. This step is not required when pcap_findalldevs_ex() is used (the returned values already contain these strings). However, it is required in this example because the name of the file is read from the user input.
#include <stdio.h> #include <pcap.h> #define LINE_LEN 16 void dispatcher_handler(u_char *, const struct pcap_pkthdr *, const u_char *); main(int argc, char **argv) { pcap_t *fp; char errbuf[PCAP_ERRBUF_SIZE]; char source[PCAP_BUF_SIZE]; if(argc != 2){ printf("usage: %s filename", argv[0]); return -1; } /* Create the source string according to the new WinPcap syntax */ if ( pcap_createsrcstr( source, // variable that will keep the source string PCAP_SRC_FILE, // we want to open a file NULL, // remote host NULL, // port on the remote host argv[1], // name of the file we want to open errbuf // error buffer ) != 0) { fprintf(stderr,"\nError creating a source string\n"); return -1; } /* Open the capture file */ if ( (fp= pcap_open(source, // name of the device 65536, // portion of the packet to capture // 65536 guarantees that the whole packet will be captured on all the link layers PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode 1000, // read timeout NULL, // authentication on the remote machine errbuf // error buffer ) ) == NULL) { fprintf(stderr,"\nUnable to open the file %s.\n", source); return -1; } // read and dispatch packets until EOF is reached pcap_loop(fp, 0, dispatcher_handler, NULL); return 0; } void dispatcher_handler(u_char *temp1, const struct pcap_pkthdr *header, const u_char *pkt_data) { u_int i=0; /* print pkt timestamp and pkt len */ printf("%ld:%ld (%ld)\n", header->ts.tv_sec, header->ts.tv_usec, header->len); /* Print the packet */ for (i=1; (i < header->caplen + 1 ) ; i++) { printf("%.2x ", pkt_data[i-1]); if ( (i % LINE_LEN) == 0) printf("\n"); } printf("\n\n"); }
00001 #include <stdio.h> 00002 #include <pcap.h> 00003 00004 #define LINE_LEN 16 00005 00006 void dispatcher_handler(u_char *, const struct pcap_pkthdr *, const u_char *); 00007 00008 main(int argc, char **argv) 00009 { 00010 pcap_t *fp; 00011 char errbuf[PCAP_ERRBUF_SIZE]; 00012 char source[PCAP_BUF_SIZE]; 00013 00014 if(argc != 2){ 00015 00016 printf("usage: %s filename", argv[0]); 00017 return -1; 00018 00019 } 00020 00021 /* Create the source string according to the new WinPcap syntax */ 00022 if ( pcap_createsrcstr( source, // variable that will keep the source string 00023 PCAP_SRC_FILE, // we want to open a file 00024 NULL, // remote host 00025 NULL, // port on the remote host 00026 argv[1], // name of the file we want to open 00027 errbuf // error buffer 00028 ) != 0) 00029 { 00030 fprintf(stderr,"\nError creating a source string\n"); 00031 return -1; 00032 } 00033 00034 /* Open the capture file */ 00035 if ( (fp= pcap_open(source, // name of the device 00036 65536, // portion of the packet to capture 00037 // 65536 guarantees that the whole packet will be captured on all the link layers 00038 PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode 00039 1000, // read timeout 00040 NULL, // authentication on the remote machine 00041 errbuf // error buffer 00042 ) ) == NULL) 00043 { 00044 fprintf(stderr,"\nUnable to open the file %s.\n", source); 00045 return -1; 00046 } 00047 00048 // read and dispatch packets until EOF is reached 00049 pcap_loop(fp, 0, dispatcher_handler, NULL); 00050 00051 return 0; 00052 } 00053 00054 00055 00056 void dispatcher_handler(u_char *temp1, 00057 const struct pcap_pkthdr *header, const u_char *pkt_data) 00058 { 00059 u_int i=0; 00060 00061 /* print pkt timestamp and pkt len */ 00062 printf("%ld:%ld (%ld)\n", header->ts.tv_sec, header->ts.tv_usec, header->len); 00063 00064 /* Print the packet */ 00065 for (i=1; (i < header->caplen + 1 ) ; i++) 00066 { 00067 printf("%.2x ", pkt_data[i-1]); 00068 if ( (i % LINE_LEN) == 0) printf("\n"); 00069 } 00070 00071 printf("\n\n"); 00072 00073 }
The following example has the same purpose of the last one, but pcap_next_ex() is used instead of the pcap_loop() callback method.
#include <stdio.h> #include <pcap.h> #define LINE_LEN 16 main(int argc, char **argv) { pcap_t *fp; char errbuf[PCAP_ERRBUF_SIZE]; char source[PCAP_BUF_SIZE]; struct pcap_pkthdr *header; u_char *pkt_data; u_int i=0; int res; if(argc != 2) { printf("usage: %s filename", argv[0]); return -1; } /* Create the source string according to the new WinPcap syntax */ if ( pcap_createsrcstr( source, // variable that will keep the source string PCAP_SRC_FILE, // we want to open a file NULL, // remote host NULL, // port on the remote host argv[1], // name of the file we want to open errbuf // error buffer ) != 0) { fprintf(stderr,"\nError creating a source string\n"); return -1; } /* Open the capture file */ if ( (fp= pcap_open(source, // name of the device 65536, // portion of the packet to capture // 65536 guarantees that the whole packet will be captured on all the link layers PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode 1000, // read timeout NULL, // authentication on the remote machine errbuf // error buffer ) ) == NULL) { fprintf(stderr,"\nUnable to open the file %s.\n", source); return -1; } /* Retrieve the packets from the file */ while((res = pcap_next_ex( fp, &header, &pkt_data)) >= 0) { /* print pkt timestamp and pkt len */ printf("%ld:%ld (%ld)\n", header->ts.tv_sec, header->ts.tv_usec, header->len); /* Print the packet */ for (i=1; (i < header->caplen + 1 ) ; i++) { printf("%.2x ", pkt_data[i-1]); if ( (i % LINE_LEN) == 0) printf("\n"); } printf("\n\n"); } if (res == -1) { printf("Error reading the packets: %s\n", pcap_geterr(fp)); } return 0; }
00001 #include <stdio.h> 00002 #include <pcap.h> 00003 00004 #define LINE_LEN 16 00005 00006 main(int argc, char **argv) 00007 { 00008 pcap_t *fp; 00009 char errbuf[PCAP_ERRBUF_SIZE]; 00010 char source[PCAP_BUF_SIZE]; 00011 struct pcap_pkthdr *header; 00012 u_char *pkt_data; 00013 u_int i=0; 00014 int res; 00015 00016 if(argc != 2) 00017 { 00018 printf("usage: %s filename", argv[0]); 00019 return -1; 00020 } 00021 00022 /* Create the source string according to the new WinPcap syntax */ 00023 if ( pcap_createsrcstr( source, // variable that will keep the source string 00024 PCAP_SRC_FILE, // we want to open a file 00025 NULL, // remote host 00026 NULL, // port on the remote host 00027 argv[1], // name of the file we want to open 00028 errbuf // error buffer 00029 ) != 0) 00030 { 00031 fprintf(stderr,"\nError creating a source string\n"); 00032 return -1; 00033 } 00034 00035 /* Open the capture file */ 00036 if ( (fp= pcap_open(source, // name of the device 00037 65536, // portion of the packet to capture 00038 // 65536 guarantees that the whole packet will be captured on all the link layers 00039 PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode 00040 1000, // read timeout 00041 NULL, // authentication on the remote machine 00042 errbuf // error buffer 00043 ) ) == NULL) 00044 { 00045 fprintf(stderr,"\nUnable to open the file %s.\n", source); 00046 return -1; 00047 } 00048 00049 /* Retrieve the packets from the file */ 00050 while((res = pcap_next_ex( fp, &header, &pkt_data)) >= 0) 00051 { 00052 /* print pkt timestamp and pkt len */ 00053 printf("%ld:%ld (%ld)\n", header->ts.tv_sec, header->ts.tv_usec, header->len); 00054 00055 /* Print the packet */ 00056 for (i=1; (i < header->caplen + 1 ) ; i++) 00057 { 00058 printf("%.2x ", pkt_data[i-1]); 00059 if ( (i % LINE_LEN) == 0) printf("\n"); 00060 } 00061 00062 printf("\n\n"); 00063 } 00064 00065 00066 if (res == -1) 00067 { 00068 printf("Error reading the packets: %s\n", pcap_geterr(fp)); 00069 } 00070 00071 return 0; 00072 } 00073
Writing packets to a dump file with pcap_live_dump
NOTE: At the moment, due to some problems with the new kernel buffer, this feature has been disabled.
Recent versions of WinPcap provide a further way to save network traffic to disk, the pcap_live_dump() function. pcap_live_dump() takes three parameters: a file name, the maximum size (in bytes) that this file is allowed to reach and the maximum amount of packets that the file is allowed to contain. Zero means no limit for both these values. Notice that the program can set a filter (with pcap_setfilter(), see the tutorial Filtering the traffic) before calling pcap_live_dump() to define the subset of the traffic that will be saved.
pcap_live_dump() is non-blocking, therefore it starts the dump and returns immediately: The dump process goes on asynchronously until the maximum file size or the maximum amount of packets has been reached.
The application can wait or check the end of the dump with pcap_live_dump_ended(). Beware that if the sync parameter is nonzero, this function will block your application forever if the limits are both 0.
/* * Copyright (c) 1999 - 2002 * Politecnico di Torino. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the Politecnico * di Torino, and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #include <stdlib.h> #include <stdio.h> #include <pcap.h> #error At the moment the kernel dump feature is not supported in the driver main(int argc, char **argv) { pcap_if_t *alldevs, *d; pcap_t *fp; u_int inum, i=0; char errbuf[PCAP_ERRBUF_SIZE]; printf("kdump: saves the network traffic to file using WinPcap kernel-level dump faeature.\n"); printf("\t Usage: %s [adapter] | dump_file_name max_size max_packs\n", argv[0]); printf("\t Where: max_size is the maximum size that the dump file will reach (0 means no limit)\n"); printf("\t Where: max_packs is the maximum number of packets that will be saved (0 means no limit)\n\n"); if(argc < 5){ /* The user didn't provide a packet source: Retrieve the device list */ if (pcap_findalldevs(&alldevs, errbuf) == -1) { fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf); exit(1); } /* Print the list */ for(d=alldevs; d; d=d->next) { printf("%d. %s", ++i, d->name); if (d->description) printf(" (%s)\n", d->description); else printf(" (No description available)\n"); } if(i==0) { printf("\nNo interfaces found! Make sure WinPcap is installed.\n"); return -1; } printf("Enter the interface number (1-%d):",i); scanf("%d", &inum); if(inum < 1 || inum > i) { printf("\nInterface number out of range.\n"); /* Free the device list */ return -1; } /* Jump to the selected adapter */ for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++); /* Open the device */ if ( (fp = pcap_open_live(d->name, 100, 1, 20, errbuf) ) == NULL) { fprintf(stderr,"\nError opening adapter\n"); return -1; } /* Free the device list */ pcap_freealldevs(alldevs); /* Start the dump */ if(pcap_live_dump(fp, argv[1], atoi(argv[2]), atoi(argv[3]))==-1){ printf("Unable to start the dump, %s\n", pcap_geterr(fp)); return -1; } } else{ /* Open the device */ if ( (fp= pcap_open_live(argv[1], 100, 1, 20, errbuf) ) == NULL) { fprintf(stderr,"\nError opening adapter\n"); return -1; } /* Start the dump */ if(pcap_live_dump(fp, argv[0], atoi(argv[1]), atoi(argv[2]))==-1){ printf("Unable to start the dump, %s\n", pcap_geterr(fp)); return -1; } } /* Wait until the dump finishes, i.e. when max_size or max_packs is reached*/ pcap_live_dump_ended(fp, TRUE); /* Close the adapter, so that the file is correctly flushed */ pcap_close(fp); return 0; }
00001 /* 00002 * Copyright (c) 1999 - 2002 00003 * Politecnico di Torino. All rights reserved. 00004 * 00005 * Redistribution and use in source and binary forms, with or without 00006 * modification, are permitted provided that: (1) source code distributions 00007 * retain the above copyright notice and this paragraph in its entirety, (2) 00008 * distributions including binary code include the above copyright notice and 00009 * this paragraph in its entirety in the documentation or other materials 00010 * provided with the distribution, and (3) all advertising materials mentioning 00011 * features or use of this software display the following acknowledgement: 00012 * ``This product includes software developed by the Politecnico 00013 * di Torino, and its contributors.'' Neither the name of 00014 * the University nor the names of its contributors may be used to endorse 00015 * or promote products derived from this software without specific prior 00016 * written permission. 00017 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 00018 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 00019 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 00020 */ 00021 00022 #include <stdlib.h> 00023 #include <stdio.h> 00024 00025 #include <pcap.h> 00026 00027 #error At the moment the kernel dump feature is not supported in the driver 00028 00029 main(int argc, char **argv) { 00030 00031 pcap_if_t *alldevs, *d; 00032 pcap_t *fp; 00033 u_int inum, i=0; 00034 char errbuf[PCAP_ERRBUF_SIZE]; 00035 00036 printf("kdump: saves the network traffic to file using WinPcap kernel-level dump faeature.\n"); 00037 printf("\t Usage: %s [adapter] | dump_file_name max_size max_packs\n", argv[0]); 00038 printf("\t Where: max_size is the maximum size that the dump file will reach (0 means no limit)\n"); 00039 printf("\t Where: max_packs is the maximum number of packets that will be saved (0 means no limit)\n\n"); 00040 00041 00042 if(argc < 5){ 00043 00044 /* The user didn't provide a packet source: Retrieve the device list */ 00045 if (pcap_findalldevs(&alldevs, errbuf) == -1) 00046 { 00047 fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf); 00048 exit(1); 00049 } 00050 00051 /* Print the list */ 00052 for(d=alldevs; d; d=d->next) 00053 { 00054 printf("%d. %s", ++i, d->name); 00055 if (d->description) 00056 printf(" (%s)\n", d->description); 00057 else 00058 printf(" (No description available)\n"); 00059 } 00060 00061 if(i==0) 00062 { 00063 printf("\nNo interfaces found! Make sure WinPcap is installed.\n"); 00064 return -1; 00065 } 00066 00067 printf("Enter the interface number (1-%d):",i); 00068 scanf("%d", &inum); 00069 00070 if(inum < 1 || inum > i) 00071 { 00072 printf("\nInterface number out of range.\n"); 00073 /* Free the device list */ 00074 return -1; 00075 } 00076 00077 /* Jump to the selected adapter */ 00078 for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++); 00079 00080 /* Open the device */ 00081 if ( (fp = pcap_open_live(d->name, 100, 1, 20, errbuf) ) == NULL) 00082 { 00083 fprintf(stderr,"\nError opening adapter\n"); 00084 return -1; 00085 } 00086 00087 /* Free the device list */ 00088 pcap_freealldevs(alldevs); 00089 00090 /* Start the dump */ 00091 if(pcap_live_dump(fp, argv[1], atoi(argv[2]), atoi(argv[3]))==-1){ 00092 printf("Unable to start the dump, %s\n", pcap_geterr(fp)); 00093 return -1; 00094 } 00095 } 00096 else{ 00097 00098 /* Open the device */ 00099 if ( (fp= pcap_open_live(argv[1], 100, 1, 20, errbuf) ) == NULL) 00100 { 00101 fprintf(stderr,"\nError opening adapter\n"); 00102 return -1; 00103 } 00104 00105 /* Start the dump */ 00106 if(pcap_live_dump(fp, argv[0], atoi(argv[1]), atoi(argv[2]))==-1){ 00107 printf("Unable to start the dump, %s\n", pcap_geterr(fp)); 00108 return -1; 00109 } 00110 } 00111 00112 /* Wait until the dump finishes, i.e. when max_size or max_packs is reached*/ 00113 pcap_live_dump_ended(fp, TRUE); 00114 00115 /* Close the adapter, so that the file is correctly flushed */ 00116 pcap_close(fp); 00117 00118 return 0; 00119 }
The difference between pcap_live_dump() and pcap_dump(), apart from the possibility to set limits, is performance. pcap_live_dump() exploits the ability of the WinPcap NPF driver (see NPF driver internals manual) to write dumps from kernel level, minimizing the number of context switches and memory copies.
Obviously, since this feature is currently not available on other operating systems, pcap_live_dump() is WinPcap specific and is present only under Win32.
documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005
CACE technologies. All rights reserved.