
Using WinPcap in your programs
[WinPcap user's manual]

Creating an application that uses wpcap.dll

To create an application that uses wpcap.dll with Microsoft Visual C++, follow these steps:

Remember that:

Sample programs

A couple of sample programs are provided to show the usage of the WinPcap API. The source of the examples, along with all the files needed to compile and run them, can be found in the Developer's Pack. For didactic purposes we provide here a browsable version of the code: it is possible to click on the variables and functions to jump to the documentation of each of them. For a more complete set of samples, see the WinPcap Tutorial section.

Packet Dump

This program reads packets from a file or a network adapter, depending on a command line switch. If a source is not provided, the program shows a list of available adapters, one of which can be selected. Once the capture is started, the program prints the timestamp, the length and the raw contents of the packets. Once compiled, it will run on all the Win32 platforms. It can be compiled to run on Unix as well (the makefile is provided).

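/*
 * Copyright (c) 1999 - 2003
 * NetGroup, Politecnico di Torino (Italy)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the Politecnico di Torino nor the names of its
 * contributors may be used to endorse or promote products derived from
 * this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

#include <stdlib.h>
#include <stdio.h>

#include <pcap.h>

/* Number of bytes printed on each line of the hex dump. */
#define LINE_LEN 16

/*
 * pktdump_ex: print the timestamp, length and raw bytes of every packet
 * read from a source.
 *
 * With fewer than three arguments the local adapters are listed and the
 * user picks one by number; otherwise argv[2] is passed to pcap_open() as
 * the source string (argv[1] is not inspected, as in the original sample).
 *
 * Returns 0 when the source is exhausted, -1 on any failure; a failure of
 * pcap_findalldevs_ex() terminates the process with exit(1).
 */
int main(int argc, char **argv)
{
    pcap_if_t *alldevs = NULL;
    pcap_if_t *d;
    pcap_t *fp;
    u_int inum = 0;
    u_int i = 0;
    char errbuf[PCAP_ERRBUF_SIZE];
    int res;
    struct pcap_pkthdr *header;
    u_char *pkt_data;

    printf("pktdump_ex: prints the packets of the network using WinPcap.\n");
    printf(" Usage: pktdump_ex [-s source]\n\n"
           " Examples:\n"
           " pktdump_ex -s file://c:/temp/file.acp\n"
           " pktdump_ex -s rpcap://\\Device\\NPF_{C8736017-F3C3-4373-94AC-9A34B7DAD998}\n\n");

    if (argc < 3)
    {
        printf("\nNo adapter selected: printing the device list:\n");

        /* The user didn't provide a packet source: retrieve the local device list */
        if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
        {
            fprintf(stderr, "Error in pcap_findalldevs_ex: %s\n", errbuf);
            exit(1);
        }

        /* Print the list; i ends up holding the number of adapters */
        for (d = alldevs; d; d = d->next)
        {
            printf("%u. %s\n ", ++i, d->name);

            if (d->description)
                printf(" (%s)\n", d->description);
            else
                printf(" (No description available)\n");
        }

        if (i == 0)
        {
            printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
            return -1;
        }

        printf("Enter the interface number (1-%u):", i);

        /*
         * The scanf() result must be checked: on non-numeric input inum
         * would otherwise be used without ever having been written.
         * %u matches the u_int type of inum.
         */
        if (scanf("%u", &inum) != 1 || inum < 1 || inum > i)
        {
            printf("\nInterface number out of range.\n");

            /* Free the device list */
            pcap_freealldevs(alldevs);
            return -1;
        }

        /* Jump to the selected adapter; the range check above keeps d non-NULL */
        for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++)
            ;

        /* Open the device */
        fp = pcap_open(d->name,
                       100 /*snaplen: only the first 100 bytes of each packet are kept*/,
                       PCAP_OPENFLAG_PROMISCUOUS /*flags*/,
                       20 /*read timeout*/,
                       NULL /* remote authentication */,
                       errbuf);

        /* d->name is not needed after pcap_open(): release the list on every path */
        pcap_freealldevs(alldevs);

        if (fp == NULL)
        {
            fprintf(stderr, "\nError opening adapter: %s\n", errbuf);
            return -1;
        }
    }
    else
    {
        /*
         * The switch type ('-s') is not checked: whatever is in argv[2] is
         * handed to pcap_open() as the source string. No credentials are
         * supplied (auth is NULL); NOTE(review): confirm this is what you
         * want when the source is a remote rpcap:// endpoint.
         */
        fp = pcap_open(argv[2],
                       100 /*snaplen*/,
                       PCAP_OPENFLAG_PROMISCUOUS /*flags*/,
                       20 /*read timeout*/,
                       NULL /* remote authentication */,
                       errbuf);

        if (fp == NULL)
        {
            fprintf(stderr, "\nError opening source: %s\n", errbuf);
            return -1;
        }
    }

    /* Read the packets */
    while ((res = pcap_next_ex(fp, &header, &pkt_data)) >= 0)
    {
        if (res == 0)
            /* Timeout elapsed */
            continue;

        /*
         * Print pkt timestamp and pkt len. The casts make the arguments
         * match the conversion specifiers whatever the platform's widths
         * for the timeval fields and for the 32-bit len field are.
         */
        printf("%ld:%ld (%lu)\n",
               (long)header->ts.tv_sec,
               (long)header->ts.tv_usec,
               (unsigned long)header->len);

        /*
         * Print the packet. The bound is caplen (bytes actually stored in
         * pkt_data), not len (bytes on the wire): with a snaplen of 100,
         * len can be larger than the buffer.
         */
        for (i = 0; i < header->caplen; i++)
        {
            printf("%.2x ", pkt_data[i]);
            if (((i + 1) % LINE_LEN) == 0)
                printf("\n");
        }

        printf("\n\n");
    }

    if (res == -1)
    {
        fprintf(stderr, "Error reading the packets: %s\n", pcap_geterr(fp));
        pcap_close(fp);
        return -1;
    }

    /* Any other negative value ended the loop without a read error */
    pcap_close(fp);
    return 0;
}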
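/*
 * Copyright (c) 1999 - 2003
 * NetGroup, Politecnico di Torino (Italy)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the Politecnico di Torino nor the names of its
 * contributors may be used to endorse or promote products derived from
 * this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

#include <stdlib.h>
#include <stdio.h>

#include <pcap.h>

/* Number of bytes printed on each line of the hex dump. */
#define LINE_LEN 16

/*
 * pktdump_ex: print the timestamp, length and raw bytes of every packet
 * read from a source.
 *
 * With fewer than three arguments the local adapters are listed and the
 * user picks one by number; otherwise argv[2] is passed to pcap_open() as
 * the source string (argv[1] is not inspected, as in the original sample).
 *
 * Returns 0 when the source is exhausted, -1 on any failure; a failure of
 * pcap_findalldevs_ex() terminates the process with exit(1).
 */
int main(int argc, char **argv)
{
    pcap_if_t *alldevs = NULL;
    pcap_if_t *d;
    pcap_t *fp;
    u_int inum = 0;
    u_int i = 0;
    char errbuf[PCAP_ERRBUF_SIZE];
    int res;
    struct pcap_pkthdr *header;
    u_char *pkt_data;

    printf("pktdump_ex: prints the packets of the network using WinPcap.\n");
    printf(" Usage: pktdump_ex [-s source]\n\n"
           " Examples:\n"
           " pktdump_ex -s file://c:/temp/file.acp\n"
           " pktdump_ex -s rpcap://\\Device\\NPF_{C8736017-F3C3-4373-94AC-9A34B7DAD998}\n\n");

    if (argc < 3)
    {
        printf("\nNo adapter selected: printing the device list:\n");

        /* The user didn't provide a packet source: retrieve the local device list */
        if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
        {
            fprintf(stderr, "Error in pcap_findalldevs_ex: %s\n", errbuf);
            exit(1);
        }

        /* Print the list; i ends up holding the number of adapters */
        for (d = alldevs; d; d = d->next)
        {
            printf("%u. %s\n ", ++i, d->name);

            if (d->description)
                printf(" (%s)\n", d->description);
            else
                printf(" (No description available)\n");
        }

        if (i == 0)
        {
            printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
            return -1;
        }

        printf("Enter the interface number (1-%u):", i);

        /*
         * The scanf() result must be checked: on non-numeric input inum
         * would otherwise be used without ever having been written.
         * %u matches the u_int type of inum.
         */
        if (scanf("%u", &inum) != 1 || inum < 1 || inum > i)
        {
            printf("\nInterface number out of range.\n");

            /* Free the device list */
            pcap_freealldevs(alldevs);
            return -1;
        }

        /* Jump to the selected adapter; the range check above keeps d non-NULL */
        for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++)
            ;

        /* Open the device */
        fp = pcap_open(d->name,
                       100 /*snaplen: only the first 100 bytes of each packet are kept*/,
                       PCAP_OPENFLAG_PROMISCUOUS /*flags*/,
                       20 /*read timeout*/,
                       NULL /* remote authentication */,
                       errbuf);

        /* d->name is not needed after pcap_open(): release the list on every path */
        pcap_freealldevs(alldevs);

        if (fp == NULL)
        {
            fprintf(stderr, "\nError opening adapter: %s\n", errbuf);
            return -1;
        }
    }
    else
    {
        /*
         * The switch type ('-s') is not checked: whatever is in argv[2] is
         * handed to pcap_open() as the source string. No credentials are
         * supplied (auth is NULL); NOTE(review): confirm this is what you
         * want when the source is a remote rpcap:// endpoint.
         */
        fp = pcap_open(argv[2],
                       100 /*snaplen*/,
                       PCAP_OPENFLAG_PROMISCUOUS /*flags*/,
                       20 /*read timeout*/,
                       NULL /* remote authentication */,
                       errbuf);

        if (fp == NULL)
        {
            fprintf(stderr, "\nError opening source: %s\n", errbuf);
            return -1;
        }
    }

    /* Read the packets */
    while ((res = pcap_next_ex(fp, &header, &pkt_data)) >= 0)
    {
        if (res == 0)
            /* Timeout elapsed */
            continue;

        /*
         * Print pkt timestamp and pkt len. The casts make the arguments
         * match the conversion specifiers whatever the platform's widths
         * for the timeval fields and for the 32-bit len field are.
         */
        printf("%ld:%ld (%lu)\n",
               (long)header->ts.tv_sec,
               (long)header->ts.tv_usec,
               (unsigned long)header->len);

        /*
         * Print the packet. The bound is caplen (bytes actually stored in
         * pkt_data), not len (bytes on the wire): with a snaplen of 100,
         * len can be larger than the buffer.
         */
        for (i = 0; i < header->caplen; i++)
        {
            printf("%.2x ", pkt_data[i]);
            if (((i + 1) % LINE_LEN) == 0)
                printf("\n");
        }

        printf("\n\n");
    }

    if (res == -1)
    {
        fprintf(stderr, "Error reading the packets: %s\n", pcap_geterr(fp));
        pcap_close(fp);
        return -1;
    }

    /* Any other negative value ended the loop without a read error */
    pcap_close(fp);
    return 0;
}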

Packet Filter

This is a more complete example of libpcap usage. It shows, among other things, how to create and set filters and how to save a capture to disk. It can be compiled under Win32 or Unix (projects and makefiles are provided). Pcap_filter (pf.exe) is a general-purpose packet filtering application: its input parameters are a source of packets (it can be a physical interface or a file), a filter and an output file. It takes packets from the source until CTRL+C is pressed or the whole file is processed, applies the filter to the incoming packets and saves them to the output file if they satisfy the filter. Pcap_filter can be used to dump network data according to a particular filter, but also to extract a set of packets from a previously saved file. The format of both input and output files is the one used by libpcap, i.e. the same as that of WinDump, tcpdump and many other network tools.

/* * Copyright (c) 1999 - 2003 * NetGroup, Politecnico di Torino (Italy) * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the Politecnico di Torino nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* */ #include <stdlib.h> #include <stdio.h> #include <pcap.h> #define MAX_PRINT 80 #define MAX_LINE 16 void usage(); void main(int argc, char **argv) { pcap_t *fp; char errbuf[PCAP_ERRBUF_SIZE]; char *source=NULL; char *ofilename=NULL; char *filter=NULL; int i; pcap_dumper_t *dumpfile; struct bpf_program fcode; bpf_u_int32 NetMask; int res; struct pcap_pkthdr *header; u_char *pkt_data; if (argc == 1) { usage(); return; } for(i=1;i < argc; i+= 2) { switch (argv[i] [1]) { case 's': { source=argv[i+1]; }; break; case 'o': { ofilename=argv[i+1]; }; break; case 'f': { filter=argv[i+1]; }; break; } } // open a capture from the network if (source != NULL) { if ( (fp= pcap_open(source, 1514 /*snaplen*/, PCAP_OPENFLAG_PROMISCUOUS /*flags*/, 20 /*read timeout*/, NULL /* remote authentication */, errbuf) ) == NULL) { fprintf(stderr,"\nUnable to open the adapter.\n"); return; } } else usage(); if (filter != NULL) { // We should loop through the adapters returned by the pcap_findalldevs_ex() // in order to locate the correct one. // // Let's do things simpler: we suppose to be in a C class network ;-) NetMask=0xffffff; //compile the filter if(pcap_compile(fp, &fcode, filter, 1, NetMask) < 0) { fprintf(stderr,"\nError compiling filter: wrong syntax.\n"); return; } //set the filter if(pcap_setfilter(fp, &fcode)<0) { fprintf(stderr,"\nError setting the filter\n"); return; } } //open the dump file if (ofilename != NULL) { dumpfile= pcap_dump_open(fp, ofilename); if (dumpfile == NULL) { fprintf(stderr,"\nError opening output file\n"); return; } } else usage(); //start the capture while((res = pcap_next_ex( fp, &header, &pkt_data)) >= 0) { if(res == 0) /* Timeout elapsed */ continue; //save the packet on the dump file pcap_dump((unsigned char *) dumpfile, header, pkt_data); } } void usage() { printf("\npf - Generic Packet Filter.\n"); printf("\nUsage:\npf -s source -o output_file_name [-f filter_string]\n\n"); exit(0); }
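/*
 * Copyright (c) 1999 - 2003
 * NetGroup, Politecnico di Torino (Italy)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the Politecnico di Torino nor the names of its
 * contributors may be used to endorse or promote products derived from
 * this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

#include <stdlib.h>
#include <stdio.h>

#include <pcap.h>

#define MAX_PRINT 80
#define MAX_LINE 16

void usage(void);

/*
 * pf: read packets from a source, optionally apply a filter, and save the
 * packets that pass to a dump file.
 *
 * Command line: pf -s source -o output_file_name [-f filter_string]
 * Arguments are consumed in (switch, value) pairs; only the second
 * character of each switch is examined and unknown switches are ignored.
 *
 * Returns 0 when the source is exhausted, -1 on failure. A missing or
 * malformed command line prints the usage text, which exits with status 0.
 */
int main(int argc, char **argv)
{
    pcap_t *fp;
    char errbuf[PCAP_ERRBUF_SIZE];
    char *source = NULL;
    char *ofilename = NULL;
    char *filter = NULL;
    int i;
    pcap_dumper_t *dumpfile;
    struct bpf_program fcode;
    bpf_u_int32 NetMask;
    int res;
    struct pcap_pkthdr *header;
    u_char *pkt_data;

    if (argc == 1)
    {
        usage();
        return 0;
    }

    for (i = 1; i < argc; i += 2)
    {
        /*
         * An empty argument has no character at index 1, and a switch in
         * the last position has no value after it: reject both instead of
         * reading past the string or storing a NULL value.
         */
        if (argv[i][0] == '\0' || i + 1 >= argc)
            usage();

        switch (argv[i][1])
        {
        case 's':
            source = argv[i + 1];
            break;

        case 'o':
            ofilename = argv[i + 1];
            break;

        case 'f':
            filter = argv[i + 1];
            break;

        default:
            /* unknown switches are skipped together with their value */
            break;
        }
    }

    /* Both are mandatory; check before anything is opened (usage() exits) */
    if (source == NULL || ofilename == NULL)
        usage();

    /* open a capture from the network */
    fp = pcap_open(source,
                   1514 /*snaplen*/,
                   PCAP_OPENFLAG_PROMISCUOUS /*flags*/,
                   20 /*read timeout*/,
                   NULL /* remote authentication */,
                   errbuf);
    if (fp == NULL)
    {
        fprintf(stderr, "\nUnable to open the adapter: %s\n", errbuf);
        return -1;
    }

    if (filter != NULL)
    {
        /*
         * We should loop through the adapters returned by
         * pcap_findalldevs_ex() in order to locate the correct one and use
         * its netmask. To keep things simple the sample assumes a class C
         * network.
         */
        NetMask = 0xffffff;

        /* compile the filter */
        if (pcap_compile(fp, &fcode, filter, 1, NetMask) < 0)
        {
            fprintf(stderr, "\nError compiling filter: %s\n", pcap_geterr(fp));
            pcap_close(fp);
            return -1;
        }

        /* set the filter */
        if (pcap_setfilter(fp, &fcode) < 0)
        {
            fprintf(stderr, "\nError setting the filter\n");
            pcap_freecode(&fcode);
            pcap_close(fp);
            return -1;
        }

        /* the compiled program is not needed once it has been installed */
        pcap_freecode(&fcode);
    }

    /*
     * open the dump file
     * NOTE(review): the path comes straight from the command line and is
     * opened with the privileges of this process; an existing file at that
     * path is presumably overwritten -- confirm against pcap_dump_open().
     */
    dumpfile = pcap_dump_open(fp, ofilename);
    if (dumpfile == NULL)
    {
        fprintf(stderr, "\nError opening output file\n");
        pcap_close(fp);
        return -1;
    }

    /* start the capture */
    while ((res = pcap_next_ex(fp, &header, &pkt_data)) >= 0)
    {
        if (res == 0)
            /* Timeout elapsed */
            continue;

        /* save the packet on the dump file */
        pcap_dump((unsigned char *) dumpfile, header, pkt_data);
    }

    if (res == -1)
        fprintf(stderr, "\nError reading the packets: %s\n", pcap_geterr(fp));

    /*
     * Close the dump so buffered packets reach the file. A capture that is
     * stopped with CTRL+C ends the process before this point, so the last
     * packets may be missing from the file in that case.
     */
    pcap_dump_close(dumpfile);
    pcap_close(fp);

    return (res == -1) ? -1 : 0;
}


/* Print the command-line synopsis and terminate the process with status 0. */
void usage(void)
{
    printf("\npf - Generic Packet Filter.\n");
    printf("\nUsage:\npf -s source -o output_file_name [-f filter_string]\n\n");
    exit(0);
}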

documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005 CACE technologies. All rights reserved.