<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><title>WinPcap: Opening an adapter and capturing the packets</title><link href="style.css" rel="stylesheet" type="text/css"><link href="tabs.css" rel="stylesheet" type="text/css"></head><body><!-- Generated by Doxygen 1.5.6 --><div class="contents"><h1>Opening an adapter and capturing the packets</h1>Now that we've seen how to obtain an adapter to play with, let's start the real job, opening an adapter and capturing some traffic. In this lesson we'll write a program that prints some information about each packet flowing through the adapter.<p>The function that opens a capture device is <a class="el" href="group__wpcapfunc.html#g2b64c7b6490090d1d37088794f1f1791" title="Open a generic source in order to capture / send (WinPcap only) traffic.">pcap_open()</a>. The parameters, <em>snaplen</em>, <em>flags</em> and <em>to_ms</em> deserve some explanation.<p><em>snaplen</em> specifies the portion of the packet to capture. On some OSes (like xBSD and Win32), the packet driver can be configured to capture only the initial part of any packet: this decreases the amount of data to copy to the application and therefore improves the efficiency of the capture. In this case we use the value 65536 which is higher than the greatest MTU that we could encounter. 
In this manner we ensure that the application will always receive the whole packet.<p><em>flags:</em> the most important flag is the one that indicates if the adapter will be put in promiscuous mode. In normal operation, an adapter only captures packets from the network that are destined to it; the packets exchanged by other hosts are therefore ignored. Instead, when the adapter is in promiscuous mode it captures all packets whether they are destined to it or not. This means that on shared media (like non-switched Ethernet), WinPcap will be able to capture the packets of other hosts. Promiscuous mode is the default for most capture applications, so we enable it in the following example.<p><em>to_ms</em> specifies the read timeout, in milliseconds. A read on the adapter (for example, with <a class="el" href="group__wpcapfunc.html#g60ce104cdf28420d3361cd36d15be44c" title="Collect a group of packets.">pcap_dispatch()</a> or <a class="el" href="group__wpcapfunc.html#g439439c2eae61161dc1efb1e03a81133" title="Read a packet from an interface or from an offline capture.">pcap_next_ex()</a>) will always return after <em>to_ms</em> milliseconds, even if no packets are available from the network. <em>to_ms</em> also defines the interval between statistical reports if the adapter is in statistical mode (see the lesson "\ref wpcap_tut9" for information about statistical mode). Setting <em>to_ms</em> to 0 means no timeout: a read on the adapter never returns if no packets arrive. 
A timeout of -1, on the other hand, causes a read on the adapter to always return immediately.<p><div class="fragment"><pre class="fragment"><span class="preprocessor">#include "pcap.h"</span>

<span class="comment">/* prototype of the packet handler */</span>
<span class="keywordtype">void</span> packet_handler(u_char *param, <span class="keyword">const</span> <span class="keyword">struct</span> <a class="code" href="structpcap__pkthdr.html" title="Header of a packet in the dump file.">pcap_pkthdr</a> *header, <span class="keyword">const</span> u_char *pkt_data);

<span class="keywordtype">int</span> main()
{
    <a class="code" href="structpcap__if.html" title="Item in a list of interfaces, used by pcap_findalldevs().">pcap_if_t</a> *alldevs;
    <a class="code" href="structpcap__if.html" title="Item in a list of interfaces, used by pcap_findalldevs().">pcap_if_t</a> *d;
    <span class="keywordtype">int</span> inum;
    <span class="keywordtype">int</span> i=0;
    <a class="code" href="group__wpcap__def.html#g4711d025f83503ce692efa5e45ec60a7" title="Descriptor of an open capture instance. This structure is opaque to the user, that...">pcap_t</a> *adhandle;
    <span class="keywordtype">char</span> errbuf[<a class="code" href="group__wpcap__def.html#gcd448353957d92c98fccc29e1fc8d927" title="Size to use when allocating the buffer that contains the libpcap errors.">PCAP_ERRBUF_SIZE</a>];

    <span class="comment">/* Retrieve the device list on the local machine */</span>
    <span class="keywordflow">if</span> (<a class="code" href="group__wpcapfunc.html#g98f36e62c95c6ad81eaa8b2bbeb8f16e" title="Create a list of network devices that can be opened with pcap_open().">pcap_findalldevs_ex</a>(<a class="code" href="group__remote__source__string.html#g6d7103b8a7e1eca8c325bd8f32c361c3" title="String that will be used to determine the type of source in use (file, remote/local...">PCAP_SRC_IF_STRING</a>, NULL, &alldevs, errbuf) == -1)
    {
        fprintf(stderr,<span class="stringliteral">"Error in pcap_findalldevs: %s\n"</span>, errbuf);
        exit(1);
    }

    <span class="comment">/* Print the list */</span>
    <span class="keywordflow">for</span>(d=alldevs; d; d=d-><a class="code" href="structpcap__if.html#81508e6e4e41ca4235c8d6b51913c536" title="if not NULL, a pointer to the next element in the list; NULL for the last element...">next</a>)
    {
        printf(<span class="stringliteral">"%d. %s"</span>, ++i, d-><a class="code" href="structpcap__if.html#5ac083a645d964373f022d03df4849c8" title="a pointer to a string giving a name for the device to pass to pcap_open_live()">name</a>);
        <span class="keywordflow">if</span> (d-><a class="code" href="structpcap__if.html#8444d6e0dfe2bbab0b5e7b24308f1559" title="if not NULL, a pointer to a string giving a human-readable description of the device...">description</a>)
            printf(<span class="stringliteral">" (%s)\n"</span>, d-><a class="code" href="structpcap__if.html#8444d6e0dfe2bbab0b5e7b24308f1559" title="if not NULL, a pointer to a string giving a human-readable description of the device...">description</a>);
        <span class="keywordflow">else</span>
            printf(<span class="stringliteral">" (No description available)\n"</span>);
    }

    <span class="keywordflow">if</span>(i==0)
    {
        printf(<span class="stringliteral">"\nNo interfaces found! Make sure WinPcap is installed.\n"</span>);
        <span class="keywordflow">return</span> -1;
    }

    printf(<span class="stringliteral">"Enter the interface number (1-%d):"</span>,i);
    scanf_s(<span class="stringliteral">"%d"</span>, &inum);

    <span class="keywordflow">if</span>(inum < 1 || inum > i)
    {
        printf(<span class="stringliteral">"\nInterface number out of range.\n"</span>);
</pre></div>
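<p>Added example, not part of the WinPcap documentation: when <em>snaplen</em> is smaller than a packet, the handler receives fewer bytes than the packet had on the wire, so every read in the handler has to be bounded by the captured length rather than the wire length. <code>cap_hdr</code> (a local stand-in for the <code>caplen</code> and <code>len</code> fields of <code>pcap_pkthdr</code>), <code>parse_ipv4()</code>, <code>parse_sample()</code> and the sample frame are assumptions made for this example.</p>

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the caplen/len fields of pcap_pkthdr (assumption: local, no WinPcap headers). */
struct cap_hdr { uint32_t caplen; uint32_t len; };
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_NOT_IPV4 = -2, PARSE_MALFORMED = -3 };

/* Constructed 42-byte frame: Ethernet, IPv4 192.0.2.1 -> 198.51.100.2, UDP header. */
static const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc6,0x33,0x64,0x02, 0x30,0x39,0x00,0x35, 0x00,0x08,0x00,0x00
};

static uint32_t be32(const uint8_t *p)   /* big-endian 32-bit load */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Extract the IPv4 addresses, touching only bytes below h->caplen. */
int parse_ipv4(const struct cap_hdr *h, const uint8_t *pkt, uint32_t *src, uint32_t *dst)
{
    const uint32_t eth = 14;                              /* Ethernet header length */
    if (h->caplen > h->len) return PARSE_MALFORMED;       /* inconsistent header */
    if (h->caplen < eth + 1) return PARSE_TRUNCATED;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return PARSE_NOT_IPV4;
    if ((pkt[eth] >> 4) != 4) return PARSE_MALFORMED;
    const uint32_t ihl = (uint32_t)(pkt[eth] & 0x0f) * 4; /* IP header length in bytes */
    if (ihl < 20) return PARSE_MALFORMED;
    if (h->caplen < eth + ihl) return PARSE_TRUNCATED;    /* header cut off by snaplen */
    *src = be32(pkt + eth + 12);
    *dst = be32(pkt + eth + 16);
    return PARSE_OK;
}

/* Simulate the driver delivering SAMPLE_FRAME under a given snaplen. */
int parse_sample(uint32_t snaplen, uint32_t *src, uint32_t *dst)
{
    struct cap_hdr h = { 0, (uint32_t)sizeof SAMPLE_FRAME };
    h.caplen = snaplen < h.len ? snaplen : h.len;
    return parse_ipv4(&h, SAMPLE_FRAME, src, dst);
}

int main(void)
{
    uint32_t s = 0, d = 0;
    printf("snaplen 65536 -> %d, snaplen 24 -> %d\n",
           parse_sample(65536, &s, &d), parse_sample(24, &s, &d));
    return 0;
}
```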