Network Security Tools by Nitesh Dhanjani, Justin Clarke

Synopsis

Purpose: pcap_open_live is used to open a live packet-capturing session from the network interface device (for example, eth0 on Linux, or le0 on a Sun Sparc). device can be NULL or any on recent Linux systems, in which case all interfaces are used for packet capture. snaplen specifies the length in bytes to be captured. If you want to capture the entire packet, set this to more than the packet size, including headers for the link type you are capturing from (65,535 should be sufficient). promisc should be 1 if the interface should be put into promiscuous mode or 0 otherwise. When a network interface is in promiscuous mode, and promiscuous mode is supported by the underlying data link layer, it captures all traffic on the network, regardless of whether it is intended for the host running the packet capture. This does not have any effect if the device is set to NULL or any. The parameter to_ms specifies a read timeout in milliseconds for when read operations should not necessarily return immediately when a packet is seen, therefore allowing us to capture multiple packets in one read operation. to_ms is not supported on all platforms (for unsupported systems, this value is ignored), and is useful mostly if you’re going to use pcap_dispatch in nonblocking mode. A value of 0 causes libpcap to wait until packets arrive. pcap_open_live returns NULL is the ...