libpcap

Why are some Beacon Frames dropped

[亡魂溺海] submitted on 2019-12-25 03:55:02
Question: Why am I not capturing all Beacon Frames? Are they being dropped by AP? I'm using libpcap in Linux for capturing Beacon Frames and parsing the timestamp. I use the timestamps to compute the interval between captured Beacon Frames. Most of the time the interval is what it should be, namely 102.4ms. However, every 5-6 packets show an interval of a multiple of 102.4ms; this can be 204, 306 and up to 800ms. I don't know if this is due to AP not sending those Beacon Frames or my pcap not capturing

Parsing packets captured using wireshark for management frames identification using libpcap or similar library

前提是你 submitted on 2019-12-24 07:12:30
Question: I want to parse packets captured by Wireshark offline using libpcap. I am capturing packets from a wireless network in monitor mode. I have read that "libpcap" can be used to capture and parse packets captured in the ethernet. Can it be used for wireless networks too? If yes, can anyone suggest me some tutorial? And if no, which library is suitable for it and how to use it?
Answer 1: libpcap, and its Windows port, WinPcap can be used to capture network traffic (in fact, they're what Wireshark uses

AF_PACKET equivalent under Mac OS X (Darwin)

自闭症网瘾萝莉.ら submitted on 2019-12-23 07:31:07
Question: I am trying to compile a C program on Mac OS X that uses AF_PACKET sockets and libpcap, what is the equivalent in OS X?
Answer 1: The closest equivalent to AF_PACKET sockets in Mac OS X (and in other BSD-flavored OSes, such as FreeBSD, NetBSD, OpenBSD, Dragonfly BSD, and so on) is BPF, but it doesn't work very much like AF_PACKET sockets; see "man bpf". The exact equivalent to libpcap in Mac OS X (and in other BSD-flavored UN*Xes) is, well, libpcap. (libpcap is also the exact equivalent to libpcap

Does libpcap use raw sockets underneath them?

半腔热情 submitted on 2019-12-20 18:32:46
Question: I was getting a bit confused on using of raw sockets and libcap. Can anyone simply point out the advantages of using both? I read a few links, but it's making me confused.
Answer 1: "libpcap" and "raw sockets" are different topics. Libpcap is a packet capture library for Linux which is used to capture the traffic/packets that pass through a network interface like eth0. On Windows the Winpcap library does the same thing. Raw sockets are a feature of the socket API provided by the OS that can be used

packet data intercept and modification

℡╲_俬逩灬. submitted on 2019-12-19 11:52:52
Question: I'd like to be able to intercept/modify data in a TCP flow, on the side of the TCP client. Examples for pcap show how to parse TCP packet header/payload. But suppose I want to modify packet payload before the TCP client reads it, or drop the packet entirely. How can I do that with pcap capture?
Answer 1: As above, you can't do interception/modification with pcap. For this you need one of the following OS-dependent techniques:
Linux: libnetfilter_queue + iptables
MacOS, FreeBSD: divert sockets + ipfw

requirement of root privileges for libpcap functions

社会主义新天地 submitted on 2019-12-19 10:28:45
Question: The pcap_lookupdev() fills in the errbuf variable when run as non-root user, while the same function returns the value of the first available network interface when run as root. Is this access disabled by the OS or the library? I think it is the OS. What is the right answer? This is not a homework question.
Answer 1: In general, when it comes to accessing files, devices and other services provided by the OS, access models in Unix (and, thus, Linux) are implemented in the OS. Userspace programs are

Read nanosecond pcap file using libpcap

房东的猫 submitted on 2019-12-18 06:14:18
Question: I have a nanosecond libpcap (nanosec.pcap) file and the nanosecond timestamp (e.g. 2.123456789) can be displayed by using Wireshark. Now I would like to open the nanosecond libpcap file using C language and have the following source code. When I try to open the nanosec.pcap by using pcap_open_offline(), it would return "unknown file format" error. Additionally, by changing the magic number at the header of nanosec.pcap to that of normal pcap (0x1A2B3C4D) and I got a segmentation fault

Read nanosecond pcap file using libpcap

我的梦境 submitted on 2019-12-18 06:14:01
Question: I have a nanosecond libpcap (nanosec.pcap) file and the nanosecond timestamp (e.g. 2.123456789) can be displayed by using Wireshark. Now I would like to open the nanosecond libpcap file using C language and have the following source code. When I try to open the nanosec.pcap by using pcap_open_offline(), it would return "unknown file format" error. Additionally, by changing the magic number at the header of nanosec.pcap to that of normal pcap (0x1A2B3C4D) and I got a segmentation fault

how to debug application as root in eclipse in Ubuntu?

微笑、不失礼 submitted on 2019-12-17 17:29:53
Question: I'm programming an application using libpcap. When I debug the application in normal mode, pcap cannot get the network device. It seems that I have to debug the application as root. How can I debug the application as root? I have the root password. I think Eclipse has such an option that can add root for the debugging application, but I don't know how to do it. Please help.
Answer 1: Enable your user to run gdb as root without being asked for any password: sudo visudo Add the following line after all

How do I turn on nanosecond precision when capturing live traffic?

£可爱£侵袭症+ submitted on 2019-12-13 00:34:44
Question: How do I tell libpcap v1.6.2 to store nanosecond values in struct pcap_pkthdr::ts.tv_usec (instead of microsecond values) when capturing live packets? (Note: This question is similar to How to enable nanosecond resolution when capturing live packets in libpcap? but that question is vague enough that I decided to ask a new question.) For offline and "dead" captures, the following functions can be used to tell libpcap to fill the struct pcap_pkthdr's ts.tv_usec member with nanosecond values: