Performing Packet Capture

This section describes the steps used to perform the packet capture.

To accomplish packet capture, follow these steps:

  1. Decide which network device will be the packet capture device. The pcap_lookupdev subroutine returns the name of a suitable default device; the device name can also be supplied explicitly, for example from a command-line argument. Opening a device for live capture normally requires root (or equivalent) privileges.
  2. Obtain a packet capture descriptor by using the pcap_open_live subroutine. It takes the device name, a snapshot length (the maximum number of bytes saved from each packet), a promiscuous-mode flag, a read timeout in milliseconds, and an error buffer that is filled in if the open fails. To process a previously saved capture instead of a live device, use the pcap_open_offline subroutine at this step; the remaining steps are the same.
  3. Choose a packet filter. The filter expression identifies which packets you are interested in capturing.
  4. Compile the packet filter into a BPF filter program using the pcap_compile subroutine. The packet filter expression is specified as a null-terminated ASCII string. pcap_compile also takes the network mask of the capture device, which can be obtained with the pcap_lookupnet subroutine and is needed only for expressions such as ip broadcast. Refer to Packet Capture Library Filter Expressions for more information.
  5. After a BPF filter program is compiled, attach it to the packet capture device using the pcap_setfilter subroutine. If the captured packets are to be saved to a file for processing later, create the output file, known as the savefile, using the pcap_dump_open subroutine; it creates (or truncates) the file and writes the savefile header. Note that pcap_dump_open is for writing: a savefile written earlier is read back with pcap_open_offline, not with pcap_dump_open.
  6. Use the pcap_dispatch or pcap_loop subroutine to read the captured packets and call a handler subroutine for each one. pcap_dispatch returns after one buffer of packets has been processed (or the read timeout expires), which suits programs that have other work to do between reads; pcap_loop keeps reading until the requested packet count is reached or an error occurs. The handler can be the pcap_dump subroutine, with the dumper pointer returned by pcap_dump_open passed as the user argument, if the packets are to be written to the savefile, or some other subroutine you provide.
  7. Call the pcap_close subroutine to deallocate the resources used by the packet capture descriptor. If a savefile was opened, call pcap_dump_close first so that buffered output is flushed and the file is closed; pcap_close does not close the savefile.