Performing Packet Capture
This section describes the steps used to perform the packet capture.
To accomplish packet capture, follow these steps:
- Decide which network device will be the packet capture device. Use the pcap_lookupdev subroutine to do this.
- Obtain a packet capture descriptor by using the pcap_open_live subroutine.
- Choose a packet filter. The filter expression identifies which packets you are interested in capturing.
- Compile the packet filter into a filter program using the pcap_compile subroutine. The packet filter expression is specified in an ASCII string. Refer to Packet Capture Library Filter Expressions for more information.
- After the BPF filter program is compiled, notify the packet capture device of the filter using the pcap_setfilter subroutine. If the captured packets are to be saved to a file for later processing, open that output file, known as the savefile, using the pcap_dump_open subroutine.
- Use the pcap_dispatch or pcap_loop subroutine to read in the captured packets and call the subroutine to process them. This processing subroutine can be the pcap_dump subroutine, if the packets are to be written to a savefile, or some other subroutine you provide.
- Call the pcap_close subroutine to clean up the open files and deallocate the resources used by the packet capture descriptor.