PCAP_OPEN_LIVE(3PCAP) PCAP_OPEN_LIVE(3PCAP)

pcap_open_live - open a device for capturing

#include <pcap/pcap.h>
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap_open_live(const char *device, int snaplen,
    int promisc, int to_ms, char *errbuf);

pcap_open_live() is used to obtain a packet capture handle to look at packets on the network. device is a string that specifies the network device to open; on all supported Linux systems, as well as on recent versions of macOS and Solaris, a device argument of "any" or NULL can be used to capture packets from all network interfaces. The latter should not be confused with all available capture devices as seen by pcap_findalldevs(3PCAP), which may also include D-Bus, USB etc.

snaplen specifies the snapshot length to be set on the handle. If the packet data should not be truncated at the end, a value of 262144 should be sufficient for most devices, but D-Bus devices require a value of 128MB (128*1024*1024).

promisc specifies whether the interface is to be put into promiscuous mode. If promisc is non-zero, promiscuous mode will be set, otherwise it will not be set.

to_ms specifies the packet buffer timeout, as a non-negative value, in milliseconds. (See pcap(3PCAP) for an explanation of the packet buffer timeout.)

errbuf is a buffer large enough to hold at least PCAP_ERRBUF_SIZE chars.

pcap_open_live() returns a pcap_t * on success and NULL on failure. If NULL is returned, errbuf is filled in with an appropriate error message. errbuf may also be set to warning text when pcap_open_live() succeeds; to detect this case the caller should store a zero-length string in errbuf before calling pcap_open_live() and display the warning to the user if errbuf is no longer a zero-length string.

pcap_create(3PCAP), pcap_activate(3PCAP)

4 March 2024