| pcap-0.3: A system-independent interface for user-level packet capture | Contents | Index |
|
Network.Pcap | Portability | non-portable | Stability | experimental | Maintainer | bos@serpentine.com |
|
|
|
|
|
Description |
The Pcap module is a high(ish) level binding to all of
the functions in libpcap. See http://www.tcpdump.org for more
information.
This module is built on the lower-level Base module,
which is slightly more efficient. Don't use Base
unless profiling data indicates that you need to.
Only a minimum of marshaling is done on received packets. To
convert captured packet data to a ByteString (space efficient,
and with O(1) access to every byte in a captured packet), use
toBS.
Note that the SockAddr exported here is not the SockAddr from
Socket. The SockAddr from Socket corresponds
to struct sockaddr_in in BSD terminology. The SockAddr record
here is BSD's struct sockaddr. See W.R.Stevens, TCP Illustrated,
volume 2, for further elucidation.
This binding should be portable across systems that can use the
libpcap from tcpdump.org. It does not yet work with Winpcap, a
similar library for Windows, although adapting it should not prove
difficult.
|
|
Synopsis |
|
|
|
|
Types
|
|
data PcapHandle |
|
|
data DumpHandle |
|
|
type BpfProgram = ForeignPtr BpfProgramTag |
Compiled Berkeley Packet Filter program
|
|
type Callback = PktHdr -> Ptr Word8 -> IO () |
the type of the callback function passed to dispatch or loop.
|
|
data Direction |
The direction in which packets are to be captured. See
setDirection.
| Constructors | InOut | incoming and outgoing packets (the default
| In | incoming packets
| Out | outgoing packets
|
| Instances | |
|
|
data Link |
Datalink types.
This covers all of the datalink types defined in bpf.h.
Types defined on your system may vary.
| Constructors | DLT_NULL | no link layer encapsulation
| DLT_UNKNOWN Int | unknown encapsulation
| DLT_EN10MB | 10 Mbit per second (or faster) ethernet
| DLT_EN3MB | original 3 Mbit per second ethernet
| DLT_AX25 | amateur radio AX.25
| DLT_PRONET | Proteon ProNET Token Ring
| DLT_CHAOS | Chaos
| DLT_IEEE802 | IEEE 802 networks
| DLT_ARCNET | ARCNET
| DLT_SLIP | Serial line IP
| DLT_PPP | Point-to-point protocol
| DLT_FDDI | FDDI
| DLT_ATM_RFC1483 | LLC SNAP encapsulated ATM
| DLT_RAW | raw IP
| DLT_SLIP_BSDOS | BSD OS serial line IP
| DLT_PPP_BSDOS | BSD OS point-to-point protocol
| DLT_ATM_CLIP | Linux classical IP over ATM
| DLT_REDBACK_SMARTEDGE | Redback SmartEdge 400/800
| DLT_PPP_SERIAL | PPP over serial with HDLC encapsulation
| DLT_PPP_ETHER | PPP over ethernet
| DLT_SYMANTEC_FIREWALL | Symantec Enterprise Firewall
| DLT_C_HDLC | Cisco HDLC
| DLT_IEEE802_11 | IEEE 802.11 wireless
| DLT_FRELAY | Frame Relay
| DLT_LOOP | OpenBSD loopback device
| DLT_ENC | Encapsulated packets for IPsec
| DLT_LINUX_SLL | Linux cooked sockets
| DLT_LTALK | Apple LocalTalk
| DLT_ECONET | Acorn Econet
| DLT_IPFILTER | OpenBSD's old ipfilter
| DLT_PFLOG | OpenBSD's pflog
| DLT_CISCO_IOS | Cisco IOS
| DLT_PRISM_HEADER | Intersil Prism II wireless chips
| DLT_AIRONET_HEADER | Aironet (Cisco) 802.11 wireless
| DLT_HHDLC | Siemens HiPath HDLC
| DLT_IP_OVER_FC | RFC 2625 IP-over-Fibre Channel
| DLT_SUNATM | Full Frontal ATM on Solaris with SunATM
| DLT_IEEE802_11_RADIO | 802.11 plus a number of bits of link-layer information
| DLT_ARCNET_LINUX | Linux ARCNET header
| DLT_APPLE_IP_OVER_IEEE1394 | Apple IP-over-IEEE 1394
| DLT_MTP2_WITH_PHDR | SS7, C7 MTP2 with pseudo-header
| DLT_MTP2 | SS7, C7 Message Transfer Part 2 (MPT2)
| DLT_MTP3 | SS7, C7 Message Transfer Part 3 (MPT3)
| DLT_SCCP | SS7, C7 SCCP
| DLT_DOCSIS | DOCSIS MAC frame
| DLT_LINUX_IRDA | Linux IrDA packet
| DLT_USER0 | Reserved for private use
| DLT_USER1 | Reserved for private use
| DLT_USER2 | Reserved for private use
| DLT_USER3 | Reserved for private use
| DLT_USER4 | Reserved for private use
| DLT_USER5 | Reserved for private use
| DLT_USER6 | Reserved for private use
| DLT_USER7 | Reserved for private use
| DLT_USER8 | Reserved for private use
| DLT_USER9 | Reserved for private use
| DLT_USER10 | Reserved for private use
| DLT_USER11 | Reserved for private use
| DLT_USER12 | Reserved for private use
| DLT_USER13 | Reserved for private use
| DLT_USER14 | Reserved for private use
| DLT_USER15 | Reserved for private use
| DLT_PPP_PPPD | Outgoing packets for ppp daemon
| DLT_GPRS_LLC | GPRS LLC
| DLT_GPF_T | GPF-T (ITU-T G.7041/Y.1303)
| DLT_GPF_F | GPF-F (ITU-T G.7041/Y.1303)
| DLT_LINUX_LAPD | Raw LAPD for vISDN (not generic LAPD)
| DLT_A429 | ARINC 429
| DLT_A653_ICM | ARINC 653 Interpartition Communication messages
| DLT_USB | USB packet
| DLT_BLUETOOTH_HCI_H4 | Bluetooth HCI UART transport layer (part H:4)
| DLT_MFR | Multi Link Frame Relay (FRF.16)
| DLT_IEEE802_16_MAC_CPS | IEEE 802.16 MAC Common Part Sublayer
| DLT_USB_LINUX | USB packets, beginning with a Linux USB header
| DLT_CAN20B | Controller Area Network (CAN) v2.0B
| DLT_IEEE802_15_4_LINUX | IEEE 802.15.4, with address fields padded
| DLT_PPI | Per Packet Information encapsulated packets
| DLT_IEEE802_16_MAC_CPS_RADIO | 802.16 MAC Common Part Sublayer with radiotap radio header
| DLT_IEEE802_15_4 | IEEE 802.15.4, exactly as in the spec
|
| Instances | |
|
|
data Interface |
The interface structure.
| Constructors | Interface | | ifName :: String | the interface name
| ifDescription :: String | interface description string (if any)
| ifAddresses :: [PcapAddr] | address families supported by this interface
| ifFlags :: Word32 | |
|
| Instances | |
|
|
data PcapAddr |
The address structure.
| Constructors | | Instances | |
|
|
data SockAddr |
The socket address record. Note that this is not the same as
SockAddr from Socket. (That is a Haskell version of C's
struct sockaddr_in. This is the real struct sockaddr from the
BSD network stack.)
| Constructors | SockAddr | | saFamily :: !Family | an address family exported by Network.Socket
| saAddr :: !ByteString | |
|
| Instances | |
|
|
data Network |
The network address record. Both the address and mask are in
network byte order.
| Constructors | Network | | netAddr :: !Word32 | IPv4 network address
| netMask :: !Word32 | IPv4 netmask
|
|
| Instances | |
|
|
data PktHdr |
Constructors | PktHdr | | hdrSeconds :: !Word32 | timestamp (seconds)
| hdrUseconds :: !Word32 | timestamp (microseconds)
| hdrCaptureLength :: !Word32 | number of bytes present in capture
| hdrWireLength :: !Word32 | number of bytes on the wire
|
|
| Instances | |
|
|
data Statistics |
Constructors | Statistics | | statReceived :: !Word32 | packets received
| statDropped :: !Word32 | packets dropped by libpcap
| statIfaceDropped :: !Word32 | packets dropped by the network interface
|
|
| Instances | |
|
|
Device opening
|
|
openOffline |
:: FilePath | name of dump file to read
| -> IO PcapHandle | | openOffline opens a dump file for reading. The file format
is the same as used by tcpdump and Wireshark. The string "-"
is a synonym for stdin.
|
|
|
openLive |
:: String | device name
| -> Int | snapshot length
| -> Bool | set interface to promiscuous mode?
| -> Int64 | timeout in microseconds
| -> IO PcapHandle | | openLive is used to get a PcapHandle that can be used to look
at packets on the network. The arguments are the device name, the
snapshot length (in bytes), the promiscuity of the interface
(True == promiscuous) and a timeout in microseconds.
The timeout allows the packet filter to delay while accumulating
multiple packets, which is more efficient than reading packets one
by one. A timeout of zero will wait indefinitely for "enough"
packets to arrive.
Using "any" as the device name will capture packets from all
interfaces. On some systems, reading from the "any" device is
incompatible with setting the interfaces into promiscuous mode. In
that case, only packets whose link layer addresses match those of
the interfaces are captured.
|
|
|
openDead |
:: Link | datalink type
| -> Int | snapshot length
| -> IO PcapHandle | | openDead is used to get a PcapHandle without opening a file
or device. It is typically used to test packet filter compilation
by setFilter. The arguments are the link type and the snapshot
length.
|
|
|
openDump |
|
|
Filter handling
|
|
setFilter |
:: PcapHandle | handle on which to set filter
| -> String | filter string
| -> Bool | optimize?
| -> Word32 | IPv4 network mask
| -> IO () | | Set a filter on the specified packet capture handle. Valid
filter strings are those accepted by tcpdump.
|
|
|
compileFilter |
:: Int | snapshot length
| -> Link | datalink type
| -> String | filter string
| -> Bool | optimize?
| -> Word32 | IPv4 network mask
| -> IO BpfProgram | | Compile a filter for use by another program using the Berkeley
Packet Filter library.
|
|
|
Device utilities
|
|
lookupDev :: IO String |
lookupDev returns the name of a device suitable for use with
openLive and lookupNet. If you only have one interface, it is
the function of choice. If not, see findAllDevs.
|
|
findAllDevs :: IO [Interface] |
findAllDevs returns a list of all the network devices that can
be opened by openLive. It returns only those devices that the
calling process has sufficient privileges to open, so it may not
find every device on the system.
|
|
lookupNet |
:: String | device name
| -> IO Network | | Return the network address and mask for the specified interface
name. Only valid for IPv4. For other protocols, use findAllDevs
and search the Interface list for the associated network mask.
|
|
|
Interface control
|
|
setNonBlock |
|
|
getNonBlock :: PcapHandle -> IO Bool |
Return the blocking status of the PcapHandle. True indicates
that the handle is non-blocking. Handles referring to dump files
opened by openDump always return False.
|
|
setDirection :: PcapHandle -> Direction -> IO () |
Specify the direction in which packets are to be captured.
Complete functionality is not necessarily available on all
platforms.
|
|
Link layer utilities
|
|
datalink :: PcapHandle -> IO Link |
Returns the datalink type associated with the given handle.
|
|
setDatalink :: PcapHandle -> Link -> IO () |
Sets the datalink type for the given handle.
|
|
listDatalinks :: PcapHandle -> IO [Link] |
List all the datalink types supported by the given
handle. Entries from the resulting list are valid arguments to
setDatalink.
|
|
Packet processing
|
|
dispatch |
:: PcapHandle | | -> Int | number of packets to process
| -> Callback | packet processing function
| -> IO Int | number of packets read
| Collect and process packets.
The count is the maximum number of packets to process before
returning. A count of -1 means process all of the packets received
in one buffer (if a live capture) or all of the packets in a
dump file (if offline).
The callback function is passed two arguments, a packet header
record and a pointer to the packet data (Ptr Word8). THe header
record contains the number of bytes captured, whcih can be used to
marshal the data into a list, array, or ByteString (using
toBS).
|
|
|
loop |
:: PcapHandle | | -> Int | number of packets to read (-1 == loop forever)
| -> Callback | packet processing function
| -> IO Int | number of packets read
| Similar to dispatch, but loop until the number of packets
specified by the second argument are read. A negative value loops
forever.
This function does not return when a live read tiemout occurs. Use
dispatch instead if you wnat to specify a timeout.
|
|
|
next :: PcapHandle -> IO (PktHdr, Ptr Word8) |
Read the next packet (equivalent to calling dispatch with a
count of 1).
|
|
dump |
:: DumpHandle | | -> Ptr PktHdr | packet header record
| -> Ptr Word8 | packet data
| -> IO () | | Write the packet data given by the second and third arguments to
a dump file opened by openDead. dump is designed so it can be
easily used as a default callback function by dispatch or loop.
|
|
|
Sending packets
|
|
sendPacket |
:: PcapHandle | | -> Ptr Word8 | packet data (including link-level header)
| -> Int | packet size
| -> IO () | | Send a raw packet through the network interface.
|
|
|
sendPacketBS |
:: PcapHandle | | -> ByteString | packet data (including link-level header)
| -> IO () | | Send a raw packet through the network interface.
|
|
|
Conversion
|
|
toBS :: (PktHdr, Ptr Word8) -> IO (PktHdr, ByteString) |
Represent a captured packet as a ByteString. Suitable for
use as is with the result of next, or use curry toBS inside
a Callback with dispatch.
|
|
hdrTime :: PktHdr -> Int64 |
Get the timestamp of a packet as a single quantity, in microseconds.
|
|
hdrDiffTime :: PktHdr -> DiffTime |
Get the timestamp of a packet as a DiffTime.
|
|
Miscellaneous
|
|
statistics :: PcapHandle -> IO Statistics |
Returns the number of packets received, the number of packets
dropped by the packet filter and the number of packets dropped by
the interface (before processing by the packet filter).
|
|
version :: PcapHandle -> IO (Int, Int) |
Version of the library. The returned pair consists of the major
and minor version numbers.
|
|
isSwapped :: PcapHandle -> IO Bool |
isSwapped returns True if the current dump file uses a
different byte order than the one native to the system.
|
|
snapshotLen :: PcapHandle -> IO Int |
The snapshot length that was used in the call to openLive.
|
|
Produced by Haddock version 0.8 |