pcap-0.4.4: A system-independent interface for user-level packet capture

Portabilitynon-portable
Stabilityexperimental
Maintainerbos@serpentine.com

Network.Pcap.Base

Contents

Description

The Network.Pcap.Base module is a low-level binding to all of the functions in libpcap. See http://www.tcpdump.org for more information.

Only a minimum of marshaling is done. For a higher-level interface that's more friendly, use the Network.Pcap module.

To convert captured packet data to a list, extract the length of the captured buffer from the packet header record and use peekArray to convert the captured data to a list. For illustration: 

	import Network.Pcap.Base
	import Foreign.Marshal.Array (peekArray)

	main = do
        let printIt :: PktHdr -> Ptr Word8 -> IO ()
		printIt ph bytep = do
	          a <- peekArray (fromIntegral (hdrCaptureLength ph)) bytep 
	       	  print a

	    p <- openLive "em0" 100 True 10000
	    s <- withForeignPtr p $ \ptr -> do
	           dispatch ptr (-1) printIt
	    return ()

Note that the SockAddr exported here is not the SockAddr from Network.Socket. The SockAddr from Network.Socket corresponds to struct sockaddr_in in BSD terminology. The SockAddr record here is BSD's struct sockaddr. See W.R.Stevens, TCP Illustrated, volume 2, for further elucidation.

This binding should be portable across systems that can use the libpcap library from tcpdump.org. It will not work with Winpcap, a similar library for Windows, although adapting it should not prove difficult.

Synopsis

Types

data PcapTag Source

data PcapDumpTag Source

packet capture descriptor

type Pdump = ForeignPtr PcapDumpTagSource

dump file descriptor

type BpfProgram = ForeignPtr BpfProgramTagSource

Compiled Berkeley Packet Filter program

data BpfProgramTag Source

type Callback = PktHdr -> Ptr Word8 -> IO ()Source

the type of the callback function passed to dispatch or loop.

data Direction Source

The direction in which packets are to be captured. See setDirection.

Constructors

InOut

incoming and outgoing packets (the default

In

incoming packets

Out

outgoing packets

Instances

data Link Source

Datalink types.

This covers all of the datalink types defined in bpf.h. Types defined on your system may vary.

Constructors

DLT_NULL

no link layer encapsulation

DLT_UNKNOWN Int

unknown encapsulation

DLT_EN10MB

10 Mbit per second (or faster) ethernet

DLT_EN3MB

original 3 Mbit per second ethernet

DLT_AX25

amateur radio AX.25

DLT_PRONET

Proteon ProNET Token Ring

DLT_CHAOS

Chaos

DLT_IEEE802

IEEE 802 networks

DLT_ARCNET

ARCNET

DLT_SLIP

Serial line IP

DLT_PPP

Point-to-point protocol

DLT_FDDI

FDDI

DLT_ATM_RFC1483

LLC SNAP encapsulated ATM

DLT_RAW

raw IP

DLT_SLIP_BSDOS

BSD OS serial line IP

DLT_PPP_BSDOS

BSD OS point-to-point protocol

DLT_ATM_CLIP

Linux classical IP over ATM

DLT_REDBACK_SMARTEDGE

Redback SmartEdge 400/800

DLT_PPP_SERIAL

PPP over serial with HDLC encapsulation

DLT_PPP_ETHER

PPP over ethernet

DLT_SYMANTEC_FIREWALL

Symantec Enterprise Firewall

DLT_C_HDLC

Cisco HDLC

DLT_IEEE802_11

IEEE 802.11 wireless

DLT_FRELAY

Frame Relay

DLT_LOOP

OpenBSD loopback device

DLT_ENC

Encapsulated packets for IPsec

DLT_LINUX_SLL

Linux cooked sockets

DLT_LTALK

Apple LocalTalk

DLT_ECONET

Acorn Econet

DLT_IPFILTER

OpenBSD's old ipfilter

DLT_PFLOG

OpenBSD's pflog

DLT_CISCO_IOS

Cisco IOS

DLT_PRISM_HEADER

Intersil Prism II wireless chips

DLT_AIRONET_HEADER

Aironet (Cisco) 802.11 wireless

DLT_HHDLC

Siemens HiPath HDLC

DLT_IP_OVER_FC

RFC 2625 IP-over-Fibre Channel

DLT_SUNATM

Full Frontal ATM on Solaris with SunATM

DLT_IEEE802_11_RADIO
  1. 11 plus a number of bits of link-layer information
DLT_ARCNET_LINUX

Linux ARCNET header

DLT_APPLE_IP_OVER_IEEE1394

Apple IP-over-IEEE 1394

DLT_MTP2_WITH_PHDR

SS7, C7 MTP2 with pseudo-header

DLT_MTP2

SS7, C7 Message Transfer Part 2 (MPT2)

DLT_MTP3

SS7, C7 Message Transfer Part 3 (MPT3)

DLT_SCCP

SS7, C7 SCCP

DLT_DOCSIS

DOCSIS MAC frame

DLT_LINUX_IRDA

Linux IrDA packet

DLT_USER0

Reserved for private use

DLT_USER1

Reserved for private use

DLT_USER2

Reserved for private use

DLT_USER3

Reserved for private use

DLT_USER4

Reserved for private use

DLT_USER5

Reserved for private use

DLT_USER6

Reserved for private use

DLT_USER7

Reserved for private use

DLT_USER8

Reserved for private use

DLT_USER9

Reserved for private use

DLT_USER10

Reserved for private use

DLT_USER11

Reserved for private use

DLT_USER12

Reserved for private use

DLT_USER13

Reserved for private use

DLT_USER14

Reserved for private use

DLT_USER15

Reserved for private use

DLT_PPP_PPPD

Outgoing packets for ppp daemon

DLT_GPRS_LLC

GPRS LLC

DLT_GPF_T

GPF-T (ITU-T G.7041/Y.1303)

DLT_GPF_F

GPF-F (ITU-T G.7041/Y.1303)

DLT_LINUX_LAPD

Raw LAPD for vISDN (not generic LAPD)

DLT_A429

ARINC 429

DLT_A653_ICM

ARINC 653 Interpartition Communication messages

DLT_USB

USB packet

DLT_BLUETOOTH_HCI_H4

Bluetooth HCI UART transport layer (part H:4)

DLT_MFR

Multi Link Frame Relay (FRF.16)

DLT_IEEE802_16_MAC_CPS

IEEE 802.16 MAC Common Part Sublayer

DLT_USB_LINUX

USB packets, beginning with a Linux USB header

DLT_CAN20B

Controller Area Network (CAN) v2.0B

DLT_IEEE802_15_4_LINUX

IEEE 802.15.4, with address fields padded

DLT_PPI

Per Packet Information encapsulated packets

DLT_IEEE802_16_MAC_CPS_RADIO
  1. 16 MAC Common Part Sublayer with radiotap radio header
DLT_IEEE802_15_4

IEEE 802.15.4, exactly as in the spec

data Interface Source

The interface structure.

Constructors

Interface 

Fields

ifName :: String

the interface name

ifDescription :: String

interface description string (if any)

ifAddresses :: [PcapAddr]

address families supported by this interface

ifFlags :: Word32
 

Instances

data PcapAddr Source

The address structure.

Constructors

PcapAddr 

Fields

addrSA :: SockAddr

interface address

addrMask :: Maybe SockAddr

network mask

addrBcast :: Maybe SockAddr

broadcast address

addrPeer :: Maybe SockAddr

address of peer, of a point-to-point link

Instances

data SockAddr Source

The socket address record. Note that this is not the same as SockAddr from Network.Socket. (That is a Haskell version of C's struct sockaddr_in. This is the real struct sockaddr from the BSD network stack.)

Constructors

SockAddr 

Fields

saFamily :: !Family

an address family exported by Network.Socket

saAddr :: !ByteString
 

Instances

data Network Source

The network address record. Both the address and mask are in network byte order.

Constructors

Network 

Fields

netAddr :: !Word32

IPv4 network address

netMask :: !Word32

IPv4 netmask

Instances

data PktHdr Source

Constructors

PktHdr 

Fields

hdrSeconds :: !Word32

timestamp (seconds)

hdrUseconds :: !Word32

timestamp (microseconds)

hdrCaptureLength :: !Word32

number of bytes present in capture

hdrWireLength :: !Word32

number of bytes on the wire

Instances

data Statistics Source

Constructors

Statistics 

Fields

statReceived :: !Word32

packets received

statDropped :: !Word32

packets dropped by libpcap

statIfaceDropped :: !Word32

packets dropped by the network interface

Instances

Device opening

openOfflineSource

Arguments

:: FilePath

filename

-> IO (ForeignPtr PcapTag) 

openOffline opens a dump file for reading. The file format is the same as used by tcpdump and Wireshark. The string "-" is a synonym for stdin.

openLiveSource

Arguments

:: String

device name

-> Int

snapshot length

-> Bool

set to promiscuous mode?

-> Int

timeout in milliseconds

-> IO (ForeignPtr PcapTag) 

openLive is used to get a packet descriptor that can be used to look at packets on the network. The arguments are the device name, the snapshot legnth (in bytes), the promiscuity of the interface (True == promiscuous) and a timeout in milliseconds.

Using "any" as the device name will capture packets from all interfaces. On some systems, reading from the "any" device is incompatible with setting the interfaces into promiscuous mode. In that case, only packets whose link layer addresses match those of the interfaces are captured.

openDeadSource

Arguments

:: Link

datalink type

-> Int

snapshot length

-> IO (ForeignPtr PcapTag)

packet capture descriptor

openDead is used to get a packet capture descriptor without opening a file or device. It is typically used to test packet filter compilation by setFilter. The arguments are the link type and the snapshot length.

openDumpSource

Arguments

:: Ptr PcapTag

packet capture descriptor

-> FilePath

dump file name

-> IO Pdump

davefile descriptor

openDump opens a dump file for writing. This dump file is written to by the dump function. The arguments are a raw packet capture descriptor and the file name, with "-" as a synonym for stdout.

Filter handling

setFilterSource

Arguments

:: Ptr PcapTag

packet capture descriptor

-> String

filter string

-> Bool

optimize?

-> Word32

IPv4 network mask

-> IO () 

Set a filter on the specified packet capture descriptor. Valid filter strings are those accepted by tcpdump.

compileFilterSource

Arguments

:: Int

snapshot length

-> Link

datalink type

-> String

filter string

-> Bool

optimize?

-> Word32

IPv4 network mask

-> IO BpfProgram 

Compile a filter for use by another program using the Berkeley Packet Filter library.

Device utilities

lookupDev :: IO StringSource

lookupDev returns the name of a device suitable for use with openLive and lookupNet. If you only have one interface, it is the function of choice. If not, see findAllDevs.

findAllDevs :: IO [Interface]Source

findAllDevs returns a list of all the network devices that can be opened by openLive. It returns only those devices that the calling process has sufficient privileges to open, so it may not find every device on the system.

lookupNetSource

Arguments

:: String

device name

-> IO Network 

Return the network address and mask for the specified interface name. Only valid for IPv4. For other protocols, use findAllDevs and search the Interface list for the associated network mask.

Interface control

setNonBlock :: Ptr PcapTag -> Bool -> IO ()Source

Set a packet capture descriptor into non-blocking mode if the second argument is True, otherwise put it in blocking mode. Note that the packet capture descriptor must have been obtaine from openLive.

getNonBlock :: Ptr PcapTag -> IO BoolSource

Return the blocking status of the packet capture descriptor. True indicates that the descriptor is non-blocking. Descriptors referring to dump files opened by openDump always return False.

setDirection :: Ptr PcapTag -> Direction -> IO ()Source

Specify the direction in which packets are to be captured. Complete functionality is not necessarily available on all platforms.

Link layer utilities

datalink :: Ptr PcapTag -> IO LinkSource

Returns the datalink type associated with the given pcap descriptor.

setDatalink :: Ptr PcapTag -> Link -> IO ()Source

Sets the datalink type for a given pcap descriptor.

listDatalinks :: Ptr PcapTag -> IO [Link]Source

List all the datalink types supported by a pcap descriptor. Entries from the resulting list are valid arguments to setDatalink.

Packet processing

dispatchSource

Arguments

:: Ptr PcapTag

packet capture descriptor

-> Int

number of packets to process

-> Callback

packet processing function

-> IO Int

number of packets read

Collect and process packets. The arguments are the packet capture descriptor, the count and a callback function.

The count is the maximum number of packets to process before returning. A count of -1 means process all of the packets received in one buffer (if a live capture) or all of the packets in a dump file (if offline).

The callback function is passed two arguments, a packet header record and a pointer to the packet data (Ptr Word8). THe header record contains the number of bytes captured, whcih can be used to marshal the data into a list or array.

loopSource

Arguments

:: Ptr PcapTag

packet capture descriptor

-> Int

number of packet to read

-> Callback

packet processing function

-> IO Int

number of packets read

Similar to dispatch, but loop until the number of packets specified by the second argument are read. A negative value loops forever.

This function does not return when a live read tiemout occurs. Use dispatch instead if you wnat to specify a timeout.

nextSource

Arguments

:: Ptr PcapTag

packet capture descriptor

-> IO (PktHdr, Ptr Word8)

packet header and data of the next packet

Read the next packet (equivalent to calling dispatch with a count of 1).

dumpSource

Arguments

:: Ptr PcapDumpTag

dump file descriptor

-> Ptr PktHdr

packet header record

-> Ptr Word8

packet data

-> IO () 

Write the packet data given by the second and third arguments to a dump file opened by openDead. dump is designed so it can be easily used as a default callback function by dispatch or loop.

Sending packets

sendPacketSource

Arguments

:: Ptr PcapTag 
-> Ptr Word8

packet data (including link-level header)

-> Int

packet size

-> IO () 

Send a raw packet through the network interface.

Conversion

toPktHdr :: Ptr PktHdr -> IO PktHdrSource

Miscellaneous

statistics :: Ptr PcapTag -> IO StatisticsSource

Returns the number of packets received, the number of packets dropped by the packet filter and the number of packets dropped by the interface (before processing by the packet filter).

version :: Ptr PcapTag -> IO (Int, Int)Source

Version of the library. The returned pair consists of the major and minor version numbers.

isSwapped :: Ptr PcapTag -> IO BoolSource

isSwapped returns True if the current dump file uses a different byte order than the one native to the system.

snapshotLen :: Ptr PcapTag -> IO IntSource

The snapshot length that was used in the call to openLive.