| Portability | non-portable | 
|---|---|
| Stability | experimental | 
| Maintainer | bos@serpentine.com | 
Network.Pcap
Contents
Description
The Network.Pcap module is a high(ish) level binding to all of
 the functions in libpcap.  See http://www.tcpdump.org for more
 information.
This module is built on the lower-level Network.Pcap.Base module,
 which is slightly more efficient.  Don't use Network.Pcap.Base
 unless profiling data indicates that you need to.
Only a minimum of marshaling is done on received packets.  To
 convert captured packet data to a ByteString (space efficient,
 and with O(1) access to every byte in a captured packet), use
 toBS.
Note that the SockAddr exported here is not the SockAddr from
 Network.Socket. The SockAddr from Network.Socket corresponds
 to struct sockaddr_in in BSD terminology. The SockAddr record
 here is BSD's struct sockaddr. See W.R.Stevens, TCP Illustrated,
 volume 2, for further elucidation.
This binding should be portable across systems that can use the
 libpcap from tcpdump.org. It does not yet work with Winpcap, a
 similar library for Windows, although adapting it should not prove
 difficult.
- data PcapHandle
- data DumpHandle
- type BpfProgram = ForeignPtr BpfProgramTag
- type Callback = PktHdr -> Ptr Word8 -> IO ()
- type CallbackBS = PktHdr -> ByteString -> IO ()
- data Direction
- data  Link - = DLT_NULL
- | DLT_UNKNOWN Int
- | DLT_EN10MB
- | DLT_EN3MB
- | DLT_AX25
- | DLT_PRONET
- | DLT_CHAOS
- | DLT_IEEE802
- | DLT_ARCNET
- | DLT_SLIP
- | DLT_PPP
- | DLT_FDDI
- | DLT_ATM_RFC1483
- | DLT_RAW
- | DLT_SLIP_BSDOS
- | DLT_PPP_BSDOS
- | DLT_ATM_CLIP
- | DLT_REDBACK_SMARTEDGE
- | DLT_PPP_SERIAL
- | DLT_PPP_ETHER
- | DLT_SYMANTEC_FIREWALL
- | DLT_C_HDLC
- | DLT_IEEE802_11
- | DLT_FRELAY
- | DLT_LOOP
- | DLT_ENC
- | DLT_LINUX_SLL
- | DLT_LTALK
- | DLT_ECONET
- | DLT_IPFILTER
- | DLT_PFLOG
- | DLT_CISCO_IOS
- | DLT_PRISM_HEADER
- | DLT_AIRONET_HEADER
- | DLT_HHDLC
- | DLT_IP_OVER_FC
- | DLT_SUNATM
- | DLT_IEEE802_11_RADIO
- | DLT_ARCNET_LINUX
- | DLT_APPLE_IP_OVER_IEEE1394
- | DLT_MTP2_WITH_PHDR
- | DLT_MTP2
- | DLT_MTP3
- | DLT_SCCP
- | DLT_DOCSIS
- | DLT_LINUX_IRDA
- | DLT_USER0
- | DLT_USER1
- | DLT_USER2
- | DLT_USER3
- | DLT_USER4
- | DLT_USER5
- | DLT_USER6
- | DLT_USER7
- | DLT_USER8
- | DLT_USER9
- | DLT_USER10
- | DLT_USER11
- | DLT_USER12
- | DLT_USER13
- | DLT_USER14
- | DLT_USER15
- | DLT_PPP_PPPD
- | DLT_GPRS_LLC
- | DLT_GPF_T
- | DLT_GPF_F
- | DLT_LINUX_LAPD
- | DLT_A429
- | DLT_A653_ICM
- | DLT_USB
- | DLT_BLUETOOTH_HCI_H4
- | DLT_MFR
- | DLT_IEEE802_16_MAC_CPS
- | DLT_USB_LINUX
- | DLT_CAN20B
- | DLT_IEEE802_15_4_LINUX
- | DLT_PPI
- | DLT_IEEE802_16_MAC_CPS_RADIO
- | DLT_IEEE802_15_4
 
- data  Interface  = Interface {- ifName :: String
- ifDescription :: String
- ifAddresses :: [PcapAddr]
- ifFlags :: Word32
 
- data PcapAddr = PcapAddr {}
- data  SockAddr  = SockAddr {- saFamily :: !Family
- saAddr :: !ByteString
 
- data Network = Network {}
- data  PktHdr  = PktHdr {- hdrSeconds :: !Word32
- hdrUseconds :: !Word32
- hdrCaptureLength :: !Word32
- hdrWireLength :: !Word32
 
- data  Statistics  = Statistics {- statReceived :: !Word32
- statDropped :: !Word32
- statIfaceDropped :: !Word32
 
- openOffline :: FilePath -> IO PcapHandle
- openLive :: String -> Int -> Bool -> Int64 -> IO PcapHandle
- openDead :: Link -> Int -> IO PcapHandle
- openDump :: PcapHandle -> FilePath -> IO DumpHandle
- setFilter :: PcapHandle -> String -> Bool -> Word32 -> IO ()
- compileFilter :: Int -> Link -> String -> Bool -> Word32 -> IO BpfProgram
- lookupDev :: IO String
- findAllDevs :: IO [Interface]
- lookupNet :: String -> IO Network
- setNonBlock :: PcapHandle -> Bool -> IO ()
- getNonBlock :: PcapHandle -> IO Bool
- setDirection :: PcapHandle -> Direction -> IO ()
- datalink :: PcapHandle -> IO Link
- setDatalink :: PcapHandle -> Link -> IO ()
- listDatalinks :: PcapHandle -> IO [Link]
- dispatch :: PcapHandle -> Int -> Callback -> IO Int
- loop :: PcapHandle -> Int -> Callback -> IO Int
- next :: PcapHandle -> IO (PktHdr, Ptr Word8)
- dump :: DumpHandle -> Ptr PktHdr -> Ptr Word8 -> IO ()
- dispatchBS :: PcapHandle -> Int -> CallbackBS -> IO Int
- loopBS :: PcapHandle -> Int -> CallbackBS -> IO Int
- nextBS :: PcapHandle -> IO (PktHdr, ByteString)
- dumpBS :: DumpHandle -> Ptr PktHdr -> ByteString -> IO ()
- sendPacket :: PcapHandle -> Ptr Word8 -> Int -> IO ()
- sendPacketBS :: PcapHandle -> ByteString -> IO ()
- toBS :: (PktHdr, Ptr Word8) -> IO (PktHdr, ByteString)
- hdrTime :: PktHdr -> Int64
- hdrDiffTime :: PktHdr -> DiffTime
- statistics :: PcapHandle -> IO Statistics
- version :: PcapHandle -> IO (Int, Int)
- isSwapped :: PcapHandle -> IO Bool
- snapshotLen :: PcapHandle -> IO Int
Types
data PcapHandle Source
Packet capture handle.
data DumpHandle Source
Dump file handle.
type BpfProgram = ForeignPtr BpfProgramTagSource
Compiled Berkeley Packet Filter program.
type CallbackBS = PktHdr -> ByteString -> IO ()Source
Callback using ByteString for packet body.
The direction in which packets are to be captured.  See
 setDirection.
Datalink types.
This covers all of the datalink types defined in bpf.h. Types defined on your system may vary.
Constructors
| DLT_NULL | no link layer encapsulation | 
| DLT_UNKNOWN Int | unknown encapsulation | 
| DLT_EN10MB | 10 Mbit per second (or faster) ethernet | 
| DLT_EN3MB | original 3 Mbit per second ethernet | 
| DLT_AX25 | amateur radio AX.25 | 
| DLT_PRONET | Proteon ProNET Token Ring | 
| DLT_CHAOS | Chaos | 
| DLT_IEEE802 | IEEE 802 networks | 
| DLT_ARCNET | ARCNET | 
| DLT_SLIP | Serial line IP | 
| DLT_PPP | Point-to-point protocol | 
| DLT_FDDI | FDDI | 
| DLT_ATM_RFC1483 | LLC SNAP encapsulated ATM | 
| DLT_RAW | raw IP | 
| DLT_SLIP_BSDOS | BSD OS serial line IP | 
| DLT_PPP_BSDOS | BSD OS point-to-point protocol | 
| DLT_ATM_CLIP | Linux classical IP over ATM | 
| DLT_REDBACK_SMARTEDGE | Redback SmartEdge 400/800 | 
| DLT_PPP_SERIAL | PPP over serial with HDLC encapsulation | 
| DLT_PPP_ETHER | PPP over ethernet | 
| DLT_SYMANTEC_FIREWALL | Symantec Enterprise Firewall | 
| DLT_C_HDLC | Cisco HDLC | 
| DLT_IEEE802_11 | IEEE 802.11 wireless | 
| DLT_FRELAY | Frame Relay | 
| DLT_LOOP | OpenBSD loopback device | 
| DLT_ENC | Encapsulated packets for IPsec | 
| DLT_LINUX_SLL | Linux cooked sockets | 
| DLT_LTALK | Apple LocalTalk | 
| DLT_ECONET | Acorn Econet | 
| DLT_IPFILTER | OpenBSD's old ipfilter | 
| DLT_PFLOG | OpenBSD's pflog | 
| DLT_CISCO_IOS | Cisco IOS | 
| DLT_PRISM_HEADER | Intersil Prism II wireless chips | 
| DLT_AIRONET_HEADER | Aironet (Cisco) 802.11 wireless | 
| DLT_HHDLC | Siemens HiPath HDLC | 
| DLT_IP_OVER_FC | RFC 2625 IP-over-Fibre Channel | 
| DLT_SUNATM | Full Frontal ATM on Solaris with SunATM | 
| DLT_IEEE802_11_RADIO | 
 | 
| DLT_ARCNET_LINUX | Linux ARCNET header | 
| DLT_APPLE_IP_OVER_IEEE1394 | Apple IP-over-IEEE 1394 | 
| DLT_MTP2_WITH_PHDR | SS7, C7 MTP2 with pseudo-header | 
| DLT_MTP2 | SS7, C7 Message Transfer Part 2 (MPT2) | 
| DLT_MTP3 | SS7, C7 Message Transfer Part 3 (MPT3) | 
| DLT_SCCP | SS7, C7 SCCP | 
| DLT_DOCSIS | DOCSIS MAC frame | 
| DLT_LINUX_IRDA | Linux IrDA packet | 
| DLT_USER0 | Reserved for private use | 
| DLT_USER1 | Reserved for private use | 
| DLT_USER2 | Reserved for private use | 
| DLT_USER3 | Reserved for private use | 
| DLT_USER4 | Reserved for private use | 
| DLT_USER5 | Reserved for private use | 
| DLT_USER6 | Reserved for private use | 
| DLT_USER7 | Reserved for private use | 
| DLT_USER8 | Reserved for private use | 
| DLT_USER9 | Reserved for private use | 
| DLT_USER10 | Reserved for private use | 
| DLT_USER11 | Reserved for private use | 
| DLT_USER12 | Reserved for private use | 
| DLT_USER13 | Reserved for private use | 
| DLT_USER14 | Reserved for private use | 
| DLT_USER15 | Reserved for private use | 
| DLT_PPP_PPPD | Outgoing packets for ppp daemon | 
| DLT_GPRS_LLC | GPRS LLC | 
| DLT_GPF_T | GPF-T (ITU-T G.7041/Y.1303) | 
| DLT_GPF_F | GPF-F (ITU-T G.7041/Y.1303) | 
| DLT_LINUX_LAPD | Raw LAPD for vISDN (not generic LAPD) | 
| DLT_A429 | ARINC 429 | 
| DLT_A653_ICM | ARINC 653 Interpartition Communication messages | 
| DLT_USB | USB packet | 
| DLT_BLUETOOTH_HCI_H4 | Bluetooth HCI UART transport layer (part H:4) | 
| DLT_MFR | Multi Link Frame Relay (FRF.16) | 
| DLT_IEEE802_16_MAC_CPS | IEEE 802.16 MAC Common Part Sublayer | 
| DLT_USB_LINUX | USB packets, beginning with a Linux USB header | 
| DLT_CAN20B | Controller Area Network (CAN) v2.0B | 
| DLT_IEEE802_15_4_LINUX | IEEE 802.15.4, with address fields padded | 
| DLT_PPI | Per Packet Information encapsulated packets | 
| DLT_IEEE802_16_MAC_CPS_RADIO | 
 | 
| DLT_IEEE802_15_4 | IEEE 802.15.4, exactly as in the spec | 
The interface structure.
Constructors
| Interface | |
| Fields 
 | |
The address structure.
Constructors
| PcapAddr | |
The socket address record. Note that this is not the same as
 SockAddr from Network.Socket. (That is a Haskell version of C's
 struct sockaddr_in. This is the real struct sockaddr from the
 BSD network stack.)
Constructors
| SockAddr | |
| Fields 
 | |
The network address record. Both the address and mask are in network byte order.
Constructors
| PktHdr | |
| Fields 
 | |
data Statistics Source
Constructors
| Statistics | |
| Fields 
 | |
Instances
Device opening
Arguments
| :: FilePath | name of dump file to read | 
| -> IO PcapHandle | 
openOffline opens a dump file for reading. The file format is
 the same as used by tcpdump and Wireshark. The string "-" is
 a synonym for stdin.
Arguments
| :: String | device name | 
| -> Int | snapshot length | 
| -> Bool | set interface to promiscuous mode? | 
| -> Int64 | timeout in microseconds | 
| -> IO PcapHandle | 
openLive is used to get a PcapHandle that can be used to look
 at packets on the network. The arguments are the device name, the
 snapshot length (in bytes), the promiscuity of the interface
 (True == promiscuous) and a timeout in microseconds.
The timeout allows the packet filter to delay while accumulating multiple packets, which is more efficient than reading packets one by one. A timeout of zero will wait indefinitely for "enough" packets to arrive.
Using "any" as the device name will capture packets from all
 interfaces.  On some systems, reading from the "any" device is
 incompatible with setting the interfaces into promiscuous mode. In
 that case, only packets whose link layer addresses match those of
 the interfaces are captured.
Arguments
| :: Link | datalink type | 
| -> Int | snapshot length | 
| -> IO PcapHandle | 
openDead is used to get a PcapHandle without opening a file
 or device. It is typically used to test packet filter compilation
 by setFilter. The arguments are the link type and the snapshot
 length.
Arguments
| :: PcapHandle | packet capture handle | 
| -> FilePath | name of dump file to write to | 
| -> IO DumpHandle | 
Filter handling
Arguments
| :: PcapHandle | handle on which to set filter | 
| -> String | filter string | 
| -> Bool | optimize? | 
| -> Word32 | IPv4 network mask | 
| -> IO () | 
Set a filter on the specified packet capture handle. Valid filter
 strings are those accepted by tcpdump.
Arguments
| :: Int | snapshot length | 
| -> Link | datalink type | 
| -> String | filter string | 
| -> Bool | optimize? | 
| -> Word32 | IPv4 network mask | 
| -> IO BpfProgram | 
Compile a filter for use by another program using the Berkeley Packet Filter library.
Device utilities
lookupDev returns the name of a device suitable for use with
 openLive and lookupNet. If you only have one interface, it is
 the function of choice. If not, see findAllDevs.
findAllDevs :: IO [Interface]Source
findAllDevs returns a list of all the network devices that can
 be opened by openLive. It returns only those devices that the
 calling process has sufficient privileges to open, so it may not
 find every device on the system.
Return the network address and mask for the specified interface
 name. Only valid for IPv4. For other protocols, use findAllDevs
 and search the Interface list for the associated network mask.
Interface control
Arguments
| :: PcapHandle | must have been obtained from  | 
| -> Bool | set/unset blocking mode | 
| -> IO () | 
Set the given PcapHandle into non-blocking mode if the second
 argument is True, otherwise put it in blocking mode. Note that
 the PcapHandle must have been obtained from openLive.
getNonBlock :: PcapHandle -> IO BoolSource
Return the blocking status of the PcapHandle. True indicates
 that the handle is non-blocking. Handles referring to dump files
 opened by openDump always return False.
setDirection :: PcapHandle -> Direction -> IO ()Source
Specify the direction in which packets are to be captured. Complete functionality is not necessarily available on all platforms.
Link layer utilities
datalink :: PcapHandle -> IO LinkSource
Returns the datalink type associated with the given handle.
setDatalink :: PcapHandle -> Link -> IO ()Source
Sets the datalink type for the given handle.
listDatalinks :: PcapHandle -> IO [Link]Source
List all the datalink types supported by the given
 handle. Entries from the resulting list are valid arguments to
 setDatalink.
Packet processing
Arguments
| :: PcapHandle | |
| -> Int | number of packets to process | 
| -> Callback | packet processing function | 
| -> IO Int | number of packets read | 
Collect and process packets.
The count is the maximum number of packets to process before returning. A count of -1 means process all of the packets received in one buffer (if a live capture) or all of the packets in a dump file (if offline).
The callback function is passed two arguments, a packet header
 record and a pointer to the packet data (Ptr Word8). THe header
 record contains the number of bytes captured, which can be used to
 marshal the data into a list, array, or ByteString (using
 toBS).
Arguments
| :: PcapHandle | |
| -> Int | number of packets to read (-1 == loop forever) | 
| -> Callback | packet processing function | 
| -> IO Int | number of packets read | 
next :: PcapHandle -> IO (PktHdr, Ptr Word8)Source
Read the next packet (equivalent to calling dispatch with a
 count of 1).
ByteString variants
Arguments
| :: PcapHandle | |
| -> Int | number of packets to process | 
| -> CallbackBS | packet processing function | 
| -> IO Int | number of packets read | 
Variant of dispatch for use with ByteString.
Arguments
| :: PcapHandle | |
| -> Int | number of packets to read (-1 == loop forever) | 
| -> CallbackBS | packet processing function | 
| -> IO Int | number of packets read | 
Variant of loop for use with ByteString.
nextBS :: PcapHandle -> IO (PktHdr, ByteString)Source
Arguments
| :: DumpHandle | |
| -> Ptr PktHdr | packet header record | 
| -> ByteString | packet data | 
| -> IO () | 
Sending packets
Arguments
| :: PcapHandle | |
| -> Ptr Word8 | packet data (including link-level header) | 
| -> Int | packet size | 
| -> IO () | 
Send a raw packet through the network interface.
Arguments
| :: PcapHandle | |
| -> ByteString | packet data (including link-level header) | 
| -> IO () | 
Variant of sendPacket for use with ByteString.
Conversion
hdrTime :: PktHdr -> Int64Source
Get the timestamp of a packet as a single quantity, in microseconds.
hdrDiffTime :: PktHdr -> DiffTimeSource
Get the timestamp of a packet as a DiffTime.
Miscellaneous
statistics :: PcapHandle -> IO StatisticsSource
Returns the number of packets received, the number of packets dropped by the packet filter and the number of packets dropped by the interface (before processing by the packet filter).
version :: PcapHandle -> IO (Int, Int)Source
Version of the library. The returned pair consists of the major and minor version numbers.
isSwapped :: PcapHandle -> IO BoolSource
snapshotLen :: PcapHandle -> IO IntSource
The snapshot length that was used in the call to openLive.