the-tcpdump-group / libpcap

the LIBpcap interface to various kernel packet capture mechanism
https://www.tcpdump.org/

pcap_open_live vs pcap_create & pcap_activate #1117

Closed rexlManu closed 2 years ago

rexlManu commented 2 years ago

Hey, I want to know the difference between them.

I have a setup with a remote rpcap and am trying to capture from it. I found out that it works with pcap_open_live, but I receive NoSuchDevice when trying with pcap_activate.

As an example, my testing code:

    #include <pcap/pcap.h>
    #include <stdio.h>

    int main(void)
    {
        char error_buffer[PCAP_ERRBUF_SIZE];
        pcap_t *handle;
        const u_char *packet;
        struct pcap_pkthdr packet_header;
        int packet_count_limit = 1;   /* passed as the promiscuous-mode flag below */
        int timeout_limit = 10000;    /* In milliseconds */

        /* First attempt: the create/activate API */
        // handle = pcap_create("rpcap://192.168.2.115:1337/\\Device\\NPF_{D55DEB80-AD97-4004-9F0C-FD5661D9FC45}", error_buffer);
        // if (handle == NULL) {
        //     fprintf(stderr, "Error creating packet capture handle: %s\n", error_buffer);
        //     return -1;
        // }
        //
        // pcap_set_promisc(handle, packet_count_limit);
        // pcap_set_snaplen(handle, BUFSIZ);
        // pcap_set_timeout(handle, timeout_limit);
        //
        // int code = pcap_activate(handle);
        // if (code < 0) {
        //     fprintf(stderr, "Error activating packet capture handle: %s\n", pcap_geterr(handle));
        //     return -1;
        // }
        // Leads to no such device

        /* Second attempt: open device for live capture */
        handle = pcap_open_live("rpcap://192.168.2.115:1337/\\Device\\NPF_{D55DEB80-AD97-4004-9F0C-FD5661D9FC45}", BUFSIZ, packet_count_limit, timeout_limit, error_buffer);

        if (handle == NULL) {
            fprintf(stderr, "Error creating packet capture handle: %s\n", error_buffer);
            return -1;
        }

        /* Attempt to capture one packet. If there is no network traffic
           and the timeout is reached, it will return NULL */
        packet = pcap_next(handle, &packet_header);
        if (packet == NULL) {
            printf("No packet found.\n");
            pcap_close(handle);
            return 2;
        }

        // I found a packet and can even print len
        printf("Captured packet, len = %u\n", packet_header.len);

        pcap_close(handle);
        return 0;
    }

So my question is: what is the difference? I thought pcap_open_live was in something like a deprecated state.

guyharris commented 2 years ago

I have a setup with a remote rpcap and am trying to capture from it. I found out that it works with pcap_open_live, but I receive NoSuchDevice when trying with pcap_activate.

Currently:

The ultimate goal is to support it with pcap_create() (or, perhaps, an extended version of pcap_create()) and pcap_activate().

So my question is: what is the difference? I thought pcap_open_live was in something like a deprecated state.

It is. For local capture, pcap_create()/pcap_activate() can do everything pcap_open_live() can do and more. For remote capture, pcap_open() can do everything pcap_open_live() can do and more.

rexlManu commented 2 years ago

I finally checked the code behind the API. Actually, I'm using https://github.com/dotpcap/sharppcap and just created a dummy C project to test it, and after reviewing the code I found out that pcap_open_live does much more than pcap_create / activate.

So thanks for your answer.

So for future coders who get the same problem: use pcap_open :)

guyharris commented 2 years ago

I found out that pcap_open_live does much more than pcap_create / activate.

What it's doing is a combination of

  1. working around, for backwards source (and, for WinPcap/Npcap, binary) compatibility, the current lack of support for remote capture in the create/activate API (that's the stuff in the beginning inside #ifdef ENABLE_REMOTE/#endif);
  2. implementing everything else atop the create/activate API.

The goal is to eliminate the first of those, once there's a create/activate API to support remote capture as well as local capture.