


Ubuntu 11.04,IP:,广播地址:,子网掩码:
sudo ifconfig eth0 broadcast netmask

sudo make install

  1. all: test.c
  2. gcc -g -Wall -o test test.c -lpcap
  3. clean:
  4. rm -rf *.o test
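# Build the libpcap demo program; -lpcap links against libpcap.
# The "clean:" target line is restored so the rm recipe has a target again.
.PHONY: all clean

all: test.c
	gcc -g -Wall -o test test.c -lpcap

# Remove object files and the built binary.
clean:
	rm -rf *.o test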


  1. #include <pcap.h>
  2. #include <stdio.h>
  /*
   * Ask libpcap for a default capture device and report the outcome.
   *
   * Prints the device name on success, or the libpcap error text left in
   * errBuf on failure. The exit status is 0 in both cases.
   */
  int main()
  {
      char errBuf[PCAP_ERRBUF_SIZE];
      char *device = pcap_lookupdev(errBuf);

      /* NULL means no device was found; errBuf then holds the reason. */
      if (device == NULL) {
          printf("error: %s\n", errBuf);
          return 0;
      }

      printf("success: device: %s\n", device);
      return 0;
  }
#include <pcap.h>
#include <stdio.h>

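/*
 * Ask libpcap for a default capture device and report the outcome.
 *
 * Prints the device name on success. On failure prints the libpcap error
 * text to stderr and returns 1, so a caller can tell the two cases apart.
 *
 * NOTE: pcap_lookupdev() is deprecated in newer libpcap releases in favour
 * of pcap_findalldevs(); it is kept here to match the tutorial text.
 */
int main()
{
    char errBuf[PCAP_ERRBUF_SIZE];
    char *device = pcap_lookupdev(errBuf);

    /* NULL means no device was found; errBuf then holds the reason. */
    if (device == NULL) {
        fprintf(stderr, "error: %s\n", errBuf);
        return 1;
    }

    printf("success: device: %s\n", device);
    return 0;
}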


运行test的时候输出"no suitable device found",原因是我们没有以root权限运行,以root权限运行后就正常了。在Linux上也可以只给该可执行文件授予CAP_NET_RAW和CAP_NET_ADMIN能力,这样抓包程序就不必以完整的root权限运行。


char * pcap_lookupdev(char * errbuf)

void pcap_close(pcap_t * p)

pcap_t * pcap_open_live(const char * device, int snaplen, int promisc, int to_ms, char * errbuf)
第三个参数指定是否打开混杂模式(Promiscuous Mode),0表示非混杂模式,任何其他值表示混杂模式。如果要打开混杂模式,那么网卡必须也要打开混杂模式,可以使用如下的命令打开eth0混杂模式:
ifconfig eth0 promisc

u_char * pcap_next(pcap_t * p, struct pcap_pkthdr * h)
  /*
   * Per-packet header that libpcap hands back alongside the packet bytes.
   * Only caplen bytes of the packet buffer are valid; len is the size the
   * packet had on the wire and can be larger than caplen.
   */
  struct pcap_pkthdr
  {
      struct timeval ts;   /* time stamp */
      bpf_u_int32 caplen;  /* length of portion present */
      bpf_u_int32 len;     /* length this packet (off wire) */
  };
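/*
 * Per-packet header that libpcap hands back alongside the packet bytes.
 * Only caplen bytes of the packet buffer are valid; len is the size the
 * packet had on the wire and can be larger than caplen, so code that walks
 * the buffer must bound itself by caplen.
 */
struct pcap_pkthdr
{
    struct timeval ts;    /* time stamp */
    bpf_u_int32 caplen;   /* length of portion present */
    bpf_u_int32 len;      /* length this packet (off wire) */
};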


int pcap_loop(pcap_t * p, int cnt, pcap_handler callback, u_char * user)
void callback(u_char * userarg, const struct pcap_pkthdr * pkthdr, const u_char * packet)

int pcap_dispatch(pcap_t * p, int cnt, pcap_handler callback, u_char * user)




  1. #include <pcap.h>
  2. #include <time.h>
  3. #include <stdlib.h>
  4. #include <stdio.h>
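  /*
   * Capture one packet from the default device and print its header fields.
   *
   * Looks up a device, opens it with a 65535-byte snapshot length in
   * promiscuous mode, reads a single packet with pcap_next() and prints the
   * wire length, the captured length and the capture time. Exits with
   * status 1 if the lookup, the open or the read fails.
   */
  int main()
  {
      char errBuf[PCAP_ERRBUF_SIZE];

      /* get a device */
      char *devStr = pcap_lookupdev(errBuf);
      if (!devStr) {
          printf("error: %s\n", errBuf);
          exit(1);
      }
      printf("success: device: %s\n", devStr);

      /* open a device, wait until a packet arrives */
      pcap_t *device = pcap_open_live(devStr, 65535, 1, 0, errBuf);
      if (!device) {
          printf("error: pcap_open_live(): %s\n", errBuf);
          exit(1);
      }

      /* wait a packet to arrive */
      struct pcap_pkthdr packet;
      const u_char *pktStr = pcap_next(device, &packet);
      if (!pktStr) {
          printf("did not capture a packet!\n");
          pcap_close(device);  /* release the handle on the error path too */
          exit(1);
      }

      /* len and caplen are bpf_u_int32 (unsigned), so print them with %u */
      printf("Packet length: %u\n", packet.len);
      printf("Number of bytes: %u\n", packet.caplen);

      /*
       * Copy tv_sec into a real time_t instead of casting its address:
       * the cast is only correct where tv_sec has exactly time_t's layout.
       */
      time_t when = packet.ts.tv_sec;
      printf("Recieved time: %s\n", ctime(&when));

      pcap_close(device);
      return 0;
  }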
#include <pcap.h>
#include <time.h>
#include <stdlib.h>
#include <stdio.h>

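/*
 * Capture one packet from the default device and print its header fields.
 *
 * Looks up a device, opens it with a 65535-byte snapshot length in
 * promiscuous mode, reads a single packet with pcap_next() and prints the
 * wire length, the captured length and the capture time. Exits with
 * status 1 if the lookup, the open or the read fails. The if/else guards,
 * exit calls and pcap_close() are written out in full here.
 */
int main()
{
    char errBuf[PCAP_ERRBUF_SIZE];

    /* get a device */
    char *devStr = pcap_lookupdev(errBuf);
    if (!devStr) {
        printf("error: %s\n", errBuf);
        exit(1);
    }
    printf("success: device: %s\n", devStr);

    /* open a device, wait until a packet arrives */
    pcap_t *device = pcap_open_live(devStr, 65535, 1, 0, errBuf);
    if (!device) {
        printf("error: pcap_open_live(): %s\n", errBuf);
        exit(1);
    }

    /* wait a packet to arrive */
    struct pcap_pkthdr packet;
    const u_char *pktStr = pcap_next(device, &packet);
    if (!pktStr) {
        printf("did not capture a packet!\n");
        pcap_close(device);  /* release the handle on the error path too */
        exit(1);
    }

    /* len and caplen are bpf_u_int32 (unsigned), so print them with %u */
    printf("Packet length: %u\n", packet.len);
    printf("Number of bytes: %u\n", packet.caplen);

    /*
     * Copy tv_sec into a real time_t instead of casting its address:
     * the cast is only correct where tv_sec has exactly time_t's layout.
     */
    time_t when = packet.ts.tv_sec;
    printf("Recieved time: %s\n", ctime(&when));

    pcap_close(device);
    return 0;
}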


  1. #include <pcap.h>
  2. #include <time.h>
  3. #include <stdlib.h>
  4. #include <stdio.h>
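  /*
   * pcap_loop() callback: print a running packet number, the header fields
   * and a hex dump of the captured bytes, 16 per row.
   *
   * arg     points to an int counter owned by the caller; bumped on each call
   * pkthdr  libpcap header for this packet (timestamp, caplen, len)
   * packet  the captured bytes; only pkthdr->caplen of them are valid
   */
  void getPacket(u_char * arg, const struct pcap_pkthdr * pkthdr, const u_char * packet)
  {
      int *id = (int *)arg;
      /* copy into a real time_t rather than casting the address of tv_sec */
      time_t when = pkthdr->ts.tv_sec;
      bpf_u_int32 i;

      printf("id: %d\n", ++(*id));
      printf("Packet length: %u\n", pkthdr->len);
      printf("Number of bytes: %u\n", pkthdr->caplen);
      printf("Recieved time: %s", ctime(&when));

      /*
       * Walk caplen bytes, not len. len is the size on the wire; when the
       * snapshot length truncates a packet the buffer holds only caplen
       * bytes, and indexing up to len would read past the end of it.
       */
      for (i = 0; i < pkthdr->caplen; ++i) {
          printf(" %02x", packet[i]);
          if ((i + 1) % 16 == 0) {
              printf("\n");
          }
      }

      printf("\n\n");
  }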
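  /*
   * Capture packets on the default device until pcap_loop() stops, handing
   * each one to getPacket().
   *
   * The device is opened with a 65535-byte snapshot length in promiscuous
   * mode. A packet counter is passed to the callback through the user
   * argument. Exits with status 1 if the lookup, the open or the capture
   * loop fails.
   */
  int main()
  {
      char errBuf[PCAP_ERRBUF_SIZE];

      /* get a device */
      char *devStr = pcap_lookupdev(errBuf);
      if (!devStr) {
          printf("error: %s\n", errBuf);
          exit(1);
      }
      printf("success: device: %s\n", devStr);

      /* open a device, wait until a packet arrives */
      pcap_t *device = pcap_open_live(devStr, 65535, 1, 0, errBuf);
      if (!device) {
          printf("error: pcap_open_live(): %s\n", errBuf);
          exit(1);
      }

      /* wait loop forever (cnt == -1); id is the callback's packet counter */
      int id = 0;
      if (pcap_loop(device, -1, getPacket, (u_char *)&id) == -1) {
          /* a capture error ended the loop; report it instead of exiting 0 */
          printf("error: pcap_loop(): %s\n", pcap_geterr(device));
          pcap_close(device);
          exit(1);
      }

      pcap_close(device);
      return 0;
  }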
#include <pcap.h>
#include <time.h>
#include <stdlib.h>
#include <stdio.h>

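/*
 * pcap_loop() callback: print a running packet number, the header fields
 * and a hex dump of the captured bytes, 16 per row.
 *
 * arg     points to an int counter owned by the caller; bumped on each call
 * pkthdr  libpcap header for this packet (timestamp, caplen, len)
 * packet  the captured bytes; only pkthdr->caplen of them are valid
 */
void getPacket(u_char * arg, const struct pcap_pkthdr * pkthdr, const u_char * packet)
{
    int *id = (int *)arg;
    /* copy into a real time_t rather than casting the address of tv_sec */
    time_t when = pkthdr->ts.tv_sec;
    bpf_u_int32 i;

    printf("id: %d\n", ++(*id));
    printf("Packet length: %u\n", pkthdr->len);
    printf("Number of bytes: %u\n", pkthdr->caplen);
    printf("Recieved time: %s", ctime(&when));

    /*
     * Walk caplen bytes, not len. len is the size on the wire; when the
     * snapshot length truncates a packet the buffer holds only caplen
     * bytes, and indexing up to len would read past the end of it.
     */
    for (i = 0; i < pkthdr->caplen; ++i) {
        printf(" %02x", packet[i]);
        if ((i + 1) % 16 == 0) {
            printf("\n");
        }
    }

    printf("\n\n");
}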

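/*
 * Capture packets on the default device until pcap_loop() stops, handing
 * each one to getPacket().
 *
 * The device is opened with a 65535-byte snapshot length in promiscuous
 * mode. A packet counter is passed to the callback through the user
 * argument. Exits with status 1 if the lookup, the open or the capture
 * loop fails. The if/else guards, exit calls and pcap_close() are written
 * out in full here.
 */
int main()
{
    char errBuf[PCAP_ERRBUF_SIZE];

    /* get a device */
    char *devStr = pcap_lookupdev(errBuf);
    if (!devStr) {
        printf("error: %s\n", errBuf);
        exit(1);
    }
    printf("success: device: %s\n", devStr);

    /* open a device, wait until a packet arrives */
    pcap_t *device = pcap_open_live(devStr, 65535, 1, 0, errBuf);
    if (!device) {
        printf("error: pcap_open_live(): %s\n", errBuf);
        exit(1);
    }

    /* wait loop forever (cnt == -1); id is the callback's packet counter */
    int id = 0;
    if (pcap_loop(device, -1, getPacket, (u_char *)&id) == -1) {
        /* a capture error ended the loop; report it instead of exiting 0 */
        printf("error: pcap_loop(): %s\n", pcap_geterr(device));
        pcap_close(device);
        exit(1);
    }

    pcap_close(device);
    return 0;
}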




几乎所有的操作系统(BSD, AIX, Mac OS, Linux等)都会在内核中提供过滤数据包的方法,主要都是基于BSD Packet Filter(BPF)结构的。libpcap利用BPF来过滤数据包。
a) 构造一个过滤表达式
b) 编译这个表达式
c) 应用这个过滤器


BPF使用一种类似于汇编语言的语法书写过滤表达式,不过libpcap和tcpdump都把它封装成更高级且更容易的语法了,具体可以man tcpdump,以下是一些例子:
src host

dst port 80

not tcp

tcp[13] == 0x02 and (dst port 22 or dst port 23)

icmp[icmptype] == icmp-echoreply or icmp[icmptype] == icmp-echo

ether dst 00:e0:09:c1:0e:82

ip[8] == 5

int pcap_compile(pcap_t * p, struct bpf_program * fp, char * str, int optimize, bpf_u_int32 netmask)

int pcap_setfilter(pcap_t * p, struct bpf_program * fp)


  1. #include <pcap.h>
  2. #include <time.h>
  3. #include <stdlib.h>
  4. #include <stdio.h>
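  /*
   * pcap_loop() callback: print a running packet number, the header fields
   * and a hex dump of the captured bytes, 16 per row.
   *
   * arg     points to an int counter owned by the caller; bumped on each call
   * pkthdr  libpcap header for this packet (timestamp, caplen, len)
   * packet  the captured bytes; only pkthdr->caplen of them are valid
   */
  void getPacket(u_char * arg, const struct pcap_pkthdr * pkthdr, const u_char * packet)
  {
      int *id = (int *)arg;
      /* copy into a real time_t rather than casting the address of tv_sec */
      time_t when = pkthdr->ts.tv_sec;
      bpf_u_int32 i;

      printf("id: %d\n", ++(*id));
      printf("Packet length: %u\n", pkthdr->len);
      printf("Number of bytes: %u\n", pkthdr->caplen);
      printf("Recieved time: %s", ctime(&when));

      /*
       * Walk caplen bytes, not len. len is the size on the wire; when the
       * snapshot length truncates a packet the buffer holds only caplen
       * bytes, and indexing up to len would read past the end of it.
       */
      for (i = 0; i < pkthdr->caplen; ++i) {
          printf(" %02x", packet[i]);
          if ((i + 1) % 16 == 0) {
              printf("\n");
          }
      }

      printf("\n\n");
  }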
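  /*
   * Capture only packets matching "dst port 80" on the default device and
   * hand each one to getPacket().
   *
   * Steps: look up a device, open it (65535-byte snapshot length,
   * promiscuous mode), compile the filter expression, install it, then run
   * pcap_loop() with no packet limit. Exits with status 1 if any step
   * fails, so a filter that did not compile or install never results in an
   * unfiltered capture.
   */
  int main()
  {
      char errBuf[PCAP_ERRBUF_SIZE];

      /* get a device */
      char *devStr = pcap_lookupdev(errBuf);
      if (!devStr) {
          printf("error: %s\n", errBuf);
          exit(1);
      }
      printf("success: device: %s\n", devStr);

      /* open a device, wait until a packet arrives */
      pcap_t *device = pcap_open_live(devStr, 65535, 1, 0, errBuf);
      if (!device) {
          printf("error: pcap_open_live(): %s\n", errBuf);
          exit(1);
      }

      /*
       * construct a filter
       * The last argument is the netmask; 0 is enough for a port filter.
       * Filters that test for IPv4 broadcast need the real mask, which
       * pcap_lookupnet() can supply.
       */
      struct bpf_program filter;
      if (pcap_compile(device, &filter, "dst port 80", 1, 0) != 0) {
          /* on failure the program struct is not usable; do not install it */
          printf("error: pcap_compile(): %s\n", pcap_geterr(device));
          pcap_close(device);
          exit(1);
      }
      if (pcap_setfilter(device, &filter) != 0) {
          printf("error: pcap_setfilter(): %s\n", pcap_geterr(device));
          pcap_freecode(&filter);
          pcap_close(device);
          exit(1);
      }
      /* the compiled program is no longer needed once it is installed */
      pcap_freecode(&filter);

      /* wait loop forever (cnt == -1); id is the callback's packet counter */
      int id = 0;
      if (pcap_loop(device, -1, getPacket, (u_char *)&id) == -1) {
          printf("error: pcap_loop(): %s\n", pcap_geterr(device));
          pcap_close(device);
          exit(1);
      }

      pcap_close(device);
      return 0;
  }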
#include <pcap.h>
#include <time.h>
#include <stdlib.h>
#include <stdio.h>

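/*
 * pcap_loop() callback: print a running packet number, the header fields
 * and a hex dump of the captured bytes, 16 per row.
 *
 * arg     points to an int counter owned by the caller; bumped on each call
 * pkthdr  libpcap header for this packet (timestamp, caplen, len)
 * packet  the captured bytes; only pkthdr->caplen of them are valid
 */
void getPacket(u_char * arg, const struct pcap_pkthdr * pkthdr, const u_char * packet)
{
    int *id = (int *)arg;
    /* copy into a real time_t rather than casting the address of tv_sec */
    time_t when = pkthdr->ts.tv_sec;
    bpf_u_int32 i;

    printf("id: %d\n", ++(*id));
    printf("Packet length: %u\n", pkthdr->len);
    printf("Number of bytes: %u\n", pkthdr->caplen);
    printf("Recieved time: %s", ctime(&when));

    /*
     * Walk caplen bytes, not len. len is the size on the wire; when the
     * snapshot length truncates a packet the buffer holds only caplen
     * bytes, and indexing up to len would read past the end of it.
     */
    for (i = 0; i < pkthdr->caplen; ++i) {
        printf(" %02x", packet[i]);
        if ((i + 1) % 16 == 0) {
            printf("\n");
        }
    }

    printf("\n\n");
}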

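/*
 * Capture only packets matching "dst port 80" on the default device and
 * hand each one to getPacket().
 *
 * Steps: look up a device, open it (65535-byte snapshot length,
 * promiscuous mode), compile the filter expression, install it, then run
 * pcap_loop() with no packet limit. Exits with status 1 if any step fails,
 * so a filter that did not compile or install never results in an
 * unfiltered capture. The if/else guards, exit calls and pcap_close() are
 * written out in full here.
 */
int main()
{
    char errBuf[PCAP_ERRBUF_SIZE];

    /* get a device */
    char *devStr = pcap_lookupdev(errBuf);
    if (!devStr) {
        printf("error: %s\n", errBuf);
        exit(1);
    }
    printf("success: device: %s\n", devStr);

    /* open a device, wait until a packet arrives */
    pcap_t *device = pcap_open_live(devStr, 65535, 1, 0, errBuf);
    if (!device) {
        printf("error: pcap_open_live(): %s\n", errBuf);
        exit(1);
    }

    /*
     * construct a filter
     * The last argument is the netmask; 0 is enough for a port filter.
     * Filters that test for IPv4 broadcast need the real mask, which
     * pcap_lookupnet() can supply.
     */
    struct bpf_program filter;
    if (pcap_compile(device, &filter, "dst port 80", 1, 0) != 0) {
        /* on failure the program struct is not usable; do not install it */
        printf("error: pcap_compile(): %s\n", pcap_geterr(device));
        pcap_close(device);
        exit(1);
    }
    if (pcap_setfilter(device, &filter) != 0) {
        printf("error: pcap_setfilter(): %s\n", pcap_geterr(device));
        pcap_freecode(&filter);
        pcap_close(device);
        exit(1);
    }
    /* the compiled program is no longer needed once it is installed */
    pcap_freecode(&filter);

    /* wait loop forever (cnt == -1); id is the callback's packet counter */
    int id = 0;
    if (pcap_loop(device, -1, getPacket, (u_char *)&id) == -1) {
        printf("error: pcap_loop(): %s\n", pcap_geterr(device));
        pcap_close(device);
        exit(1);
    }

    pcap_close(device);
    return 0;
}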




  1. all: tcp_client.c tcp_server.c
  2. gcc -g -Wall -o tcp_client tcp_client.c
  3. gcc -g -Wall -o tcp_server tcp_server.c
  4. clean:
  5. rm -rf *.o tcp_client tcp_server
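# Build the TCP echo client and server used to generate test traffic.
# The "clean:" target line is restored so the rm recipe has a target again.
.PHONY: all clean

all: tcp_client.c tcp_server.c
	gcc -g -Wall -o tcp_client tcp_client.c
	gcc -g -Wall -o tcp_server tcp_server.c

# Remove object files and both built binaries.
clean:
	rm -rf *.o tcp_client tcp_server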


  1. #include <sys/types.h>
  2. #include <sys/socket.h>
  3. #include <netinet/in.h>
  4. #include <arpa/inet.h>
  5. #include <unistd.h>
  6. #include <stdlib.h>
  7. #include <stdio.h>
  8. #define PORT 9832
  9. #define SERVER_IP ""
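  /*
   * Single-threaded TCP test server: accept a connection, read one byte,
   * send back that byte plus one, close the connection, repeat.
   *
   * Listens on SERVER_IP:PORT. Exits with status 1 if the address is
   * invalid or the listening socket cannot be set up; a failure on one
   * client connection is reported and the server moves on to the next.
   */
  int main()
  {
      /* create a socket */
      int server_sockfd = socket(AF_INET, SOCK_STREAM, 0);
      if (server_sockfd == -1) {
          perror("socket failed: ");
          exit(1);
      }

      /* zero the whole struct so sin_zero and padding are not stack garbage */
      struct sockaddr_in server_addr = {0};
      server_addr.sin_family = AF_INET;
      server_addr.sin_addr.s_addr = inet_addr(SERVER_IP);
      server_addr.sin_port = htons(PORT);
      /* inet_addr() signals a malformed address by returning INADDR_NONE */
      if (server_addr.sin_addr.s_addr == INADDR_NONE) {
          fprintf(stderr, "invalid SERVER_IP: \"%s\"\n", SERVER_IP);
          close(server_sockfd);
          exit(1);
      }

      /* bind the socket to the local address and port */
      if (bind(server_sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr)) == -1) {
          perror("bind failed: ");
          close(server_sockfd);
          exit(1);
      }

      /* listen */
      if (listen(server_sockfd, 5) == -1) {
          perror("listen failed: ");
          close(server_sockfd);
          exit(1);
      }

      while (1) {
          struct sockaddr_in client_addr;
          /* accept() overwrites len, so reset it before every call */
          socklen_t len = sizeof(client_addr);
          char ch;

          printf("server waiting:\n");

          /* accept a connection */
          int client_sockfd = accept(server_sockfd, (struct sockaddr *)&client_addr, &len);
          if (client_sockfd == -1) {
              perror("accept failed: ");
              continue;
          }

          /* exchange data: only echo when exactly one byte actually arrived */
          if (read(client_sockfd, &ch, 1) == 1) {
              printf("get char from client: %c\n", ch);
              ++ch;
              if (write(client_sockfd, &ch, 1) != 1) {
                  perror("write failed: ");
              }
          } else {
              fprintf(stderr, "client sent no data\n");
          }

          /* close the socket */
          close(client_sockfd);
      }

      return 0;
  }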
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

#define PORT 9832
#define SERVER_IP ""

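/*
 * Single-threaded TCP test server: accept a connection, read one byte,
 * send back that byte plus one, close the connection, repeat.
 *
 * Listens on SERVER_IP:PORT. Exits with status 1 if the address is invalid
 * or the listening socket cannot be set up; a failure on one client
 * connection is reported and the server moves on to the next. The accept
 * loop, the ++ch step and the per-client close() are written out in full.
 */
int main()
{
    /* create a socket */
    int server_sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (server_sockfd == -1) {
        perror("socket failed: ");
        exit(1);
    }

    /* zero the whole struct so sin_zero and padding are not stack garbage */
    struct sockaddr_in server_addr = {0};
    server_addr.sin_family = AF_INET;
    server_addr.sin_addr.s_addr = inet_addr(SERVER_IP);
    server_addr.sin_port = htons(PORT);
    /* inet_addr() signals a malformed address by returning INADDR_NONE */
    if (server_addr.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "invalid SERVER_IP: \"%s\"\n", SERVER_IP);
        close(server_sockfd);
        exit(1);
    }

    /* bind the socket to the local address and port */
    if (bind(server_sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr)) == -1) {
        perror("bind failed: ");
        close(server_sockfd);
        exit(1);
    }

    /* listen */
    if (listen(server_sockfd, 5) == -1) {
        perror("listen failed: ");
        close(server_sockfd);
        exit(1);
    }

    while (1) {
        struct sockaddr_in client_addr;
        /* accept() overwrites len, so reset it before every call */
        socklen_t len = sizeof(client_addr);
        char ch;

        printf("server waiting:\n");

        /* accept a connection */
        int client_sockfd = accept(server_sockfd, (struct sockaddr *)&client_addr, &len);
        if (client_sockfd == -1) {
            perror("accept failed: ");
            continue;
        }

        /* exchange data: only echo when exactly one byte actually arrived */
        if (read(client_sockfd, &ch, 1) == 1) {
            printf("get char from client: %c\n", ch);
            ++ch;
            if (write(client_sockfd, &ch, 1) != 1) {
                perror("write failed: ");
            }
        } else {
            fprintf(stderr, "client sent no data\n");
        }

        /* close the socket */
        close(client_sockfd);
    }

    return 0;
}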


  1. #include <sys/types.h>
  2. #include <sys/socket.h>
  3. #include <netinet/in.h>
  4. #include <arpa/inet.h>
  5. #include <unistd.h>
  6. #include <stdlib.h>
  7. #include <stdio.h>
  8. #define PORT 9832
  9. #define SERVER_IP ""
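  /*
   * TCP test client: connect to SERVER_IP:PORT, send the byte 'A', read one
   * byte back and print it.
   *
   * Exits with status 1 if the address is invalid, or if the socket, the
   * connect, the write or the read fails, so a stale 'A' is never printed
   * as if it had come from the server.
   */
  int main()
  {
      /* create a socket */
      int sockfd = socket(AF_INET, SOCK_STREAM, 0);
      if (sockfd == -1) {
          perror("socket failed: ");
          exit(1);
      }

      /* zero the whole struct so sin_zero and padding are not stack garbage */
      struct sockaddr_in address = {0};
      address.sin_family = AF_INET;
      address.sin_addr.s_addr = inet_addr(SERVER_IP);
      address.sin_port = htons(PORT);
      /* inet_addr() signals a malformed address by returning INADDR_NONE */
      if (address.sin_addr.s_addr == INADDR_NONE) {
          fprintf(stderr, "invalid SERVER_IP: \"%s\"\n", SERVER_IP);
          close(sockfd);
          exit(1);
      }

      /* connect to the server */
      int result = connect(sockfd, (struct sockaddr *)&address, sizeof(address));
      if (result == -1) {
          perror("connect failed: ");
          close(sockfd);
          exit(1);
      }

      /* exchange data */
      char ch = 'A';
      if (write(sockfd, &ch, 1) != 1) {
          perror("write failed: ");
          close(sockfd);
          exit(1);
      }

      ssize_t got = read(sockfd, &ch, 1);
      if (got != 1) {
          /* -1 is an error; 0 means the server closed without replying */
          if (got == -1) {
              perror("read failed: ");
          } else {
              fprintf(stderr, "server closed the connection\n");
          }
          close(sockfd);
          exit(1);
      }
      printf("get char from server: %c\n", ch);

      /* close the socket */
      close(sockfd);
      return 0;
  }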
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

#define PORT 9832
#define SERVER_IP ""

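/*
 * TCP test client: connect to SERVER_IP:PORT, send the byte 'A', read one
 * byte back and print it.
 *
 * Exits with status 1 if the address is invalid, or if the socket, the
 * connect, the write or the read fails, so a stale 'A' is never printed as
 * if it had come from the server. The exit after a failed connect and the
 * final close() are written out in full here.
 */
int main()
{
    /* create a socket */
    int sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == -1) {
        perror("socket failed: ");
        exit(1);
    }

    /* zero the whole struct so sin_zero and padding are not stack garbage */
    struct sockaddr_in address = {0};
    address.sin_family = AF_INET;
    address.sin_addr.s_addr = inet_addr(SERVER_IP);
    address.sin_port = htons(PORT);
    /* inet_addr() signals a malformed address by returning INADDR_NONE */
    if (address.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "invalid SERVER_IP: \"%s\"\n", SERVER_IP);
        close(sockfd);
        exit(1);
    }

    /* connect to the server */
    int result = connect(sockfd, (struct sockaddr *)&address, sizeof(address));
    if (result == -1) {
        perror("connect failed: ");
        close(sockfd);
        exit(1);
    }

    /* exchange data */
    char ch = 'A';
    if (write(sockfd, &ch, 1) != 1) {
        perror("write failed: ");
        close(sockfd);
        exit(1);
    }

    ssize_t got = read(sockfd, &ch, 1);
    if (got != 1) {
        /* -1 is an error; 0 means the server closed without replying */
        if (got == -1) {
            perror("read failed: ");
        } else {
            fprintf(stderr, "server closed the connection\n");
        }
        close(sockfd);
        exit(1);
    }
    printf("get char from server: %c\n", ch);

    /* close the socket */
    close(sockfd);
    return 0;
}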

sudo arp -d
arp -a



  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <pcap.h>
  4. #include <errno.h>
  5. #include <netinet/in.h>
  6. #include <arpa/inet.h>
  /*
   * Print the default capture device together with its network address and
   * subnet mask in dotted notation.
   *
   * Exits with status 1 if the device lookup, the network lookup or either
   * address conversion reports a failure.
   */
  int main()
  {
      char errbuf[PCAP_ERRBUF_SIZE];
      bpf_u_int32 netp;     /* ip */
      bpf_u_int32 maskp;    /* subnet mask */
      struct in_addr addr;

      /* ask pcap to find a valid device for use to sniff on */
      char *dev = pcap_lookupdev(errbuf);
      if (dev == NULL) {
          printf("pcap_lookupdev() error: %s\n", errbuf);
          exit(1);
      }

      /* print out device name */
      printf("dev name: %s\n", dev);

      /* ask pcap for the network address and mask of the device */
      if (pcap_lookupnet(dev, &netp, &maskp, errbuf) == -1) {
          printf("pcap_lookupnet() error: %s\n", errbuf);
          exit(1);
      }

      /*
       * get the network address in a human readable form; inet_ntoa()
       * returns a static buffer, so print it before converting the mask
       */
      addr.s_addr = netp;
      char *net = inet_ntoa(addr);
      if (net == NULL) {
          perror("inet_ntoa() ip error: ");
          exit(1);
      }
      printf("ip: %s\n", net);

      /* do the same as above for the device's mask */
      addr.s_addr = maskp;
      char *mask = inet_ntoa(addr);
      if (mask == NULL) {
          perror("inet_ntoa() sub mask error: ");
          exit(1);
      }
      printf("sub mask: %s\n", mask);

      return 0;
  }
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <errno.h>
#include <netinet/in.h>
#include <arpa/inet.h>

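/*
 * Print the default capture device together with its network address and
 * subnet mask in dotted notation.
 *
 * Exits with status 1 if the device lookup, the network lookup or either
 * address conversion reports a failure. Every error message sits behind
 * its own guard with an exit, so none of them prints on the success path.
 */
int main()
{
    /* ask pcap to find a valid device for use to sniff on */
    char *dev;   /* name of the device */
    char errbuf[PCAP_ERRBUF_SIZE];
    dev = pcap_lookupdev(errbuf);

    /* error checking */
    if (!dev) {
        printf("pcap_lookupdev() error: %s\n", errbuf);
        exit(1);
    }

    /* print out device name */
    printf("dev name: %s\n", dev);

    /* ask pcap for the network address and mask of the device */
    bpf_u_int32 netp;   /* ip */
    bpf_u_int32 maskp;  /* subnet mask */
    int ret;            /* return code */
    ret = pcap_lookupnet(dev, &netp, &maskp, errbuf);

    if (ret == -1) {
        printf("pcap_lookupnet() error: %s\n", errbuf);
        exit(1);
    }

    /* get the network address in a human readable form */
    char *net;   /* dot notation of the network address */
    char *mask;  /* dot notation of the network mask */
    struct in_addr addr;

    /*
     * inet_ntoa() returns a static buffer that the next call overwrites,
     * so the address is printed before the mask is converted.
     */
    addr.s_addr = netp;
    net = inet_ntoa(addr);
    if (!net) {
        perror("inet_ntoa() ip error: ");
        exit(1);
    }
    printf("ip: %s\n", net);

    /* do the same as above for the device's mask */
    addr.s_addr = maskp;
    mask = inet_ntoa(addr);
    if (!mask) {
        perror("inet_ntoa() sub mask error: ");
        exit(1);
    }
    printf("sub mask: %s\n", mask);

    return 0;
}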


int pcap_lookupnet(const char * device, bpf_u_int32 * netp, bpf_u_int32 * maskp, char * errbuf)





更多参考可以man pcap







