libpcap

libpcap是unix/linux平台下的网络数据包捕获函数包，

大多数网络监控软件都以它为基础。
Libpcap可以在绝大多数类unix平台下工作.
Libpcap应用程序框架
Libpcap提供了系统独立的用户级别网络数据包捕获接口，并充分考虑到应用程序的可移植 性。Libpcap可以在绝大多数类unix平台下工作，参考资料 A 中是对基于 libpcap 的网络应用程序的一个详细列表。在windows平台下，一个与libpcap 很类似的函数包 winpcap 提供捕获功能

可以参考tcpdump，snort的使用方式！

To open a handle for a live capture, given the name of the network or other interface on which the capture should be done, call  pcap_create (), set the appropriate options on the handle, and then activate it with  pcap_activate ().

To obtain a list of devices that can be opened for a live capture, call pcap_findalldevs(); to free the list returned by pcap_findalldevs(), call pcap_freealldevs(). pcap_lookupdev() will return the first device on that list that is not a ``loopback`` network interface.

To open a handle for a ``savefile'' from which to read packets, given the pathname of the ``savefile'', call pcap_open_offline(); to set up a handle for a ``savefile'', given a FILE * referring to a file already opened for reading, call pcap_fopen_offline().

In order to get a ``fake'' pcap_t for use in routines that require a pcap_t as an argument, such as routines to open a ``savefile'' for writing and to compile a filter expression, call pcap_open_dead().

pcap_create(), pcap_open_offline(), pcap_fopen_offline(), and pcap_open_dead() return a pointer to a pcap_t, which is the handle used for reading packets from the capture stream or the ``savefile'', and for finding out information about the capture stream or ``savefile''. To close a handle, use pcap_close().