#include "pcap.h"


void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);

int main()
{
pcap_if_t *alldevs;
pcap_if_t *d;
int inum;
int i=0;
pcap_t *adhandle;
char errbuf[PCAP_ERRBUF_SIZE];
   
   
    if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
    {
        fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }
   
   
    for(d=alldevs; d; d=d->next)
    {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }
   
    if(i==0)
    {
        printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
        return -1;
    }
   
    printf("Enter the interface number (1-%d):",i);
    scanf_s("%d", &inum);
   
    if(inum < 1 || inum > i)
    {
        printf("\nInterface number out of range.\n");
       
        pcap_freealldevs(alldevs);
        return -1;
    }
   
   
    for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);
   
   
    if ( (adhandle= pcap_open(d->name,          // name of the device
                              65536,            // portion of the packet to capture
                                                // 65536 guarantees that the whole packet will be captured on all the link layers
                              PCAP_OPENFLAG_PROMISCUOUS,    // promiscuous mode
                              1000,             // read timeout
                              NULL,             // authentication on the remote machine
                              errbuf            // error buffer
                              ) ) == NULL)
    {
        fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
       
        pcap_freealldevs(alldevs);
        return -1;
    }
   
    printf("\nlistening on %s\n", d->description);
   
   
    pcap_freealldevs(alldevs);
   
   
    pcap_loop(adhandle, 0, packet_handler, NULL);
   
    return 0;
}



void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
    struct tm ltime;
    char timestr[16];
    time_t local_tv_sec;

   
    (VOID)(param);
    (VOID)(pkt_data);

   
    local_tv_sec = header->ts.tv_sec;
    localtime_s(&ltime, &local_tv_sec);
    strftime( timestr, sizeof timestr, "%H:%M:%S", &ltime);
   
    printf("%s,%.6d len:%d\n", timestr, header->ts.tv_usec, header->len);
   
}

這里主要是想說明下回調(diào)函數(shù)的各個(gè)參數(shù)，順便講下pcap_loop

int pcap_loop (

pcap_t * p,

int cnt,

pcap_handler callback,

u_char * user  

)

pcap_t結(jié)構(gòu)對開發(fā)者是不透明的，一般是由pcap_open返回，可以認(rèn)為是抓包的句柄。cnt表示抓到cnt個(gè)包后loop結(jié)束，callback就是處理包的回調(diào)函數(shù)了。user只是用來描述這次抓包，可以置為NULL，如果覺得需要，也可以把抓包的目的啊什么的寫上去。

-1 is returned on an error; 0 is returned if cnt is exhausted; -2 is returned if the loop terminated due to a call to pcap_breakloop() before any packets were processed. If your application uses pcap_breakloop(), make sure that you explicitly check for -1 and -2, rather than just checking for a return value < 0.

出錯(cuò)返回-1，抓完了cnt個(gè)包返回0，在處理包之前就調(diào)用pcap_breakloop()終結(jié)loop則返回-2.所有如果調(diào)用了pcap_breakloop() ，必須檢查返回值是-1還是-2，不能來籠統(tǒng)檢查是否小于0.

int pcap_dispatch (

pcap_t * p,

int cnt,

pcap_handler callback,

u_char * user  

)

pcap_dispatch和pcap_loop的唯一區(qū)別是pcap_dispatch會(huì)因?yàn)槌瑫r(shí)而結(jié)束（這個(gè)時(shí)間是在pcap_open里面設(shè)置的），pcap_loop則不管，一定要抓玩cnt個(gè)包

pcap_t* pcap_open  ( const char *  source, 
  int  snaplen, 
  int  flags, 
  int  read_timeout,  //就是這個(gè)設(shè)置超時(shí)了，單位是毫秒
  struct pcap_rmtauth *  auth, 
  char *  errbuf  
 )

typedef void(* pcap_handler)(u_char *user, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data)

user就是pcap_loop里的u_char*user

pkt_header是winpcap給抓到的包附上的頭，不是IP報(bào)文頭部、UDP報(bào)文頭部等等協(xié)議頭部。

struct pcap_pkthdr {
 struct timeval ts; 
 bpf_u_int32 caplen; 
 bpf_u_int32 len; 
};

pkt_data是抓到的包數(shù)據(jù)，這里包括了協(xié)議的頭部。