pcap_next_ex(3PCAP) man page
This man page documents libpcap version 1.11.0-PRE-GIT (see also: 1.10.4, 1.10.2, 1.10.1, 1.10.0, 1.9.1, 1.8.1, 1.7.4, 1.6.2, 1.5.3).Your system may have a different version installed, possibly with some local modifications. To achieve the best results, please make sure this version of this man page suits your needs. If necessary, try to look for a different version on this web site or in the man pages available in your installation.
#include <pcap/pcap.h> int pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header, const u_char **pkt_data); const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h);
pcap_pkthdrstruct for the packet, and the pointer pointed to by the pkt_data argument is set to point to the data in the packet. The
struct pcap_pkthdrand the packet data are not to be freed by the caller, and are not guaranteed to be valid after the next call to pcap_next_ex(), pcap_next(), pcap_loop(3PCAP), or pcap_dispatch(3PCAP); if the code needs them to remain valid, it must make a copy of them.
reads the next packet (by calling
of 1) and returns a
pointer to the data in that packet. The
packet data is not to be freed by the caller, and is not
guaranteed to be valid after the next call to
if the code needs it to remain valid, it must make a copy of it.
structure pointed to by
is filled in with the appropriate values for the packet.
The bytes of data from the packet begin with a link-layer header. The
format of the link-layer header is indicated by the return value of the
routine when handed the
value also passed to
lists the values
can return and describes the packet formats that
correspond to those values. The value it returns will be valid for all
packets received unless and until
is called; after a successful call to
all subsequent packets will have a link-layer header of the type
specified by the link-layer header type value passed to
assume that the packets for a given capture or ``savefile`` will have
any given link-layer header type, such as
for Ethernet. For example, the "any" device on Linux will have a
link-layer header type of
even if all devices on the system at the time the "any" device is opened
have some other data link type, such as
PCAP_ERROR_BREAKif packets are being read from a ``savefile'' and there are no more packets to read from the savefile,
PCAP_ERROR_NOT_ACTIVATEDif called on a capture handle that has been created but not activated, or
PCAP_ERRORif an error occurred while reading the packet. If
PCAP_ERRORis returned, pcap_geterr(3PCAP) or pcap_perror(3PCAP) may be called with p as an argument to fetch or display the error text.
returns a pointer to the packet data on success, and returns
if an error occurred, or if no packets were read from a live capture
(if, for example, they were discarded because they didn't pass the
packet filter, or if, on platforms that support a packet buffer timeout
that starts before any packets arrive, the timeout expires before any
packets arrive, or if the file descriptor for the capture device is in
non-blocking mode and no packets were available to be read), or if no
more packets are available in a ``savefile.'' Unfortunately, there is no
way to determine whether an error occurred or not.