Information on WinPCAP and WinDUMP
Mail: firstname.lastname@example.org (also used for WinDump)

From: Guy Harris <email@example.com>
Subject: Re: [tcpdump-workers] libpcap

On Thu, Nov 23, 2000 at 04:39:45PM -0700, Mark Reimer wrote:

> In the sample programs from netgroup..., I have tried to translate a couple
> of them to VB using Declares. The one that I think would be the easiest to
> use has the following functions: This is from testapp.c
>
> PacketGetAdapterNames
Perhaps that would be easier to use; it depends on what you're doing.
Some history on libpcap might make the relationship between
wpcap.dll a bit clearer.
libpcap was originally the code in tcpdump that hid from the bulk of tcpdump the differences between the mechanisms provided by various flavors of UNIX to allow raw link-layer packets to be transmitted and received; tcpdump merely receives link-layer packets, and doesn't send them, so libpcap doesn't have any routines to transmit packets. (There's no reason why it couldn't have those routines; it just doesn't happen to have them.)
wpcap.dll implements the libpcap API (plus some extensions) for Win32

packet.dll, and the drivers for various Win32 operating systems, provide a Win32-specific raw link-layer packet access

wpcap.dll provides an API that should work on BSD, Linux, Solaris, HP-UX, Irix, AIX, Windows 9x, Windows NT, etc., allowing applications to capture packets on a network without themselves having to do that capture differently on different OSes. (Well, there are some minor glitches that require some slightly different behavior on some OSes, but the latest version of libpcap should handle at least one of those.)

packet.dll provides a Win32-specific API for capturing and sending packets, just as the BPF driver on BSD, PF_PACKET sockets on Linux, DLPI on Solaris and HP-UX and some other flavors of UNIX, etc. provide APIs that are somewhat OS-specific for capturing and sending packets on those OSes.
The routines with names beginning with Packet are the packet.dll routines; that's the packet.dll API.

The routines with names beginning with pcap_ are the libpcap routines; that's the libpcap API.
The libpcap API is a somewhat "higher-level" API, hiding, as it does, various low-level details of BPF or PF_PACKET sockets or DLPI or packet.dll or… That might make it easier to use; however, it also might mean that it wouldn't allow you to do some things you could do by directly using the packet.dll API.
The page at http://netgroup-serv.polito.it/winpcap/2.1beta.htm describes that thus:

WinPcap is an architecture for packet capture and network analysis for the Win32 platforms, based on the model of BPF and libpcap for UNIX. It includes a kernel-level packet filter driver, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll).

The packet capture driver is a device driver that adds to Windows 95, Windows 98, Windows NT and Windows 2000 the ability to capture and send raw packets in a way similar to the Berkeley Packet Filter of UNIX kernels.

packet.dll is an API that can be used to access directly the functions of the capture driver.

WinPcap exports a set of functions fully compatible with libpcap 0.5.2. It allows capturing packets in a way independent from the underlying network hardware and operating system.
> Also I would need to come up with proper types (structures) for LPADAPTER
> and LPPACKET. These use packet.dll.
>
> The other is from pktdump.c and uses the following:
>
> pcap_open_live
> pcap_loop
>
> For this one, it uses structure of pcap (which I haven't found defined
> anywhere). I assume because wpcap.dll is loaded as needed, it is defined in
> there, and not anywhere else.
No, it's because the pcap_t structure's layout is relevant only if you're trying to write programs that use libpcap… LPADAPTER and LPPACKET are relevant only if you're trying to write programs that use packet.dll. Given that you're planning on writing programs that use libpcap and/or packet.dll, they are relevant.

LPADAPTER is just a pointer to an ADAPTER structure; ADAPTER is defined in PACKET32.H, which comes as part of the WinPcap 2.1 beta developer's pack. LPPACKET is just a pointer to a PACKET structure; PACKET is also defined in PACKET32.H. pcap_t is a handle returned when you open a capture device with libpcap; it's defined in pcap.h, which also comes as part of the WinPcap 2.1 beta developer's pack.
> I'm trying to write an update to a packet capture program that runs in DOS
> (yes, pre-Windows), so I just need to capture the packets, then I know what
> I'm doing.
I assume the update is to make it run on Win32 operating systems (Windows 95/98 and Windows NT/2000), as WinPcap won't work on plain DOS.
If it's just a packet capture program, the libpcap API, rather than the packet.dll API, may be easier. (If you download the WinPcap 2.1 beta source, and look at pcap-win32.c in the
directory, that shows you the stuff that the libpcap library hides; it's not that complicated—take a look, for example, at
that directory, which shows you the stuff libpcap has to hide from you on a platform using DLPI, although pcap-bpf.c is a bit simpler, which is perhaps not surprising given that BPF was designed by the same folks who designed libpcap and tcpdump…)
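The libpcap side of the answer above (pcap_open_live, pcap_loop, and a pcap_t that is only ever an opaque handle), done the way the question was heading, with runtime declarations instead of C headers. This is an added example using Python's ctypes, not code from the post or from the WinPcap project; it assumes wpcap.dll or a libpcap shared library is installed, and the Ethernet decoder and the b"eth0" device name are constructed for illustration.

```python
import ctypes
import ctypes.util
import struct
import sys
# struct pcap_pkthdr { struct timeval ts; bpf_u_int32 caplen; bpf_u_int32 len; }
# c_long matches timeval on Windows (32-bit) and LP64 Unix; offsets also hold on macOS.
class PcapPkthdr(ctypes.Structure):
    _fields_ = [("ts_sec", ctypes.c_long), ("ts_usec", ctypes.c_long),
                ("caplen", ctypes.c_uint32), ("len", ctypes.c_uint32)]

# pcap_loop() callback: void h(u_char *user, const struct pcap_pkthdr *hdr, const u_char *bytes)
PcapHandler = ctypes.CFUNCTYPE(None, ctypes.c_void_p, ctypes.POINTER(PcapPkthdr), ctypes.c_void_p)

def load_pcap():
    """Load wpcap.dll (Windows) or libpcap (elsewhere) and declare the calls used below.
    pcap_t is never laid out here: the handle is just an opaque pointer (c_void_p)."""
    name = "wpcap" if sys.platform == "win32" else ctypes.util.find_library("pcap")
    if name is None:
        raise OSError("libpcap not found")
    lib = ctypes.CDLL(name)  # the pcap_* exports use the C calling convention
    lib.pcap_open_live.restype = ctypes.c_void_p  # returns pcap_t *
    lib.pcap_open_live.argtypes = [ctypes.c_char_p, ctypes.c_int, ctypes.c_int,
                                   ctypes.c_int, ctypes.c_char_p]  # device, snaplen, promisc, to_ms, errbuf
    lib.pcap_loop.argtypes = [ctypes.c_void_p, ctypes.c_int, PcapHandler, ctypes.c_void_p]
    lib.pcap_close.argtypes = [ctypes.c_void_p]
    return lib

def summarize_ethernet(frame):
    """Decode the 14-byte Ethernet II header of one captured frame (pure Python, runs offline)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda raw: ":".join("%02x" % b for b in raw)
    return {"dst": mac(dst), "src": mac(src), "ethertype": ethertype, "payload_len": len(frame) - 14}

@PcapHandler
def on_packet(user, hdr, data):
    frame = ctypes.string_at(data, hdr.contents.caplen)  # copy out before the driver reuses the buffer
    print(summarize_ethernet(frame))

def capture(device, count=10, snaplen=65535):
    """Open `device` (bytes, e.g. b"eth0", a constructed name) promiscuously and hand `count` frames to on_packet."""
    lib = load_pcap()
    errbuf = ctypes.create_string_buffer(256)  # PCAP_ERRBUF_SIZE
    handle = lib.pcap_open_live(device, snaplen, 1, 1000, errbuf)
    if not handle:
        raise OSError(errbuf.value.decode(errors="replace"))
    try:
        return lib.pcap_loop(handle, count, on_packet, None)  # 0 once `count` frames were delivered
    finally:
        lib.pcap_close(handle)
```

Run `capture(b"eth0")` (or the WinPcap adapter name on Windows) with the privileges the capture driver requires; no field of pcap_t is ever touched, which is why its layout does not have to be declared.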