netraf
A Network Analyzer and Traffic Logger.


MYCAP Packet Capture Library


MYCAP scheme



MY[p]CAP - simple packet capture library...

    MYcap is a small set of functions that make packet capturing easy. It allows users to write their own packet processing functions without caring about how the raw packets are obtained. All the user has to know is how packets are built and how to extract data from the raw packets.

    There are only three steps in capturing packets with mycap.

MYCAP steps

    Creating a new session with mycap, which causes a new raw packet listening socket to be created in the system. Through this socket we'll be able to receive a raw binary stream from the packet flow going from and to any network interface installed on the system.
    Running a packet capturing loop. This is the heart of mycap: here all the packets are actually captured and passed to the packet handling function. The mycap loop is in fact a passive loop waiting for incoming packets; when called inside another program it will stop execution of the code below it until it ends (see the end loop function). Starting the packet capturing loop requires a packet handling function, which will be associated with the current session. Every time the packet loop captures a packet it passes it to the associated packet handling function.
    The only limitation is that the packet handling function must have a specific prototype:

void *function(void *, mycap_header_t *, unsigned char *);

    In the first argument it gets the parameters passed by the user, then the header prepared by the mycap loop (shown below) and a pointer to the buffer containing the raw packet.

/* The header passed to the packet handling function,
contains additional information about the captured packet */

typedef struct mycap_header_s{
   /* size of the captured packet in bytes */
   int caplen;

   /* name of the interface the packet came through */
   char ifname[8];

   /* special field describing whether it is an incoming,
   outgoing or maybe a broadcast or multicast packet */
   unsigned char pkttype;

} mycap_header_t;

    After passing the packet to the function, the loop waits for the function to finish its work before passing it another packet. This is because the time the function needs to process a packet depends on the packet filters applied to that function and on the execution time of the function itself, which can vary on slower CPUs. While reading packets the loop uses the system buffer, but if the packet processing function needs more time than the rate of incoming packets allows, the loop drops the excess packets instead of starting another function to process them. This way, even if some packets are dropped, the loop won't overload the system.
    Using the end loop function on a mycap session stops the packet reading loop and continues executing the code below the call to the mycap loop. The loop may be restarted at any later time.
    To end packet capturing for good, the user closes the mycap session: the packet socket is closed and the memory used by the session is freed. After this point, to run the packet capturing loop again, the user must create another mycap session.
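An added example, not part of netraf or mycap itself: a packet handling function with the prototype given above, which tallies captured frames into user state passed through the first argument. The real session, loop and end loop functions are not shown; `run_sample` is a hypothetical stand-in that feeds constructed frames to the handler the way the loop would. The handler checks `caplen` before touching the Ethernet header, so a truncated capture is counted rather than read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Header layout as given on the page. */
typedef struct mycap_header_s {
    int caplen;             /* size of the captured packet in bytes */
    char ifname[8];         /* interface the packet came through */
    unsigned char pkttype;  /* incoming, outgoing, broadcast or multicast */
} mycap_header_t;

/* User state handed to the handler through the first (void *) argument. */
typedef struct {
    unsigned long total;      /* packets seen */
    unsigned long ipv4;       /* frames with EtherType 0x0800 */
    unsigned long truncated;  /* too short to hold an Ethernet header */
} pkt_stats_t;

/* Packet handler with the prototype mycap requires. It reads only bytes
 * that lie inside caplen, so a short capture never causes an out-of-bounds read. */
void *count_packets(void *user, mycap_header_t *hdr, unsigned char *pkt)
{
    pkt_stats_t *st = (pkt_stats_t *)user;
    st->total++;
    if (hdr->caplen < 14) {   /* Ethernet: dst(6) + src(6) + EtherType(2) */
        st->truncated++;
        return NULL;
    }
    uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype == 0x0800)
        st->ipv4++;
    return NULL;
}

/* Hypothetical stand-in for the mycap loop (not the real one): feeds three
 * constructed frames to the handler one at a time and returns the tallies. */
pkt_stats_t run_sample(void)
{
    unsigned char ipv4_frame[14]  = { [12] = 0x08, [13] = 0x00 };
    unsigned char arp_frame[14]   = { [12] = 0x08, [13] = 0x06 };
    unsigned char short_frame[6]  = { 0 };  /* truncated capture */
    pkt_stats_t st = { 0, 0, 0 };
    mycap_header_t h = { 0, "eth0", 0 };    /* constructed sample header */

    h.caplen = 14; count_packets(&st, &h, ipv4_frame);
    h.caplen = 14; count_packets(&st, &h, arp_frame);
    h.caplen = 6;  count_packets(&st, &h, short_frame);
    return st;
}
```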

M.K.



Copyright © 2005, M.K., T.J., M.S.
netraf is Open Source software, distributed under the terms of the New BSD License.