Empty file on pcap_dump

Hi,
I am trying to capture packets using a pcap library API.
I used pcap_dump to dump my packets to a file, but I see that the file is empty.

Please can you let me know if i am missing something below.

I am passing the interface as "any", and the file is created with root permission.


code:
=

NOTE: dev = "any" and filterexpr = "udp port 53"
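/*
 * Capture packets on `dev` that match `filterexpr` and write them to
 * /tmp/sniff.pcap with pcap_dump().
 *
 * Uses the capture handle `pc` and the `stats` and `datalinktype`
 * variables, all of which are declared outside this listing.
 *
 * Returns:
 *    1  pcap_lookupnet() failed
 *    2  pcap_open_live() failed
 *    3  the filter expression did not compile
 *    4  the filter could not be installed
 *    5  pcap_loop() returned (packet count reached, or a read error)
 *    6  init_my_addresses() failed, or the datalink type is neither
 *       DLT_LINUX_SLL nor DLT_EN10MB
 *   -1  the dump file could not be opened
 */
static int
capturepackets(const char *dev, const char *filterexpr)
{
    char errbuf[PCAP_ERRBUF_SIZE];
    struct bpf_program prog;    /* Compiled bpf filter program */
    bpf_u_int32 mask;           /* The netmask of our sniffing device */
    bpf_u_int32 net;            /* The IP of our sniffing device */
    int rc;
    pcap_dumper_t *pd;

    memset(&stats, 0, sizeof(stats));

restart:
    /*
     * The compile-failure path below calls pcap_freecode(&prog) even
     * though pcap_compile() did not succeed; zeroing the struct first
     * keeps that call from looking at indeterminate contents.
     */
    memset(&prog, 0, sizeof(prog));

    if (pcap_lookupnet((char *)dev, &net, &mask, errbuf) == -1) {
        fprintf(stderr, "Can't get netmask for interface %s\n", dev);

        return 1;
    }

    if ((pc = pcap_open_live((char *)dev, 65535, PROMISC, READTIMEOUT, errbuf))
        == NULL)
    {
        fprintf(stderr, "Couldn't open interface %s: %s\n", dev, errbuf);

        return 2;
    }

    if (init_my_addresses(dev) == -1) {
        fprintf(stderr, "Couldn't find our addresses (dev=%s)\n", dev);

        pcap_close(pc);
        pc = NULL;
        return 6;
    }

    if (pcap_compile(pc, &prog, (char *)filterexpr, 0, net) == -1) {
        fprintf(stderr, "Couldn't parse filter %s: %s\n", filterexpr,
                pcap_geterr(pc));
        DBG1("Couldn't parse filter %s: %s", filterexpr, pcap_geterr(pc));
        pcap_freecode(&prog);
        pcap_close(pc);
        pc = NULL;
        return 3;
    }

    if (pcap_setfilter(pc, &prog) == -1) {
        fprintf(stderr, "Couldn't install filter %s: %s\n", filterexpr,
                pcap_geterr(pc));
        DBG1("Couldn't install filter %s: %s", filterexpr, pcap_geterr(pc));
        pcap_freecode(&prog);
        pcap_close(pc);
        pc = NULL;
        return 4;
    }

    datalinktype = pcap_datalink(pc);

    DBG6("Datalink type is %s (%s)", pcap_datalink_val_to_name(datalinktype),
         pcap_datalink_val_to_description(datalinktype));

    if (datalinktype != DLT_LINUX_SLL && datalinktype != DLT_EN10MB) {
        fprintf(stderr, "Unknown datalink type (%d: %s), exiting",
                datalinktype, pcap_datalink_val_to_name(datalinktype));
        DBG1("Unknown datalink type (%d: %s), can't handle, exiting",
             datalinktype, pcap_datalink_val_to_name(datalinktype));
        pcap_freecode(&prog);
        pcap_close(pc);
        pc = NULL;
        return 6;
    }

    /*
     * NOTE(review): this is a fixed, predictable name in world-writable
     * /tmp, opened by a process running as root, so whatever already
     * exists at that path (including a link placed there by another
     * local user) decides what root writes to. The listing on this page
     * also shows the file ending up mode rw-rw-rw-, i.e. the captured
     * DNS traffic is readable and writable by every local account.
     * Prefer a directory only root can write to and a restrictive umask
     * before this call.
     */
    pd = pcap_dump_open(pc, "/tmp/sniff.pcap");
    if (pd == NULL) {
        fprintf(stderr, "\nError opening output file\n");
        /* Say why: pcap_dump_open() leaves its reason in the handle. */
        fprintf(stderr, "pcap_dump_open: %s\n", pcap_geterr(pc));
        DBG9("arai:dump open err opening pcap file");
        /* Release the filter and the capture handle like every other
         * late error path; the original returned with both still open. */
        pcap_freecode(&prog);
        pcap_close(pc);
        pc = NULL;
        return -1;
    }

    /*
     * pcap_dump() writes through a buffered stream, so the file can sit
     * at 0 bytes until pcap_dump_close() below (or pcap_dump_flush())
     * runs. With a count of 20 that only happens after 20 matching
     * packets have been handed to the callback, or once the loop is
     * broken; a process that is still waiting, or is killed first,
     * leaves an empty file behind.
     */
    rc = pcap_loop(pc, 20, &pcap_dump, (unsigned char *)pd);
    if (rc == -2) {
        DBG1("Restarting packet handler.");
        pcap_freecode(&prog);
        pcap_dump_close(pd);
        pcap_close(pc);
        pc = NULL;
        goto restart;
    }

    if (rc == -1) {
        /* Read error: report it while the handle is still open. */
        fprintf(stderr, "Capture loop failed: %s\n", pcap_geterr(pc));
    }

    DBG0("Return from capture loop!");
    pcap_freecode(&prog);
    pcap_dump_close(pd);
    pcap_close(pc);
    pc = NULL;
    return 5;
}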


This is the file created with zero size:
==========
-bash-4.0# ls -lrt sniff.pcap
-rw-rw-rw- 1 root root 0 Jun 4 09:51 sniff.pcap
-bash-4.0#
First, please edit your post and use the formatting features to properly format the code.

If you pass the same sort of rules to tcpdump via the command-line, do you get data?