-
Notifications
You must be signed in to change notification settings - Fork 50
/
wpcap.html
239 lines (200 loc) · 8.72 KB
/
wpcap.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
<!DOCTYPE html>
<html lang="en">
<!-- HEAD -->
<head>
<meta charset="utf-8">
<title>Information on WinPcap and WinDump | TCPDUMP & LIBPCAP</title>
<meta name="description" content="Web site of Tcpdump and Libpcap">
<link href="style.css" rel="stylesheet" type="text/css" media="screen">
<link href="images/T-32x32.png" rel="shortcut icon" type="image/png">
</head>
<!-- END OF HTML HEAD -->
<!-- BODY -->
<body>
<!-- TOP MENU -->
<div id="menu">
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="security.html">Security</a></li>
<li><a href="faq.html">FAQ</a></li>
<li><a href="manpages/">Man Pages</a></li>
<li><a href="ci.html">CI</a></li>
<li><a href="linktypes.html">Link-Layer Header Types</a></li>
<li><a href="bpfexam/">BPF Exam</a></li>
<li><a href="related.html">See Also</a></li>
<li><a href="old_releases.html">Old Releases</a></li>
</ul>
</div>
<!-- END OF TOP MENU -->
<!-- PAGE HEADER -->
<div id="splash">
<br><img src="images/logo.png" alt="">
</div>
<div id="logo">
<hr>
</div>
<!-- END OF PAGE HEADER -->
<!-- PAGE CONTENTS -->
<div id="page">
<div class="post">
<h2 class="title">Information on WinPCAP and WinDUMP</h2>
<div class="entry">
<TABLE>
<TR><TD> <TD>WinPCAP<TD>WinDUMP</TR>
<TR><TD> Home pages:
<TD> <A HREF="https://www.winpcap.org/">WinPcap</A>
<TD> <A HREF="https://www.winpcap.org/windump/">WinDump</A></TR>
<TR> <TD> Release notes:
<TD><A HREF="https://www.winpcap.org/misc/changelog.htm">winpcap</A>,
<TD> <A HREF="https://www.winpcap.org/windump/misc/changelog.htm">windump</A>
</TR>
<TR> <TD> Mail:
<TD> <A
HREF="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A>
(also used for WinDump)<TD> </TD></TR>
</TABLE>
</div>
<H2 class="title">Relationship of <code>WPCAP.DLL</code> and <code>PACKET.DLL</code></H2>
<div class="entry">
<PRE>
From: Guy Harris <gharris@flashcom.net>
Subject: Re: [tcpdump-workers] libpcap
On Thu, Nov 23, 2000 at 04:39:45PM -0700, Mark Reimer wrote:
> In the sample programs from netgroup..., I have tried to translate a couple
> of them to VB using Declares. The one that I think would be the easiest to
> use has the following functions: This is from testapp.c
>
> PacketGetAdapterNames
</PRE>
<P>
Perhaps that would be easier to use; it depends on what you're doing.
<P>
Some history on libpcap might make the relationship between <code>packet.dll</code>
and <code>wpcap.dll</code> a bit clearer.
<P>
libpcap was originally the code in tcpdump that hid from the bulk of
tcpdump the differences between the mechanisms provided by various
flavors of UNIX to allow raw link-layer packets to be transmitted and
received; tcpdump merely receives link-layer packets, and doesn't send
them, so libpcap doesn't have any routines to transmit packets.
(There's no reason why it <strong>couldn't</strong> have those routines; it just
doesn't happen to have them.)
<P>
<code>wpcap.dll</code> implements the libpcap API (plus some extensions) for Win32
systems; <code>packet.dll</code>, and the drivers for various Win32 operating
systems, provide a Win32-specific raw link-layer packet access
mechanism.
<P>
I.e., <code>wpcap.dll</code> provides an API that should work on BSD, Linux, Solaris,
HP-UX, Irix, AIX, Windows 9x, Windows NT, etc., allowing applications to
capture packets on a network without themselves having to do that
capture differently on different OSes. (Well, there are some minor
glitches that require some slightly different behavior on some OSes, but
the latest version of libpcap should handle at least one of those.)
<P>
<code>packet.dll</code> provides a Win32-specific API for capturing <strong>and</strong> sending
packets, just as the BPF driver on BSD, <code>PF_PACKET</code> sockets on Linux, DLPI
on Solaris and HP-UX and some other flavors of UNIX, etc. provide APIs
that are somewhat OS-specific for capturing and sending packets on those
OSes.
<P>
The routines with names beginning with <code>Packet</code> are the <code>packet.dll</code>
routines; that's the <code>packet.dll</code> API.
<P>
The routines with names beginning with <code>pcap_</code> are the <code>wpcap.dll</code>
routines; that's the libpcap API.
<P>
The libpcap API is a somewhat "higher-level" API, hiding, as it does,
various low-level details of BPF or <code>PF_PACKET</code> sockets or DLPI or
<code>packet.dll</code> or… That <strong>might</strong> make it easier to use; however, it also
<strong>might</strong> mean that it wouldn't allow you to do some things you could do
by directly using the <code>packet.dll</code> API.
<P>
The page at
<A HREF="https://web.archive.org/web/20010208082919/http://netgroup-serv.polito.it/winpcap/2.1beta.htm"> http://netgroup-serv.polito.it/winpcap/2.1beta.htm</A>
describes that thus:
<BLOCKQUOTE>
<P>
WinPcap is an architecture for packet capture and network
analysis for the Win32 platforms, based on the model of BPF and
libpcap for UNIX. It includes a kernel-level packet filter
driver, a low-level dynamic link library (<code>packet.dll</code>), and a
high-level and system-independent library (<code>wpcap.dll</code>).
<P>
The packet capture driver is a device driver that adds to
Windows 95, Windows 98, Windows NT and Windows 2000 the ability
to capture and send raw packets in a way similar to the Berkeley
Packet Filter of UNIX kernels.
<P>
<code>packet.dll</code> is an API that can be used to access directly the
functions of the capture driver.
<P>
WinPcap exports a set of functions fully compatible with libpcap
0.5.2. It allows capturing packets in a way independent from
the underlying network hardware and operating system.
</BLOCKQUOTE>
<PRE>
> Also I would need to come up with proper types (structures) for LPADAPTER
> and LPPACKET. These use packet.dll.
>
> The other is from pktdump.c and uses the following:
>
> pcap_open_live
> pcap_loop
>
> For this one, it uses structure of pcap (which I haven't found defined
> anywhere). I assume because wpcap.dll is loaded as needed, it is defined in
> there, and not anywhere else.
</PRE>
<P>
No, it's because the <code>pcap_t</code> structure's layout is relevant only if
you're trying to write programs that use libpcap…
<P>
…just as <code>LPADAPTER</code> and <code>LPPACKET</code> are relevant only if you're trying to
write programs that use <code>packet.dll</code>.
<P>
Given that you're planning on writing programs that use libpcap and/or
<code>packet.dll</code>, they are relevant.
<P>
<code>LPADAPTER</code> is just a pointer to an <code>ADAPTER</code> structure; <code>ADAPTER</code> is
defined in <code>PACKET32.H</code>, which comes as part of the WinPcap 2.1 beta
developer's pack. <code>LPPACKET</code> is just a pointer to a <code>PACKET</code> structure;
<code>PACKET</code> is also defined in <code>PACKET32.H</code>.
<P>
<code>pcap_t</code> is a handle returned when you open a capture device with
libpcap; it's defined in <code>pcap.h</code>, which <strong>also</strong> comes as part of the
WinPcap 2.1 beta developer's pack.
<PRE>
> I'm trying to write an update to a packet capture program that runs in DOS
> (yes, pre-Windows), so I just need to capture the packets, then I know what
> I'm doing.
</PRE>
<P>
I assume the update is to make it run on Win32 operating systems
(Windows 95/98 and Windows NT/2000), as WinPcap won't work on plain DOS.
<P>
If it's just a packet capture program, the libpcap API, rather than the
raw <code>packet.dll</code> API, may be easier. (If you download the WinPcap 2.1
beta source, and look at <code>pcap-win32.c</code> in the <code>WPCAP\LIBPCAP</code>
directory, that shows you the stuff that the libpcap library hides; it's
not <strong>that</strong> complicated—take a look, for example, at <code>pcap-dlpi.c</code> in
that directory, which shows you the stuff libpcap has to hide from you
on a platform using DLPI, although <code>pcap-bpf.c</code> is a bit simpler, which
is perhaps not surprising given that BPF was designed by the same folks
who designed libpcap and tcpdump…)
</div>
</div>
</div>
<!-- END OF PAGE CONTENTS -->
<!-- FOOTER -->
<div id="footer">
<p>
This web site is © 1999–2024 The Tcpdump Group
(<a href="https://github.com/the-tcpdump-group/tcpdump-htdocs/blob/master/README.md">more
information</a>).
</p>
</div>
<!-- END OF FOOTER -->
</body>
<!-- END OF HTML BODY -->
</html>