To open a handle for a live capture, given the name of the network or other
  interface on which the capture should be done, call pcap_create(), set
  the appropriate options on the handle, and then activate it with
  pcap_activate().
To obtain a list of devices that can be opened for a live capture,
    call pcap_findalldevs(); to free the list returned by
    pcap_findalldevs(), call pcap_freealldevs().
    pcap_lookupdev() will return the first device on that list that is
    not a ``loopback`` network interface.
To open a handle for a ``savefile'' from which to read packets,
    given the pathname of the ``savefile'', call pcap_open_offline(); to
    set up a handle for a ``savefile'', given a FILE * referring
    to a file already opened for reading, call pcap_fopen_offline().
In order to get a ``fake'' pcap_t for use in routines that
    require a pcap_t as an argument, such as routines to open a
    ``savefile'' for writing and to compile a filter expression, call
    pcap_open_dead().
pcap_create(), pcap_open_offline(),
    pcap_fopen_offline(), and pcap_open_dead() return a pointer to
    a pcap_t, which is the handle used for reading packets from the
    capture stream or the ``savefile'', and for finding out information about
    the capture stream or ``savefile''. To close a handle, use
    pcap_close().
The options that can be set on a capture handle include
  - snapshot length
- If, when capturing, you capture the entire contents of the packet, that
      requires more CPU time to copy the packet to your application, more disk
      and possibly network bandwidth to write the packet data to a file, and
      more disk space to save the packet. If you don't need the entire contents
      of the packet - for example, if you are only interested in the TCP headers
      of packets - you can set the "snapshot length" for the capture
      to an appropriate value. If the snapshot length is set to snaplen,
      and snaplen is less than the size of a packet that is captured,
      only the first snaplen bytes of that packet will be captured and
      provided as packet data.
- A snapshot length of 65535 should be sufficient, on most if not all
      networks, to capture all the data available from the packet.
- The snapshot length is set with pcap_set_snaplen().
- promiscuous mode
- On broadcast LANs such as Ethernet, if the network isn't switched, or if
      the adapter is connected to a "mirror port" on a switch to which
      all packets passing through the switch are sent, a network adapter
      receives all packets on the LAN, including unicast or multicast packets
      not sent to a network address that the network adapter isn't configured to
      recognize.
- Normally, the adapter will discard those packets; however, many network
      adapters support "promiscuous mode", which is a mode in which
      all packets, even if they are not sent to an address that the adapter
      recognizes, are provided to the host. This is useful for passively
      capturing traffic between two or more other hosts for analysis.
- Note that even if an application does not set promiscuous mode, the
      adapter could well be in promiscuous mode for some other reason.
- For now, this doesn't work on the "any" device; if an argument
      of "any" or NULL is supplied, the setting of promiscuous mode is
      ignored.
- Promiscuous mode is set with pcap_set_promisc().
- monitor mode
- On IEEE 802.11 wireless LANs, even if an adapter is in promiscuous mode,
      it will supply to the host only frames for the network with which it's
      associated. It might also supply only data frames, not management or
      control frames, and might not provide the 802.11 header or radio
      information pseudo-header for those frames.
- In "monitor mode", sometimes also called "rfmon mode"
      (for "Radio Frequency MONitor"), the adapter will supply all
      frames that it receives, with 802.11 headers, and might supply a
      pseudo-header with radio information about the frame as well.
- Note that in monitor mode the adapter might disassociate from the network
      with which it's associated, so that you will not be able to use any
      wireless networks with that adapter. This could prevent accessing files on
      a network server, or resolving host names or network addresses, if you are
      capturing in monitor mode and are not connected to another network with
      another adapter.
- Monitor mode is set with pcap_set_rfmon(), and
      pcap_can_set_rfmon() can be used to determine whether an adapter
      can be put into monitor mode.
- packet buffer timeout
- If, when capturing, packets are delivered as soon as they arrive, the
      application capturing the packets will be woken up for each packet as it
      arrives, and might have to make one or more calls to the operating system
      to fetch each packet.
- If, instead, packets are not delivered as soon as they arrive, but are
      delivered after a short delay (called a "packet buffer
      timeout"), more than one packet can be accumulated before the packets
      are delivered, so that a single wakeup would be done for multiple packets,
      and each set of calls made to the operating system would supply multiple
      packets, rather than a single packet. This reduces the per-packet CPU
      overhead if packets are arriving at a high rate, increasing the number of
      packets per second that can be captured.
- The packet buffer timeout is required so that an application won't wait
      for the operating system's capture buffer to fill up before packets are
      delivered; if packets are arriving slowly, that wait could take an
      arbitrarily long period of time.
- Not all platforms support a packet buffer timeout; on platforms that
      don't, the packet buffer timeout is ignored. A zero value for the timeout,
      on platforms that support a packet buffer timeout, will cause a read to
      wait forever to allow enough packets to arrive, with no timeout. A
      negative value is invalid; the result of setting the timeout to a negative
      value is unpredictable.
- NOTE: the packet buffer timeout cannot be used to cause calls that
      read packets to return within a limited period of time, because, on some
      platforms, the packet buffer timeout isn't supported, and, on other
      platforms, the timer doesn't start until at least one packet arrives. This
      means that the packet buffer timeout should NOT be used, for
      example, in an interactive application to allow the packet capture loop to
      ``poll'' for user input periodically, as there's no guarantee that a call
      reading packets will return after the timeout expires even if no packets
      have arrived.
- The packet buffer timeout is set with pcap_set_timeout().
- buffer size
- Packets that arrive for a capture are stored in a buffer, so that they do
      not have to be read by the application as soon as they arrive. On some
      platforms, the buffer's size can be set; a size that's too small could
      mean that, if too many packets are being captured and the snapshot length
      doesn't limit the amount of data that's buffered, packets could be dropped
      if the buffer fills up before the application can read packets from it,
      while a size that's too large could use more non-pageable operating system
      memory than is necessary to prevent packets from being dropped.
- The buffer size is set with pcap_set_buffer_size().
- timestamp type
- On some platforms, the time stamp given to packets on live captures can
      come from different sources that can have different resolutions or that
      can have different relationships to the time values for the current time
      supplied by routines on the native operating system. See
      pcap-tstamp(7) for a list of time stamp types.
- The time stamp type is set with pcap_set_tstamp_type().
Reading packets from a network interface may require that you have
    special privileges:
  - Under SunOS 3.x or 4.x with NIT or BPF:
- You must have read access to /dev/nit or /dev/bpf*.
- Under Solaris with DLPI:
- You must have read/write access to the network pseudo device, e.g.
      /dev/le. On at least some versions of Solaris, however, this is not
      sufficient to allow tcpdump to capture in promiscuous mode; on
      those versions of Solaris, you must be root, or the application capturing
      packets must be installed setuid to root, in order to capture in
      promiscuous mode. Note that, on many (perhaps all) interfaces, if you
      don't capture in promiscuous mode, you will not see any outgoing packets,
      so a capture not done in promiscuous mode may not be very useful.
  
  - In newer versions of Solaris, you must have been given the
      net_rawaccess privilege; this is both necessary and sufficient to
      give you access to the network pseudo-device - there is no need to change
      the privileges on that device. A user can be given that privilege by, for
      example, adding that privilege to the user's defaultpriv key with
      the usermod (@MAN_ADMIN_COMMANDS@) command.
  - Under HP-UX with DLPI:
- You must be root or the application capturing packets must be installed
      setuid to root.
- Under IRIX with snoop:
- You must be root or the application capturing packets must be installed
      setuid to root.
- Under Linux:
- You must be root or the application capturing packets must be installed
      setuid to root (unless your distribution has a kernel that supports
      capability bits such as CAP_NET_RAW and code to allow those capability
      bits to be given to particular accounts and to cause those bits to be set
      on a user's initial processes when they log in, in which case you must
      have CAP_NET_RAW in order to capture and CAP_NET_ADMIN to enumerate
      network devices with, for example, the -D flag).
- Under ULTRIX and Digital UNIX/Tru64 UNIX:
- Any user may capture network traffic. However, no user (not even the
      super-user) can capture in promiscuous mode on an interface unless the
      super-user has enabled promiscuous-mode operation on that interface using
      pfconfig(8), and no user (not even the super-user) can capture
      unicast traffic received by or sent by the machine on an interface unless
      the super-user has enabled copy-all-mode operation on that interface using
      pfconfig, so useful packet capture on an interface probably
      requires that either promiscuous-mode or copy-all-mode operation, or both
      modes of operation, be enabled on that interface.
- Under BSD (this includes macOS):
- You must have read access to /dev/bpf* on systems that don't have a
      cloning BPF device, or to /dev/bpf on systems that do. On BSDs with
      a devfs (this includes macOS), this might involve more than just having
      somebody with super-user access setting the ownership or permissions on
      the BPF devices - it might involve configuring devfs to set the ownership
      or permissions every time the system is booted, if the system even
      supports that; if it doesn't support that, you might have to find some
      other way to make that happen at boot time.
Reading a saved packet file doesn't require special
  privileges.
The packets read from the handle may include a ``pseudo-header''
    containing various forms of packet meta-data, and probably includes a
    link-layer header whose contents can differ for different network
    interfaces. To determine the format of the packets supplied by the handle,
    call pcap_datalink(); https://www.tcpdump.org/linktypes.html
    lists the values it returns and describes the packet formats that correspond
    to those values.
Do NOT assume that the packets for a given capture or
    ``savefile`` will have any given link-layer header type, such as
    DLT_EN10MB for Ethernet. For example, the "any" device on
    Linux will have a link-layer header type of DLT_LINUX_SLL even if all
    devices on the system at the time the "any" device is opened have
    some other data link type, such as DLT_EN10MB for Ethernet.
To obtain the FILE * corresponding to a
    pcap_t opened for a ``savefile'', call pcap_file().
  - Routines
  - pcap_create(3)
- get a pcap_t for live capture
- pcap_activate(3)
- activate a pcap_t for live capture
- pcap_findalldevs(3)
- get a list of devices that can be opened for a live capture
- pcap_freealldevs(3)
- free list of devices
- pcap_lookupdev(3)
- get first non-loopback device on that list
- pcap_open_offline(3)
- open a pcap_t for a ``savefile'', given a pathname
- pcap_open_offline_with_tstamp_precision(3)
- open a pcap_t for a ``savefile'', given a pathname, and specify the
      precision to provide for packet time stamps
- pcap_fopen_offline(3)
- open a pcap_t for a ``savefile'', given a FILE *
- pcap_fopen_offline_with_tstamp_precision(3)
- open a pcap_t for a ``savefile'', given a FILE *, and
      specify the precision to provide for packet time stamps
- pcap_open_dead(3)
- create a ``fake'' pcap_t
- pcap_close(3)
- close a pcap_t
- pcap_set_snaplen(3)
- set the snapshot length for a not-yet-activated pcap_t for live
      capture
- pcap_snapshot(3)
- get the snapshot length for a pcap_t
- pcap_set_promisc(3)
- set promiscuous mode for a not-yet-activated pcap_t for live
      capture
- pcap_set_protocol_linux(3)
- set capture protocol for a not-yet-activated pcap_t for live
      capture (Linux only)
- pcap_set_rfmon(3)
- set monitor mode for a not-yet-activated pcap_t for live
    capture
- pcap_can_set_rfmon(3)
- determine whether monitor mode can be set for a pcap_t for live
      capture
- pcap_set_timeout(3)
- set packet buffer timeout for a not-yet-activated pcap_t for live
      capture
- pcap_set_buffer_size(3)
- set buffer size for a not-yet-activated pcap_t for live
    capture
- pcap_set_tstamp_type(3)
- set time stamp type for a not-yet-activated pcap_t for live
    capture
- pcap_list_tstamp_types(3)
- get list of available time stamp types for a not-yet-activated
      pcap_t for live capture
- pcap_free_tstamp_types(3)
- free list of available time stamp types
- pcap_tstamp_type_val_to_name(3)
- get name for a time stamp type
- pcap_tstamp_type_val_to_description(3)
- get description for a time stamp type
- pcap_tstamp_type_name_to_val(3)
- get time stamp type corresponding to a name
- pcap_set_tstamp_precision(3)
- set time stamp precision for a not-yet-activated pcap_t for live
      capture
- pcap_get_tstamp_precision(3)
- get the time stamp precision of a pcap_t for live capture
- pcap_datalink(3)
- get link-layer header type for a pcap_t
- pcap_file(3)
- get the FILE * for a pcap_t opened for a
    ``savefile''
- pcap_is_swapped(3)
- determine whether a ``savefile'' being read came from a machine with the
      opposite byte order
- pcap_major_version(3)
- pcap_minor_version(3)
- get the major and minor version of the file format version for a
      ``savefile''
 
Packets are read with pcap_dispatch() or pcap_loop(), which
  process one or more packets, calling a callback routine for each packet, or
  with pcap_next() or pcap_next_ex(), which return the next
  packet. The callback for pcap_dispatch() and pcap_loop() is
  supplied a pointer to a struct pcap_pkthdr, which includes the
  following members:
  - ts
- a struct timeval containing the time when the packet was
    captured
- caplen
- a bpf_u_int32 giving the number of bytes of the packet that are
      available from the capture
- len
- a bpf_u_int32 giving the length of the packet, in bytes (which
      might be more than the number of bytes available from the capture, if the
      length of the packet is larger than the maximum number of bytes to
      capture).
 
The callback is also supplied a const u_char pointer to the
    first caplen (as given in the struct pcap_pkthdr mentioned
    above) bytes of data from the packet. This won't necessarily be the entire
    packet; to capture the entire packet, you will have to provide a value for
    snaplen in your call to pcap_set_snaplen() that is
    sufficiently large to get all of the packet's data - a value of 65535 should
    be sufficient on most if not all networks). When reading from a
    ``savefile'', the snapshot length specified when the capture was performed
    will limit the amount of packet data available.
pcap_next() is passed an argument that points to a
    struct pcap_pkthdr structure, and fills it in with the time stamp and
    length values for the packet. It returns a const u_char to the first
    caplen bytes of the packet on success, and NULL on error.
pcap_next_ex() is passed two pointer arguments, one of
    which points to a structpcap_pkthdr* and one of which points
    to a const u_char*. It sets the first pointer to point to a struct
    pcap_pkthdr structure with the time stamp and length values for the
    packet, and sets the second pointer to point to the first caplen
    bytes of the packet.
To force the loop in pcap_dispatch() or pcap_loop()
    to terminate, call pcap_breakloop().
By default, when reading packets from an interface opened for a
    live capture, pcap_dispatch(), pcap_next(), and
    pcap_next_ex() will, if no packets are currently available to be
    read, block waiting for packets to become available. On some, but not
    all, platforms, if a packet buffer timeout was specified, the wait will
    terminate after the packet buffer timeout expires; applications should be
    prepared for this, as it happens on some platforms, but should not rely on
    it, as it does not happen on other platforms. Note that the wait might, or
    might not, terminate even if no packets are available; applications should
    be prepared for this to happen, but must not rely on it happening.
A handle can be put into ``non-blocking mode'', so that those
    routines will, rather than blocking, return an indication that no packets
    are available to read. Call pcap_setnonblock() to put a handle into
    non-blocking mode or to take it out of non-blocking mode; call
    pcap_getnonblock() to determine whether a handle is in non-blocking
    mode. Note that non-blocking mode does not work correctly in Mac OS X
  10.6.
Non-blocking mode is often combined with routines such as
    select(2) or poll(2) or other routines a platform offers to
    wait for any of a set of descriptors to be ready to read. To obtain, for a
    handle, a descriptor that can be used in those routines, call
    pcap_get_selectable_fd(). Not all handles have such a descriptor
    available; pcap_get_selectable_fd() will return -1 if no such
    descriptor exists. In addition, for various reasons, one or more of those
    routines will not work properly with the descriptor; the documentation for
    pcap_get_selectable_fd() gives details. Note that, just as an attempt
    to read packets from a pcap_t may not return any packets if the
    packet buffer timeout expires, a select(), poll(), or other
    such call may, if the packet buffer timeout expires, indicate that a
    descriptor is ready to read even if there are no packets available to
  read.
  - Routines
  - pcap_dispatch(3)
- read a bufferful of packets from a pcap_t open for a live capture
      or the full set of packets from a pcap_t open for a
    ``savefile''
- pcap_loop(3)
- read packets from a pcap_t until an interrupt or error occurs
- pcap_next(3)
- read the next packet from a pcap_t without an indication whether an
      error occurred
- pcap_next_ex(3)
- read the next packet from a pcap_t with an error indication on an
      error
- pcap_breakloop(3)
- prematurely terminate the loop in pcap_dispatch() or
      pcap_loop()
- pcap_setnonblock(3)
- set or clear non-blocking mode on a pcap_t
- pcap_getnonblock(3)
- get the state of non-blocking mode for a pcap_t
- pcap_get_selectable_fd(3)
- attempt to get a descriptor for a pcap_t that can be used in calls
      such as select(2) and poll(2)