Top Related Projects
Nmap Project's Windows packet capture and transmission library
Provides packet processing capabilities for Go
Scapy: the Python-based interactive packet manipulation program & library.
High-speed packet processing framework
Read-only mirror of Wireshark's Git repository at https://gitlab.com/wireshark/wireshark. ⚠️ GitHub won't let us disable pull requests. ⚠️ THEY WILL BE IGNORED HERE ⚠️ Upload them at GitLab instead.
High-level, multiplatform C++ network packet sniffing and crafting library.
Quick Overview
Libpcap is a portable C/C++ library for network traffic capture. It provides a high-level interface to capture packets from network interfaces and is widely used in network analysis tools, intrusion detection systems, and packet sniffers. Libpcap is the core library behind the popular tcpdump utility.
Pros
- Cross-platform compatibility (works on Unix-like systems, Windows, and macOS)
- High-performance packet capture with minimal overhead
- Extensive filtering capabilities using Berkeley Packet Filter (BPF) syntax
- Supports both live capture and offline packet analysis from saved files
Cons
- Limited to raw packet capture, requiring additional processing for higher-level protocol analysis
- Can require root/administrator privileges for live packet capture on some systems
- Learning curve for effective use of BPF filters
- May not capture all packets under high network load conditions
Code Examples
- Opening a network interface for capture:
#include <pcap.h>
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *handle = pcap_open_live("eth0", BUFSIZ, 1, 1000, errbuf);
if (handle == NULL) {
fprintf(stderr, "Couldn't open device eth0: %s\n", errbuf);
return 2;
}
- Setting a BPF filter:
struct bpf_program fp;
char filter_exp[] = "port 80";
bpf_u_int32 net;
if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
return 2;
}
if (pcap_setfilter(handle, &fp) == -1) {
fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
return 2;
}
- Capturing and processing packets:
void packet_handler(u_char *user_data, const struct pcap_pkthdr *pkthdr, const u_char *packet) {
printf("Packet capture length: %d\n", pkthdr->caplen);
printf("Packet total length: %d\n", pkthdr->len);
}
pcap_loop(handle, -1, packet_handler, NULL);
Getting Started
To use libpcap in your project:
-
Install libpcap development files:
- On Ubuntu/Debian:
sudo apt-get install libpcap-dev - On macOS with Homebrew:
brew install libpcap
- On Ubuntu/Debian:
-
Include the header in your C/C++ file:
#include <pcap.h> -
Compile your program with libpcap:
gcc -o your_program your_program.c -lpcap -
Run your program with appropriate permissions (may require sudo/root).
Competitor Comparisons
Nmap Project's Windows packet capture and transmission library
Pros of Npcap
- Windows-specific, offering better performance and compatibility on Windows systems
- Includes additional features like raw 802.11 packet capture and injection
- Actively maintained with frequent updates and improvements
Cons of Npcap
- Limited to Windows platforms, lacking cross-platform support
- May require additional setup and configuration compared to libpcap
- Potential licensing restrictions for commercial use
Code Comparison
Npcap
pcap_t *handle = pcap_create("\\Device\\NPF_{GUID}", errbuf);
pcap_set_snaplen(handle, 65536);
pcap_set_promisc(handle, 1);
pcap_set_timeout(handle, 1000);
pcap_activate(handle);
libpcap
pcap_t *handle = pcap_open_live("eth0", BUFSIZ, 1, 1000, errbuf);
if (handle == NULL) {
fprintf(stderr, "Couldn't open device: %s\n", errbuf);
return 2;
}
Both libraries use similar function calls for creating and configuring packet capture handles. However, Npcap's approach allows for more granular control over capture settings, while libpcap's pcap_open_live function combines multiple steps into a single call.
Provides packet processing capabilities for Go
Pros of gopacket
- Written in Go, offering better performance and concurrency support
- More extensive packet processing capabilities, including assembly and decoding
- Active development with frequent updates and contributions
Cons of gopacket
- Less mature and battle-tested compared to libpcap
- May have a steeper learning curve for developers new to Go
- Limited cross-platform support compared to libpcap
Code Comparison
libpcap (C):
#include <pcap.h>
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE];
handle = pcap_open_live("eth0", BUFSIZ, 1, 1000, errbuf);
gopacket (Go):
import (
"github.com/google/gopacket"
"github.com/google/gopacket/pcap"
)
handle, err := pcap.OpenLive("eth0", 1600, true, pcap.BlockForever)
Both libraries provide similar functionality for capturing network packets, but gopacket offers a more modern and feature-rich approach with its Go implementation. While libpcap is a well-established and widely-used library, gopacket provides additional capabilities for packet processing and analysis. The choice between the two depends on the specific requirements of the project, the preferred programming language, and the need for advanced packet manipulation features.
Scapy: the Python-based interactive packet manipulation program & library.
Pros of Scapy
- High-level Python library for packet manipulation and network scanning
- Extensive protocol support and easy packet crafting
- Interactive and scriptable, suitable for rapid prototyping
Cons of Scapy
- Slower performance compared to libpcap for large-scale packet capture
- Limited low-level control over network interfaces
- Requires Python runtime, which may not be suitable for all environments
Code Comparison
Scapy (Python):
from scapy.all import *
packet = IP(dst="8.8.8.8")/ICMP()
send(packet)
libpcap (C):
#include <pcap.h>
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *handle = pcap_open_live("eth0", BUFSIZ, 1, 1000, errbuf);
pcap_sendpacket(handle, packet, sizeof(packet));
Summary
Scapy is a high-level Python library ideal for rapid prototyping and complex packet manipulation, while libpcap is a low-level C library offering better performance for large-scale packet capture and processing. Scapy provides easier packet crafting and protocol support, but libpcap offers more fine-grained control over network interfaces and better performance for intensive packet capture tasks.
High-speed packet processing framework
Pros of PF_RING
- Higher performance packet capture and processing
- Zero-copy packet handling for reduced CPU usage
- Supports kernel-level packet filtering for improved efficiency
Cons of PF_RING
- Less portable than libpcap, primarily focused on Linux systems
- Steeper learning curve and more complex implementation
- Requires kernel module installation, which may not be suitable for all environments
Code Comparison
PF_RING example:
pfring *ring;
ring = pfring_open("eth0", 1500, PF_RING_PROMISC);
pfring_enable_ring(ring);
pfring_recv(ring, &buffer_p, 0, &hdr, 0);
libpcap example:
pcap_t *handle;
handle = pcap_open_live("eth0", BUFSIZ, 1, 1000, errbuf);
pcap_loop(handle, 0, packet_handler, NULL);
PF_RING offers more direct control over packet capture, while libpcap provides a simpler, more abstracted interface. PF_RING's approach can lead to better performance but requires more detailed configuration. libpcap's interface is more straightforward and portable across different operating systems.
Read-only mirror of Wireshark's Git repository at https://gitlab.com/wireshark/wireshark. ⚠️ GitHub won't let us disable pull requests. ⚠️ THEY WILL BE IGNORED HERE ⚠️ Upload them at GitLab instead.
Pros of Wireshark
- Comprehensive GUI for packet analysis and visualization
- Extensive protocol support and decoding capabilities
- Active community and frequent updates
Cons of Wireshark
- Larger codebase and more complex to contribute to
- Higher resource consumption due to GUI and extensive features
- Steeper learning curve for new users
Code Comparison
libpcap (basic packet capture):
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE];
handle = pcap_open_live("eth0", BUFSIZ, 1, 1000, errbuf);
pcap_loop(handle, -1, packet_handler, NULL);
pcap_close(handle);
Wireshark (using libpcap for capture, with additional processing):
capture_session_init(&cap_session, &cfile);
capture_opts_init(&capture_opts);
capture_opts.ifaces = g_array_new(FALSE, FALSE, sizeof(interface_options));
capture_opts_add_iface(&capture_opts, "eth0");
capture_start(&cap_session);
Both projects utilize libpcap for packet capture, but Wireshark builds upon it with additional processing, decoding, and visualization capabilities. Wireshark offers a more user-friendly interface and extensive features, while libpcap provides a lightweight, focused library for packet capture that can be easily integrated into other projects.
High-level, multiplatform C++ network packet sniffing and crafting library.
Pros of libtins
- Higher-level abstraction for packet crafting and analysis
- More user-friendly API with C++11 features
- Built-in support for various protocols and packet types
Cons of libtins
- Less mature and widely adopted compared to libpcap
- May have a steeper learning curve for those familiar with libpcap
- Potentially slower performance due to higher-level abstractions
Code Comparison
libpcap:
pcap_t *handle;
struct pcap_pkthdr header;
const u_char *packet;
handle = pcap_open_live("eth0", BUFSIZ, 1, 1000, errbuf);
packet = pcap_next(handle, &header);
libtins:
#include <tins/tins.h>
Tins::SnifferConfiguration config;
config.set_promisc_mode(true);
Tins::Sniffer sniffer("eth0", config);
Tins::PDU *pdu = sniffer.next_packet();
Both libraries provide packet capture capabilities, but libtins offers a more modern C++ interface with built-in protocol support. libpcap is more low-level and widely used, while libtins provides higher-level abstractions at the cost of potential performance overhead.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
LIBPCAP 1.x.y by The Tcpdump Group
To report a security issue please send an e-mail to security@tcpdump.org.
To report bugs and other problems, contribute patches, request a feature, provide generic feedback etc please see the guidelines for contributing.
The documentation directory has README files about specific operating systems and options.
Anonymous Git is available via:
https://github.com/the-tcpdump-group/libpcap.git
This directory contains source code for libpcap, a system-independent interface for user-level packet capture. libpcap provides a portable framework for low-level network monitoring. Applications include network statistics collection, security monitoring, network debugging, etc. Since almost every system vendor provides a different interface for packet capture, and since we've developed several tools that require this functionality, we've created this system-independent API to ease in porting and to alleviate the need for several system-dependent packet capture modules in each application.
formerly from Lawrence Berkeley National Laboratory
Network Research Group <libpcap@ee.lbl.gov>
ftp://ftp.ee.lbl.gov/old/libpcap-0.4a7.tar.Z
Support for particular platforms and BPF
For some platforms there are README.{system} files that discuss issues
with the OS's interface for packet capture on those platforms, such as
how to enable support for that interface in the OS, if it's not built in
by default.
The libpcap interface supports a filtering mechanism based on the architecture in the BSD packet filter. BPF is described in the 1993 Winter Usenix paper ``The BSD Packet Filter: A New Architecture for User-level Packet Capture'' (compressed PostScript, gzipped PostScript, PDF).
Although most packet capture interfaces support in-kernel filtering, libpcap utilizes in-kernel filtering only for the BPF interface. On systems that don't have BPF, all packets are read into user-space and the BPF filters are evaluated in the libpcap library, incurring added overhead (especially, for selective filters). Ideally, libpcap would translate BPF filters into a filter program that is compatible with the underlying kernel subsystem, but this is not yet implemented.
BPF is standard in NetBSD, FreeBSD, OpenBSD, DragonFly BSD, macOS, and Solaris 11; an older, modified and undocumented version is standard in AIX.
Linux has a number of BPF based systems, and libpcap does not support any of the eBPF mechanisms as yet, although it supports many of the memory mapped receive mechanisms. See the Linux-specific README for more information.
Note to Linux distributions and *BSD systems that include libpcap:
There's now a rule to make a shared library, which should work on Linux and *BSD, among other platforms.
It sets the soname of the library to libpcap.so.1; this is what it
should be, NOT libpcap.so.1.x or libpcap.so.1.x.y or something such as
that.
We've been maintaining binary compatibility between libpcap releases for quite a while; there's no reason to tie a binary linked with libpcap to a particular release of libpcap.
Top Related Projects
Nmap Project's Windows packet capture and transmission library
Provides packet processing capabilities for Go
Scapy: the Python-based interactive packet manipulation program & library.
High-speed packet processing framework
Read-only mirror of Wireshark's Git repository at https://gitlab.com/wireshark/wireshark. ⚠️ GitHub won't let us disable pull requests. ⚠️ THEY WILL BE IGNORED HERE ⚠️ Upload them at GitLab instead.
High-level, multiplatform C++ network packet sniffing and crafting library.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot