libpcap | LIBpcap interface to various kernel packet capture mechanism | Learning library

From TCPDUMP:

... libpcap, a portable C/C++ library for network traffic capture.

libpcap is a library, not a program.

There is a problem in scapy. It is described in the issue #3191:

Basic sniff capture using multiple interfaces.

When passing a list (or dict) of interfaces, Scapy raises an exception (see below).

[...]

Thanks for reporting the issue. That is indeed a regression!

They identified the commit and it seems specific of the version 2.4.5.

Try with the version 2.4.4. If you use pip you can try with:

Ok, after 3 days I think I managed to get things working and I'll summ up what I did.

In the end the gccgo path was a dead end, so instead of installing gccgo-mips-linux-gnu I installed gcc-mips-linux-gnu.

Next I set the CC environment variable to point to this:

libpcap does not keep track of the ordinal numbers of packets, so you'll have to maintain a packet count in your code.

The problem is with my version of libpcap. This package appears to be broken on libpcap 1.10 and 1.9.1. After installing libpcap 1.8 the package built fine.

This seems to be an issue in versions before 1.10.0. As of 1.10.0, issuing pcap_breakloop() will force the poll() call to end and cause pcap_dispatch to return with PCAP_ERROR_BREAK.

If using an older version, a quick solution is to call pcap_setnonblock() after pcap_activate() and then sleep between pcap_dispatch() calls for a set amount of milliseconds/seconds. This helps to not overload the looping of pcap_dispatch(). You can call pcap_dispatch() with "0" or however many packets desired in this case and they should be available the next time the dispatch is made. You can then either cancel the looping with pcap_breakloop() or your own mechanism.

Is it possible to use text2pcap in kernel module?

Not without putting it and the code it uses to write a pcap file (which isn't from libpcap, it's from a small library that's part of Wireshark, also used by dumpcap to write pcap and pcapng files) into the kernel.

How can I save an output as pcap file while being in kernel module?

You could write your own code to open a file and write to it in the kernel module; "Writing to a file from the Kernel" talks about that.

It also says

A "preferred" technique would be to pass the parameters in via IOCTLs and implement a read() function in your module. Then reading the dump from the module and writing into the file from userspace.

so you might want to consider that; the userspace code could just use libpcap to write the file.

libpcap will sometimes, depending upon the interface chosen, replace the layer 2 header (ethernet, in this case) with a Linux cooked header which does not have the same length as an ethernet header. You can check the datalink type of your pcap_t with the pcap_datalink function.

The idea is to convert the .mk to an appropriate code that qmake understands, for example in my case the .mk is: