pcap_dump 写 *.pcap文件数据

pcap_dump 写 *.pcap文件数据 


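/*
 * Capture "tcp port 80" traffic on eth1 and append every captured packet to
 * ./test.pcap until the capture flag is cleared or libpcap reports an error.
 *
 * Returns 0 after a clean shutdown and -1 when a setup step or a packet read
 * fails.
 *
 * Relies on sighdl, flg and be_printf, which are defined elsewhere in the file;
 * presumably sighdl clears flg on SIGINT -- confirm against its definition.
 */
int main(void)
{
    enum { SNAPLEN = 65535, READ_TIMEOUT_MS = 1000 };

    const char *filter_expr = "tcp port 80";
    char errMsg[256] = { 0 };
    struct bpf_program bpg = { 0 };
    pcap_dumper_t *dumper = NULL;
    pcap_t *dev = NULL;
    int rc = -1;

    signal(SIGINT, sighdl);

    /*
     * A zero read timeout may make pcap_next_ex() wait forever on some
     * platforms, so the loop below would never see flg change on a quiet
     * link. A finite timeout lets the loop re-check flg periodically.
     */
    dev = pcap_open_live("eth1", SNAPLEN, 1, READ_TIMEOUT_MS, errMsg);
    if (dev == NULL) {
        be_printf("pcap_open_live is failed = %s\n", errMsg);
        return -1;
    }

    /* Without these checks a bad filter would silently capture ALL traffic. */
    if (pcap_compile(dev, &bpg, filter_expr, 0, 0) != 0) {
        be_printf("pcap_compile is failed = %s\n", pcap_geterr(dev));
        goto out_close;
    }
    if (pcap_setfilter(dev, &bpg) != 0) {
        be_printf("pcap_setfilter is failed = %s\n", pcap_geterr(dev));
        pcap_freecode(&bpg);
        goto out_close;
    }
    /* The compiled program is no longer needed once the filter is installed. */
    pcap_freecode(&bpg);

    /*
     * The dump file holds full packet payloads (cleartext HTTP here), so it
     * should be treated as sensitive data: write it to a directory that only
     * the capturing user can read. pcap_dump_open() returns NULL on failure,
     * and passing NULL on to pcap_dump() would crash.
     */
    dumper = pcap_dump_open(dev, "./test.pcap");
    if (dumper == NULL) {
        be_printf("pcap_dump_open is failed = %s\n", pcap_geterr(dev));
        goto out_close;
    }

    rc = 0;
    while (flg != 0) {
        struct pcap_pkthdr *pkt = NULL;
        const u_char *data = NULL;
        int ret = pcap_next_ex(dev, &pkt, &data);

        if (ret == 0) {
            /* Read timeout with no packet: not an end-of-capture condition. */
            continue;
        }
        if (ret < 0) {
            /* -1 is a read error, -2 means the capture was broken out of. */
            if (ret == -1) {
                be_printf("pcap_next_ex is failed = %s\n", pcap_geterr(dev));
                rc = -1;
            }
            break;
        }
        if (pkt->caplen > 0) {
            /*
             * pcap_dump() takes its first argument as u_char * (it is shaped
             * like a pcap_handler callback), so the pcap_dumper_t * returned
             * by pcap_dump_open() has to be cast explicitly.
             */
            pcap_dump((u_char *)dumper, pkt, data);
        }
    }

    /* Closing the dumper flushes buffered packets to the file. */
    pcap_dump_close(dumper);
    be_printf("pcap_dump_close is OK\n");

out_close:
    pcap_close(dev);
    return rc;
}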
