Writing Security Tools and Exploits

The most commonly used open-source library for capturing packets from the network is the packet capture library ( libpcap). Originally developed at the Lawrence Berkeley Laboratory, it is currently maintained by the same loosely knit group of people who maintain tcpdump, the venerable command-line packet capture utility. Both libpcap and tcpdump are available online at www.tcpdump.org. A Windows version called WinPcap is available from http://winpcap.polito.it/.
libpcap saves captured packets to a file. The pcap file format is unique to libpcap, but because so many open-source applications use libpcap, a variety of applications use these pcap files. The routines provided in libpcap allow us to save packets that have been captured, and to read pcap files from disk to analyze the stored data.
When capturing packets, we first have to decide which network interface to capture from. If we have libpcap pick a default interface for us, it picks the first active, non-loopback interface. The pcap_lookupdev function picks the default interface.
When calling libpcap, pcap functions use the errbuf parameter, which is a character array of at least pcap_ errbuf_ size in length that is defined in the program's address space. The pcap_errbuf_size macro is defined in pcap.h, the file that provides the libpcap Application Program Interface (API). If an error occurs in the pcap function, a description of the error is put into errbuf