On Mar 18, 2010, at 8:20 AM, Eloy Paris wrote: > "pcap_create() and pcap_activate() were not available in versions of > libpcap prior to 1.0; if you are writing an application that must work on > versions of libpcap prior to 1.0, either use pcap_open_live() to get a handle > for a live capture or, if you want to be able to use the additional > capabilities offered by using pcap_create() and pcap_activate(), use an > autoconf(1) script or some other configuration script to check whether the > libpcap 1.0 APIs are available and use them only if they are."
That pretty much sums it up. If you want to be able to control open-time-only properties *not* supported by pcap_open_live(), such as monitor mode and capture buffer size (for *some* packet capture mechanism the buffer size could be set after the device is opened, but BPF is not such a mechanism, so we needed something that could set it before the open finishes), you would have to use pcap_create() and pcap_activate(). > Guess that's what happens when you read the documentation once and never go > back to it after new library versions are released. Note that the man pages were reorganized for libpcap 1.0.0 - instead of a single big pcap(3) man page that documents everything, there's a pcap(3PCAP) man page that discusses libpcap as a whole, and individual man pages for particular routines. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.