0
votes

Since yesterday i'm learning how to use pcap to parse a pcap file.

And since yesterday i'm getting an error :

Here is my simple code, trying to write the fd in pcap_t structure:

#include <pcap/pcap.h>
#include <sys/types.h>
#include <pcap-bpf.h>
#include <stdio.h>

int             main() {
  char          errbuf[PCAP_ERRBUF_SIZE];
  pcap_t        *result;

  if ((result = pcap_open_offline("test.pcap", errbuf)) == NULL) {
    printf("%s\n", errbuf);
    return -1;
  }
  printf("fd=%d\n", result->fd);
  return 0;
}

and here is my error:

gcc -Wextra -Wall -Werror -I./includes   -c -o main.o main.c
main.c: In function ‘main’:
main.c:14:27: error: dereferencing pointer to incomplete type
   printf("fd=%d\n", result->fd);
                           ^
make: *** [main.o] Error 1

I saw this post: Pcap Incomplete Type

Where the guy is having almost the same problem as I have, but still, I can't find a solution, I included what pcap_open_offline needs, I also included pcap-bpf.h because I saw that pcap_t is using bpf_program.

The first answer is saying "The error is because the compiler cannot see the definition of the structure" but in my case the structure is pcap_t and is typedef in pcap.h, which i included.

I just don't get how to include correclty with pcap.

Also, I'm on Ubuntu, and i cannot find all my .h file about pcap. When I look on google, I only find .h from apple and windows, so I assume that i'm using the same as the apple one, but i'm not sure about that !

I'm reading this documentation to see structures fields : http://www.opensource.apple.com/source/libpcap/libpcap-18/libpcap/pcap.h http://www.opensource.apple.com/source/libpcap/libpcap-9/libpcap/pcap-int.h

But again, the apple.com is scaring me, i'm not sure that I should rely on that. For instance, pcap-int.h doesn't seem to exist in my system.

Thank you !

1

1 Answers

2
votes

For instance, pcap-int.h doesn't seem to exist in my system.

It's not supposed to. It's part of the pcap source code, but it's internal to libpcap, and the data structures it defines are subject to change from cap release to release, so you can't use them in a pcap program.

You rarely if ever need to the file descriptor associated with a pcap_t, but, in those rare cases where you do, you get it with the pcap_fileno() function:

printf("fd=%d\n", pcap_fileno(result));

However, when you open a capture file, using pcap_open_offline(), rather than opening a device for a live capture, there is no file descriptor associated with it, there's just a "standard I/O" FILE *. As the man page for pcap_fileno() says:

   If p refers to a ``savefile'' that was opened using functions  such  as
   pcap_open_offline()  or  pcap_fopen_offline(), a ``dead'' pcap_t opened
   using pcap_open_dead(), or a pcap_t that was created with pcap_create()
   but  that  has  not yet been activated with pcap_activate(), it returns
   -1.

so it should print "fd=-1" in your program.

The first answer is saying "The error is because the compiler cannot see the definition of the structure" but in my case the structure is pcap_t and is typedef in pcap.h, which i included.

It's typedefed as a structure in pcap.h, but that structure isn't fully defined in pcap.h. C allows a pointer to a structure that's not fully defined; this allows a library to provide a "handle" for a data structure that only the library itself can look at or modify. That's the case with the pcap_t structure; code outside libpcap should not look at it or modify it, it should make calls to libpcap routines to do that.

Also, I'm on Ubuntu, and i cannot find all my .h file about cap.

You probably need to install the "libpcap-dev" package. The "libpcap" package just installs enough libraries to allow programs already compiled with libpcap to run; the "libpcap-dev" package installs the header files to allow programs to be compiled with libpcap.

When I look on google, I only find .h from apple and windows

It doesn't find the GitHub repository for libpcap? That's surprising.

so I assume that i'm using the same as the apple one

Apple's libpcap is based on the one from the Tcpdump Group, which is the one on GitHub. The one in Ubuntu is also based on the one from the Tcpdump Group, as is WinPcap, which is the version for Windows.