README
Capturing packets live into file using nodejs and libpcap
pcap-scribe
Installation
You will need libpcap
installed. Most OSX machines seem to have it. All major Linux distributions have it available
either by default or with a package like libpcap-dev
.
The easiest way to get pcap-scribe
and its tools is with npm
:
npm install pcap-scribe
If you want to hack on the source code, you can get it from github. Clone the repo like this:
git clone https://github.com/harrydevnull/pcap-scribe
To compile the native code bindings, do this:
cd pcap-scribe
npm install
Assuming it built without errors, you should be able to run the examples and then write your own packet capture programs.
Starting a capture session
To start a capture session, call pcap.PcapDumpSession
with an interface name and a pcap filter string:
var pcap = require("pcap-scribe");
pcap_dump = new pcap.PcapDumpSession(interface, filter,bufferSize,pcap file name ,false,Number of packets to be captured);
pcap_dump.on('pcap_write_complete_async',function(message){
console.log("done.....",message);
});
pcap_dump.on('pcap_write_error',function(message){
console.log("pcap_write_error.....",message);
});
pcap_dump.startAsyncCapture();
//eg: pcap_dump = new pcap.PcapDumpSession('en0', "ip proto \\tcp",10*1024*1024,"tmp95.pcap",false,5);
interface
is the name of the interface on which to capture packets. If passed an empty string, libpcap
will try to pick a "default" interface, which is often just the first one in some list and not what you want.
filter
is a pcap filter expression, see pcap-filter(7)
for more information. An empty string will capture
all packets visible on the interface.
Note that pcap-scribe
always opens the interface in promiscuous mode, which generally requires running as root.
PcapDumpSession
is an EventEmitter
that emits a packet
event. The only argument to the callback will be a
Buffer
object with the raw bytes returned by libpcap
.
It emits two more events pcap_write_complete_async
when the write to file is complete
and pcap_write_error
in case there is an error.