IPMonitor Class

Properties Methods Events Config Settings Errors

The IPMonitor class allows applications to monitor network packets on multiple platforms.

Syntax

IPMonitor

Remarks

IPMonitor is a lightweight class that allows applications to monitor network activity across multiple platforms, including Windows, Linux, and macOS. It utilizes the "libpcap" library and underlying network drivers to capture and report network packets in real-time. The class provides the ability to capture individual network packets for detailed analysis, or collect aggregated packet statistics for monitoring network performance.

Setup

Linux and macOS Before using the class, a libpcap-compatible network library must be installed on the system. For detailed installation instructions, please refer to the Network Filter Library section. This setup only needs to be done once. Also, permissions may need to be adjusted as described in the System Configuration in Linux and macOS instructions page to allow the application to capture packets.

Windows The class uses the NetFilter driver (can be found in the "drivers" directory of the PCAP Filter installation) and the helper libraries included in the "pcaplibs" directory of the installation. Please refer to the Driver-specific section for details on installing the driver to the system and to the User Mode Library page for information about deploying the helper libraries.

The driver must be installed via the NetFilter class and its Install method before the driver can be used by IPMonitor. The helper libraries (packet.dll and wpcap.dll) that match your platform must be placed next to the EXE file of your application or copied to the system directory.

Retrieving Network Adapters

The first step in using the class is to identify the name of the network adapter that will be monitored. To retrieve the list of network adapters available on the system, call the ListAdapters method. Once the method is called, the adapters will be accessible via the Adapters property.

// Retrieve the list of network adapters available on the system ipmonitor.ListAdapters(); // Display the available adapters foreach (Adapter adapter in ipmonitor.Adapters) { Console.WriteLine($"Adapter Name: {adapter.Name}"); Console.WriteLine($"Description: {adapter.Description}"); }

Packet Filters

Before starting to monitor a network adapter, filters can be applied to capture only the packets that match certain criteria.

The Direction property can be used to specify whether to capture incoming packets, outgoing packets, or both. In addition to directionality, the Filter property can be set to a pcap filter expression string that allows for filtering based on IP addresses, protocol types, ports, and more. For more information on supported filter expressions, please see the pcap-filter(7) man page. // Only capture incoming packets ipmonitor.Direction = callback.PCAPFilter.Constants.PACKET_DIRECTION_INCOMING; // Only capture TCP packets from IP 192.168.1.1 on port 80 ipmonitor.Filter = "src host 192.168.1.1 and tcp port 80";

Operation Modes

In addition to packet filters, the class supports multiple operation modes that determine what kind of packet information will be reported.

Capture Mode

Setting the OperationMode property to omCapture (0) will cause the class to capture individual network packets and report them through the Packet event. // Capture individual packet information ipmonitor.OperationMode = 0;

Statistical Mode

Setting the OperationMode property to omStat (1) will instead cause the class to collect aggregated packet statistics and report them through the Statistics event. // Report aggregated packet statistics ipmonitor.OperationMode = 1;

Monitoring an Adapter

After configuring the filters and operation mode, start monitoring the network adapter by calling the Activate method and specifying the adapter name.

// Get the name of the first adapter returned by ListAdapters() ipmonitor.ListAdapters(); string adapterToMonitor = ipmonitor.Adapters[0].Name; // Start monitoring the adapter ipmonitor.Activate(adapterToMonitor);

Retrieving Packet Information

Depending on the current OperationMode, packet information is retrieved differently. In both modes, the DoEvents method must be called to prompt the class to fire events and report packet information.

Capture Mode:

In capture mode, calling DoEvents will cause the class to process any packets captured by the class and fire the Packet for each one. ipmonitor.OnPacket += (s, e) => { // Print out information about each individual packet Console.WriteLine($"Packet captured at {e.TimeStamp}"); Console.WriteLine($"Packet Size: {e.PacketSize} bytes"); };

Statistical Mode:

In statistical mode, calling DoEvents will prompt the class to collect packet statistics and report them through the Statistics event. ipmonitor.OnStatistics += (s, e) => { // Print out packet statistics Console.WriteLine($"Statistics collected at {e.TimeStamp}"); Console.WriteLine($"Packets Captured: {e.CapturedPackets}"); Console.WriteLine($"Bytes Captured: {e.CapturedBytes}"); };

Capture Statistics

Regardless of the current OperationMode, cumulative statistics about the packets captured since monitoring began can be retrieved by calling the GetStatistics method.

long receivedPackets = 0; // The number of packets received since monitoring began
long droppedPackets = 0; // The number of packets dropped by the component since monitoring began
long adapterDroppedPackets = 0; // The number of packets dropped by the adapter since monitoring began

ipmonitor.GetStatistics(ref receivedPackets, ref droppedPackets, ref adapterDroppedPackets);

Console.WriteLine($"Packets Received: {receivedPackets}");
Console.WriteLine($"Packets Dropped: {droppedPackets}");
Console.WriteLine($"Packets Dropped by Adapter: {adapterDroppedPackets}");

Deactivating Monitoring

To stop monitoring the adapter and cease reporting packets, call the Deactivate method. ipmonitor.Deactivate();

Property List

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.


Active	Indicates whether the class is active and monitoring network traffic.
Adapters	A collection of network adapters available for monitoring.
Direction	Specifies the direction of packets to capture.
Filter	Specifies filter criteria used to determine which network packets are captured.
OperationMode	Specifies the mode of operation.
Tag	This property stores application-defined data specific to a particular instance of the class.

Method List

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.


Activate	Starts monitoring network traffic.
Config	Sets or retrieves a configuration setting.
Deactivate	Stops monitoring network traffic.
DoEvents	Processes events from the internal message queue.
GetStatistics	Retrieves the total number of packets received and dropped since monitoring began.
ListAdapters	Retrieves the network adapters available for monitoring.

Event List

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.


Error	This event fires if an unhandled error occurs during an event.
Packet	Fires when a network packet is captured.
Statistics	Fires to provide aggregated packet statistics.

Config Settings

The following is a list of config settings for the class with short descriptions. Click on the links for further details.


NetFilterGUID	A GUID of the NetFilter driver installation.
BuildInfo	Information about the product's build.
LicenseInfo	Information about the current license.

Active Property (IPMonitor Class)

Indicates whether the class is active and monitoring network traffic.

Syntax

ANSI (Cross Platform)
int GetActive();

Unicode (Windows)
BOOL GetActive();

int pcapfilter_ipmonitor_getactive(void* lpObj);

bool getActive();

Default Value

FALSE

Remarks

This property reflects whether the class is actively monitoring network traffic. It is automatically set to true after a successful call to Activate, and to false when monitoring is stopped with the Deactivate method.

This property is read-only and not available at design time.

Data Type

Boolean

Adapters Property (IPMonitor Class)

A collection of network adapters available for monitoring.

Syntax

PCAPFilterList<PCAPFilterAdapter>* GetAdapters();

int pcapfilter_ipmonitor_getadaptercount(void* lpObj);

int pcapfilter_ipmonitor_getadapterbuffersize(void* lpObj, int adapterindex);
int pcapfilter_ipmonitor_setadapterbuffersize(void* lpObj, int adapterindex, int iAdapterBufferSize);

int pcapfilter_ipmonitor_getadaptercollectstatistics(void* lpObj, int adapterindex);
int pcapfilter_ipmonitor_setadaptercollectstatistics(void* lpObj, int adapterindex, int bAdapterCollectStatistics);

char* pcapfilter_ipmonitor_getadapterdescription(void* lpObj, int adapterindex);

char* pcapfilter_ipmonitor_getadapterfriendlyname(void* lpObj, int adapterindex);

int pcapfilter_ipmonitor_getadapterid(void* lpObj, int adapterindex);

int pcapfilter_ipmonitor_getadapterinterfacetype(void* lpObj, int adapterindex);

char* pcapfilter_ipmonitor_getadaptermacaddress(void* lpObj, int adapterindex);

int pcapfilter_ipmonitor_getadaptermaxpacketbytes(void* lpObj, int adapterindex);
int pcapfilter_ipmonitor_setadaptermaxpacketbytes(void* lpObj, int adapterindex, int iAdapterMaxPacketBytes);

char* pcapfilter_ipmonitor_getadaptername(void* lpObj, int adapterindex);

int pcapfilter_ipmonitor_getadapterpackettimeout(void* lpObj, int adapterindex);
int pcapfilter_ipmonitor_setadapterpackettimeout(void* lpObj, int adapterindex, int iAdapterPacketTimeout);

int pcapfilter_ipmonitor_getadapterpromiscuousmode(void* lpObj, int adapterindex);
int pcapfilter_ipmonitor_setadapterpromiscuousmode(void* lpObj, int adapterindex, int bAdapterPromiscuousMode);

int pcapfilter_ipmonitor_getadapterwifimonitormode(void* lpObj, int adapterindex);
int pcapfilter_ipmonitor_setadapterwifimonitormode(void* lpObj, int adapterindex, int bAdapterWiFiMonitorMode);

int pcapfilter_ipmonitor_getadapterwifimonitormodesupported(void* lpObj, int adapterindex);

int getAdapterCount();

int getAdapterBufferSize(int iAdapterIndex);
int setAdapterBufferSize(int iAdapterIndex, int iAdapterBufferSize);

bool getAdapterCollectStatistics(int iAdapterIndex);
int setAdapterCollectStatistics(int iAdapterIndex, bool bAdapterCollectStatistics);

QString getAdapterDescription(int iAdapterIndex);

QString getAdapterFriendlyName(int iAdapterIndex);

int getAdapterId(int iAdapterIndex);

int getAdapterInterfaceType(int iAdapterIndex);

QString getAdapterMACAddress(int iAdapterIndex);

int getAdapterMaxPacketBytes(int iAdapterIndex);
int setAdapterMaxPacketBytes(int iAdapterIndex, int iAdapterMaxPacketBytes);

QString getAdapterName(int iAdapterIndex);

int getAdapterPacketTimeout(int iAdapterIndex);
int setAdapterPacketTimeout(int iAdapterIndex, int iAdapterPacketTimeout);

bool getAdapterPromiscuousMode(int iAdapterIndex);
int setAdapterPromiscuousMode(int iAdapterIndex, bool bAdapterPromiscuousMode);

bool getAdapterWiFiMonitorMode(int iAdapterIndex);
int setAdapterWiFiMonitorMode(int iAdapterIndex, bool bAdapterWiFiMonitorMode);

bool getAdapterWiFiMonitorModeSupported(int iAdapterIndex);

Remarks

This collection contains the list of network adapters available for monitoring. Calling ListAdapters will populate this collection.

This property can be used to access the name of a network adapter before calling Activate to start monitoring it.

Example: // Populate the 'Adapters' collection with the list of available network adapters ipmonitor.ListAdapters(); // Start monitoring the first adapter in the collection ipmonitor.Activate(ipmonitor.Adapters[0].Name);

This property is read-only and not available at design time.

Data Type

PCAPFilterAdapter

Direction Property (IPMonitor Class)

Specifies the direction of packets to capture.

Syntax

ANSI (Cross Platform)
int GetDirection();
int SetDirection(int iDirection);

Unicode (Windows)
INT GetDirection();
INT SetDirection(INT iDirection);

int pcapfilter_ipmonitor_getdirection(void* lpObj);
int pcapfilter_ipmonitor_setdirection(void* lpObj, int iDirection);

int getDirection();
int setDirection(int iDirection);

Default Value

Remarks

The property makes it possible to capture just outgoing or just incoming packets, working as a simple filter for the network packets. The property value can be one of the following:


PACKET_DIRECTION_OUTGOING	`0x00`	Outgoing packets are processed. In the events, indicates that the packet is outgoing.
PACKET_DIRECTION_INCOMING	`0x01`	Incoming packets are processed. In the events, indicates that the packet is incoming.
PACKET_DIRECTION_ANY	`0x02`	All packets are processed.

Data Type

Integer

Filter Property (IPMonitor Class)

Specifies filter criteria used to determine which network packets are captured.

Syntax

ANSI (Cross Platform)
char* GetFilter();
int SetFilter(const char* lpszFilter);

Unicode (Windows)
LPWSTR GetFilter();
INT SetFilter(LPCWSTR lpszFilter);

char* pcapfilter_ipmonitor_getfilter(void* lpObj);
int pcapfilter_ipmonitor_setfilter(void* lpObj, const char* lpszFilter);

QString getFilter();
int setFilter(QString qsFilter);

Default Value

Remarks

This property specifies a filter expression string that determines which network packets are captured and reported. For additional filtering, the Direction property can be used to limit packet capture to incoming or outgoing traffic.

This property can be set before or after calling Activate to start monitoring. In some platforms, changing the value of this property while monitoring is active may result in some packets being dropped or reported even if they do not match the new filter rules. For more details on platform-specific behavior, please see the pcap-filter(7) man page.

Filter Expression Syntax

The filter expression follows the syntax used by libpcap. A filter takes the form of a series of conditions that specify the criteria packets must meet to be captured. Expressions can be combined using conjunctions and, or, and optionally preceded by not.

[not] condition [and|or [not] condition ... ]

For more comprehensive information on filter expressions, please refer to the pcap-filter(7) documentation. Below is a simplified overview of common filter expressions:


`src\|dst host <host>`	Captures packets to or from the specified IP address or name.
`src host <host>`	Captures packets where the source is the specified host.
`dst host <host>`	Captures packets where the destination is the specified host.
`net <network>`	Captures packets to or from the specified network.
`src net <network>`	Captures packets where the source is in the specified network.
`dst net <network>`	Captures packets where the destination is in the specified network.
`port <port>`	Captures packets to or from the specified port.
`src port <port>`	Captures packets where the source port is the specified port.
`dst port <port>`	Captures packets where the destination port is the specified port.
`ether broadcast`	Captures all Ethernet broadcast packets.
`ether multicast`	Captures all Ethernet multicast packets.
`greater <length>`	Captures packets with a length greater than or equal to the specified length (in bytes).
`less <length>`	Captures packets with a length lesser than or equal to the specified length (in bytes).
`broadcast`	Captures all broadcast packets (Ethernet and IP).
`broadcast`	Captures all multicast packets (Ethernet and IP).
`<protocol>`	Captures all packets using the specified protocol.

Example (Simple): // Only capture packets to and from IP 192.168.1.1 ipmonitor.Filter = "host 192.168.1.1";

Example (Advanced): // Only capture TCP packets from IP 192.168.1.1 on port 80 ipmonitor.Filter = "src host 192.168.1.1 and tcp port 80";

Data Type

String

OperationMode Property (IPMonitor Class)

Specifies the mode of operation.

Syntax

ANSI (Cross Platform)
int GetOperationMode();
int SetOperationMode(int iOperationMode);

Unicode (Windows)
INT GetOperationMode();
INT SetOperationMode(INT iOperationMode);

Possible Values

OM_CAPTURE(0), 
OM_STAT(1)

int pcapfilter_ipmonitor_getoperationmode(void* lpObj);
int pcapfilter_ipmonitor_setoperationmode(void* lpObj, int iOperationMode);

int getOperationMode();
int setOperationMode(int iOperationMode);

Default Value

Remarks

This property determines the type of packet information to report when DoEvents is called. The property value can be one of the following:


`omCapture (0)` (default)	Regular cached reading and writing are performed. Individual packets are reported through the Packet event. Only those packets that match the filter criteria specified in the Filter and Direction properties will trigger the event.
`omStat (1)`	The class does not report individual packets. Instead, it will collect packet statistics and provide aggregated packet data via the Statistics event.

Data Type

Integer

Tag Property (IPMonitor Class)

This property stores application-defined data specific to a particular instance of the class.

Syntax

ANSI (Cross Platform)
int64 GetTag();
int SetTag(int64 lTag);

Unicode (Windows)
LONG64 GetTag();
INT SetTag(LONG64 lTag);

int64 pcapfilter_ipmonitor_gettag(void* lpObj);
int pcapfilter_ipmonitor_settag(void* lpObj, int64 lTag);

qint64 getTag();
int setTag(qint64 lTag);

Default Value

Remarks

This property can be used to store data specific to a particular instance of the class.

Data Type

Long64

Activate Method (IPMonitor Class)

Starts monitoring network traffic.

Syntax

ANSI (Cross Platform)
int Activate(const char* lpszAdapter);

Unicode (Windows)
INT Activate(LPCWSTR lpszAdapter);

int pcapfilter_ipmonitor_activate(void* lpObj, const char* lpszAdapter);

int activate(const QString& qsAdapter);

Remarks

This method enables monitoring network packets on a specified network adapter. To disable monitoring, call Deactivate instead.

When this method is called, the class will begin monitoring the specified adapter for network activity. Packets will be captured and reported differently depending on the value of the OperationMode property. Once monitoring is active, the Active property will be automatically set to true.

Adapter specifies the name of the network adapter to monitor. The list of available adapters can be obtained via the ListAdapters method.

Packet Reporting

When Active is set to true, the class will report packet information based on the value of the OperationMode property.

Error Handling (C++)

This method returns a result code; 0 indicates success, while a non-zero error code indicates that this method encountered an error during its execution. If an error occurs, the GetLastError() method can be called to retrieve the associated error message. (Note: This method's result code can also be obtained by calling the GetLastErrorCode() method after it returns.)

Config Method (IPMonitor Class)

Sets or retrieves a configuration setting.

Syntax

ANSI (Cross Platform)
char* Config(const char* lpszConfigurationString);

Unicode (Windows)
LPWSTR Config(LPCWSTR lpszConfigurationString);

char* pcapfilter_ipmonitor_config(void* lpObj, const char* lpszConfigurationString);

QString config(const QString& qsConfigurationString);

Remarks

Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

Error Handling (C++)

This method returns a String value; after it returns, call the GetLastErrorCode() method to obtain its result code; 0 indicates success, while a non-zero error code indicates that this method encountered an error during its execution. If an error occurs, the GetLastError() method can be called to retrieve the associated error message.

Deactivate Method (IPMonitor Class)

Stops monitoring network traffic.

Syntax

ANSI (Cross Platform)
int Deactivate();

Unicode (Windows)
INT Deactivate();

int pcapfilter_ipmonitor_deactivate(void* lpObj);

int deactivate();

Remarks

This method stops monitoring network traffic. Once called, the class will cease capturing packets and the Active property will be automatically set to false.

Error Handling (C++)

DoEvents Method (IPMonitor Class)

Processes events from the internal message queue.

Syntax

ANSI (Cross Platform)
int DoEvents();

Unicode (Windows)
INT DoEvents();

int pcapfilter_ipmonitor_doevents(void* lpObj);

int doEvents();

Remarks

This method processes events from the internal message queue and fires the corresponding events based on the current OperationMode. It should be called periodically to prompt the class to fire events and report packet information.

Capture Modes

This method behaves differently depending on the value of the OperationMode property.

When OperationMode is set to omCapture (0), calling this method while monitoring is active will prompt the class to process any packets captured since the last call and fire the Packet event for each one. If there are no new packets to report, the method will wait for a duration specified by the PacketTimeout field of the Adapter that is being monitored before returning.

If OperationMode is set to omStat (1), calling this method will instead tell the class to collect packet statistics since the last call and fire the Statistics event with the aggregated data.

Error Handling (C++)

GetStatistics Method (IPMonitor Class)

Retrieves the total number of packets received and dropped since monitoring began.

Syntax

ANSI (Cross Platform)
int GetStatistics(int64* lReceived, int64* lDropped, int64* lAdapterDropped);

Unicode (Windows)
INT GetStatistics(LONG64*  lReceived, LONG64*  lDropped, LONG64*  lAdapterDropped);

int pcapfilter_ipmonitor_getstatistics(void* lpObj, int64* lReceived, int64* lDropped, int64* lAdapterDropped);

int getStatistics(qint64* lReceived, qint64* lDropped, qint64* lAdapterDropped);

Remarks

This method provides capture statistics about the packets monitored by the class and the underlying driver since Activate was called to start monitoring.

The Received parameter provides the number of packets received since monitoring began.

The Dropped parameter provides the number of packets that were dropped since monitoring began. Packets may be dropped if the value of the BufferSize field of the Adapter that is being monitored is too small to keep all of the data, or because DoEvents was called too infrequently.

The AdapterDropped parameter provides the full number of packets that were dropped by the network adapter since monitoring began.

Platform Differences

This method is platform-dependent. It uses the underlying pcap_stats() function from the libpcap library to retrieve packet statistics, which may cause the values provided in the Received, Dropped, and AdapterDropped parameters to differ depending on the platform.

Received: On some platforms, this count may include all packets, regardless of whether they matched the filter criteria set using Filter.
Dropped: This value may not be available on all platforms.
AdapterDropped: This count might not be implemented on some platforms. If its value is 0, it could indicate either no drops or that the statistic is unavailable.

For more information regarding platform differences, please see the pcap_stats() documentation.

Error Handling (C++)

ListAdapters Method (IPMonitor Class)

Retrieves the network adapters available for monitoring.

Syntax

ANSI (Cross Platform)
int ListAdapters();

Unicode (Windows)
INT ListAdapters();

int pcapfilter_ipmonitor_listadapters(void* lpObj);

int listAdapters();

Remarks

This method populates the Adapters collection with a list of network adapters available for monitoring. Each adapter in the collection includes a name and description provided by the network driver.

This method can be used to obtain the name of a network adapter before calling Activate to start monitoring it.

Error Handling (C++)

Error Event (IPMonitor Class)

This event fires if an unhandled error occurs during an event.

Syntax

ANSI (Cross Platform)
virtual int FireError(IPMonitorErrorEventParams *e);

typedef struct {
  int ErrorCode;
  const char *Description;
  int reserved;
} IPMonitorErrorEventParams;


Unicode (Windows)
virtual INT FireError(IPMonitorErrorEventParams *e);

typedef struct {
  INT ErrorCode;
  LPCWSTR Description;
  INT reserved;
} IPMonitorErrorEventParams;

#define EID_IPMONITOR_ERROR 1

virtual INT PCAPFILTER_CALL FireError(INT &iErrorCode, LPSTR &lpszDescription);

class IPMonitorErrorEventParams {
public:
  int errorCode();

  const QString &description();

  int eventRetVal();
  void setEventRetVal(int iRetVal);
};

// To handle, subclass IPMonitor and override this emitter function.
virtual int fireError(IPMonitorErrorEventParams *e) {...}

Remarks

This event fires if an unhandled error occurs during another event. Developers can use this information to track down unhandled errors in an application's event handlers.

Packet Event (IPMonitor Class)

Fires when a network packet is captured.

Syntax

ANSI (Cross Platform)
virtual int FirePacket(IPMonitorPacketEventParams *e);

typedef struct {
  int64 TimeStamp;
  int PacketSize;
  const void *Data;
  int DataSize;
  int reserved;
} IPMonitorPacketEventParams;


Unicode (Windows)
virtual INT FirePacket(IPMonitorPacketEventParams *e);

typedef struct {
  LONG64 TimeStamp;
  INT PacketSize;
  LPCVOID Data;
  INT DataSize;
  INT reserved;
} IPMonitorPacketEventParams;

#define EID_IPMONITOR_PACKET 2

virtual INT PCAPFILTER_CALL FirePacket(LONG64 &lTimeStamp, INT &iPacketSize, LPVOID &lpData, INT &iDataSize);

class IPMonitorPacketEventParams {
public:
  const QDateTime &timeStamp();

  int packetSize();

  const void *data();

  int dataSize();

  int eventRetVal();
  void setEventRetVal(int iRetVal);
};

// To handle, subclass IPMonitor and override this emitter function.
virtual int firePacket(IPMonitorPacketEventParams *e) {...}

Remarks

This event fires for each packet received from the monitored network adapter. The event will only fire if OperationMode is set to omCapture (0) and the captured packet matches the filter criteria specified in Filter and Direction. Packets are reported in the order they are received from the network adapter.

The Timestamp parameter contains the time when the packet was received by the network adapter.

The PacketSize parameter contains the total size of the packet as received by the network adapter. This represents the full byte size of the packet, which may be larger than the amount of data captured in the Data parameter.

The Data parameter contains the packet data that was captured. The amount of data captured is controlled by the MaxPacketBytes field of the Adapter that is being monitored.

The DataSize parameter provides the size of the data contained in the Data parameter. This value represents how much of the packet data was actually captured and made available.

Packet Reporting

When Active is set to true, the class will report packet information based on the value of the OperationMode property.

Statistics Event (IPMonitor Class)

Fires to provide aggregated packet statistics.

Syntax

ANSI (Cross Platform)
virtual int FireStatistics(IPMonitorStatisticsEventParams *e);

typedef struct {
  int64 TimeStamp;
  int64 CapturedPackets;
  int64 CapturedBytes;
  int reserved;
} IPMonitorStatisticsEventParams;


Unicode (Windows)
virtual INT FireStatistics(IPMonitorStatisticsEventParams *e);

typedef struct {
  LONG64 TimeStamp;
  LONG64 CapturedPackets;
  LONG64 CapturedBytes;
  INT reserved;
} IPMonitorStatisticsEventParams;

#define EID_IPMONITOR_STATISTICS 3

virtual INT PCAPFILTER_CALL FireStatistics(LONG64 &lTimeStamp, LONG64 &lCapturedPackets, LONG64 &lCapturedBytes);

class IPMonitorStatisticsEventParams {
public:
  const QDateTime &timeStamp();

  qint64 capturedPackets();

  qint64 capturedBytes();

  int eventRetVal();
  void setEventRetVal(int iRetVal);
};

// To handle, subclass IPMonitor and override this emitter function.
virtual int fireStatistics(IPMonitorStatisticsEventParams *e) {...}

Remarks

This event fires to provide aggregated packet statistics collected from the network adapter. The event will only fire if OperationMode is set to omStat (1). Calling DoEvents while monitoring is active will prompt the class to report packet statistics and fire this event.

The TimeStamp parameter contains the time when the packet statistics were collected.

The CapturedPackets parameter contains the number of packets captured since the last time the event was fired.

The CapturedBytes parameter contains the total byte size of the packets captured since the last time the event was fired.

Packet Reporting

When Active is set to true, the class will report packet information based on the value of the OperationMode property.

Adapter Type

Represents a network adapter in the system.

Syntax

PCAPFilterAdapter (declared in pcapfilter.h)

Remarks

Each item of this type represents a network adapter available in the system that can be used for monitoring.

The following fields are available:

BufferSize
CollectStatistics
Description
FriendlyName
Id
InterfaceType
MACAddress
MaxPacketBytes
Name
PacketTimeout
PromiscuousMode
WiFiMonitorMode
WiFiMonitorModeSupported

Fields

BufferSize
int
Default Value: 1024

Specifies the size of the kernel-level buffer associated with a capture, expressed in KB (kilobytes).

This field is used only by the IPMonitor class when it is using a third-party capture driver and is ignored by NetFilter driver, which manages memory dynamically.

The default value of 0 tells libpcap to use the default value hard-coded in it. In Windows, this is 1 000 000 bytes (approx.1 megabyte); in Linux, this is 2MB.

The field corresponds to the pcap_set_buffer_size() function.

This value can be changed only when the class is not activated (the Active property is false).

CollectStatistics
int
Default Value: TRUE

Specifies whether the class should report statistics for this adapter when the class is operating in the omStat OperationMode.

Description
char* (read-only)
Default Value: ""

The description of the network adapter.

FriendlyName
char* (read-only)
Default Value: ""

The human-readable name of the adapter, which may be modified by a user using Windows functionality.

Id
int (read-only)
Default Value: 0

Contains the Id of the adapter.

Each network adapter in the system has an Id that is used in all operations of NetFilter where an adapter is referenced by the class or must be specified by an application.

InterfaceType
int (read-only)
Default Value: 0

Contains the type of the adapter interface.

This field specifies the type of the network with which the adapter works. The available values are defined by IANA.

MACAddress
char* (read-only)
Default Value: ""

The MAC address of the adapter.

This field contains the MAC address of the adapter, if such an address exists (only some adapter types have MAC addresses).

The value may be absent or contains a MAC address in HEX-encoded form where bytes are ordered in the transmission order with each byte's HEX characters separated by a hyphen ("-").

MaxPacketBytes
int
Default Value: 262144

Defines the maximum number of bytes of a packet to pass in events.

The default value of 0 tells libpcap to set the maximum length to 262 144 bytes.

The field corresponds to the pcap_set_snaplen() function.

This value can be changed only when the class is not activated (the Active property is false).

Name
char* (read-only)
Default Value: ""

The name of the adapter. This value can be passed into the Activate method to start monitoring the adapter in IPMonitor or as a parameter to the AddFilterRule method when adding filtration rules in NetFilter.

PacketTimeout
int
Default Value: 1000

Specifies the packet buffer timeout, expressed in milliseconds, which tell the driver how long it may wait before replying with no packets, when packets are not available.

This field is used only by the IPMonitor class when it is using a third-party capture driver and is ignored by NetFilter driver, which works in the so-called "immediate mode" in libpcap terms.

The value must be specified in milliseconds. The behavior if a zero or a negative value is set is not defined by libpcap, thus, it is recommended to always set the value to a positive number. The default value is 1000 ms (one second).

For the detailed description of a packet buffer timeout, please refer to libpcap documentation.

This value can be changed only when the class is not activated (the Active property is false).

PromiscuousMode
int
Default Value: FALSE

Enables or disables the promiscuous mode on the adapter, telling the adapter to capture or skippackets that pass by, i.e., which do not originate in the given adapter and do not have it as a destination.

For the detailed description of the promiscuous mode, please refer to libpcap documentation.

In the IPMonitor class, the field corresponds to the pcap_set_promisc() function.

This value can be changed only when the class is not activated (the Active property is false).

WiFiMonitorMode
int
Default Value: FALSE

Enables or disables the WiFi monitoring mode on the adapter.

This functionality is provided by adapters, not by the driver itself, and not all WiFi adapters support this mode. Check the WiFiMonitorModeSupported field before enabling the WiFi monitoring mode.

For the detailed description of the WiFi monitoring mode, please refer to libpcap documentation, where it is described under the "monitor mode" title.

In the IPMonitor class, the field corresponds to the pcap_set_rfmon() function.

This value can be changed only when the class is not activated (the Active property is false).

WiFiMonitorModeSupported
int (read-only)
Default Value: FALSE

Indicates whether the WiFi monitoring mode is supported by the adapter. Check this value before trying to enable the WiFi monitor mode.

This functionality is provided by adapters, not by the driver itself, and not all WiFi adapters support this mode.

For the detailed description of the WiFi monitoring mode, please refer to libpcap documentation, where it is described under the "monitor mode" title.

PCAPFilterList Type

Syntax

PCAPFilterList<T> (declared in pcapfilter.h)

Remarks

PCAPFilterList is a generic class that is used to hold a collection of objects of type T, where T is one of the custom types supported by the IPMonitor class.

Methods

GetCount	This method returns the current size of the collection. int GetCount() {}
SetCount	This method sets the size of the collection. This method returns `0` if setting the size was successful; or `-1` if the collection is `ReadOnly`. When adding additional objects to a collection call this method to specify the new size. Increasing the size of the collection preserves existing objects in the collection. int SetCount(int count) {}
Get	This method gets the item at the specified position. The `index` parameter specifies the index of the item in the collection. This method returns `NULL` if an invalid `index` is specified. T* Get(int index) {}
Set	This method sets the item at the specified position. The `index` parameter specifies the index of the item in the collection that is being set. This method returns `-1` if an invalid `index` is specified. Note: Objects created using the `new` operator must be freed using the `delete` operator; they will not be automatically freed by the class. T* Set(int index, T* value) {}

Config Settings (IPMonitor Class)

The class accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

IPMonitor Config Settings

NetFilterGUID: A GUID of the NetFilter driver installation.

When the class uses the NetFilter driver for Windows that comes with PCAP Filter, the application must set this Windows-only configuration setting to the same GUID that was used during the installation of the driver.

Before the driver can be used, it must be installed to the system using the Install method.

On platforms other than Windows, this setting is not used.

Base Config Settings

BuildInfo: Information about the product's build.

When queried, this setting will return a string containing information about the product's build.

LicenseInfo: Information about the current license.

When queried, this setting will return a string containing information about the license this instance of a class is using. It will return the following information:

Product: The product the license is for.
Product Key: The key the license was generated from.
License Source: Where the license was found (e.g., RuntimeLicense, License File).
License Type: The type of license installed (e.g., Royalty Free, Single Server).

Trappable Errors (IPMonitor Class)

Error Handling (C++)

Call the GetLastErrorCode() method to obtain the last called method's result code; 0 indicates success, while a non-zero error code indicates that this method encountered an error during its execution. Known error codes are listed below. If an error occurs, the GetLastError() method can be called to retrieve the associated error message.