I'm looking at using pcap to get information about available network interfaces. Looking at the documentation for pcap_findalldevices shows a list of flags that describe each interface. The two I'm interested in aren't adequately explained, though:
PCAP_IF_UP: set if the device is up
PCAP_IF_RUNNING: set if the device is running
What's the difference between the two? When would PCAP_IF_UP be set without PCAP_IF_RUNNING, or vice versa?
The meaning of those is mostly defined by the operating system. The notion of "up" and "running" originally showed up in UN*X in the BSD networking stack; the 4.2BSD Networking Implementation Notes document says that
where by "the interface" they're referring to the device driver, not the hardware. They don't say much about
IFF_UPother than that it means that the "interface device is up", for some unspecified meaning of "up". "Up" vs. "down" is mainly a configuration setting; an interface can be configured "up" or "down".Most other UN*X networking stacks also have those flags.
On Windows, an attempt is made in libpcap to match that notion.
PCAP_IF_UPwould be set withoutPCAP_IF_RUNNINGif the interface has been configured "up" but hasn't yet been fully initialized to function.PCAP_IF_RUNNINGwon't be set if the interface isn't up.Those flags are mainly used inside libpcap to decide which interfaces to put at the beginning of the list of interfaces - "up and running" is ahead of just "up" is ahead of "not up", because capturing on an interface that's not "running" yet may either fail because it can't be opened or won't give you any packets until it's running, and capturing on an interface that's not "up" is even more likely to fail because it can't be opened and won't give you any packets.
I'll see if the documentation can be improved.