Don’t get lost in the bpf filter syntax. Start with "arp" or "icmp" . Ping your own machine. Watch the reply appear in your callback. That’s the moment you stop trusting the network and start seeing it.
Compile with -lpcap (Linux/Mingw) or link wpcap.lib (MSVC). Run as admin.
pcap_t *handle = pcap_open_live("\\Device\\NPF_{GUID}", 65536, 1, 1000, errbuf); pcap_compile(handle, &fp, "tcp", 0, PCAP_NETMASK_UNKNOWN); pcap_setfilter(handle, &fp); pcap_loop(handle, 10, packet_handler, NULL); Your packet_handler will see raw Ethernet, IP, and TCP headers.
You don’t need a degree in network engineering to peek under the hood of your Ethernet adapter. You need WinPcap — the legendary library that lets user-mode apps capture and transmit raw network packets, bypassing the OS protocol stack.
Now go capture something.