PCAP -- The Portable Packet Cature Library

Pcap is a portable interface to raw socket interface.

Resources:

You can see the pcap man pages here.
You can find a pcap programming tutorial here.
You can find a TCP header map at http://www.freesoft.org/CIE/Course/Section4/8.htm.
You can find an IP header map at http://www.networksorcery.com/enp/protocol/ip.htm.
You can find a ethernet header diagram at http://en.wikipedia.org/wiki/Image:Ethernet_Type_II_Frame_format.svg.
A list of ethernet type codes IN HEX can be found at http://www.cavebear.com/CaveBear/Ethernet/type.html.
You can see a sample decode at http://www.pcausa.com/resources/ndispacket_decode.htm#Ethernet%20Header.

The basics of pcap is the idea of a packet stream. You open the packet stream, read from the stream, and then close the stream. There are two ways to open a packet stream.

pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf)
This opens the network device named in device. On a linux box "eth0" or "all" would be common choices. The snaplen parameter describes how large the packet buffer should be, and 64K works on most systems. The promisc parameter is a 1 or 0, and describes if the device should be opened in promiscous mode. Please note the device might be in promiscous mode anyway if some other program has opened it that way. The to_ms parameter tells how long in milliseconds read calls on the stream should wait for packets. The choice of '0' means to wait forever. The last parameter is a text string describing any error that might have occured. This returns zero on failure or a valid pointer on success.
YOU MUST BE ROOT TO USE THIS CALL.
pcap_t *pcap_open_offline(const char *fname, char *errbuf)
The fname is the filename to open. The last parameter is a string describing any error that might have occured. This returns zero on failure or a valid pointer on success.

Once you have the stream open you can read packets. There are several methods to do this. The easiest and most powerful and best is

int pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header, const u_char **pkt_data)

IT IS NOT ENOUGHT TO CHECK FOR -1.

NOT

Here are some notes ...

You can print anything in hex like this....
char buf[100];
sprintf(buf, "%02x%02x", byte1, byte2);
You can get a two byte short form network order to host order like this
unsigned short s;
bcopy(pointer, s, 2);
s = ntohs(s);

Below is a sample working pcap program. IT MUST BE RUN AS ROOT.

#include <pcap.h>
#include <stdio.h>
#include <iostream>
using namespace std;

int main()
{
        pcap_t *handle;                            /* Session handle */
        char errbuf[PCAP_ERRBUF_SIZE];    /* Error string */
        struct pcap_pkthdr *header;               /* The header that pcap gives us */
        const u_char *packet;                        /* The actual packet */

        /* Open the session in promiscuous mode */
        handle = pcap_open_live("eth0", 65000, 0, 0, errbuf);
        if (handle == 0) {
                cout << "Error in pcap_open_live: " << errbuf << endl;
                exit(1);
        }

        /* Grab a packet */
        int code = pcap_next_ex(handle, &header, &packet);
        if (code < 0)
                cout << "Error in pcap_next_ex\n";

        /* Print its length */
        cout << "Jacked a packet with length of " << header->len << " bytes\n";

        /* And close the session */
        pcap_close(handle);
        return(0);
}