下面是关于WinPcap的文档，你可以参考下：
http://www.ieee.org.cn/dispbbs.asp?boardID=65&ID=33472
http://www.ieee.org.cn/dispbbs.asp?boardID=65&ID=33471
http://www.ieee.org.cn/dispbbs.asp?boardID=65&ID=33470
http://www.ieee.org.cn/dispbbs.asp?boardID=65&ID=33469
http://www.ieee.org.cn/dispbbs.asp?boardID=65&ID=33468
http://www.ieee.org.cn/dispbbs.asp?boardID=65&ID=33467
http://www.ieee.org.cn/dispbbs.asp?boardID=65&ID=33466

不好意思啊，最近因为忙很少上论坛，现在才看到你的留言。

那几篇文章中有代码片段啊，只要编译环境配好了那些代码拷过去就可以编译运行了。

那些文章是一些学习笔记，所以可能有点零乱和不全，所以你最好阅读WinPcap的开发文档，那些笔记仅供参考。

WinPcap的开发文档写的很好，简洁明了，而且真正是由简单到复杂，WinPcap的功能他上面都讲的很清楚的，做一般的开发参考他的开发文档是绝对够了。

另外，你对你要做的嗅探器的功能描述也不清楚：
1.“截获数据包”——截获哪一层的数据包？
2.“分析数据包”——你对“分析”一词的含义是如何定义的？

http://www.winpcap.org/docs/docs_40/html/main.html

#include "pcap.h"

/* prototype of the packet handler */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);

main()
{
 pcap_if_t *alldevs;
 pcap_if_t *d;
 int inum;
 int i=0;
 pcap_t *adhandle;
 char errbuf[PCAP_ERRBUF_SIZE];
 
 /* Retrieve the device list */
 if(pcap_findalldevs(&alldevs, errbuf) == -1)
 {
  fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
  exit(1);
 }
 
 /* Print the list */
 for(d=alldevs; d; d=d->next)
 {
  printf("%d. %s", ++i, d->name);
  if (d->description)
   printf(" (%s)\n", d->description);
  else
   printf(" (No description available)\n");
 }
 
 if(i==0)
 {
  printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
  return -1;
 }
 
 printf("Enter the interface number (1-%d):",i);
 scanf("%d", &inum);
 
 if(inum < 1 || inum > i)
 {
  printf("\nInterface number out of range.\n");
  /* Free the device list */
  pcap_freealldevs(alldevs);
  return -1;
 }
 
 /* Jump to the selected adapter */
 for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);
 
 /* Open the device */
 /* Open the adapter */
 if ((adhandle= pcap_open_live(d->name, // name of the device
        65536,   // portion of the packet to capture.
           // 65536 grants that the whole packet will be captured on all the MACs.
        1,    // promiscuous mode (nonzero means promiscuous)
        1000,   // read timeout
        errbuf   // error buffer
        )) == NULL)
 {
  fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
  /* Free the device list */
  pcap_freealldevs(alldevs);
  return -1;
 }
 
 printf("\nlistening on %s...\n", d->description);
 
 /* At this point, we don't need any more the device list. Free it */
 pcap_freealldevs(alldevs);
 
 /* start the capture */
 pcap_loop(adhandle, 0, packet_handler, NULL);
 
 pcap_close(adhandle);
 return 0;
}

/* Callback function invoked by libpcap for every incoming packet */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
 struct tm *ltime;
 char timestr[16];
 time_t local_tv_sec;
 
 /* convert the timestamp to readable format */
 local_tv_sec = header->ts.tv_sec;
 ltime=localtime(&local_tv_sec);
 strftime( timestr, sizeof timestr, "%H:%M:%S", ltime);
 
 printf("%s,%.6d len:%d\n", timestr, header->ts.tv_usec, header->len);
 
}