tcpdump mailing list archives
Re: Problem with generation of Pcap traces for
From: Johan Mazel <johan.mazel () gmail com>
Date: Thu, 14 May 2009 00:46:43 +0200
Hi,

First of all, thanks for the answer.

> Umm, why are you calling pcap_create() twice? pcap_dump_open() creates the dump file for you; it does require a pcap_t as an argument, but that doesn't mean "just randomly open a pcap_t", it means "the packets you're writing are presumably coming from a live capture or another savefile, so you should supply the pcap_t for the live capture or savefile".

My reason for doing this is that I want to be able to aggregate different sources of packets (e.g., I have eth0, eth1, eth2 and eth3 and I want to capture on eth0 and eth1 only and build a trace from these interfaces only). My goal is to aggregate the capture from these interfaces by just supplying the different data structures (pcap_pkthdr and const char *) of the captured packets to the libpcap functions and generate a tracefile (or savefile) from them.

> I.e., don't call pcap_create() twice; just pass the pcap_t for eth0, after you've activated it, to pcap_dump_open().

Ok, I think I understand. If I want to do what I explained in the previous paragraph, I'll have to use pcap_create with a device name like ethx as a parameter, pcap_activate with the pcap_t * previously created as a parameter, and then pcap_dump_open with the pcap_t * previously created and the name of my tracefile as parameters. Actually, I just tried it and it works perfectly.

> I'll fix pcap_dump_open() to fail if it's handed a non-activated pcap_t, as the reason why it needs a pcap_t is to get a link type value and snapshot length, and, until a live-capture pcap_t is activated, it doesn't have a link type value or snapshot length, so the link type for the dump file will be bogus.

Ok, I now understand the point of using a pcap_t in this case. It is actually really helping me since I do not want to log the whole packet. And with my 2 pcap_t, I will be able to capture the full packet and only log a part of it.

Anyway, thanks a lot for all the help.

Regards.
Johan Mazel
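The following is an added example, not part of this message and not libpcap code. It shows in plain Python why a dump file needs a link type and snapshot length up front (both live in the savefile's global header) and how packets from two sources end up as truncated records in one trace. The function names and the sample packets are constructed for illustration, and both sources are assumed to be Ethernet, since a classic savefile carries a single link type.

```python
import struct

LINKTYPE_ETHERNET = 1        # value libpcap reports as DLT_EN10MB
PCAP_MAGIC = 0xA1B2C3D4      # classic savefile, microsecond timestamps
GLOBAL_HDR = "<IHHiIII"      # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"         # ts_sec, ts_usec, captured length, length on the wire

def write_savefile(linktype, snaplen, sources):
    """Merge (sec, usec, bytes) packets from several sources into one savefile image."""
    out = bytearray(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    merged = sorted((p for src in sources for p in src), key=lambda p: (p[0], p[1]))
    for sec, usec, data in merged:
        kept = data[:snaplen]  # log only the first snaplen bytes of each packet
        out += struct.pack(RECORD_HDR, sec, usec, len(kept), len(data)) + kept
    return bytes(out)

def read_savefile(blob):
    """Parse the image back, rejecting records that disagree with the global header."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from(GLOBAL_HDR, blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond savefile")
    records, off = [], struct.calcsize(GLOBAL_HDR)
    while off < len(blob):
        sec, usec, caplen, wirelen = struct.unpack_from(RECORD_HDR, blob, off)
        off += struct.calcsize(RECORD_HDR)
        if caplen > snaplen or caplen > wirelen or off + caplen > len(blob):
            raise ValueError("record inconsistent with header or truncated file")
        records.append((sec, usec, caplen, wirelen, blob[off:off + caplen]))
        off += caplen
    return linktype, snaplen, records

# Constructed sample packets standing in for captures on two interfaces.
ETH0 = [(100, 0, b"\xaa" * 60), (100, 500, b"\xbb" * 200)]
ETH1 = [(100, 250, b"\xcc" * 120)]

def demo():
    """Build a 96-byte-snaplen trace from both sources and parse it back."""
    blob = write_savefile(LINKTYPE_ETHERNET, 96, [ETH0, ETH1])
    return blob, read_savefile(blob)

if __name__ == "__main__":
    _blob, (lt, sl, recs) = demo()
    print(lt, sl, [(r[2], r[3]) for r in recs])
```
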