Re: Pcap files

[Rayne <hjazz6 () ymail com>]

I'm actually looking to create a new packet and then send it out through an NIC for further processing. That was why 
I'm questioning what contents the packet should contain, other than the L2-L7 data. I now understand that the newly 
created packet should only contain the L2-L7 data, and not include the 16-byte per-packet record header.

It looks like all I need to do is allocate a block of memory to hold the L2-L7 packet content.

Thank you.

Regards,
Rayne

--- On Thu, 10/22/09, Guy Harris <guy () alum mit edu> wrote:

> From: Guy Harris <guy () alum mit edu>
> Subject: Re: [Wireshark-users] Pcap files
> To: "Community support list for Wireshark" <wireshark-users () wireshark org>
> Date: Thursday, October 22, 2009, 1:16 AM
>
> On Oct 21, 2009, at 5:57 PM, Rayne wrote:
>
> > So am I right to say that if I were to capture a
> packet, that packet  
> > should only consist of the 16-byte packet header and
> the L2-L7  
> > content.
>
> If you were to capture a packet, that packet would consist
> of whatever  
> data the packet capture mechanism supplied to you,
> including any  
> pseudo-headers such as a header giving radio information
> for 802.11  
> packets.  For example, if it's an 802.11 packet, the
> "packet header"  
> would include the variable-length 802.11 header, and would
> have a  
> radio header before it if that happened to be what the
> driver and  
> capture mechanism supplied, and if it's an Ethernet packet,
> it would  
> consist of the *12*-byte packet header, possibly followed
> by an 802.2  
> header, possibly followed by a SNAP header if there's an
> 802.2 header,  
> followed by the payload.
>
> > But if I were to write that packet to a file of the
> libpcap format,  
> > then the 24-byte "header" will be prepended to the
> file?
>
> If you were to write one or more packets to a pcap file,
> the first 24  
> bytes of the file will be the pcap file header, followed by
> the  
> records for the packets; each record would consist of a
> 16-byte per- 
> packet header, followed by the packet data.
>
> The 16-byte record header is *NOT* part of the
> packet.  If you were to  
> capture a packet with libpcap/WinPcap, using
> pcap_dispatch() or  
> pcap_loop(), a pointer to the 16-byte per-packet header for
> the packet  
> will be supplied to you as a separate item from the pointer
> to the raw  
> packet data; you will not get passed a pointer to a single
> chunk of  
> data starting with the 16-byte per-packet header with the
> packet data  
> immediately following it.
>
> That's also true if you were to read an existing capture
> file with  
> libpcap/WinPcap, using pcap_dispatch() or pcap_loop().
>
> What is it you are trying to do here?
>
> Read a pcap-format file?  If so, you should probably
> consider using  
> libpcap/WinPcap to read the file.
>
> Write a pcap-format file?  If so, you should probably
> still consider  
> using libpcap/WinPcap (pcap_dump_open(), pcap_dump(), 
>
> pcap_dump_close()).
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>          
>    mailto:wireshark-users-request () wireshark org?subject=unsubscribe


      
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe