Wireshark mailing list archives
Re: saving data in pcap file format
From: Guy Harris <guy () alum mit edu>
Date: Mon, 11 Oct 2010 09:47:48 -0700
On Oct 11, 2010, at 6:21 AM, Lange Jan-Erik wrote:
> Ok, in the documentation of winpcap I found the function pcap_dump_open(). It opens a file for another function
Yes. You'll also find pcap_dump(), which writes to a file the packet you pass to it, and pcap_close(), which closes the file opened with pcap_dump_open().
> ...loop() with captures packet
None of those functions loop, or call pcap_loop(), and none of them require that you call pcap_loop(). pcap_dump() is designed so that it *can* be used in a call to pcap_loop(), but it can be directly called as well. To quote the libpcap 1.0.0 man page for pcap_dump():

    pcap_dump() outputs a packet to the ``savefile'' opened with pcap_dump_open(). Note that its calling arguments are suitable for use with pcap_dispatch() or pcap_loop(). *If called directly, the user parameter is of type pcap_dumper_t as returned by pcap_dump_open().*

(emphasis mine), so you call it as

    pcap_dump({pointer to the raw packet data}, {pointer to a pcap_pkthdr with the time stamp, length, and captured length}, {pcap_dumper_t you got back from your call to pcap_dump_open()});
> But I have to open the file and have to write my data in this file.. not capturing it with this loop() function. It is possible to insert my data into a struct and then save this structure into a .pcap file?
Yes. Neither pcap_dump_open() nor pcap_dump() have the most convenient APIs for using them if you're not doing a capture with libpcap, but you could:

    call pcap_open_dead(), with DLT_USB_LINUX or DLT_USB_LINUX_MMAPPED as the linktype and 65535 as the snaplen;

    call pcap_dump_open() with the result of that pcap_open_dead() call;

    for each packet you read, call pcap_dump();

    call pcap_dump_close() when you're done.

That does, of course, require that the "raw packet data" be in the right format for DLT_USB_LINUX or DLT_USB_LINUX_MMAPPED. I'll discuss that issue in another message.
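What the pcap_dump_open() / pcap_dump() sequence described above puts on disk, written by hand without libpcap as an added example (not part of the original post and not libpcap code): a 24-byte file header, then a 16-byte record header in front of each packet, plus a read-back check that rejects truncated records. The function names, the file name and the zero-filled 64-byte payload are assumptions made for illustration; real records must carry data in the layout of the chosen link type.

```c
#include <stdint.h>
#include <stdio.h>
#define PCAP_MAGIC 0xa1b2c3d4u             /* microsecond-timestamp savefile */
#define LINKTYPE_USB_LINUX_MMAPPED 220u    /* number behind DLT_USB_LINUX_MMAPPED */
#define SNAPLEN 65535u                     /* snaplen suggested in the post */
struct file_hdr { uint32_t magic; uint16_t vmajor, vminor; int32_t thiszone;
                  uint32_t sigfigs, snaplen, linktype; };      /* 24 bytes */
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; };    /* 16 bytes */

/* Create the file and write the global header (host byte order, version 2.4). */
FILE *save_open(const char *path, uint32_t linktype) {
    struct file_hdr h = { PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype };
    FILE *f = fopen(path, "wb");
    if (f && fwrite(&h, sizeof h, 1, f) != 1) { fclose(f); f = NULL; }
    return f;
}

/* Append one record: header, then at most SNAPLEN bytes of packet data. */
int save_packet(FILE *f, uint32_t sec, uint32_t usec, const void *data, uint32_t len) {
    struct rec_hdr r = { sec, usec, len < SNAPLEN ? len : SNAPLEN, len };
    if (fwrite(&r, sizeof r, 1, f) != 1) return -1;
    return fwrite(data, 1, r.caplen, f) == r.caplen ? 0 : -1;
}

/* Re-read the file; return the record count, or -1 if it is malformed. */
long save_count(const char *path, uint32_t *linktype) {
    static unsigned char buf[SNAPLEN];
    struct file_hdr h; struct rec_hdr r; long n = 0;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fread(&h, sizeof h, 1, f) != 1 || h.magic != PCAP_MAGIC) n = -1;
    while (n >= 0 && fread(&r, sizeof r, 1, f) == 1)
        n = (r.caplen <= SNAPLEN && r.caplen <= r.len &&
             fread(buf, 1, r.caplen, f) == r.caplen) ? n + 1 : -1;
    fclose(f);
    if (n >= 0) *linktype = h.linktype;
    return n;
}

int main(void) {
    unsigned char urb[64] = {0};   /* constructed placeholder, not a real URB */
    uint32_t lt = 0;
    FILE *f = save_open("usb_demo.pcap", LINKTYPE_USB_LINUX_MMAPPED);
    if (!f) return 1;
    save_packet(f, 1286815668u, 0, urb, sizeof urb);     /* constructed times */
    save_packet(f, 1286815668u, 500, urb, sizeof urb);
    fclose(f);
    printf("%ld records\n", save_count("usb_demo.pcap", &lt));
}
```

The header is written in host byte order; readers use the magic number to detect whether they need to swap.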