Wireshark mailing list archives

Re: converting pcapng to pcap


From: Guy Harris <guy () alum mit edu>
Date: Fri, 28 Sep 2012 12:13:45 -0700


On Sep 28, 2012, at 11:43 AM, albert <alo () advancedio com> wrote:

I'm assuming that the meat of the .pcapng to .pcap conversion is done in the pcap_handler callback for pcap_offline_read(). Is this correct?

No.

It's done in several places.

In a libpcap/WinPcap-based application:

    When reading a packet:

        the internal file-read routine is called (from pcap_loop(), pcap_dispatch(), pcap_next(), or pcap_next_ex()) and, in 1.1 and later, that calls the appropriate next_packet_op routine for the file type in question (pcap or pcap-ng);

        the next_packet_op routine gets the next packet (first packet, if no packet has been read yet), constructs a struct pcap_pkthdr containing the time stamp, on-the-network packet length, and captured data length for the packet, and calls the callback routine, handing it a pointer to the struct pcap_pkthdr, a pointer to the packet data, and the "user data" pointer;

        the callback processes the packet, with no knowledge of whether it came from a pcap or pcap-ng file (or, possibly, other file types in the future).

    When writing a packet:

        pcap_dump() is called, and, using the struct pcap_pkthdr and raw packet data, writes a pcap packet.

Half of the work is done in the next_packet_op, which converts the packet data in the file, in whatever form it might 
be in that particular file format, to a struct pcap_pkthdr and a lump of raw packet data, and the other half of the 
work is done in pcap_dump(), which takes a struct pcap_pkthdr and a lump of raw packet data and writes it out in pcap 
format.

So:

        if the callback *is* pcap_dump() (whose API was designed to allow it to act as a callback for pcap_loop() or pcap_dispatch()), only half of the format-conversion work is done in the callback;

        if the callback isn't pcap_dump(), just some routine that calls pcap_dump(), none of the format-conversion work is done in the callback.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
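Added illustration of the split described in the message (this is not libpcap code and not from the thread): a per-format next-packet routine turns an Enhanced Packet Block into a pcap_pkthdr-like header plus raw bytes, and a format-agnostic pcap_dump() routine writes a pcap record from exactly that pair, never seeing the pcapng structure. It is a standalone toy reader that assumes a single pcapng section and handles only Section Header, Interface Description and Enhanced Packet blocks (other block types are skipped); the sample pcapng bytes are constructed inline, with a nanosecond if_tsresol so that the time stamp rescaling to microseconds is exercised.

```python
import io
import struct
from collections import namedtuple

PCAPNG_SHB, PCAPNG_BOM = 0x0A0D0D0A, 0x1A2B3C4D  # Section Header Block type, byte-order magic
BT_IDB, BT_EPB = 1, 6                            # Interface Description / Enhanced Packet Block
PCAP_MAGIC = 0xA1B2C3D4                          # classic microsecond-resolution pcap

PktHdr = namedtuple("PktHdr", "ts_sec ts_usec caplen len")  # the equivalent of struct pcap_pkthdr

def _options(buf, endian):
    """Yield (code, value) from a pcapng option list; values are padded to 4 bytes."""
    off = 0
    while off + 4 <= len(buf):
        code, olen = struct.unpack(endian + "HH", buf[off:off + 4])
        if code == 0:  # opt_endofopt
            break
        yield code, buf[off + 4:off + 4 + olen]
        off += 4 + ((olen + 3) & ~3)

def _read_block(f, endian):
    """Next pcapng block as (type, body), or None at end of file."""
    hdr = f.read(8)
    if len(hdr) < 8:
        return None
    btype, blen = struct.unpack(endian + "II", hdr)
    if blen < 12 or blen % 4:
        raise ValueError("bad block length %d" % blen)
    body = f.read(blen - 12)
    if struct.unpack(endian + "I", f.read(4))[0] != blen:
        raise ValueError("block length mismatch")
    return btype, body

def _parse_idb(body, endian):
    """(linktype, snaplen, timestamp ticks per second); if_tsresol defaults to 10^-6."""
    linktype, _reserved, snaplen = struct.unpack(endian + "HHI", body[:8])
    ticks = 10 ** 6
    for code, val in _options(body[8:], endian):
        if code == 9 and val:  # if_tsresol: 10^-n, or 2^-n when the high bit is set
            ticks = 2 ** (val[0] & 0x7F) if val[0] & 0x80 else 10 ** val[0]
    return linktype, snaplen, ticks

def _parse_epb(body, endian, ifaces):
    """The next_packet_op half: one EPB -> (PktHdr, raw packet bytes)."""
    ifid, ts_hi, ts_lo, caplen, wirelen = struct.unpack(endian + "IIIII", body[:20])
    if ifid >= len(ifaces):
        raise ValueError("EPB refers to unknown interface %d" % ifid)
    ticks = ifaces[ifid][2]
    ts = (ts_hi << 32) | ts_lo  # 64-bit tick count since the epoch at this interface's resolution
    data = body[20:20 + caplen]
    if len(data) < caplen:
        raise ValueError("truncated EPB")
    return PktHdr(ts // ticks, (ts % ticks) * 10 ** 6 // ticks, caplen, wirelen), data

def open_offline(f):
    """pcap_open_offline()-like entry for a pcapng file: (linktype, snaplen, packet iterator).
    Toy simplification: all blocks are read up front rather than streamed."""
    raw = f.read(12)  # block type, block length, byte-order magic
    if len(raw) < 12 or struct.unpack("<I", raw[:4])[0] != PCAPNG_SHB:  # 0x0A0D0D0A is order-neutral
        raise ValueError("not a pcapng file")
    endian = next((e for e in "<>" if struct.unpack(e + "I", raw[8:])[0] == PCAPNG_BOM), None)
    if endian is None:
        raise ValueError("bad byte-order magic")
    f.read(struct.unpack(endian + "I", raw[4:8])[0] - 12)  # rest of the SHB, trailer included
    blocks = list(iter(lambda: _read_block(f, endian), None))
    ifaces = [_parse_idb(body, endian) for btype, body in blocks if btype == BT_IDB]
    if not ifaces:
        raise ValueError("no Interface Description Block")
    packets = (_parse_epb(body, endian, ifaces) for btype, body in blocks if btype == BT_EPB)
    return ifaces[0][0], ifaces[0][1], packets

def pcap_dump(out, hdr, data):
    """The pcap_dump() half: PktHdr plus raw bytes in, one pcap record out."""
    out.write(struct.pack("<IIII", hdr.ts_sec, hdr.ts_usec, hdr.caplen, hdr.len) + data)

def convert(pcapng_bytes):
    """pcapng bytes in, pcap bytes out; returns (packet count, pcap bytes)."""
    linktype, snaplen, packets = open_offline(io.BytesIO(pcapng_bytes))
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    count = 0
    for hdr, data in packets:
        pcap_dump(out, hdr, data)  # the "callback": it never sees the pcapng structure
        count += 1
    return count, out.getvalue()

def build_sample_pcapng():
    """Constructed input, not captured traffic: one Ethernet interface with nanosecond
    timestamps (if_tsresol = 9) and one 42-byte frame. Returns (pcapng bytes, frame)."""
    def block(btype, body):
        body += b"\0" * (-len(body) % 4)
        total = 12 + len(body)
        return struct.pack("<II", btype, total) + body + struct.pack("<I", total)
    shb = block(PCAPNG_SHB, struct.pack("<IHHq", PCAPNG_BOM, 1, 0, -1))
    tsresol = struct.pack("<HHB", 9, 1, 9) + b"\0" * 3 + struct.pack("<HH", 0, 0)
    idb = block(BT_IDB, struct.pack("<HHI", 1, 0, 65535) + tsresol)
    frame = bytes.fromhex("ffffffffffff0011223344550806") + b"\xaa" * 28
    ts = 1_348_859_625 * 10 ** 9 + 123_456_789  # nanoseconds since the epoch
    epb = block(BT_EPB, struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame)) + frame)
    return shb + idb + epb, frame
```

Calling convert(build_sample_pcapng()[0]) yields one 82-byte pcap file (24-byte global header, 16-byte record header, 42 bytes of frame) whose record carries ts_sec 1348859625 and ts_usec 123456: the nanosecond tick count from the EPB has been rescaled by the per-interface resolution before it reaches pcap_dump(), which is the kind of per-format work the message places in next_packet_op rather than in the callback.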