wireshark-dev October 2010 archive

Re: [Wireshark-dev] saving data in pcap file format

From: Guy Harris <guy_at_nospam>
Date: Mon Oct 11 2010 - 16:47:48 GMT
To: Developer support list for Wireshark <wireshark-dev@wireshark.org>

On Oct 11, 2010, at 6:21 AM, Lange Jan-Erik wrote:

> Ok, in the documentation of winpcap I found the function pcap_dump_open().
> It opens a file for another function

Yes.

You'll also find pcap_dump(), which writes to a file the packet you pass to it, and pcap_dump_close(), which closes the file opened with pcap_dump_open().

> ...loop() with captures packet

None of those functions loop, or call pcap_loop(), and none of them require that you call pcap_loop(). pcap_dump() is designed so that it *can* be used in a call to pcap_loop(), but it can be directly called as well. To quote the libpcap 1.0.0 man page for pcap_dump():

       pcap_dump() outputs a packet to the ``savefile'' opened with
       pcap_dump_open(). Note that its calling arguments are suitable for use
       with pcap_dispatch() or pcap_loop(). *If called directly, the user
       parameter is of type pcap_dumper_t as returned by pcap_dump_open().*

(emphasis mine), so you call it as

        pcap_dump({pcap_dumper_t you got back from your call to pcap_dump_open(), passed as a u_char *},
            {pointer to a pcap_pkthdr with the time stamp, length, and captured length},
            {pointer to the raw packet data});

> But I have to open the file and have to write my data in this file, not capturing it with this loop() function. Is it possible to insert my data into a struct and then save this structure into a .pcap file?

Yes.

Neither pcap_dump_open() nor pcap_dump() have the most convenient APIs for using them if you're not doing a capture with libpcap, but you could:

        call pcap_open_dead(), with DLT_USB_LINUX or DLT_USB_LINUX_MMAPPED as the linktype and 65535 as the snaplen;

        call pcap_dump_open() with the result of that pcap_open_dead() call;

        for each packet you read, call pcap_dump();

        call pcap_dump_close() when you're done.

That does, of course, require that the "raw packet data" be in the right format for DLT_USB_LINUX or DLT_USB_LINUX_MMAPPED. I'll discuss that issue in another message.
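An added example, not part of Guy's message and not libpcap code: the four steps above produce an ordinary pcap "savefile", and this C program writes that same layout by hand (24-byte global header carrying the snaplen and linktype you would give pcap_open_dead(), then one 16-byte record header per packet with the time stamp, captured length and original length, followed by the bytes) so the file format is visible without a libpcap install. It also parses the file back and rejects records whose captured length exceeds the snaplen or the original length, the inconsistency a reader such as Wireshark would refuse. The DLT values are the ones libpcap assigns in pcap/dlt.h; the packet bytes and time stamps are constructed placeholders and are not valid usbmon records, which is the formatting issue Guy defers to his next message.

```c
/* Writing a pcap savefile by hand, in the layout pcap_dump_open() and
 * pcap_dump() produce.  Added example; no libpcap calls are used. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC            0xa1b2c3d4u /* microsecond-resolution savefile */
#define DLT_USB_LINUX         189         /* value from libpcap's pcap/dlt.h */
#define DLT_USB_LINUX_MMAPPED 220         /* value from libpcap's pcap/dlt.h */
#define PCAP_SNAPLEN          65535       /* the snaplen from the message */

/* Same fields as libpcap's struct pcap_pkthdr: time stamp, captured length,
 * and length the packet had on the wire. */
struct pkt_hdr { uint32_t ts_sec; uint32_t ts_usec; uint32_t caplen; uint32_t len; };

/* The file is written little-endian; a reader uses the magic to detect byte order. */
static void put_u16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_u32(uint8_t *p, uint32_t v) { put_u16(p, v & 0xffff); put_u16(p + 2, v >> 16); }
static uint32_t get_u32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 24-byte global header: what pcap_dump_open() writes from the pcap_t it is
 * given, i.e. the linktype and snaplen passed to pcap_open_dead(). */
size_t pcap_write_global_header(FILE *fp, uint32_t linktype, uint32_t snaplen) {
    uint8_t h[24];
    put_u32(h, PCAP_MAGIC);
    put_u16(h + 4, 2);        /* version major */
    put_u16(h + 6, 4);        /* version minor */
    put_u32(h + 8, 0);        /* thiszone: GMT offset, always 0 */
    put_u32(h + 12, 0);       /* sigfigs: always 0 */
    put_u32(h + 16, snaplen);
    put_u32(h + 20, linktype);
    return fwrite(h, 1, sizeof h, fp);
}

/* One record: 16-byte record header plus caplen bytes of data, what pcap_dump()
 * writes from the pcap_pkthdr and data pointer it receives.  Returns the bytes
 * written, or 0 for a header a reader would reject (caplen > len or > snaplen). */
size_t pcap_write_record(FILE *fp, const struct pkt_hdr *h, const uint8_t *data, uint32_t snaplen) {
    if (h->caplen > h->len || h->caplen > snaplen) return 0;
    uint8_t r[16];
    put_u32(r, h->ts_sec); put_u32(r + 4, h->ts_usec);
    put_u32(r + 8, h->caplen); put_u32(r + 12, h->len);
    if (fwrite(r, 1, sizeof r, fp) != sizeof r) return 0;
    if (fwrite(data, 1, h->caplen, fp) != h->caplen) return 0;
    return sizeof r + h->caplen;
}

/* Read the file back: returns the number of records, or -1 if the magic is
 * wrong, a record is truncated, or a captured length is inconsistent. */
long pcap_count_records(FILE *fp) {
    uint8_t h[24], r[16], buf[PCAP_SNAPLEN];
    rewind(fp);
    if (fread(h, 1, sizeof h, fp) != sizeof h || get_u32(h) != PCAP_MAGIC) return -1;
    uint32_t snaplen = get_u32(h + 16);
    long n = 0;
    while (fread(r, 1, sizeof r, fp) == sizeof r) {
        uint32_t caplen = get_u32(r + 8), len = get_u32(r + 12);
        if (caplen > snaplen || caplen > len || caplen > sizeof buf) return -1;
        if (fread(buf, 1, caplen, fp) != caplen) return -1;   /* truncated record */
        n++;
    }
    return n;
}

/* Worked use: two constructed packets, the second one truncated at capture time
 * (caplen < len).  Returns total bytes written, 0 on any failure. */
long write_sample_file(FILE *fp) {
    uint8_t pkt1[48], pkt2[64];                 /* placeholder bytes, not usbmon records */
    memset(pkt1, 0xa1, sizeof pkt1);
    memset(pkt2, 0xb2, sizeof pkt2);
    struct pkt_hdr h1 = { 1286815668u, 0,       48, 48 };  /* constructed time stamps */
    struct pkt_hdr h2 = { 1286815668u, 500000u, 40, 64 };
    long total = 0; size_t n;
    if ((n = pcap_write_global_header(fp, DLT_USB_LINUX, PCAP_SNAPLEN)) == 0) return 0;
    total += (long)n;
    if ((n = pcap_write_record(fp, &h1, pkt1, PCAP_SNAPLEN)) == 0) return 0;
    total += (long)n;
    if ((n = pcap_write_record(fp, &h2, pkt2, PCAP_SNAPLEN)) == 0) return 0;
    total += (long)n;
    return total;
}

int main(void) {
    FILE *fp = fopen("example.pcap", "w+b");
    if (!fp) { perror("example.pcap"); return 1; }
    long bytes = write_sample_file(fp);
    long recs = pcap_count_records(fp);
    fclose(fp);
    printf("wrote %ld bytes, read back %ld records\n", bytes, recs);
    return (bytes == 0 || recs < 0) ? 1 : 0;
}
```

With libpcap available, the same bytes come out of pcap_open_dead(DLT_USB_LINUX, 65535), pcap_dump_open() on that handle, one pcap_dump() per record, and pcap_dump_close(); the hand-written writer only makes the per-record bookkeeping (caplen versus len versus snaplen) explicit.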
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe