tcpdump mailing list archives

Re: save PCAP packets into a file


From: Guy Harris <guy () alum mit edu>
Date: Wed, 22 Jun 2011 11:05:48 -0700


On Jun 22, 2011, at 10:48 AM, Alokat wrote:

> I have to save some pcap packets into a file for later analyzing.
>
> But I have some problems with creating the pcap file for it.
> Do I have to call first functions like fopen() to create a dump file?

No.

> Cause pcap_open_offline crashes if there is no file available under:
> const char* fname

What do you mean by "crashes" and "no file available"?

If you pass a null fname pointer to pcap_open_offline(), it'll probably crash - but so will fopen()!

If you pass the name of a file that doesn't exist to pcap_open_offline(), it won't *crash*, in the sense of making the program calling it crash, but it'll fail and return a null pointer, which is exactly what it's supposed to do - it opens a file for *reading*, not *writing*, so it *should* fail if there's no file to read.

To *write* a pcap file, you create it with pcap_dump_open().

You have to pass a pcap_t * to pcap_dump_open().

If your packets are coming from a live capture with libpcap/WinPcap, you already have a pcap_t * that you got from pcap_open_live() or pcap_create()/pcap_activate().  Use that.

If your packets are coming from a pcap file that you're reading with libpcap/WinPcap, you already have a pcap_t * that you got from pcap_open_offline().  Use that.

If your packets are coming from somewhere else, you will have to use pcap_open_dead() to generate a "fake" pcap_t * to pass to pcap_dump_open() in order to tell it what link-layer header type and snapshot length should be used in the pcap file.