Wireshark mailing list archives

Re: Using wiretap library in a project


From: Daniel <neagarudan () gmail com>
Date: Fri, 04 Jan 2013 01:48:34 +0100

Thanks, that answered all my questions.

On 01/03/2013 09:00 PM, Guy Harris wrote:
> On Jan 3, 2013, at 8:25 AM, Neagaru Daniel <neagarudan () gmail com> wrote:
>
>> Yes, it would be a solution, since I didn't find anything related to pcap-ng in pcap(3) documentation,
>
> The latest version of the pcap_open_offline(3PCAP) man page says:
>
>         DESCRIPTION
>                pcap_open_offline() is called to open a ‘‘savefile’’ for reading.
>
>                fname specifies the name of the file to open. The  file  can  have  the
>                pcap  file  format  as described in pcap‐savefile(5), which is the file
>                format used by, among other programs, tcpdump(1)  and  tcpslice(1),  or
>                can have the pcap‐ng file format, although not all pcap‐ng files can be
>                read.  The name "‐" in a synonym for stdin.
>
> It *should* say "as written by, among other programs...", as those programs can, if using a sufficiently recent version of
> libpcap, *read* pcap-ng files in which all the interfaces have the same link-layer header type and snapshot length (the current
> libpcap/WinPcap APIs don't let you get per-interface link-layer header types or snapshot lengths; they assume there's only one
> link-layer header type and snapshot length per file) and all the sections have the same byte order (for the same reason - yes, libpcap
> supports pcap-ng files with multiple Section Header Blocks).
>
> Note that no WinPcap version based on libpcap 1.1.0 or later has been released, so this only works on UN*X, not on
> Windows.
>
>> I thought pcap-ng is not supported yet.
>
> No - as Evan Huus noted, it's been supported since 1.1.0, although I'd still call it "limited" in the current version; some
> bugs are fixed in the current version, but it still only has the old API and thus can't handle captures with multiple link-layer header
> types, snapshot lengths, etc..
>
>> Where can I find the recent documentation regarding pcap-ng?
>
> Regarding pcap-ng or regarding libpcap support for it?  For pcap-ng itself, see
>
>         http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
>
> For libpcap support for it, see the man page on a system with a recent version of libpcap, or see
>
>         http://www.tcpdump.org/manpages/pcap_open_offline.3pcap.html

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
              mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
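
The restriction described in the quoted reply (one link-layer header type, one snapshot length and one byte order per file) can be checked before handing a pcap-ng capture to a tool built on the single-type API. The following is an added example, not code from the thread, libpcap or Wireshark: it walks the Section Header and Interface Description Blocks of a pcap-ng file and reports whether they are uniform. The function names and the sample files are hypothetical and constructed for illustration; passing the check does not guarantee libpcap can read the file.

```python
import struct

SHB, IDB, MAGIC = 0x0A0D0D0A, 0x00000001, 0x1A2B3C4D  # block types, byte-order magic

def scan_pcapng(data):
    """Return (byte orders of all sections, {(linktype, snaplen)} of all interfaces)."""
    orders, ifaces, endian, off = set(), set(), None, 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB type reads the same in both orders
            magic = data[off + 8:off + 12]
            if magic == struct.pack("<I", MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", MAGIC):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic at offset %d" % off)
            orders.add(endian)
        elif endian is None:
            raise ValueError("no Section Header Block at start of file")
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("bad block length at offset %d" % off)
        if btype == IDB and blen >= 20:
            linktype, _reserved, snaplen = struct.unpack_from(endian + "HHI", data, off + 8)
            ifaces.add((linktype, snaplen))
        off += blen
    if off != len(data):
        raise ValueError("truncated block at offset %d" % off)
    return orders, ifaces

def fits_single_type_api(data):
    """True if all sections share one byte order and all interfaces one linktype/snaplen."""
    orders, ifaces = scan_pcapng(data)
    return len(orders) == 1 and len(ifaces) <= 1

# Constructed sample files: section and interface blocks only, no packets.
def _block(e, btype, body):
    total = 12 + len(body)
    return struct.pack(e + "II", btype, total) + body + struct.pack(e + "I", total)

def _shb(e):
    return _block(e, SHB, struct.pack(e + "IHHq", MAGIC, 1, 0, -1))

def _idb(e, linktype, snaplen):
    return _block(e, IDB, struct.pack(e + "HHI", linktype, 0, snaplen))

UNIFORM = _shb("<") + _idb("<", 1, 65535) + _idb("<", 1, 65535)
MIXED_LINK = _shb("<") + _idb("<", 1, 65535) + _idb("<", 113, 65535)  # Ethernet + Linux cooked
MIXED_ORDER = _shb("<") + _idb("<", 1, 65535) + _shb(">") + _idb(">", 1, 65535)
```
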
