tcpdump mailing list archives

Re: PCAP file questions...


From: Guy Harris <guy () alum mit edu>
Date: Sun, 11 Nov 2012 15:27:00 -0800


On Nov 11, 2012, at 2:55 PM, barcaroller <barcaroller () gmail com> wrote:

> The libpcap C API provides functions for writing (pcap_dump) and reading (pcap_next) a PCAP file.  I have two questions:
>
> - How do I remove a packet from a PCAP file using the libpcap C API?

You can't remove a packet from an existing file - pcap files are sequential files.

What you *can* do is read a file and write out all the packets, except the ones you don't want, to a new file.

> - Once I close a PCAP file (pcap_close), I find I cannot re-open it later (pcap_dump_fopen) and append to it.  I get a corrupt file every time.  Are PCAP files not meant to be appended to?

They could, in principle, be appended to, but that can't be done with the existing APIs - you'd need an "open for appending" call, which would, unlike the "create a new file" calls (pcap_dump_open(), pcap_dump_fopen()), *not* write a file header.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
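
The difference between a "create a new file" call and an "open for appending" call, as described in the message above, shown as an added example that is not part of the original message and not libpcap code. The `cap_*` helpers and struct names are hypothetical, and the sketch assumes a classic microsecond-resolution pcap file written in the host's byte order.

```c
/* Added example: hypothetical cap_* helpers, not libpcap functions. */
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC 0xa1b2c3d4u  /* classic pcap, microsecond timestamps, host byte order */
struct file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t zone; uint32_t sigfigs, snaplen, linktype; };
struct rec_hdr  { uint32_t sec, usec, caplen, len; };

/* "Create" path: truncates the file and writes the 24-byte file header. */
FILE *cap_create(const char *path, uint32_t snaplen, uint32_t linktype) {
    struct file_hdr h = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype };
    FILE *fp = fopen(path, "wb");
    if (fp && fwrite(&h, sizeof h, 1, fp) != 1) { fclose(fp); fp = NULL; }
    return fp;
}

/* "Open for appending" path: validate the existing header, write no new one. */
FILE *cap_open_append(const char *path, uint32_t linktype) {
    struct file_hdr h;
    FILE *fp = fopen(path, "r+b");
    if (!fp) return NULL;
    if (fread(&h, sizeof h, 1, fp) != 1 || h.magic != PCAP_MAGIC ||
        h.linktype != linktype || fseek(fp, 0, SEEK_END) != 0) {
        fclose(fp);  /* other format or byte order, or mismatched link type */
        return NULL;
    }
    return fp;
}

/* Write one 16-byte record header followed by the packet bytes. */
int cap_write(FILE *fp, uint32_t sec, uint32_t usec, const void *data, uint32_t len) {
    struct rec_hdr r = { sec, usec, len, len };
    return fwrite(&r, sizeof r, 1, fp) == 1 && fwrite(data, 1, len, fp) == len ? 0 : -1;
}

/* Count records; -1 if a record header is truncated or its caplen exceeds snaplen. */
long cap_count(const char *path) {
    struct file_hdr h; struct rec_hdr r; long n = 0;
    FILE *fp = fopen(path, "rb");
    if (!fp) return -1;
    if (fread(&h, sizeof h, 1, fp) != 1 || h.magic != PCAP_MAGIC) { fclose(fp); return -1; }
    for (;;) {
        size_t got = fread(&r, 1, sizeof r, fp);
        if (got == 0) break;                       /* clean end of file */
        if (got != sizeof r || r.caplen > h.snaplen ||
            fseek(fp, (long)r.caplen, SEEK_CUR) != 0) { n = -1; break; }
        n++;
    }
    fclose(fp);
    return n;
}
```

A second file header written into the middle of the file is read back as record headers, so a reader such as `cap_count` sees an implausible captured length and rejects the file.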

