tcpdump mailing list archives

Re: PCAP file questions...


From: Guy Harris <guy () alum mit edu>
Date: Sun, 11 Nov 2012 19:35:27 -0800


On Nov 11, 2012, at 5:44 PM, barcaroller <barcaroller () gmail com> wrote:

> On 2012-11-11 23:27:00 +0000, Guy Harris said:
>
>> They could, in principle, be appended to, but that can't be done with the existing APIs - you'd need an "open for
>> appending" call, which would, unlike the "create a new file" calls (pcap_dump_open(), pcap_dump_fopen()), *not*
>> write a file header.
>
> The existing API does allow for:
>
>   FILE* f = open("a");  // or open("a+")
>   pcap_dump_fopen(f);

pcap_dump_fopen(), in the current Git trunk, calls pcap_setup_dump(), which calls sf_write_header(), which writes out a 
file header, so that call will write a file header.  Some older versions have a different code path, but they'll still 
write out a file header.

A pcap file has *one* file header followed by a sequence of zero or more packets, each with a packet record header.  A 
file header is not a valid packet record header, so that wouldn't work for *any* number of packets.

As per my mail, what's needed is a routine that doesn't write the file header.

> It does work for a few hundred packets, but then eventually the file gets corrupted.

That must be because, until you've written more packets, no write is done to the underlying file because the packets 
are still buffered in the standard I/O library routine buffers.  Once an actual write() is done, your file will be 
trashed.
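The file layout described in this message, as an added example that is not part of the original post and is not libpcap code. It does not call libpcap; the function names are hypothetical, and it assumes the classic pcap format with microsecond timestamps written in the host's byte order.

```c
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC 0xa1b2c3d4u  /* microsecond timestamps, writer's byte order */

/* On-disk layouts of the classic pcap format (24 and 16 bytes, no padding). */
struct file_hdr { uint32_t magic; uint16_t vmajor, vminor; int32_t thiszone;
                  uint32_t sigfigs, snaplen, linktype; };
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; };

/* Creating a file: the one and only file header goes first. */
int write_file_header(FILE *f, uint32_t snaplen, uint32_t linktype)
{
    struct file_hdr h = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype };
    return fwrite(&h, sizeof h, 1, f) == 1 ? 0 : -1;
}

/* Appending: seek to the end and write a record header plus data, nothing else. */
int append_record(FILE *f, uint32_t sec, uint32_t usec, const void *data, uint32_t n)
{
    struct rec_hdr r = { sec, usec, n, n };
    if (fseek(f, 0, SEEK_END) != 0 || fwrite(&r, sizeof r, 1, f) != 1)
        return -1;
    return fwrite(data, 1, n, f) == n ? 0 : -1;
}

/* Walk the file; return the record count, or -1 if it is not a well-formed
 * sequence of one file header followed by packet records. */
long count_records(FILE *f)
{
    struct file_hdr h;
    struct rec_hdr r;
    long size, pos = (long)sizeof h, n = 0;

    if (fseek(f, 0, SEEK_END) != 0 || (size = ftell(f)) < pos)
        return -1;
    rewind(f);
    if (fread(&h, sizeof h, 1, f) != 1 || h.magic != PCAP_MAGIC)
        return -1;
    for (; pos < size; pos += (long)sizeof r + (long)r.caplen, n++) {
        if (fseek(f, pos, SEEK_SET) != 0 || fread(&r, sizeof r, 1, f) != 1)
            return -1;                          /* truncated record header */
        if (r.caplen > h.snaplen || r.caplen > r.len ||
            r.caplen > (unsigned long)(size - pos) - sizeof r)
            return -1;                          /* implausible or truncated */
    }
    return n;
}
```

If a second file header is written in the middle of the file, the walker reads its first 16 bytes as a zero-length record, then takes the following record's timestamp fields as lengths and returns -1.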
