tcpdump mailing list archives

Re: libpcap usage while reading pcapNG files


From: Madhav Ancha <mancha () tower-research com>
Date: Thu, 13 Sep 2018 17:10:05 -0400

Thanks Guy.
Is the best way then to parse pcapNG in code and run bpf_filter on the
packets, please?

a) open the pcap file in C
b) parse the blocks
c) For every enhanced packet block
    c1) Manually construct struct pcap_pkthdr *
    c2) Run bpf_filter explicitly

This file can be updated as it is being parsed.
So d) refresh the file when EOF :-)


On Thu, Sep 13, 2018 at 4:59 PM Guy Harris <guy () alum mit edu> wrote:

On Sep 13, 2018, at 1:49 PM, Madhav Ancha <mancha () tower-research com>
wrote:

   Is there a way to get the "options" along with the "packet data" in an
Enhanced Packet Block when reading the pcapNG files please?

No.  There are no provisions in the current pcap API to provide that
information, as the API was designed when pcap format was the only format.

Providing full support for pcapng would require a new API (which should be
able to support pcap files as well).
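
Steps (b) and (c) from the message above, as an added example that is not part of the original thread or of libpcap: a bounds-checked parse of pcapng blocks that exposes an Enhanced Packet Block's packet bytes and its options. It assumes a little-endian section (a full reader checks the Section Header Block's byte-order magic); `epb_view`, `parse_block`, `epb_option` and `SAMPLE_EPB` are hypothetical names, and the caplen/origlen/timestamp fields are what would be copied into `struct pcap_pkthdr` before running `bpf_filter`.

```c
#include <stddef.h>
#include <stdint.h>

#define PCAPNG_EPB 6u   /* Enhanced Packet Block type */

struct epb_view {       /* caplen/origlen/timestamp feed struct pcap_pkthdr */
    uint32_t if_id, ts_high, ts_low, caplen, origlen;
    const uint8_t *pkt, *opts;
    size_t opts_len;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }

/* Returns the block's total length, or 0 if the block is truncated or malformed. */
size_t parse_block(const uint8_t *b, size_t len, size_t off, struct epb_view *e, int *is_epb) {
    *is_epb = 0;
    if (off > len || len - off < 12) return 0;
    uint32_t type = le32(b + off), total = le32(b + off + 4);
    if (total < 12 || (total & 3) || total > len - off) return 0;
    if (le32(b + off + total - 4) != total) return 0;   /* trailing length must match */
    if (type != PCAPNG_EPB) return total;               /* skip other block types */
    if (total < 32) return 0;                           /* 12 framing + 20 fixed fields */
    const uint8_t *p = b + off + 8;
    e->if_id = le32(p); e->ts_high = le32(p + 4); e->ts_low = le32(p + 8);
    e->caplen = le32(p + 12); e->origlen = le32(p + 16);
    if (e->caplen > total - 32) return 0;               /* caplen must fit inside the block */
    size_t padded = ((size_t)e->caplen + 3) & ~(size_t)3;
    e->pkt = p + 20; e->opts = e->pkt + padded; e->opts_len = total - 32 - padded;
    *is_epb = 1;
    return total;
}

/* Returns the value of option `code` and sets *vlen, or NULL if absent or malformed. */
const uint8_t *epb_option(const struct epb_view *e, uint16_t code, uint16_t *vlen) {
    for (size_t i = 0; e->opts_len - i >= 4; ) {
        uint16_t c = le16(e->opts + i), l = le16(e->opts + i + 2);
        size_t padded = ((size_t)l + 3) & ~(size_t)3;
        if (c == 0 || padded > e->opts_len - i - 4) return NULL;   /* opt_endofopt or overrun */
        if (c == code) { *vlen = l; return e->opts + i + 4; }
        i += 4 + padded;
    }
    return NULL;
}

/* Constructed sample: one EPB, 6 captured bytes, opt_comment "hi", opt_endofopt. */
const uint8_t SAMPLE_EPB[52] = {
    6,0,0,0, 52,0,0,0, 0,0,0,0, 1,0,0,0, 2,0,0,0, 6,0,0,0, 64,0,0,0,
    0xde,0xad,0xbe,0xef,0,1,0,0, 1,0,2,0,'h','i',0,0, 0,0,0,0, 52,0,0,0 };
```

For a file that is still being written (step d), a return of 0 at the end of the data can mean the writer has not finished the block, so the reader retries from the same offset once more bytes arrive.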
