Re: tcpdump and pcapng with comments

[Guy Harris <gharris () sonic net>]

On Apr 4, 2025, at 10:22 AM, Mahesh V <maheshvenkateshwaran () gmail com> wrote:

> I would like to know if
> 1) tcpdump can write pcapng format (instead of just pcap)

Currently, no.  tcpdump uses libpcap to read and write capture files, and libpcap doesn't yet support writing pcapng.

> 2) Accept per packet comments from the kernel and write them along with the
> packet into the pcapng file (if so, how do we pack the comments from kernel
> coming from the raw socket to tcpdump in user space)

tcpdump uses libpcap to capture packets, and libpcap doesn't yet support an API mechanism to provide pcapng-style 
comments when capturing.

Furthermore, none of the kernel capture mechanisms libpcap uses *provide* comments, so, even with such an API 
mechanism, if you've modified some OS kernel mechanism, you'd have to modify libpcap to support that.

> 3) read it later on. (I believe this functionality is available today or
> alternatively even wireshark would be ok to do this for me)

libpcap does support reading pcapng files, but does not yet support providing comments to the program that reads them.
_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers () lists tcpdump org
To unsubscribe send an email to tcpdump-workers-leave () lists tcpdump org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s