Re: tcpdump and pcapng with comments

[Guy Harris <gharris () sonic net>]

On Apr 4, 2025, at 11:29 AM, Michael Richardson <mcr () sandelman ca> wrote:

> I can't recall if we can read pcapng.

libpcap - and thus programs, such as tcpdump, that use libpcap to read capture files - can read some pcapng files, as 
long as the current libpcap API can handle them.  That's been the case since libpcap 1.1.

However, "as long as the current libpcap API can handle them" means that:

        1) all of the sections of the pcapng file must have the same byte order, as the current API reports a single 
byte order for the entire file;

        2) all interfaces in all sections of the pcapng file must have the same link-layer header type and snapshot 
length, as the current API reports a single link-layer header type and snapshot length for the entire file;

        3) block types other than packet blocks can't be reported to the caller;

        4) options such as comments can't be reported to the caller.
_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers () lists tcpdump org
To unsubscribe send an email to tcpdump-workers-leave () lists tcpdump org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s