<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<STYLE type=text/css>P {
MARGIN: 0px
}
</STYLE>
<META content="MSHTML 6.00.2900.5726" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face="Courier New" size=2>Can you send a very small trace file so
that we can have a look at it?</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>Have a nice day</FONT></DIV>
<DIV><FONT face="Courier New" size=2>GV</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=timgrab@comcast.net
href="mailto:timgrab@comcast.net">timgrab@comcast.net</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, July 09, 2009 8:38
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] problem between
WpdPack sample exe's and MFC port</DIV>
<DIV><BR></DIV>
<DIV style="FONT-SIZE: 12pt; COLOR: #000000; FONT-FAMILY: Arial">
<META content=Word.Document name=ProgId>
<META content="Microsoft Word 11" name=Generator>
<META content="Microsoft Word 11" name=Originator><LINK
href="file:///C:%5CDOCUME%7E1%5Ctgrab%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"
rel=File-List><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
</w:Compatibility>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
</w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
</w:LatentStyles>
</xml><![endif]-->
<STYLE>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;
mso-header-margin:.5in;
mso-footer-margin:.5in;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</STYLE>
<!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman";
mso-ansi-language:#0400;
mso-fareast-language:#0400;
mso-bidi-language:#0400;}
</style>
<![endif]-->
<P class=MsoNormal>Hi folks,</P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>I have been writing an application using MFC in Visual
Studio 2005.<SPAN> </SPAN>The application uses WinPcap to open a pcap
file and modify the protocol headers so that the packets can be streamed
locally on a test network and received by other applications/devices.</P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>I have been borrowing heavily from the sample code in the
WinPcap 4.0.2 Developer’s Pack, and successfully porting that basic
functionality from C to MFC/C++.<SPAN> </SPAN>For example, my GUI
currently allows the user to open a pcap file, change the MAC addresses in the
packets, and save the packets to a new file.</P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>I ran into a problem recently.<SPAN> </SPAN>I have
been creating pcap files by exporting proprietary files from a 3<SUP>rd</SUP>
party application into pcap format.<SPAN> </SPAN>However, it appears
that the 3<SUP>rd</SUP>-party app, let’s call it “MrSniffer”, changes the
caplen in the packet header to 116 bytes, no matter what it was in the
original (MrSniffer-formatted) file, or what the actual length of the packet
is.<SPAN> </SPAN>I am able to use Wireshark to successfully read and
display all packets in their entirety from the newly-exported pcap
file.<SPAN> </SPAN>Also, I am able to use the command-line executable
“readfile” from the 4.0.2 Developer’s Pack to read and display each packet
from the MrSniffer-exported pcap file in its entirety.</P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>It’s when I try to read the file into my MFC application
that I run into a problem.<SPAN> </SPAN>I use the same basic code in the
“readfile” executable for my MFC application to open the file and read the
packets, i.e. I am using pcap_open_offline() to open the file, and pcap_loop()
to call a dispatcher_handler with the following parameters…</P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>dispatcher_handler(u_char *temp1, const struct pcap_pkthdr
*header, const u_char *pkt_data)</P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>…which reads in each packet.<SPAN> </SPAN>The trouble
arises when the packets are read into my application, and it appears that the
pcap library functions I am using are reading the packets based on the caplen
of 116 bytes – so any packets larger than 116 bytes are truncated, and I lose
the rest of that data!</P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>What is so strange about this is that I am using the same
library as the Developer’s Pack sample “readfile”, and essentially the same
code, but my application seems to read the caplen, while “readfile” uses the
actual packet length.</P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>Unfortunately, I can’t change “MrSniffer” so that it does
not modify the caplen; my only option appears to be to read the actual packet
length from each packet when dealing with these exported pcaps.
<SPAN> </SPAN>I have not been able to find a way to do this using the
exported functions – probably because I am quite new to WinPcap.</P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>If anyone has any suggestions, I’d greatly appreciate
it!</P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>Thanks and Regards – </P>
<P class=MsoNormal><O:P></O:P></P>
<P class=MsoNormal>TimG</P></DIV>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>