[Winpcap-users] How to save packets to a file?
Guy Harris
guy at alum.mit.edu
Tue May 17 07:26:02 GMT 2005

He Zhiyu wrote:

> I'm writing a sniffer for my graduation project (protocol analyzer). I
> have finished most functions of it. I captured packets and created a
> dynamic list to save all the packets in the buffer. Every node of the
> list contains a struct pcap_pkthdr *header and a u_char *pkt_data. I have
> a problem. How to save the packets in the buffer to a file, and read
> packets from the dump file? (I'm not able to use pcap_dump to do
> this, because pcap_dump_open needs a parameter (pcap_t *p) from
> pcap_open, but I should save the packets from the buffer to the file, not
> from the adapter to the file!)

If you're using WinPcap to capture packets into the buffer, use the
pcap_t you got from pcap_open(); that doesn't mean you have to save them
at the time you capture them.

If you're not using WinPcap to capture packets into the buffer, use
pcap_open_dead() to get a pcap_t * - the documentation says it's
deprecated, but it doesn't belong in the list of deprecated functions
because pcap_open() doesn't implement anything like it.

Then, for each packet, call pcap_dump(). Call pcap_dump_close() when
you've written all of the packets.

To read packets from the dump file, use pcap_open() or
pcap_open_offline() to open the dump file, and use pcap_loop() or
pcap_next_ex() to read the packets.
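
An added example, not part of the original post and not libpcap code: it writes a buffered packet list to the classic pcap dump-file layout with plain stdio and reads it back, to show what ends up on disk when the pcap_dump() route above is used. The names `struct node`, `save_list`, `load_count` and `buffer.pcap` are hypothetical, and link type 1 (Ethernet) is assumed.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical buffer node: the pcap_pkthdr fields plus the packet bytes. */
struct node { uint32_t ts_sec, ts_usec, caplen, len; const uint8_t *data; struct node *next; };
/* 24-byte file header, then a 16-byte record header + data per node; -1 on error. */
int save_list(const char *path, const struct node *head, uint32_t linktype)
{
    uint32_t magic = 0xa1b2c3d4, zero = 0, snaplen = 65535;
    uint16_t ver[2] = { 2, 4 };
    int n = 0;
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fwrite(&magic, 4, 1, f); fwrite(ver, 2, 2, f); fwrite(&zero, 4, 1, f);  /* magic, v2.4, thiszone */
    fwrite(&zero, 4, 1, f); fwrite(&snaplen, 4, 1, f); fwrite(&linktype, 4, 1, f); /* sigfigs, ... */
    for (; head; head = head->next, n++) {
        /* On-disk fields are 32 bits; struct pcap_pkthdr's timeval may be wider. */
        uint32_t rec[4] = { head->ts_sec, head->ts_usec, head->caplen, head->len };
        fwrite(rec, 4, 4, f);
        fwrite(head->data, 1, head->caplen, f);
    }
    if (ferror(f)) { fclose(f); return -1; }
    return fclose(f) == 0 ? n : -1;
}

/* Returns the packet count and sums captured bytes; -1 on a bad or foreign file. */
int load_count(const char *path, uint32_t *total_bytes)
{
    uint32_t hdr[6], rec[4];
    static uint8_t buf[65535];
    int n = 0;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fread(hdr, 4, 6, f) != 6 || hdr[0] != 0xa1b2c3d4) { fclose(f); return -1; }
    for (*total_bytes = 0; fread(rec, 4, 4, f) == 4; n++) {
        /* A dump file is untrusted input: bound caplen before reading into buf. */
        if (rec[2] > sizeof buf || fread(buf, 1, rec[2], f) != rec[2]) { fclose(f); return -1; }
        *total_bytes += rec[2];
    }
    fclose(f);
    return n;
}

int main(void)
{
    static const uint8_t a[4] = { 1, 2, 3, 4 };        /* constructed sample packet */
    struct node n1 = { 1, 0, 4, 60, a, NULL };
    uint32_t total;
    int w = save_list("buffer.pcap", &n1, 1);          /* 1 = Ethernet link type */
    printf("wrote %d, read %d\n", w, load_count("buffer.pcap", &total));
    return 0;
}
```

The reader accepts only files whose magic number is in the host's byte order; a file written on a machine with the other byte order would need its header fields swapped.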