[Winpcap-users] How to save packets to a file?

Alex Narinsky alex_narinsky at guardium.com
Wed May 18 14:16:34 GMT 2005


Guy,
Thank you for the help.  However, the problem can be much more
complicated if we consider it in real time.

For example, we capture packets and at one moment need to dump packets
instead of processing them.  Then at another moment we need to process
the packets while packets are still being captured, and we cannot change
the packet order.

I see that it is much easier to deal with this scenario on UNIX.   One
can open a FIFO file for reading and writing at the same time.  I do not
see this option on Windows.

Does anyone have any idea?

Thanks

-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Guy Harris
Sent: Tuesday, May 17, 2005 3:26 AM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] How to save packets to a file?

He Zhiyu wrote:

> I'm writing a sniffer for my graduation project (protocol analyzer). I
> have finished most functions of it. I captured packets and created a
> dynamic list to save all the packets in the buffer. Every node of the
> list contains a struct pcap_pkthdr *header and a u_char *pkt_data. I have
> a problem. How to save the packets in the buffer to a file, and read
> packets from the dump file? (I'm not able to use pcap_dump to do
> this, because pcap_dump_open needs a parameter (pcap_t *p) from
> pcap_open, but I should save the packets from the buffer to the file, not
> from the adapter to the file!)

If you're using WinPcap to capture packets into the buffer, use the 
pcap_t you got from pcap_open(); that doesn't mean you have to save them
at the time you capture them.

If you're not using WinPcap to capture packets into the buffer, use 
pcap_open_dead() to get a pcap_t * - the documentation says it's 
deprecated, but it doesn't belong in the list of deprecated functions 
because pcap_open() doesn't implement anything like it.

Then, for each packet, call pcap_dump().  Call pcap_dump_close() when 
you've written all of the packets.

To read packets from the dump file, use pcap_open() or 
pcap_open_offline() to open the dump file, and use pcap_loop() or 
pcap_next_ex() to read the packets.
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users