[Winpcap-users] How to save packets to a file?

David Chang dchang at fsautomation.com
Wed May 18 15:57:52 GMT 2005


Alex,

Are you saying that you wish to use a dump file because you don't have
enough memory to buffer all the network packets?  Otherwise, I would just
allocate enough memory to hold the packets for processing (still use 2
threads).

If you don't have enough RAM, create these two threads: (1) one that stores
packets into a file and, if told to close it, closes it and opens a new file,
and (2) one that reads from a closed file, processes the data, and from time
to time tells the first thread to close the current file.

DC

----- Original Message ----- 
From: "Alex Narinsky" <alex_narinsky at guardium.com>
To: <winpcap-users at winpcap.org>
Sent: Wednesday, May 18, 2005 7:16 AM
Subject: RE: [Winpcap-users] How to save packets to a file?


> Guy,
> Thank you for the help.  However, the problem can be much more
> complicated if we consider it in real time.
>
> For example we catch packets and at one moment need to dump packets
> instead of processing them.  Then at another moment we need to process
> the packets when the packets are still capturing and we cannot change
> the packets order.
>
> I see that it is much easier to deal with this scenario on UNIX.  One
> can open a FIFO file to read and write at the same time.  I do not see
> this option on Windows.
>
> Does anyone have any idea?
>
> Thanks
>
> -----Original Message-----
> From: winpcap-users-bounces at winpcap.org
> [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Guy Harris
> Sent: Tuesday, May 17, 2005 3:26 AM
> To: winpcap-users at winpcap.org
> Subject: Re: [Winpcap-users] How to save packets to a file?
>
> He Zhiyu wrote:
>
> > I'm writing a sniffer for my graduation project (protocol analyzer), I
> > have finished most functions of it. I captured packets and created a
> > dynamic list to save all the packets in the buffer. Every node of the
> > list contains a struct pcap_pkthdr *header and a u_char *pkt_data. I have
> > a problem. How to save the packets in the buffer to a file, and read
> > packets from the dump file? (I'm not able to use pcap_dump to do
> > this, because pcap_dump_open needs a parameter (pcap_t *p) from
> > pcap_open, but I should save the packets from the buffer to the file, not
> > from the adapter to the file!)
>
> If you're using WinPcap to capture packets into the buffer, use the
> pcap_t you got from pcap_open(); that doesn't mean you have to save them
> at the time you capture them.
>
> If you're not using WinPcap to capture packets into the buffer, use
> pcap_open_dead() to get a pcap_t * - the documentation says it's
> deprecated, but it doesn't belong in the list of deprecated functions
> because pcap_open() doesn't implement anything like it.
>
> Then, for each packet, call pcap_dump().  Call pcap_dump_close() when
> you've written all of the packets.
>
> To read packets from the dump file, use pcap_open() or
> pcap_open_offline() to open the dump file, and use pcap_loop() or
> pcap_next_ex() to read the packets.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
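
Added example, not code from this thread and not calling WinPcap: the rotation scheme David Chang describes, with a writer that closes a segment and opens the next, and a reader that replays only closed segments in order so packet order is preserved. It writes the classic pcap savefile layout by hand so it builds without the library, runs both roles sequentially instead of in two threads, and the `seg%03d.pcap` naming, the byte-0 sequence tag and the packet contents are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define MAGIC   0xa1b2c3d4u   /* classic pcap savefile magic, host byte order */
#define SNAPLEN 65535u
struct file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t zone;
                  uint32_t sigfigs, snaplen, linktype; };
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; };
/* Open segment n; the seg%03d.pcap naming is an assumption of this example. */
static FILE *seg_open(int n, const char *mode) {
    char name[32];
    snprintf(name, sizeof name, "seg%03d.pcap", n);
    return fopen(name, mode);
}
/* Reader: replay one closed segment; -1 on a bad file or out-of-order tag. */
static int seg_read(int n, uint8_t *next) {
    static uint8_t buf[SNAPLEN];
    struct file_hdr h; struct rec_hdr r; int count = 0;
    FILE *f = seg_open(n, "rb");
    if (!f || fread(&h, sizeof h, 1, f) != 1 || h.magic != MAGIC) count = -1;
    while (count >= 0 && fread(&r, sizeof r, 1, f) == 1) {
        /* caplen comes from the file: bound it before filling buf. */
        int bad = r.caplen < 1 || r.caplen > sizeof buf ||
                  fread(buf, 1, r.caplen, f) != r.caplen || buf[0] != (*next)++;
        count = bad ? -1 : count + 1;
    }
    if (f) fclose(f);
    return count;
}
/* Constructed run: 7 tagged packets, rotate every 3, replay in file order. */
int rotate_and_replay(void) {
    struct file_hdr h = { MAGIC, 2, 4, 0, 0, SNAPLEN, 1 /* Ethernet */ };
    uint8_t pkt[60] = {0}, next = 0;
    int seg = -1, total = 0; FILE *f = NULL;
    for (uint8_t i = 0; i < 7; i++) {
        if (i % 3 == 0) {                     /* "told to close": rotate */
            if (f) fclose(f);
            f = seg_open(++seg, "wb");
            if (!f || fwrite(&h, sizeof h, 1, f) != 1) return -1;
        }
        struct rec_hdr r = { 1000u + i, 0, sizeof pkt, sizeof pkt };
        pkt[0] = i;                           /* sequence tag (assumption) */
        if (fwrite(&r, sizeof r, 1, f) != 1 || fwrite(pkt, sizeof pkt, 1, f) != 1) return -1;
    }
    fclose(f);
    for (int s = 0, n; s <= seg; s++, total += n)
        if ((n = seg_read(s, &next)) < 0) return -1;
    return total;
}
int main(void) { return rotate_and_replay() == 7 ? 0 : 1; }
```

In a two-thread version, the reader should be handed a segment number only after the writer's `fclose()` on that segment has returned.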



