[Winpcap-users] new winpcap file format, saving also custom data ?
Tecnowatt - Massimo Sala
massimo.sala at tecnowatt.com
Mon May 29 12:55:31 GMT 2006
I read about the new dump file format (not in the details, no time !).
I have a little idea I think useful and also easy to code.
Often while dumping network traffic, the application also gathers other
To record all the session information, the application have to save the
Winpcap file and also other files with the various custom data.
The idea: add a few APIs to Winpcap, for example
int pcap_file_add_record(pcap_t *adhandle, unsigned char *pkt_data)
to save in the current dump file the application custom data.
The Winpcap library doesn't check / parse the data, only stores the packet
in the file, adding the current timestamp (like it does with the network
When the application reads back the dump file, for example using
pcap_dump_open() and pcap_next_ex(), the API read all the packets.
It is sufficient a flag in the packet header to mark the packet as "normal
or "custom data". The application knows how to handle the custom packets.
Analyzer / Ethereal / other protocol analyzers skip all the custom data
More information about the Winpcap-users