[Winpcap-users] new winpcap file format, saving also custom data ?

Tecnowatt - Massimo Sala massimo.sala at tecnowatt.com
Mon May 29 12:55:31 GMT 2006

I read about the new dump file format (not in the details, no time !).

I have a little idea I think useful and also easy to code.

Often while dumping network traffic, the application also gathers other
To record all the session information, the application have to save the
Winpcap file and also other files with the various custom data.

The idea: add a few APIs to Winpcap, for example

int pcap_file_add_record(pcap_t *adhandle, unsigned char *pkt_data)

to save in the current dump file the application custom data.

The Winpcap library doesn't check / parse the data, only stores the packet
in the file, adding the current timestamp (like it does with the network

When the application reads back the dump file, for example using
pcap_dump_open() and pcap_next_ex(), the API read all the packets.

It is sufficient a flag in the packet header to mark the packet as "normal 
network packet"
or "custom data". The application knows how to handle the custom packets.
Analyzer / Ethereal / other protocol analyzers skip all the custom data

ciao, Massimo

More information about the Winpcap-users mailing list