[Winpcap-users] new winpcap file format, saving also custom data ?

Gianluca Varenni gianluca.varenni at cacetech.com
Mon May 29 15:29:08 GMT 2006


----- Original Message ----- 
From: "Tecnowatt - Massimo Sala" <massimo.sala at tecnowatt.com>
To: <winpcap-users at winpcap.org>
Sent: Monday, May 29, 2006 5:55 AM
Subject: [Winpcap-users] new winpcap file format, saving also custom data ?


> I read about the new dump file format (not in the details, no time !).
>
> I have a little idea I think useful and also easy to code.
>
> Often while dumping network traffic, the application also gathers other
> information.
> To record all the session information, the application has to save the
> Winpcap file and also other files with the various custom data.

That's exactly the purpose of pcap-ng: allowing apps to save packets as well 
as other information into the file.
>
> The idea: add a few APIs to Winpcap, for example
>
> int pcap_file_add_record(pcap_t *adhandle, unsigned char *pkt_data)
>
> to save in the current dump file the application custom data.

Well, first of all WinPcap at the moment does not support the new pcap-ng 
file format at all, and neither we (the WinPcap team) nor the libpcap guys 
have fully discussed how to integrate pcap-ng into libpcap/WinPcap. One of 
the problems is that pcap-ng offers a large series of features that cannot 
be exposed with the current set of pcap APIs. In particular, talking about 
your API proposal, it's certainly useful. However the data inside a pcap-ng 
file are saved within codified blocks, which guarantee that
1. if an app is able to decode the block (looking at the block id) it 
processes it.
2. if it doesn't know how to decode the block, it simply skips it.

Basically the approach of pcap-ng is similar to yours, but it adds the 
concept of blocks and block ids, thus allowing several different pieces of 
information to be saved in an elegant (?) and cross-compatible way.

How will these pcap-ng features be exposed by libpcap/WinPcap? At the moment 
this is not completely clear. In any case, if you want to play with pcap-ng, 
you can certainly use NTAR, the (only?) available implementation of the 
pcap-ng specification. NTAR is available at http://www.winpcap.org/ntar

>
> The Winpcap library doesn't check / parse the data, only stores the packet
> in the file, adding the current timestamp (like it does with the network
> packets).
>
>
> When the application reads back the dump file, for example using
> pcap_dump_open() and pcap_next_ex(), the API reads all the packets.
>
> A flag in the packet header is sufficient to mark the packet as "normal
> network packet" or "custom data". The application knows how to handle the
> custom packets.
> Analyzer / Ethereal / other protocol analyzers skip all the custom data
> packets.
>

Uhm, what about older applications, that do not know about this new flag? 
They will try to interpret the OOB data as a packet...

Have a nice day
GV

>
> ciao, Massimo
> ITALY
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users 
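The block framing GV describes above (type id, total length, body, total length again; known ids are processed, unknown ids skipped), as an added example that is not part of the original message or of NTAR. It constructs a small little-endian pcap-ng byte string inline; the block type 0x00001234 used for the application-private data is a made-up id, not one from the specification, and the reader rejects malformed lengths rather than trusting them.

```python
import struct

# Block type ids from the pcap-ng specification (Section Header, Interface Description, Enhanced Packet).
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
CUSTOM = 0x00001234  # constructed, application-private block id; not defined by any spec

def build_block(block_type, body):
    """Frame a body as a pcap-ng block: type, total length, body padded to 32 bits, total length again."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def parse_blocks(data):
    """Walk a little-endian pcap-ng byte string, yielding (block_type, body).

    The length fields come from the file, so they are validated before use:
    too short, unaligned, past end of buffer, or disagreeing trailer all raise."""
    off, n = 0, len(data)
    while off < n:
        if n - off < 12:
            raise ValueError("truncated block header at offset %d" % off)
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > n:
            raise ValueError("bad block length %d at offset %d" % (total, off))
        (trailer,) = struct.unpack_from("<I", data, off + total - 4)
        if trailer != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        yield btype, data[off + 8:off + total - 4]
        off += total

def read_packets(data):
    """Return (packet payloads from EPBs, type ids of blocks that were skipped as unknown)."""
    pkts, skipped = [], []
    for btype, body in parse_blocks(data):
        if btype == EPB:
            iface, ts_hi, ts_lo, caplen, origlen = struct.unpack_from("<IIIII", body, 0)
            if 20 + caplen > len(body):
                raise ValueError("captured length exceeds block body")
            pkts.append(body[20:20 + caplen])
        elif btype not in (SHB, IDB):
            skipped.append(btype)  # unknown id: skip it, do not treat it as a packet
    return pkts, skipped

# Constructed sample capture: SHB, IDB (Ethernet, snaplen 65535), two EPBs with a custom block between them.
SAMPLE = b"".join([
    build_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)),
    build_block(IDB, struct.pack("<HHI", 1, 0, 65535)),
    build_block(EPB, struct.pack("<IIIII", 0, 0, 1000, 5, 5) + b"hello"),
    build_block(CUSTOM, b"app-private session notes"),
    build_block(EPB, struct.pack("<IIIII", 0, 0, 2000, 3, 3) + b"bye"),
])
```

Running `read_packets(SAMPLE)` yields the two packet payloads and reports the custom block id as skipped; corrupting a length field makes the reader fail closed instead of misparsing the rest of the file.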


