[Winpcap-users] problem between WpdPack sample exe's and MFC port

Gianluca Varenni gianluca.varenni at cacetech.com
Mon Jul 13 09:56:32 PDT 2009

Can you send a very small trace file so that we can have a look at it?

Have a nice day
  ----- Original Message ----- 
  From: timgrab at comcast.net 
  To: winpcap-users at winpcap.org 
  Sent: Thursday, July 09, 2009 8:38 AM
  Subject: [Winpcap-users] problem between WpdPack sample exe's and MFC port

  Hi folks,

  I have been writing an application using MFC in Visual Studio 2005.  The application uses WinPcap to open a pcap file and modify the protocol headers so that the packets can be streamed locally on a test network and received by other applications/devices.

  I have been borrowing heavily from the sample code in the WinPcap 4.0.2 Developer’s Pack, and successfully porting that basic functionality from C to MFC/C++.  For example, my GUI currently allows the user to open a pcap file, change the MAC addresses in the packets, and save the packets to a new file.

  I ran into a problem recently.  I have been creating pcap files by exporting proprietary files from a 3rd party application into pcap format.  However, it appears that the 3rd-party app, let’s call it “MrSniffer”, changes the caplen in the packet header to 116 bytes, no matter what it was in the original (MrSniffer-formatted) file, or what the actual length of the packet is.  I am able to use Wireshark to successfully read and display all packets in their entirety from the newly-exported pcap file.  Also, I am able to use the command-line executable “readfile” from the 4.0.2 Developer’s Pack to read and display each packet from the MrSniffer-exported pcap file in its entirety.

  It’s when I try to read the file into my MFC application that I run into a problem.  I use the same basic code in the “readfile” executable for my MFC application to open the file and read the packets, i.e. I am using pcap_open_offline() to open the file, and pcap_loop() to call a dispatcher_handler with the following parameters…

  dispatcher_handler(u_char *temp1, const struct pcap_pkthdr *header, const u_char *pkt_data)

  …which reads in each packet.  The trouble arises when the packets are read into my application, and it appears that the pcap library functions I am using are reading the packets based on the caplen of 116 bytes – so any packets larger than 116 bytes are truncated, and I lose the rest of that data!

  What is so strange about this is that I am using the same library as the Developer’s Pack sample “readfile”, and essentially the same code, but my application seems to read the caplen, while “readfile” uses the actual packet length.

  Unfortunately, I can’t change “MrSniffer” so that it does not modify the caplen; my only option appears to be to read the actual packet length from each packet when dealing with these exported pcaps.  I have not been able to find a way to do this using the exported functions – probably because I am quite new to WinPcap.

  If anyone has any suggestions, I’d greatly appreciate it!

  Thanks and Regards – 
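For checking what an exported file really stores, here is an added example (not code from this thread or from the WinPcap Developer's Pack) that walks the classic pcap layout in a buffer and reports the global snaplen plus each record's caplen (`incl_len`) against its len (`orig_len`), the same two fields a `pcap_loop()` handler receives in `pcap_pkthdr`, where only caplen bytes are present at `pkt_data`. The names `pcap_scan`, `pcap_summary` and `sample_pcap` are hypothetical, and the code assumes the classic (non-pcapng) format with magic 0xa1b2c3d4.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What a classic pcap file records about capture lengths. */
struct pcap_summary {
    uint32_t snaplen;    /* snapshot length from the 24-byte global header */
    unsigned records;    /* complete packet records found */
    unsigned truncated;  /* records whose caplen (incl_len) < len (orig_len) */
};

static uint32_t rd32(const uint8_t *p, int be) {
    return be ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
              : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

/* Returns 0 on success, -1 on short header or unknown magic, -2 when a
   record's caplen runs past the end of the buffer (cut or corrupt file). */
int pcap_scan(const uint8_t *buf, size_t n, struct pcap_summary *out) {
    if (n < 24) return -1;
    int be;
    if (rd32(buf, 0) == 0xa1b2c3d4u) be = 0;        /* little-endian writer */
    else if (rd32(buf, 1) == 0xa1b2c3d4u) be = 1;   /* big-endian writer */
    else return -1;
    out->snaplen = rd32(buf + 16, be);
    out->records = out->truncated = 0;
    size_t off = 24;
    while (n - off >= 16) {                 /* 16-byte per-record header */
        uint32_t caplen = rd32(buf + off + 8, be);
        uint32_t len = rd32(buf + off + 12, be);
        off += 16;
        if (caplen > n - off) return -2;    /* bound every read by what exists */
        out->records++;
        if (caplen < len) out->truncated++;
        off += caplen;                      /* only caplen bytes are stored */
    }
    return 0;
}

/* Constructed sample: snaplen 116, then one full record (4 of 4 bytes)
   and one truncated record (4 of 200 bytes). */
static const uint8_t sample_pcap[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 116,0,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0,   0xde,0xad,0xbe,0xef,
    0,0,0,0, 0,0,0,0, 4,0,0,0, 200,0,0,0, 0xde,0xad,0xbe,0xef };

int main(void) {
    struct pcap_summary s = {0, 0, 0};
    int rc = pcap_scan(sample_pcap, sizeof sample_pcap, &s);
    printf("rc=%d snaplen=%u records=%u truncated=%u\n", rc, (unsigned)s.snaplen, s.records, s.truncated);
    return rc;
}
```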


