[Winpcap-users] Packet random access using file seek

Clemens Gruber clemens.gruber at pqgruber.com
Tue Apr 23 06:57:08 PDT 2013

> On Tue, Apr 23, 2013 at 12:10 AM, Gisle Vanem <gvanem at broadpark.no> wrote:
>> I forgot to ask how you compile and link with the WinPcap and Packet APIs.
>> And what compiler; MSVC or MingW or something else.
> Hi, thanks for having a look at my problem, it's very appreciated.  I am
> currently using the 32 bit compiler on Visual Studio Express 2008 on
> Windows 7 x64, and later I will try the 64 bit compiler on Visual Studio
> 2008 Pro.  My project is configured using CMake and built in Release mode.
> It links to wpcap.lib.
> My project does not have LIBPCAP_EXPORTS, so this means it is using:
>   #define pcap_fopen_offline(f,b) \
>     pcap_hopen_offline(_get_osfhandle(_fileno(f)), b)
> I took a look at the implementation of pcap_hopen_offline().  I see that it
> takes the input FILE* and creates a new FILE* using a series of function
> calls:
> _fileno()
> _get_osfhandle()
> _open_osfhandle()
> _fdopen()
> So, if I understand correctly, it is creating a new FILE* that is relative
> to its own CRT.  I think that means I can no longer use any information I
> query about the original input FILE*, because winpcap has created its own
> FILE* stream to read from.
> So that leads me to think that my plan to use ftell() to record file
> positions of packets, and fseek() to jump to the beginning of packets, is
> not going to work on Windows.  What do you think?  Is there a different way
> to use winpcap to seek to packets in a save file without reading each
> packet in sequential order starting at the beginning?
> Pat


I had to do something similar on Windows, about a year ago. 
What confused me in the beginning, was the non-availability of pcap_dump_fopen.
So, in the end, I wrote my own index file and used the pcap file seek routines according to Wireshark's implementation. Besides dumping the pcap packet in the pcap file with the Winpcap functions, I wrote an index struct to the separate index file.
In that index file, I could jump to the packet number * my index structure's size and look up the offset for the pcap file, after that, I would call fseek and read the data from the pcap file.

Oh, in case you are also using Wireshark for inspiration, the wiretap subdirectory was helpful to me: http://anonsvn.wireshark.org/wireshark/trunk/wiretap/

There was also an interesting article: http://www.csg.ethz.ch/people/dimitroc/papers/pcapIndex.pdf
(But my home made indexing solution was not as impressive and professional as it is proposed in this paper ;-)

Bitmap indexing would be useful, because otherwise, in some cases the index files tend to become bigger than the pcap files.

What are you using for your index file?

Best regards,
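The index-file scheme described in this reply, as an added example that is not code from the mail, from WinPcap or from Wireshark: a fixed-size index entry is written per packet while the capture file is being dumped, so looking up packet N is a seek to N * sizeof(entry) in the index, then a seek to the stored offset in the pcap file. The example uses only the C standard library and writes the pcap records itself in place of pcap_dump(); the struct names (pkt_index, pcap_rec_hdr) and the helper functions are this example's own. It also caps caplen and cross-checks the index entry against the record header actually read, so a stale or corrupted index cannot drive fseek/fread with arbitrary offsets and lengths.

```c
/* Added example (not from the mail, WinPcap or Wireshark): random access to
 * packets in a pcap savefile through a separate fixed-size index file.
 * Standard C only; the capture is constructed here. Struct and function
 * names are this example's own assumptions, not WinPcap API. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

/* pcap global header and per-record header (classic layout, no padding) */
struct pcap_file_hdr {
    uint32_t magic; uint16_t major, minor;
    int32_t  thiszone; uint32_t sigfigs, snaplen, linktype;
};
struct pcap_rec_hdr { uint32_t ts_sec, ts_usec, caplen, len; };

/* One fixed-size index entry per packet: index position = pktno * sizeof */
struct pkt_index { uint64_t offset; uint32_t caplen; uint32_t ts_sec; };

#define MAX_CAPLEN 65535u  /* reject index/file entries beyond the snaplen */

/* Append one record to the pcap file and one entry to the index file.
 * ftell() is reliable here because this is our own FILE*, not a stream
 * re-created inside the library. Returns 0 on success, -1 on failure. */
static int dump_packet(FILE *pcap, FILE *idx, uint32_t ts_sec,
                       const unsigned char *data, uint32_t caplen)
{
    struct pcap_rec_hdr rh = { ts_sec, 0, caplen, caplen };
    struct pkt_index ie;
    long pos = ftell(pcap);
    if (pos < 0 || caplen > MAX_CAPLEN) return -1;
    ie.offset = (uint64_t)pos; ie.caplen = caplen; ie.ts_sec = ts_sec;
    if (fwrite(&rh, sizeof rh, 1, pcap) != 1 ||
        fwrite(data, 1, caplen, pcap) != caplen ||
        fwrite(&ie, sizeof ie, 1, idx) != 1)
        return -1;
    return 0;
}

/* Random access: look up packet pktno in the index, seek the pcap file,
 * read the record header and payload into buf. Returns caplen, or -1. */
static long read_packet(FILE *pcap, FILE *idx, uint64_t pktno,
                        unsigned char *buf, size_t bufsz)
{
    struct pkt_index ie;
    struct pcap_rec_hdr rh;
    if (fseek(idx, (long)(pktno * sizeof ie), SEEK_SET) != 0 ||
        fread(&ie, sizeof ie, 1, idx) != 1)
        return -1;                       /* pktno is past the end of the index */
    if (ie.caplen > MAX_CAPLEN || ie.caplen > bufsz) return -1;
    if (fseek(pcap, (long)ie.offset, SEEK_SET) != 0 ||
        fread(&rh, sizeof rh, 1, pcap) != 1)
        return -1;
    /* cross-check the index against the real record header: a stale or
     * corrupted index must not decide how much we read */
    if (rh.caplen != ie.caplen || rh.ts_sec != ie.ts_sec) return -1;
    if (fread(buf, 1, rh.caplen, pcap) != rh.caplen) return -1;
    return (long)rh.caplen;
}

/* Build a constructed capture of npkts packets (packet i = i+1 bytes with
 * value i), index it while dumping, then fetch packet `want` by random
 * access. Returns that packet's caplen, or -1 on any failure. */
static long demo(uint64_t npkts, uint64_t want)
{
    const char *pcap_path = "idx_demo.pcap", *idx_path = "idx_demo.idx";
    struct pcap_file_hdr gh = { 0xa1b2c3d4u, 2, 4, 0, 0, MAX_CAPLEN, 1 };
    unsigned char buf[MAX_CAPLEN];
    FILE *pcap = NULL, *idx = NULL;
    long got = -1;
    uint64_t i;
    if (npkts > MAX_CAPLEN) return -1;
    pcap = fopen(pcap_path, "wb"); idx = fopen(idx_path, "wb");
    if (!pcap || !idx) goto out;
    if (fwrite(&gh, sizeof gh, 1, pcap) != 1) goto out;
    for (i = 0; i < npkts; i++) {
        memset(buf, (int)i, (size_t)i + 1);
        if (dump_packet(pcap, idx, 1000u + (uint32_t)i, buf, (uint32_t)i + 1))
            goto out;
    }
    fclose(pcap); fclose(idx);
    pcap = fopen(pcap_path, "rb"); idx = fopen(idx_path, "rb");
    if (!pcap || !idx) goto out;
    got = read_packet(pcap, idx, want, buf, sizeof buf);
    /* payload check: every byte of packet `want` carries the value `want` */
    if (got > 0 && buf[0] != (unsigned char)want) got = -1;
out:
    if (pcap) fclose(pcap);
    if (idx) fclose(idx);
    remove(pcap_path); remove(idx_path);
    return got;
}

int main(void)
{
    long n = demo(50, 42);
    printf("packet 42 via index: caplen %ld\n", n);
    return n == 43 ? 0 : 1;
}
```

Each index entry here is 16 bytes, which is what makes the index grow in step with the packet count; for a capture of many small packets the index can approach the size of the pcap file itself, the effect the reply mentions as the motivation for bitmap indexing.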
