[Winpcap-users] Packet random access using file seek

Clemens Gruber clemens.gruber at pqgruber.com
Tue Apr 23 07:02:33 PDT 2013

>> On Tue, Apr 23, 2013 at 12:10 AM, Gisle Vanem <gvanem at broadpark.no> wrote:
>>> I forgot to ask how you compile and link with the WinPcap and Packet APIs.
>>> And what compiler; MSVC or MingW or something else.
>> Hi, thanks for having a look at my problem, it's very appreciated.  I am
>> currently using the 32 bit compiler on Visual Studio Express 2008 on
>> Windows 7 x64, and later I will try the 64 bit compiler on Visual Studio
>> 2008 Pro.  My project is configured using CMake and built in Release mode.
>> It links to wpcap.lib.
>> My project does not have LIBPCAP_EXPORTS, so this means it is using:
>>  #define pcap_fopen_offline(f,b) \
>>    pcap_hopen_offline(_get_osfhandle(_fileno(f)), b)
>> I took a look at the implementation of pcap_hopen_offline().  I see that it
>> takes the input FILE* and creates a new FILE* using a series of function
>> calls:
>> _fileno()
>> _get_osfhandle()
>> _open_osfhandle()
>> _fdopen()
>> So, if I understand correctly, it is creating a new FILE* that is relative
>> to its own CRT.  I think that means I can no longer use any information I
>> query about the original input FILE*, because winpcap has created its own
>> FILE* stream to read from.
>> So that leads me to think that my plan to use ftell() to record file
>> positions of packets, and fseek() to jump to the beginning of packets, is
>> not going to work on Windows.  What do you think?  Is there a different way
>> to use winpcap to seek to packets in a save file without reading each
>> packet in sequential order starting at the beginning?
>> Pat
> Hi,
> I had to do something similar on Windows, about a year ago. 
> What confused me in the beginning, was the non-availability of pcap_dump_fopen.
> So, in the end, I wrote my own index file and used the pcap file seek routines according to Wireshark's implementation. Besides dumping the pcap packet in the pcap file with the Winpcap functions, I wrote an index struct to the separate index file.
> In that index file, I could jump to the packet number * my index structure's size and look up the offset for the pcap file, after that, I would call fseek and read the data from the pcap file.
> Oh, in case you are also using Wireshark for inspiration, the wiretap subdirectory was helpful to me: http://anonsvn.wireshark.org/wireshark/trunk/wiretap/
> There was also an interesting article: http://www.csg.ethz.ch/people/dimitroc/papers/pcapIndex.pdf
> (But my home made indexing solution was not as impressive and professional as it is proposed in this paper ;-)
> Bitmap indexing would be useful, because otherwise, in some cases the index files tend to become bigger than the pcap files..
> What are you using for your index file?
> Best regards,
> Clemens

I forgot to say: If I remember correctly, I used pcap_dump_ftell to get the offset.
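The offset-index scheme discussed in this thread, as an added example that is not code from the thread, WinPcap or Wireshark: a writer records each packet record's byte offset (what pcap_dump_ftell() would return) into a separate fixed-size index file, and a reader jumps to packet n by reading entry n from the index and calling fseek() on its own FILE* for the save file. The pcap on-disk structs, the constructed packets and the file names seek_demo.pcap / seek_demo.idx are assumptions made for this example so that it builds without pcap.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal pcap save-file layout, declared by hand here (assumption for this
 * example) so it builds without pcap.h. In a WinPcap build you would emit
 * records with pcap_dump() and take offsets from pcap_dump_ftell() instead. */
#define PCAP_MAGIC      0xa1b2c3d4u
#define LINKTYPE_EN10MB 1
#define SNAPLEN         65535

struct pcap_file_header {          /* 24 bytes, no padding */
    uint32_t magic;
    uint16_t version_major, version_minor;
    int32_t  thiszone;
    uint32_t sigfigs, snaplen, linktype;
};

struct pcaprec_hdr {               /* 16 bytes per packet record */
    uint32_t ts_sec, ts_usec, incl_len, orig_len;
};

/* Index entry: byte offset of packet n's record header in the .pcap file.
 * Fixed size, so entry n lives at n * sizeof(idx_entry_t) in the index file. */
typedef uint64_t idx_entry_t;

/* Write n constructed packets to pcap_path and one offset per packet to idx_path.
 * Packet i is (i+1)*10 bytes long and filled with the byte value i, so a reader
 * can verify it landed on the right record. Returns n on success, -1 on error. */
int write_sample_capture(const char *pcap_path, const char *idx_path, int n)
{
    FILE *pf = fopen(pcap_path, "wb");
    FILE *xf = fopen(idx_path, "wb");
    if (!pf || !xf) { if (pf) fclose(pf); if (xf) fclose(xf); return -1; }

    struct pcap_file_header gh = { PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_EN10MB };
    if (fwrite(&gh, sizeof gh, 1, pf) != 1) goto fail;

    for (int i = 0; i < n; i++) {
        unsigned char data[256];
        uint32_t len = (uint32_t)((i + 1) * 10);
        if (len > sizeof data) goto fail;
        memset(data, i, len);

        /* Record the offset *before* the record header goes out: this is the
         * value pcap_dump_ftell() hands back in a real WinPcap dumper. */
        idx_entry_t off = (idx_entry_t)ftell(pf);
        if (fwrite(&off, sizeof off, 1, xf) != 1) goto fail;

        struct pcaprec_hdr rh = { 1366700000u + (uint32_t)i, 0, len, len };
        if (fwrite(&rh, sizeof rh, 1, pf) != 1) goto fail;
        if (fwrite(data, 1, len, pf) != len) goto fail;
    }
    fclose(pf); fclose(xf);
    return n;
fail:
    fclose(pf); fclose(xf);
    return -1;
}

/* Number of packets the index file describes (derived from its size). */
long indexed_packet_count(const char *idx_path)
{
    FILE *xf = fopen(idx_path, "rb");
    if (!xf) return -1;
    if (fseek(xf, 0, SEEK_END) != 0) { fclose(xf); return -1; }
    long size = ftell(xf);
    fclose(xf);
    return size < 0 ? -1 : size / (long)sizeof(idx_entry_t);
}

/* Random access: look up packet n in the index, fseek() the save file to that
 * offset and read exactly one record. Returns incl_len, or -1 when n is out of
 * range, the offset cannot be read, or the record header is inconsistent. */
long read_packet_at(const char *pcap_path, const char *idx_path, long n,
                    struct pcaprec_hdr *hdr, unsigned char *buf, size_t buflen)
{
    long count = indexed_packet_count(idx_path);
    if (n < 0 || n >= count) return -1;          /* never trust the caller's n */

    FILE *xf = fopen(idx_path, "rb");
    if (!xf) return -1;
    idx_entry_t off = 0;
    int ok = fseek(xf, n * (long)sizeof(idx_entry_t), SEEK_SET) == 0
          && fread(&off, sizeof off, 1, xf) == 1;
    fclose(xf);
    if (!ok) return -1;

    FILE *pf = fopen(pcap_path, "rb");       /* our own FILE*, independent of any CRT inside wpcap */
    if (!pf) return -1;
    long result = -1;
    if (fseek(pf, (long)off, SEEK_SET) == 0
        && fread(hdr, sizeof *hdr, 1, pf) == 1
        && hdr->incl_len <= SNAPLEN && hdr->incl_len <= buflen   /* corrupt or hostile index: refuse oversize reads */
        && fread(buf, 1, hdr->incl_len, pf) == hdr->incl_len)
        result = (long)hdr->incl_len;
    fclose(pf);
    return result;
}
```

The reader never touches the FILE* that pcap_hopen_offline() builds internally, which sidesteps the CRT mismatch raised in the thread: the index is keyed on offsets taken at write time, and the seek happens on a stream the application opened itself. Two checks matter when the index is read back: n must be bounds-checked against the index size, and incl_len from the record header must be validated against both the snaplen and the destination buffer before the data read, since a stale or tampered index can point anywhere in the file.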
