[Winpcap-users] solaris snoop file

Guy Harris guy at alum.mit.edu
Fri Aug 30 00:59:33 PDT 2013


On Aug 30, 2013, at 12:18 AM, Chintan Bhatt <cbhatt at thebeastapps.com> wrote:

> I have written my program using the WinPcap lib.
> if ((fp = pcap_open_offline(csSourceFile.GetBuffer(), /* name of the device */
>                             errbuf /* error buffer */)) == NULL)
> {
> 	fprintf(stderr, "\nUnable to open the file %s.\n", csSourceFile.GetBuffer());

	...

> and to my surprise it is not giving errors and I can see IP/UDP data headers.

Are you certain that the file is, in fact, a snoop file?  For example, if you copy it to a UN*X system that has a version of the "file" command capable of recognizing pcap and snoop files (or if you have such a version of the "file" command on your Windows system, courtesy of Cygwin), what is printed if you run the "file" command on the file?

Or, if you dump out the first four bytes of the file in hex, are they:

	a1 b2 c3 d4

or

	d4 c3 b2 a1

or

	73 6e 6f 6f

If they're a1 b2 c3 d4 or d4 c3 b2 a1, rather than 73 6e 6f 6f, it's a pcap file (which libpcap/WinPcap can read), not a snoop file (which no current release of libpcap/WinPcap can handle).

> and FYI, Wireshark can read snoop generated capture file.

Yes, that's what I said in my reply; as a core Wireshark developer (and the original author of the code in Wireshark that reads snoop files), I'm quite aware of that.

