[Winpcap-users] Help with the WinPCap error handling

Guy Harris guy at alum.mit.edu
Tue Jul 23 00:53:00 PDT 2013

On Jul 23, 2013, at 12:14 AM, "Sebastian Klein" <Klein_Sebastian at gmx.de> wrote:

> I'm currently adding a new device to WinPCap which is called netANALYZER.

netANALYZER as in



Where are you adding the device?  Are you adding it to pcap_create() in pcap-win32.c, so that a device with a name that looks like a netANALYZER device causes a create routine for netANALYZER devices to be called, setting the function pointers in the pcap_t to routines for that device?  That's more or less the standard way to add devices to newer versions of {libpcap,WinPcap}.

> It has a status callback where it receives errors such as internal buffer is full. I would like to write these errors into the error buffer of WinPCap (errbuff).
> In this way the error massages would pop up in e.g. Wireshark if something happens. For me it seems like it isn't possible. Currently I can only show these errors in the debug mode. Are there any other ways to create an error massage which could be read by the application which uses WinPCap?

When capturing, errors are returned by the "read" routine for the device.  Have the "read" routine

	1) if "p" is the pcap_t pointer for the device, do

		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "error message format string", arguments to the format string);

	   to set errbuf;

	2) return PCAP_ERROR.

> You wrote: "If the buffer is full when a new packet arrives, the packet is discarded and hence it's lost."
> (http://www.winpcap.org/docs/docs_40_2/html/group__NPF.html - Packet Capture)
> Do you create an error massage if packets are discarded?

No.  That's not treated as an "error" in the sense of a malfunction; if the application can't keep up with packet capture, it just won't get all the packets.

However, for most devices on most OSes, the application can call pcap_stats(), and the ps_drop member of the structure it fills in is a count of packets dropped because the buffer filled up.  You would have to arrange that your device's "stats" routine do that.

More information about the Winpcap-users mailing list