On Nov 11, 2012, at 2:55 PM, barcaroller <barcarol...@gmail.com> wrote:
> The libpcap C API provides functions for writing (pcap_dump) and reading > (pcap_next) a PCAP file. I have two questions: > > - How do I remove a packet from a PCAP file using the libpcap C API? You can't remove a packet from an existing file - pcap files are sequential files. What you *can* do is read a file and write out all the packets, except the ones you don't want, to a new file. > - Once I close a PCAP file (pcap_close), I find I cannot re-open it later > (pcap_dump_fopen) and append to it. I get a corrupt file every time. Are > PCAP files not meant to be appended to? They could, in principle, be appended to, but that can't be done with the existing APIs - you'd need an "open for appending" call, which would, unlike the "create a new file" calls (pcap_dump_open(), pcap_dump_fopen()), *not* write a file header. _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
