It is so tiring to read a long post without code example... Can you send a small example.
Good luck On Fri, Jul 10, 2009 at 1:38 AM, <[email protected]> wrote: > Hi folks, > > > > I have been writing an application using MFC in Visual Studio 2005. The > application uses WinPcap to open a pcap file and modify the protocol headers > so that the packets can be streamed locally on a test network and received > by other applications/devices. > > > > I have been borrowing heavily from the sample code in the WinPcap 4.0.2 > Developer’s Pack, and successfully porting that basic functionality from C > to MFC/C++. For example, my GUI currently allows the user to open a pcap > file, change the MAC addresses in the packets, and save the packets to a new > file. > > > > I ran into a problem recently. I have been creating pcap files by exporting > proprietary files from a 3rd party application into pcap format. However, > it appears that the 3rd-party app, let’s call it “MrSniffer”, changes the > caplen in the packet header to 116 bytes, no matter what it was in the > original (MrSniffer-formatted) file, or what the actual length of the packet > is. I am able to use Wireshark to successfully read and display all packets > in their entirety from the newly-exported pcap file. Also, I am able to use > the command-line executable “readfile” from the 4.0.2 Developer’s Pack to > read and display each packet from the MrSniffer-exported pcap file in its > entirety. > > > > It’s when I try to read the file into my MFC application that I run into a > problem. I use the same basic code in the “readfile” executable for my MFC > application to open the file and read the packets, i.e. I am using > pcap_open_offline() to open the file, and pcap_loop() to call a > dispatcher_handler with the following parameters… > > > > dispatcher_handler(u_char *temp1, const struct pcap_pkthdr *header, const > u_char *pkt_data) > > > > …which reads in each packet. The trouble arises when the packets are read > into my application, and it appears that the pcap library functions I am > using are reading the packets based on the caplen of 116 bytes – so any > packets larger than 116 bytes are truncated, and I lose the rest of that > data! > > > > What is so strange about this is that I am using the same library as the > Developer’s Pack sample “readfile”, and essentially the same code, but my > application seems to read the caplen, while “readfile” uses the actual > packet length. > > > > Unfortunately, I can’t change “MrSniffer” so that it does not modify the > caplen; my only option appears to be to read the actual packet length from > each packet when dealing with these exported pcaps. I have not been able to > find a way to do this using the exported functions – probably because I am > quite new to WinPcap. > > > > If anyone has any suggestions, I’d greatly appreciate it! > > > > Thanks and Regards – > > > > TimG > > _______________________________________________ > Winpcap-users mailing list > [email protected] > https://www.winpcap.org/mailman/listinfo/winpcap-users > > _______________________________________________ Winpcap-users mailing list [email protected] https://www.winpcap.org/mailman/listinfo/winpcap-users
