>> On Tue, Apr 23, 2013 at 12:10 AM, Gisle Vanem <[email protected]> wrote:
>>
>>> I forgot to ask how you compile and link with the WinPcap and Packet APIs.
>>> And what compiler; MSVC or MingW or something else.
>>
>> Hi, thanks for having a look at my problem, it's very appreciated. I am
>> currently using the 32 bit compiler on Visual Studio Express 2008 on
>> Windows 7 x64, and later I will try the 64 bit compiler on Visual Studio
>> 2008 Pro. My project is configured using CMake and built in Release mode.
>> It links to wpcap.lib.
>>
>> My project does not have LIBPCAP_EXPORTS, so this means it is using:
>>
>> #define pcap_fopen_offline(f,b) \
>>     pcap_hopen_offline(_get_osfhandle(_fileno(f)), b)
>>
>> I took a look at the implementation of pcap_hopen_offline(). I see that it
>> takes the input FILE* and creates a new FILE* using a series of function
>> calls:
>>
>> _fileno()
>> _get_osfhandle()
>> _open_osfhandle()
>> _fdopen()
>>
>> So, if I understand correctly, it is creating a new FILE* that is relative
>> to its own CRT. I think that means I can no longer use any information I
>> query about the original input FILE*, because winpcap has created its own
>> FILE* stream to read from.
>>
>> So that leads me to think that my plan to use ftell() to record file
>> positions of packets, and fseek() to jump to the beginning of packets, is
>> not going to work on Windows. What do you think? Is there a different way
>> to use winpcap to seek to packets in a save file without reading each
>> packet in sequential order starting at the beginning?
>>
>> Pat
>
> Hi,
>
> I had to do something similar on Windows, about a year ago.
> What confused me in the beginning, was the non-availability of
> pcap_dump_fopen.
> So, in the end, I wrote my own index file and used the pcap file seek
> routines according to Wireshark's implementation. Besides dumping the pcap
> packet in the pcap file with the Winpcap functions, I wrote an index struct
> to the separate index file.
> In that index file, I could jump to the packet number * my index structure's
> size and look up the offset for the pcap file, after that, I would call fseek
> and read the data from the pcap file.
>
> Oh, in case you are also using Wireshark for inspiration, the wiretap
> subdirectory was helpful to me:
> http://anonsvn.wireshark.org/wireshark/trunk/wiretap/
>
> There was also an interesting article:
> http://www.csg.ethz.ch/people/dimitroc/papers/pcapIndex.pdf
> (But my home made indexing solution was not as impressive and professional as
> it is proposed in this paper ;-)
>
> Bitmap indexing would be useful, because otherwise, in some cases the index
> files tend to become bigger than the pcap files..
>
> What are you using for your index file?
>
> Best regards,
> Clemens
>
I forgot to say: If I remember correctly, I used pcap_dump_ftell to get the offset.

_______________________________________________
Winpcap-users mailing list
[email protected]
https://www.winpcap.org/mailman/listinfo/winpcap-users
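The separate index file described in this thread, as an added example that is not code from the thread or from WinPcap: it writes classic pcap records with plain stdio so the program owns the FILE* it calls ftell() and fseek() on, where with WinPcap the offset would come from pcap_dump_ftell as mentioned above. The idx_entry layout, the function names and the payloads are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic pcap layout: 24-byte file header, then for each packet a 16-byte
   record header followed by incl_len bytes of data. */
typedef struct { uint32_t magic; uint16_t vmaj, vmin; int32_t zone;
                 uint32_t sigfigs, snaplen, linktype; } file_hdr;
typedef struct { uint32_t ts_sec, ts_usec, incl_len, orig_len; } rec_hdr;
/* Hypothetical fixed-size index entry, one per packet in capture order. */
typedef struct { int64_t offset; uint32_t incl_len, pad; } idx_entry;

/* Append one packet to the capture and record its offset in the index file. */
int append_packet(FILE *cap, FILE *idx, uint32_t sec, const void *data, uint32_t len) {
    rec_hdr rh = { sec, 0, len, len };
    idx_entry e = { 0, len, 0 };
    /* Offset of the record header; use _ftelli64 on Windows for files over 2 GiB. */
    if (fseek(cap, 0, SEEK_END) != 0 || (e.offset = ftell(cap)) < 0) return -1;
    if (fwrite(&rh, sizeof rh, 1, cap) != 1 || fwrite(data, 1, len, cap) != len) return -1;
    if (fseek(idx, 0, SEEK_END) != 0) return -1;
    return fwrite(&e, sizeof e, 1, idx) == 1 ? 0 : -1;
}

/* Random access: entry n sits at n * sizeof(idx_entry) in the index file. */
long read_packet(FILE *cap, FILE *idx, uint32_t n, void *buf, uint32_t buflen) {
    idx_entry e;
    rec_hdr rh;
    if (fseek(idx, (long)(n * sizeof e), SEEK_SET) != 0) return -1;
    if (fread(&e, sizeof e, 1, idx) != 1) return -1;   /* n is past the last packet */
    if (fseek(cap, (long)e.offset, SEEK_SET) != 0) return -1;
    if (fread(&rh, sizeof rh, 1, cap) != 1) return -1;
    /* Reject a stale or corrupt index instead of trusting its length field. */
    if (rh.incl_len != e.incl_len || rh.incl_len > buflen) return -1;
    return fread(buf, 1, rh.incl_len, cap) == rh.incl_len ? (long)rh.incl_len : -1;
}

/* Build a capture of three constructed payloads, then fetch packet n directly. */
long demo_lookup(uint32_t n, char *out, uint32_t outlen) {
    static const char *payload[] = { "alpha", "bravo-2", "charlie" };  /* constructed */
    file_hdr fh = { 0xa1b2c3d4u, 2, 4, 0, 0, 65535, 1 };
    FILE *cap = tmpfile(), *idx = tmpfile();
    long got = -1;
    int ok = cap && idx && fwrite(&fh, sizeof fh, 1, cap) == 1;
    for (uint32_t i = 0; i < 3 && ok; i++)
        ok = append_packet(cap, idx, 1000 + i, payload[i], (uint32_t)strlen(payload[i])) == 0;
    if (ok) got = read_packet(cap, idx, n, out, outlen);
    if (cap) fclose(cap);
    if (idx) fclose(idx);
    return got;
}
```

The index costs 16 bytes per packet here, so for captures of very small packets it approaches the size of the capture itself, which is the growth problem raised in the thread.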
