On Jan 3, 2013, at 8:25 AM, Neagaru Daniel <[email protected]> wrote:

> Yes, it would be a solution, since I didn't find anything related to pcap-ng 
> in pcap(3) documentation,

The latest version of the pcap_open_offline(3PCAP) man page says:

        DESCRIPTION
               pcap_open_offline() is called to open a ‘‘savefile’’ for reading.

               fname specifies the name of the file to open. The  file  can  have  the
               pcap  file  format  as described in pcap‐savefile(5), which is the file
               format used by, among other programs, tcpdump(1)  and  tcpslice(1),  or
               can have the pcap‐ng file format, although not all pcap‐ng files can be
               read.  The name "‐" in a synonym for stdin.

It *should* say "as written by, among other programs...", as those programs 
can, if using a sufficiently recent version of libpcap, *read* pcap-ng files in 
which all the interfaces have the same link-layer header type and snapshot 
length (the current libpcap/WinPcap APIs don't let you get per-interface 
link-layer header types or snapshot lengths; they assume there's only one 
link-layer header type and snapshot length per file) and all the sections have 
the same byte order (for the same reason - yes, libpcap supports pcap-ng files 
with multiple Section Header Blocks).

Note that no WinPcap version based on libpcap 1.1.0 or later has been released, 
so this only works on UN*X, not on Windows.

> I thought pcap-ng is not supported yet.

No - as Evan Huus noted, it's been supported since 1.1.0, although I'd still 
call it "limited" in the current version; some bugs are fixed in the current 
version, but it still only has the old API and thus can't handle captures with 
multiple link-layer header types, snapshot lengths, etc.

> Where can I find the recent documentation regarding pcap-ng?

Regarding pcap-ng or regarding libpcap support for it?  For pcap-ng itself, see

        http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

For libpcap support for it, see the man page on a system with a recent version 
of libpcap, or see

        http://www.tcpdump.org/manpages/pcap_open_offline.3pcap.html

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
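
The conditions described in the message above (one byte order across all Section Header Blocks, one link-layer header type and snapshot length across all Interface Description Blocks) can be checked on a file before it is handed to pcap_open_offline(). This is an added example, not part of the original message and not libpcap's own code; the name `pcapng_uniform` and the sample byte arrays are constructed for illustration, and the block layouts are those of the pcap-ng format.

```c
#include <stddef.h>
#include <stdint.h>
#define SHB_TYPE 0x0A0D0D0Au /* Section Header Block; reads the same in both byte orders */
#define IDB_TYPE 0x00000001u /* Interface Description Block */
#define BOM      0x1A2B3C4Du /* byte-order magic at offset 8 of every SHB */

static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* 1: one byte order, link type and snaplen throughout; 0: mixed; -1: malformed. */
int pcapng_uniform(const uint8_t *buf, size_t len) {
    int be = -1, have_if = 0;           /* be: byte order of the first section */
    uint32_t lt = 0, snap = 0;
    for (size_t off = 0; off < len; ) {
        const uint8_t *b = buf + off;
        if (len - off < 12) return -1;  /* type + length + trailing length */
        int is_shb = rd32(b, 0) == SHB_TYPE, cur = be;
        if (is_shb) {                   /* each section declares its own byte order */
            if (rd32(b + 8, 1) == BOM) cur = 1;
            else if (rd32(b + 8, 0) == BOM) cur = 0;
            else return -1;
        } else if (be < 0) return -1;   /* a file must start with an SHB */
        uint32_t tl = rd32(b + 4, cur);
        if (tl < 12 || tl % 4 || tl > len - off || rd32(b + tl - 4, cur) != tl)
            return -1;                  /* length fields must agree and stay in bounds */
        if (is_shb) {
            if (tl < 28) return -1;
            if (be >= 0 && cur != be) return 0;   /* sections differ in byte order */
            be = cur;
        } else if (rd32(b, be) == IDB_TYPE) {
            if (tl < 20) return -1;
            uint32_t l = be ? rd32(b + 8, 1) >> 16 : rd32(b + 8, 0) & 0xFFFF; /* 16-bit link type */
            uint32_t s = rd32(b + 12, be);                                    /* snapshot length */
            if (have_if && (l != lt || s != snap)) return 0;  /* interfaces differ */
            lt = l; snap = s; have_if = 1;
        }
        off += tl;
    }
    return be < 0 ? -1 : 1;
}

/* Constructed sample files (little-endian, no options, no packets). */
#define SHB_LE 0x0A,0x0D,0x0D,0x0A, 28,0,0,0, 0x4D,0x3C,0x2B,0x1A, 1,0,0,0, \
               0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 28,0,0,0
#define IDB_LE(linktype) 1,0,0,0, 20,0,0,0, (linktype),0,0,0, 0xFF,0xFF,0,0, 20,0,0,0
const uint8_t SAMPLE_UNIFORM[] = { SHB_LE, IDB_LE(1), IDB_LE(1) };    /* two Ethernet interfaces */
const uint8_t SAMPLE_MIXED[]   = { SHB_LE, IDB_LE(1), IDB_LE(105) };  /* Ethernet + 802.11 */
```

A return of 0 marks a well-formed file that falls outside the single link-layer type, snapshot length and byte order case the message describes; -1 marks a file whose block lengths or byte-order magic do not check out.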