Thanks, that answered all my questions.

On 01/03/2013 09:00 PM, Guy Harris wrote:
On Jan 3, 2013, at 8:25 AM, Neagaru Daniel <[email protected]> wrote:

Yes, it would be a solution, since I didn't find anything related to pcap-ng in pcap(3) documentation,
The latest version of the pcap_open_offline(3PCAP) man page says:

        DESCRIPTION
               pcap_open_offline() is called to open a ‘‘savefile’’ for reading.

               fname specifies the name of the file to open. The file can have the
               pcap file format as described in pcap‐savefile(5), which is the file
               format used by, among other programs, tcpdump(1) and tcpslice(1), or
               can have the pcap‐ng file format, although not all pcap‐ng files can be
               read.  The name "‐" in a synonym for stdin.

It *should* say "as written by, among other programs...", as those programs 
can, if using a sufficiently recent version of libpcap, *read* pcap-ng files in which all 
the interfaces have the same link-layer header type and snapshot length (the current 
libpcap/WinPcap APIs don't let you get per-interface link-layer header types or snapshot 
lengths; they assume there's only one link-layer header type and snapshot length per 
file) and all the sections have the same byte order (for the same reason - yes, libpcap 
supports pcap-ng files with multiple Section Header Blocks).

Note that no WinPcap version based on libpcap 1.1.0 or later has been released, 
so this only works on UN*X, not on Windows.

I thought pcap-ng is not supported yet.
No - as Evan Huus noted, it's been supported since 1.1.0, although I'd still call it 
"limited" in the current version; some bugs are fixed in the current version, 
but it still only has the old API and thus can't handle captures with multiple link-layer 
header types, snapshot lengths, etc.

Where can I find the recent documentation regarding pcap-ng?
Regarding pcap-ng or regarding libpcap support for it?  For pcap-ng itself, see

        http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

For libpcap support for it, see the man page on a system with a recent version 
of libpcap, or see

        http://www.tcpdump.org/manpages/pcap_open_offline.3pcap.html

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
              mailto:[email protected]?subject=unsubscribe
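
The conditions listed in the message above (one link-layer header type and snapshot length across all interfaces, one byte order across all sections) can be checked on a capture before it is handed to a libpcap-based tool. The Python below is an added example, not code from libpcap or from this thread; `check_pcapng`, the helper builders and the sample captures are constructed for illustration, and the block layout follows the pcap-ng draft linked above.

```python
import struct

SHB_TYPE, IDB_TYPE, BYTE_ORDER_MAGIC = 0x0A0D0D0A, 0x00000001, 0x1A2B3C4D

def check_pcapng(data):
    """Return which of the conditions from the message the capture violates."""
    problems, order, first_order, first_if = set(), None, None, None
    off = 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block header at offset %d" % off)
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB type reads the same in both orders
            magic = data[off + 8:off + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                order = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                order = ">"
            else:
                raise ValueError("bad byte-order magic at offset %d" % off)
            first_order = first_order or order
            if order != first_order:
                problems.add("byte-order")
        elif order is None:
            raise ValueError("not pcap-ng: no Section Header Block at start")
        btype, total = struct.unpack_from(order + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length %d at offset %d" % (total, off))
        if struct.unpack_from(order + "I", data, off + total - 4)[0] != total:
            raise ValueError("leading/trailing length mismatch at offset %d" % off)
        if btype == IDB_TYPE:
            if total < 20:
                raise ValueError("short Interface Description Block at offset %d" % off)
            linktype, _reserved, snaplen = struct.unpack_from(order + "HHI", data, off + 8)
            first_if = first_if or (linktype, snaplen)
            if linktype != first_if[0]:
                problems.add("linktype")
            if snaplen != first_if[1]:
                problems.add("snaplen")
        off += total
    return sorted(problems)

# Constructed sample captures (headers only, no packet blocks).
def _block(order, btype, body):
    total = 12 + len(body)
    return struct.pack(order + "II", btype, total) + body + struct.pack(order + "I", total)

def _shb(order):
    return _block(order, SHB_TYPE, struct.pack(order + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))

def _idb(order, linktype, snaplen):
    return _block(order, IDB_TYPE, struct.pack(order + "HHI", linktype, 0, snaplen))

UNIFORM = _shb("<") + _idb("<", 1, 65535) + _idb("<", 1, 65535)
MIXED_LINK = _shb("<") + _idb("<", 1, 65535) + _idb("<", 105, 65535)  # Ethernet + 802.11
MIXED_ORDER = _shb("<") + _idb("<", 1, 65535) + _shb(">") + _idb(">", 1, 65535)
```

An empty list means the capture meets all of the conditions named in the message; malformed or truncated input raises `ValueError` instead of being reported as compatible.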
