Chris Eagle wrote:
I recommend a quick review of pcap.h along with the pcap(3) man page.
Particularly the following functions:
pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname);
...although note that it takes a pcap_t * as an argument, so you need to
get one.
Normally, it's a pcap_t * that will be supplying the packets to be
written, whether it's a device opened with pcap_open_live() for a live
capture or a capture file opened with pcap_open_offline().
If the packets are coming from a file captured with some non-libpcap
mechanism, to use pcap_dump_open() and pcap_dump(), you need to get a
pcap_t * some other way. In newer versions of libpcap, you can use
pcap_open_dead(int linktype, int snaplen);
where "linktype" is a DLT_ value that indicates the type of link-layer
headers that the packets have (which doesn't necessarily correspond to
the type of interface on which they're captured - Linux loopback devices
supply fake Ethernet link-layer headers, as do PPP interfaces on Windows
and 802.11 interfces on Windows and, either always or by default, on at
least some 802.11 interfaces in Linux and various BSDs), and "snaplen"
is the "snapshot length" with which the packets were captured (with
libpcap and some libpcap-based analyzers, including tcpdump and
Ethereal/Tethereal, with some other network analyzers such as snoop on
some UN*Xes, and with at least some network analyzers on Windows, you
can specify a "snapshot length" of N, so that any packet larger than N
bytes of raw data will be cut short to a size of N, in order to reduce
the CPU time, memory, disk space, and/or system bus bandwidth necessary
when capturing).
For example, for packets with Ethernet link-layer headers, DLT_EN10MB
would be used (even if it's 100Mb, 1Gb, or 10Gb Ethernet - the "10MB" is
historical, distinguishing it from the experimental Xerox 3Gb Ethernet
which had, I think, 16-bit rather than 48-bit MAC addresses). Unless
you know that the packets were cut short to a length of N by a specified
snapshot length, a snapshot length of 65535 would be sufficient (and
would work even if they weren't cut short - there's no *requirement*
that the snapshot length be right, just as long as it's >= the amount of
raw packet data, including the link-layer header, in any packet; 65535
should be sufficient to be >= the amount of raw packet data in any packet).
The pcap_t * from "pcap_open_dead()" can be supplied as an argument to
"pcap_dump_open()"; when you're done writing the packets, you close it
with "pcap_close()".
And
void pcap_dump(u_char *user, struct pcap_pkthdr *h, u_char *sp);
Along with: struct pcap_pkthdr
Which should be about all you need.
The pcap(3) man page, or the WinPcap documentation:
http://winpcap.polito.it/docs/man/html/index.html
gives more information (although note that some WinPcap APIs aren't
present in current versions of libpcap).
