On Oct 11, 2010, at 6:21 AM, Lange Jan-Erik wrote:
> Ok, in the documentation of winpcap I found the function pcap_dump_open().
> It opens a file for another function
Yes.
You'll also find pcap_dump(), which writes to a file the packet you pass to it, and pcap_close(), which closes the file opened with pcap_dump_open().
> ...loop() with captures packet
None of those functions loop, or call pcap_loop(), and none of them require that you call pcap_loop(). pcap_dump() is designed so that it *can* be used in a call to pcap_loop(), but it can be directly called as well. To quote the libpcap 1.0.0 man page for pcap_dump():
    pcap_dump() outputs a packet to the ``savefile'' opened with
    pcap_dump_open(). Note that its calling arguments are suitable for use
    with pcap_dispatch() or pcap_loop(). *If called directly, the user
    parameter is of type pcap_dumper_t as returned by pcap_dump_open().*
(emphasis mine), so you call it as
    pcap_dump({pcap_dumper_t you got back from your call to pcap_dump_open()},
              {pointer to a pcap_pkthdr with the time stamp, length, and captured length},
              {pointer to the raw packet data});
> But I have to open the file and have to write my data in this file.. not capturing it with this loop() function. It is possible to insert my data into a struct and then save this structure into a .pcap file?
Yes.
Neither pcap_dump_open() nor pcap_dump() have the most convenient APIs for using them if you're not doing a capture with libpcap, but you could:
    call pcap_open_dead(), with DLT_USB_LINUX or DLT_USB_LINUX_MMAPPED as the linktype and 65535 as the snaplen;
    call pcap_dump_open() with the result of that pcap_open_dead() call;
    for each packet you read, call pcap_dump();
    call pcap_dump_close() when you're done.
That does, of course, require that the "raw packet data" be in the right format for DLT_USB_LINUX or DLT_USB_LINUX_MMAPPED. I'll discuss that issue in another message.
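
The steps above go through libpcap. As an added example that is not part of the original message and does not use libpcap, the C below writes by hand the classic savefile layout that pcap_dump_open() and pcap_dump() produce, to show what ends up in the file. The names savefile_open and savefile_write are hypothetical, 189 is the link-layer type value for DLT_USB_LINUX, and the sample packet bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define LINKTYPE_USB_LINUX 189u  /* value stored in the file for DLT_USB_LINUX */
#define SNAPLEN 65535u           /* snaplen suggested in the message */

/* On-disk headers: fixed-width fields, written in host byte order. */
struct file_hdr {
    uint32_t magic;              /* 0xa1b2c3d4 = microsecond time stamps */
    uint16_t version_major, version_minor;   /* 2.4 */
    int32_t  thiszone;           /* 0 */
    uint32_t sigfigs;            /* 0 */
    uint32_t snaplen, linktype;
};
struct rec_hdr { uint32_t ts_sec, ts_usec, caplen, len; };

/* Hypothetical helper: create the file and write the global header. */
FILE *savefile_open(const char *path, uint32_t linktype)
{
    struct file_hdr fh = { 0xa1b2c3d4u, 2, 4, 0, 0, SNAPLEN, linktype };
    FILE *f = fopen(path, "wb");
    if (f != NULL && fwrite(&fh, sizeof fh, 1, f) != 1) {
        fclose(f);
        f = NULL;
    }
    return f;
}

/* Hypothetical helper: append one record; returns 0, or -1 on error.
 * len is the original length; at most SNAPLEN bytes are stored. */
int savefile_write(FILE *f, uint32_t sec, uint32_t usec,
                   const void *data, uint32_t len)
{
    uint32_t caplen = len > SNAPLEN ? SNAPLEN : len;
    struct rec_hdr rh = { sec, usec, caplen, len };
    if (fwrite(&rh, sizeof rh, 1, f) != 1) return -1;
    if (caplen != 0 && fwrite(data, caplen, 1, f) != 1) return -1;
    return 0;
}

int main(void)
{
    /* Constructed placeholder bytes, not a valid DLT_USB_LINUX record. */
    const unsigned char pkt[8] = { 0 };
    FILE *f = savefile_open("usb.pcap", LINKTYPE_USB_LINUX);
    if (f == NULL) return 1;
    int rc = savefile_write(f, 1286803260u, 0, pkt, sizeof pkt);
    return (fclose(f) != 0 || rc != 0) ? 1 : 0;
}
```

The record header on disk uses 32-bit seconds and microseconds, so an in-memory struct pcap_pkthdr (which holds a struct timeval) cannot simply be written out as-is; the file header only labels the link type and does nothing to check the payload format.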