0

Do you know how to create an empty pcap file with the winpcap dll? I buffer filtered packets in program memory and want to save them when the user clicks to export to a .pcap file.

But pcap_open_offline(const char *fname, char *errbuf) can open a file only if the file exists. I tried fopen and other functions to create the file beforehand (in binary mode too), but unsuccessfully.

So how to get pcap_t handle pointer for pcap_dump_open(pcap_t *p, const char *fname) this way?

UPDATED: I try to use this code

    fileHandle = pcap_open_offline(pcap_file_path.c_str(), errbuf);
    if (errbuf == nullptr) {
        fprintf(stderr, "\nUnable to open the file %s.\n", pcap_file_path.c_str());
        return 1;
    }
    if (fileHandle == nullptr) {
        fprintf(stderr, "\nError to open file\n"); // HERE IT FAILS
        return 1;
    }
    dumpfile = pcap_dump_open(fileHandle, pcap_file_path.c_str());
    if (dumpfile == NULL) {
        fprintf(stderr, "\nError opening output file\n");
        return 1;
    }

SOLUTION: (Creating a pcap file)

    /* create fake handle */
    fileHandle = pcap_open_dead(DLT_EN10MB, 65535);
    if (fileHandle == nullptr) {
        fprintf(stderr, "\nError to open file\n");
        return 1;
    }
    /* Open the dump file */
    dumpfile = pcap_dump_open(fileHandle, file_path.c_str());
    if (dumpfile == NULL) {
        fprintf(stderr, "\nError opening output file\n");
        return 1;
    }
3
  • I do not know any pcap functionality, but maybe you have to create a file of the needed size i.e. create a file using fopen/ofstream/etc and write some bytes until the file is big enough. Commented Apr 3, 2020 at 7:10
  • The pcap_t handle is associated to an interface or an existing savefile. So in your case, you have to use pcap_open or pcap_create/pcap_activate to associate your future dump to an interface. Commented Apr 3, 2020 at 9:40
  • omuffat: But how do I use pcap_open or pcap_create when I do not have any device opened? I want to save it offline into a file. When calling pcap_open_offline(const char *fname, char *errbuf) and the file specified in fname does not exist, it returns NULL. Commented Apr 16, 2020 at 7:32

1 Answer

0

Do you know how to create an empty pcap file with the winpcap dll? I buffer filtered packets in program memory and want to save them when the user clicks to export to a .pcap file.

...

So how to get pcap_t handle pointer for pcap_dump_open(pcap_t *p, const char *fname) this way?

pcap_dump_open() returns a pcap_dumper_t * handle for use when writing the file; a pcap_t * is used for capturing or reading, not writing.

What you need to do, if you want to write a pcap file, is use pcap_dump_open(). If you have a pcap_t * from which you're reading or capturing the filtered packets, you should use that pcap_t * in the call to pcap_dump_open().


5 Comments

Yep, but I have a problem with getting pcap_t*, because I do not have it. I store captured packets in memory and eventually save them when the user wants it. It's offline saving into a file.
"I have a problem with getting pcap_t*, because I do not have it." Yes, you do; that's what you got from pcap_open_offline(). "I store captured packets in memory and eventually save them when the user wants it." Then don't close the pcap_t * after you've read the packets; keep it open to use when the user wants to save the packets to a file.
I have NULL from pcap_open_offline(), because the file does not exist. I do not want to keep it always opened because of program logic like load .pcap and save it as another .pcap. I do not understand why this is such a problem, it is only a file operation, create the file if it is not created, a normal thing to do with streams in C or C++.
"I have NULL from pcap_open_offline(), because the file does not exist." Then you can't read any packets from it to write to the other file. "I do not want to keep it always opened because of program logic like load .pcap and save it as another .pcap." Then you will have to save its link-layer type and snapshot length and create a pcap_t using pcap_open_dead(), and use that with pcap_dump_open(). "I do not understand why this is such a problem" It's because the pcap API for writing files isn't well-designed.
"Then you will have to save its link-layer type and snapshot length and create a pcap_t using pcap_open_dead(), and use that with pcap_dump_open()." How do I specify link_type, and what does this function do (example)? Is it possible to create a pcap file with this function?
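
What the link-layer type and snapshot length passed to pcap_open_dead() are used for, as an added example that is not part of the original thread and does not call libpcap: both values are stored in the 24-byte header of the classic pcap file format, which is why pcap_dump_open() needs a pcap_t that carries them. `BufferedPacket`, `write_pcap` and the output file name are hypothetical names, and the sample frame is constructed.

```cpp
// Added example: writes the classic pcap file format by hand (no libpcap calls).
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct BufferedPacket {            // hypothetical in-memory packet record
    uint32_t ts_sec, ts_usec;      // capture timestamp
    std::vector<uint8_t> bytes;    // frame as captured
};

constexpr uint32_t kLinktypeEthernet = 1;  // same numeric value as DLT_EN10MB

// Returns the number of bytes written, or -1 on I/O error.
long write_pcap(const std::string& path, uint32_t linktype, uint32_t snaplen,
                const std::vector<BufferedPacket>& packets) {
    FILE* f = std::fopen(path.c_str(), "wb");   // "wb" creates the file if missing
    if (!f) return -1;
    // 24-byte global header in host byte order; readers detect the order from the magic.
    const uint16_t version[2] = {2, 4};
    const uint32_t magic = 0xa1b2c3d4, rest[4] = {0, 0, snaplen, linktype};
    bool ok = std::fwrite(&magic, 4, 1, f) == 1 &&
              std::fwrite(version, 2, 2, f) == 2 &&
              std::fwrite(rest, 4, 4, f) == 4;
    for (const auto& p : packets) {
        if (!ok) break;
        uint32_t orig = static_cast<uint32_t>(p.bytes.size());
        uint32_t incl = orig < snaplen ? orig : snaplen;   // stored bytes never exceed snaplen
        const uint32_t rec[4] = {p.ts_sec, p.ts_usec, incl, orig};
        ok = std::fwrite(rec, 4, 4, f) == 4 &&
             (incl == 0 || std::fwrite(p.bytes.data(), 1, incl, f) == incl);
    }
    long size = ok ? std::ftell(f) : -1;
    if (std::fclose(f) != 0) return -1;
    return size;
}

int main() {
    // Constructed sample: one 60-byte zero-filled frame.
    std::vector<BufferedPacket> pkts = {{1585900000u, 0u, std::vector<uint8_t>(60, 0)}};
    long n = write_pcap("export_example.pcap", kLinktypeEthernet, 65535, pkts);
    std::printf("wrote %ld bytes\n", n);
    return n < 0;
}
```

Each record stores both the captured length and the original length, so a frame longer than the snapshot length is truncated on disk while its real size stays visible to the reader.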