Reading a list of PCAP files

Question

Any one here experience in opening a list of PCAP files in one shot and output the list of PCAP files to one output file? For example I have 1.pcap, 2.pcap and 3.pcap and I would like to do some processing on 1.pcap, 2.pcap and 3.pcap, then combine the outcome to just one output pcap file (output.pcap). Following is my code for now:

static pcap_t *input = NULL;
input = pcap_open_offline(packet_path, errbuf);
if (input == NULL){exit(0);}
pktMatch = pcap_dump_open(input, "-");
/*Do some processing, eg to find an IP*/
compareIP=true;
if (compareIP){
    pcap_dump(pktMatch, &pktHeader, pktData);
    continue;
}

The code above can work for reading a single input pcap file. Question: If I want to modify this code such that it can open a list of files (1.pcap, 2.pcap, 3.pcap) in a single pcap_open_offline() method, what do I need to change? Any expert would like to advise? Thanks

Answer 1

Here's some pseudo-code; turning it into real code is your job:

for (all files) {
    new pcap = pcap_open_offline(the file, errbuf);
    if (new pcap == NULL) {
        fprintf(stderr, "Opening \"%s\" failed: %s\n", the file, errbuf);
        exit(1);
    }
    add new pcap to the list of pcaps to read;
}
mark all files as not having a packet yet;
for (;;) {
    for (all open files) {
        if (the file doesn't have a packet yet)
            read a packet from the file and make it that file's current packet;
    }
    packet time = nothing;
    for (all files) {
        /* note: "nothing" is older than all possible times */
        if (that file's packet's time is newer than packet time) {
            make that file's packet the one to process next;
            packet time = that packet's time;
        }
    }
    /*Do some processing on the packet we selected, eg to find an IP*/
    if (compareIP)
        pcap_dump(pktMatch, &pktHeader, pktData);
    mark the file whose packet we selected as not having a packet yet;
}