I am writing an application that listens to a network interface, picks some frames, edits them and then saves them to disk. Very similar to tshark and tcpdump.

My code is written in C++.

However, I want to save my packets in pcap format and I cannot find a C/C++ library that accepts Ethernet frames (in memory) and saves them to a .pcap file.

  • Note: For the time being I use hexdump and text2pcap, but that's unacceptable in production.

Solution Update:

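```cpp
#include <pcap.h>
#include <sys/time.h>  // gettimeofday()
#include <string>

// "Dead" handle: no live capture, just a link type (Ethernet) and snapshot length.
pcap_t* p = pcap_open_dead(DLT_EN10MB, 65535);
const std::string pcap_file_name = getPcapName();
// Returns NULL if the file cannot be opened; pcap_geterr(p) gives the reason.
pcap_dumper_t* dumper = pcap_dump_open(p, pcap_file_name.c_str());

if (dumper != NULL) {
    pcap_pkthdr h;
    gettimeofday(&h.ts, NULL);  // set the timestamp; it was left uninitialized before
    h.caplen = packet_len;      // bytes stored in the file
    h.len = packet_len;         // bytes the frame had on the wire

    pcap_dump((u_char*)dumper, &h, packet);

    pcap_dump_close(dumper);
}
pcap_close(p);
```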
Ezra
  • I don't know what OS this is on, but if it requires you to do `#include `, it's broken; it should just allow `#include `, and newer versions of libpcap (such as 1.3.0) should also allow `#include `. –  Nov 06 '13 at 21:52
  • I just wanted to emphasize the libpcap version I'm using (1.3.0) but you are right, I'll change it as you have suggested. And anyway, thanks a lot! – Ezra Nov 07 '13 at 07:55

1 Answer

Why can't you use WinPcap / libpcap directly in C++ code? Those are C libs so you should be able to link them.

Use libpcap under unix or winpcap under windoze.

Zegar
  • What is the API for doing that from libpcap? – Ezra Nov 02 '13 at 17:42
  • `pcap_open_dead()` (to specify Ethernet - use `DLT_EN10MB` - and the "snapshot length" - use 65535), `pcap_dump_open()` (to open the output file), `pcap_dump()` (to write the packets), and `pcap_dump_close()` (when you're done). –  Nov 02 '13 at 19:51
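
What the four libpcap calls listed above put on disk, as an added example (not code from the question, the answer or libpcap): a dependency-free writer for the classic pcap layout that also truncates frames longer than the snapshot length. `PcapBuffer` and its method names are hypothetical; the header fields, the magic number and link-type value 1 for Ethernet are the standard ones.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Classic pcap layout: one 24-byte file header, then a 16-byte header per frame.
// Fields are written in host byte order; readers detect it from the magic.
struct FileHeader {
    uint32_t magic;          // 0xa1b2c3d4 = microsecond timestamps
    uint16_t version_major;  // 2
    uint16_t version_minor;  // 4
    int32_t  thiszone;       // 0
    uint32_t sigfigs;        // 0
    uint32_t snaplen;        // max bytes stored per frame
    uint32_t linktype;       // 1 = Ethernet (the value of DLT_EN10MB)
};
struct RecordHeader {
    uint32_t ts_sec, ts_usec;
    uint32_t caplen;         // bytes stored in the file
    uint32_t len;            // bytes the frame had on the wire
};
static_assert(sizeof(FileHeader) == 24 && sizeof(RecordHeader) == 16, "no padding expected");

class PcapBuffer {  // hypothetical name, builds the capture in memory
public:
    explicit PcapBuffer(uint32_t snaplen = 65535) : snaplen_(snaplen) {
        FileHeader fh = {0xa1b2c3d4u, 2, 4, 0, 0, snaplen, 1};
        put(&fh, sizeof fh);
    }
    // Append one in-memory Ethernet frame; frames longer than snaplen are truncated.
    void add(const uint8_t* frame, uint32_t frame_len, uint32_t sec, uint32_t usec) {
        RecordHeader rh = {sec, usec, std::min(frame_len, snaplen_), frame_len};
        put(&rh, sizeof rh);
        put(frame, rh.caplen);
    }
    const std::vector<uint8_t>& bytes() const { return data_; }
    // Write the whole capture to disk; returns false on any I/O error.
    bool save(const char* path) const {
        std::FILE* f = std::fopen(path, "wb");
        if (!f) return false;
        bool ok = std::fwrite(data_.data(), 1, data_.size(), f) == data_.size();
        return std::fclose(f) == 0 && ok;
    }
private:
    void put(const void* p, size_t n) {
        const uint8_t* b = static_cast<const uint8_t*>(p);
        data_.insert(data_.end(), b, b + n);
    }
    uint32_t snaplen_;
    std::vector<uint8_t> data_;
};
```

A file written by `save()` opens in Wireshark or tcpdump the same way as one produced by `pcap_dump()`.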