WinPcap creating empty .pcap file

Question

Do you know how to create empty file pcap with winpcap dll? I buffer filtered packets in program memory and want to save when user click to export to .pcap file.

But when using pcap_open_offline(const char *fname, char *errbuf) can open file only if file exists. I tried fopen and other functions to create file previously (in binary mode too) but unsucessfully.

So how to get pcap_t handle pointer for pcap_dump_open(pcap_t *p, const char *fname) this way?

UPDATED: I try to use this code

fileHandle = pcap_open_offline(pcap_file_path.c_str(), errbuf);
if (errbuf == nullptr) {
    fprintf(stderr, "\nUnable to open the file %s.\n", pcap_file_path.c_str());
    return 1;
}

if (fileHandle == nullptr) {

    fprintf(stderr, "\nError to open file\n");//HERE IT FAILS
    return 1;
}

dumpfile = pcap_dump_open(fileHandle, pcap_file_path.c_str());
if (dumpfile == NULL)
{
    fprintf(stderr, "\nError opening output file\n");
    return 1;
}

SOLUTION: (Creating a pcap file)

/*create fake handle*/
fileHandle = pcap_open_dead(DLT_EN10MB, 65535);
if (fileHandle == nullptr) {
    fprintf(stderr, "\nError to open file\n");
    return 1;
}

/* Open the dump file */
dumpfile = pcap_dump_open(fileHandle, file_path.c_str());
if (dumpfile == NULL)
{
    fprintf(stderr, "\nError opening output file\n");
    return 1;
}

I do not know any pcap functionality, but maybe you have to create a file _of the needed size_ i.e. create a file using fopen/ofstream/etc and write some bytes until the file is big enough. — Thomas Lang, Apr 03 '20 at 07:10
The pcap_t handle is associated to an interface or an _existing_ savefile. So in your case, you have to use pcap_open or pcap_create/pcap_activate to associate your future dump to an interface. — omuffat, Apr 03 '20 at 09:40
omuffat: But how to use pcap_open, pcap_create when I do not have opened any device? I want to save if offline into file. When applying pcap_open_offline(const char *fname, char *errbuf) and file specified in fname does not exists, it returns NULL. — Ales100, Apr 16 '20 at 07:32

score 0 · Accepted Answer · answered Apr 07 '20 at 18:21

0

Do you know how to create empty file pcap with winpcap dll? I buffer filtered packets in program memory and want to save when user click to export to .pcap file.

...

So how to get pcap_t handle pointer for pcap_dump_open(pcap_t *p, const char *fname) this way?

pcap_dump_open() returns a pcap_dumper_t * handle for use when writing the file; a pcap_t * is used for capturing or reading, not writing.

What you need to do, if you want to write a pcap file, is use pcap_dump_open(). If you have a pcap_t * from which you're reading or capturing the filtered packets, you should use that pcap_t * in the call to pcap_dump_open().

answered Apr 07 '20 at 18:21

user13251981

96
1

Yep, but I have problem with getting pcap_t*, because I do not have it. I store captured packets in memory and eventually save it when user want it. Its offline saving into file. – Ales100 Apr 16 '20 at 07:28
"I have problem with getting pcap_t*, because I do not have it." Yes, you do; that's what you got from `pcap_open_offline()`. "I store captured packets in memory and eventually save it when user want it." Then don't close the `pcap_t *` after you've read the packets; keep it open to use when the user wants to save the packets to a file. – user13251981 Apr 18 '20 at 23:47
I have NULL from pcap_open_offline(), because file does not exists. I do not want to keep it always openned because of program logic like load .pcap and save it as another .pcap. I do not understand why is this such a problem, it is only file operation, create file if is not created, normal thing to do with streams in C or C++. – Ales100 Apr 22 '20 at 12:24
"I have NULL from pcap_open_offline(), because file does not exists." Then you can't read any packets from it to write to the other file. "I do not want to keep it always openned because of program logic like load .pcap and save it as another .pcap." Then you will have to save its link-layer type and snapshot length and create a `pcap_t` using `pcap_open_dead()`, and use that with `pcap_dump_open()`. "I do not understand why is this such a problem" It's because the pcap API for writing files isn't well-designed. – user13251981 Apr 23 '20 at 07:14
"Then you will have to save its link-layer type and snapshot length and create a pcap_t using pcap_open_dead(), and use that with pcap_dump_open()." How to specify link_type, what this function do (example)? Is it possible to create pcap file with this function? – Ales100 Apr 24 '20 at 06:56

WinPcap creating empty .pcap file

1 Answers1