Ethereal-users: Re: [Ethereal-users] libPCAP file Format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Tue, 5 Jul 2005 21:07:17 +0200
On 7/5/05, Guy Harris <gharris@xxxxxxxxx> wrote:
> LEGO wrote:
> > If you need to capture use Net::Pcap.
> 
> Even if he *doesn't* need to capture he should consider using Net::Pcap,
> because...
> 
> > the file has a header like
> 
> ...that might not remain true forever:
> 
>         http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
> 
> and (at least for pcap-NG files with only one link-layer type), libpcap
> will be updated to support reading those files with the existing APIs.
> (New APIs will be needed to fully support pcap-NG; those APIs will also
> support existing libpcap format.)
> 

ACK
but there are three (small) issues with Net::Pcap:
- you cannot set the DLT of the file you want to write (I crashed
against this once).
- you have to be able to make it in the target system (Once I was
unable to do it)
- you need either to start capturing or to open a file for reading
  in order to be able to open a file for writing.

> Also, using Net::Pcap might be easier than writing your own code to read
> libpcap files.

I understand I'm a case apart... but at least for me it turned out to be
the other way around, in more than one case.

Luis

-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
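
The two points raised in this thread (a hand-written reader depends on a fixed file header that pcap-NG does not have, and a writer needs to choose the link-layer type) can be seen in a short sketch. This is an added example, not code from the original message or from Net::Pcap; the function names are hypothetical, and the layout assumed is the classic 24-byte libpcap file header.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # classic layout, nanosecond timestamps
PCAPNG_SHB_TYPE = 0x0A0D0D0A   # pcap-NG Section Header Block type
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113


def build_global_header(linktype, snaplen=65535, byte_order="<"):
    """Return the 24-byte classic libpcap file header for the given link type."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, link-layer type
    return struct.pack(byte_order + "IHHiIII",
                       PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)


def parse_file_header(data):
    """Identify the capture format from its first bytes and decode the header.

    Raises ValueError on truncated or unrecognised input rather than guessing.
    """
    if len(data) < 4:
        raise ValueError("truncated: no magic number")
    (first_word,) = struct.unpack("<I", data[:4])
    if first_word == PCAPNG_SHB_TYPE:
        # pcap-NG is a sequence of blocks, not a fixed 24-byte header,
        # so a reader written for the classic layout must stop here.
        return {"format": "pcapng"}
    for order in ("<", ">"):           # the writer's byte order is not fixed
        (magic,) = struct.unpack(order + "I", data[:4])
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap or pcap-NG file: magic %#010x" % first_word)
    if len(data) < 24:
        raise ValueError("truncated libpcap header: %d of 24 bytes" % len(data))
    _, major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:24])
    return {
        "format": "pcap",
        "byte_order": "little" if order == "<" else "big",
        "nanosecond": magic == PCAP_MAGIC_NSEC,
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
    }
```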