
Wireshark-dev: Re: [Wireshark-dev] How does dumpcap.c communicate linktype when pushing packets

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Sat, 12 May 2012 09:10:17 -0700
Hi again,

Starting this again.

It seems that dumpcap can and does use pcapng to communicate with
Wireshark ... but that dumpcap does not currently want to do that.

That is, dumpcap reads the file header and then generates a set of:

   libpcap_write_session_header_block,
   libpcap_write_interface_description_block,
   one or more calls to libpcap_write_enhanced_packet_block ...
   libpcap_write_interface_statistics_block.

So, the simplest way to have dumpcap do the correct thing with a
pcapng file is to send through the raw blocks as they are read out of
the pipe. Once we have read the header we know if we have a pcap file or
a pcapng file and we can perform the correct actions. In particular,
set a flag that says we are writing raw data and have routines like
do_file_switch_or_stop not write anything if the input format is a
pcapng file ...

This will require a small amount of change to dumpcap but much less
coding than I have already done. It will also require a function in
pcapio.[hc] called something like libpcap_write_raw ...

Does that sound reasonable?

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only Dukang wine. -- Cao Cao)
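As an added illustration of the raw pass-through idea above (example code, not dumpcap or pcapio code): sniff the header to tell pcap from pcapng, then walk the pcapng stream block by block, checking each block's framing so that a bad length from the pipe is rejected rather than relayed. The sample bytes are constructed; the block layout follows the pcapng format, and the linktype stays inside the untouched IDB block.

```python
import struct

# pcap magic numbers as seen through a little-endian read: classic and
# nanosecond variants in both byte orders.
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}
SHB_TYPE = 0x0A0D0D0A          # palindromic, so byte order does not matter here
BOM_LE = b'\x4d\x3c\x2b\x1a'   # 0x1A2B3C4D written little-endian


def sniff_format(head):
    """Classify the first 4 bytes of a capture stream: 'pcap', 'pcapng' or 'unknown'."""
    if len(head) < 4:
        return 'unknown'
    magic, = struct.unpack('<I', head[:4])
    if magic == SHB_TYPE:
        return 'pcapng'
    return 'pcap' if magic in PCAP_MAGICS else 'unknown'


def iter_raw_blocks(data):
    """Yield (block_type, raw_block_bytes) for a pcapng byte string.
    Endianness is taken from the SHB byte-order magic; every block's
    leading and trailing total-length fields must agree and be 4-aligned."""
    endian, off = '<', 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError('truncated block header at offset %d' % off)
        if struct.unpack('<I', data[off:off + 4])[0] == SHB_TYPE:
            endian = '<' if data[off + 8:off + 12] == BOM_LE else '>'
        btype, blen = struct.unpack(endian + 'II', data[off:off + 8])
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError('bad block length %d at offset %d' % (blen, off))
        trailer, = struct.unpack(endian + 'I', data[off + blen - 4:off + blen])
        if trailer != blen:
            raise ValueError('length mismatch at offset %d' % off)
        yield btype, data[off:off + blen]
        off += blen


def _block(btype, body, endian='<'):
    """Constructed sample only: wrap a body in pcapng block framing, padded to 4."""
    body += b'\x00' * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + 'II', btype, total) + body + struct.pack(endian + 'I', total)


# Constructed stream: SHB, IDB (linktype 1 = Ethernet, snaplen 65535), one EPB.
SAMPLE = (_block(SHB_TYPE, struct.pack('<IHHq', 0x1A2B3C4D, 1, 0, -1))
          + _block(0x00000001, struct.pack('<HHI', 1, 0, 65535))
          + _block(0x00000006, struct.pack('<IIIII', 0, 0, 0, 4, 4) + b'\xde\xad\xbe\xef'))
```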