
Wireshark-users: Re: [Wireshark-users] Pcap files

From: Rayne <hjazz6@xxxxxxxxx>
Date: Thu, 22 Oct 2009 19:57:28 -0700 (PDT)
I'm actually looking to create a new packet and then send it out through a NIC for further processing. That was why I was questioning what contents the packet should contain, other than the L2-L7 data. I now understand that the newly created packet should only contain the L2-L7 data, and not include the 16-byte per-packet record header.

It looks like all I need to do is allocate a block of memory to hold the L2-L7 packet content.

Thank you.

Regards,
Rayne

--- On Thu, 10/22/09, Guy Harris <guy@xxxxxxxxxxxx> wrote:

> From: Guy Harris <guy@xxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Pcap files
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Date: Thursday, October 22, 2009, 1:16 AM
> 
> On Oct 21, 2009, at 5:57 PM, Rayne wrote:
> 
> > So am I right to say that if I were to capture a packet, that packet should only consist of the 16-byte packet header and the L2-L7 content.
> 
> If you were to capture a packet, that packet would consist of whatever data the packet capture mechanism supplied to you, including any pseudo-headers such as a header giving radio information for 802.11 packets.  For example, if it's an 802.11 packet, the "packet header" would include the variable-length 802.11 header, and would have a radio header before it if that happened to be what the driver and capture mechanism supplied, and if it's an Ethernet packet, it would consist of the *12*-byte packet header, possibly followed by an 802.2 header, possibly followed by a SNAP header if there's an 802.2 header, followed by the payload.
> 
> > But if I were to write that packet to a file of the libpcap format, then the 24-byte "header" will be prepended to the file?
> 
> If you were to write one or more packets to a pcap file, the first 24 bytes of the file will be the pcap file header, followed by the records for the packets; each record would consist of a 16-byte per-packet header, followed by the packet data.
> 
> The 16-byte record header is *NOT* part of the packet.  If you were to capture a packet with libpcap/WinPcap, using pcap_dispatch() or pcap_loop(), a pointer to the 16-byte per-packet header for the packet will be supplied to you as a separate item from the pointer to the raw packet data; you will not get passed a pointer to a single chunk of data starting with the 16-byte per-packet header with the packet data immediately following it.
> 
> That's also true if you were to read an existing capture file with libpcap/WinPcap, using pcap_dispatch() or pcap_loop().
> 
> What is it you are trying to do here?
> 
> Read a pcap-format file?  If so, you should probably consider using libpcap/WinPcap to read the file.
> 
> Write a pcap-format file?  If so, you should probably still consider using libpcap/WinPcap (pcap_dump_open(), pcap_dump(), pcap_dump_close()).
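The layout Guy describes, as an added example that is neither code from this thread nor from libpcap: a 24-byte file header, then one record per packet made of a 16-byte record header followed by the packet bytes. The writer takes only the L2-L7 bytes, the reader hands the record header and the packet data back as separate items (as pcap_loop() does) and refuses any record whose incl_len runs past the end of the file. The Ethernet frame, timestamps and function names are all constructed for the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-timestamp pcap magic number
LINKTYPE_ETHERNET = 1

def pcap_file_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # 24-byte file header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(pkt, ts_sec, ts_usec):
    # 16-byte per-packet header (ts_sec, ts_usec, incl_len, orig_len), then the
    # packet bytes exactly as they would go on the wire: L2 onward, nothing extra
    return struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt

def pcap_records(data):
    """Yield (record_header, packet_bytes) per record; the two stay separate."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap file header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # same magic read byte-swapped: big-endian writer
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    snaplen = struct.unpack_from(endian + "I", data, 16)[0]
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        # A record claiming more bytes than remain (or than snaplen) is corrupt;
        # trusting incl_len blindly is how a pcap reader walks off the end of its buffer.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off - 16))
        hdr = {"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len, "orig_len": orig_len}
        yield hdr, data[off:off + incl_len]
        off += incl_len

# Constructed frame: broadcast dst, locally administered src, EtherType 0x0800,
# a 20-byte IPv4-shaped header stub and a short dummy payload (38 bytes in all)
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x45" + b"\x00" * 19 + b"ping"

def build_capture(frames):
    # Only the frame bytes go into each record; the 16-byte header is written around them
    out = pcap_file_header()
    for i, f in enumerate(frames):
        out += pcap_record(f, 1256259448 + i, 0)   # constructed timestamps
    return out
```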