Ethereal-users: Re: [Ethereal-users] RE: Analyzing Cisco HDLC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 6 Aug 2004 11:46:50 -0700
On Fri, Aug 06, 2004 at 11:22:47AM -0700, Talbert, Britt USA wrote (in a
fashion that makes it hard to distinguish his text from the text to
which he's replying; can you please configure your mail reader to, when
it includes text from the original message in the reply, mark it
specially somehow, e.g. by preceding each line with "> "?):

> > From: Guy Harris [mailto:gharris@xxxxxxxxx] 
> > Sent: Tuesday, August 03, 2004 5:16 PM
> > To: Talbert, Britt USA
> > 
> > Does the device on which you're capturing have a "/dev" entry?  If so,
> > you might just look for names that correspond to its "/dev" entry, and
> > use the name.
> 
> No, I didn't see a /dev entry.

So what code are you using to open the device?

> > My program seems to successfully strip the frame delimiters and
> > "destuff" the bits, however I tried to put it in libpcap format with
> > editcap and it choked on the file.

Editcap uses the exact same library to read capture files that Ethereal
and Tethereal do, so it can't read any files that can't be read by
Ethereal and Tethereal.

What you need to do is have your program *itself* write the file out in
libpcap format, using the libpcap routines "pcap_open_dead()" (to create
a fake pcap_t to use to open the dump file for output - yes, the libpcap
APIs for writing a capture file aren't as good as they should be; the
fact that they assume you're doing a live capture from libpcap or
reading a capture file from libpcap is only one of the problems),
"pcap_dump_open()", "pcap_dump()", and "pcap_close()".

> Right now, I am only interested in
> piping the captured file into Tethereal so that I can write out the HDLC
> capture.  The next step would be to do it directly from the device.  Is
> editcap the correct method?

No.  See above.
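
The on-disk layout that "pcap_dump_open()" and "pcap_dump()" produce, written by hand with stdio so that it runs without libpcap installed; this is an added example, not part of the original message. The function names, the output file name and the sample frame are constructed; 104 is the link-layer type value libpcap assigns to Cisco HDLC (DLT_C_HDLC).

```c
#include <stdint.h>
#include <stdio.h>

#define LINKTYPE_C_HDLC 104u   /* same value as libpcap's DLT_C_HDLC */
#define SNAPLEN         65535u

/* libpcap file header (24 bytes) and per-packet record header (16 bytes). */
struct file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t thiszone;
                  uint32_t sigfigs, snaplen, linktype; };
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; };

/* Counterpart of pcap_dump_open(): create the file and write the file header.
 * Fields are written in host byte order; readers detect the order from magic. */
FILE *chdlc_dump_open(const char *path)
{
    struct file_hdr h = { 0xa1b2c3d4u, 2, 4, 0, 0, SNAPLEN, LINKTYPE_C_HDLC };
    FILE *fp = fopen(path, "wb");
    if (fp && fwrite(&h, sizeof h, 1, fp) != 1) { fclose(fp); fp = NULL; }
    return fp;
}

/* Counterpart of pcap_dump(): one record header, then the destuffed frame
 * bytes with the flag delimiters already stripped. */
int chdlc_dump(FILE *fp, uint32_t sec, uint32_t usec,
               const uint8_t *frame, uint32_t len)
{
    uint32_t caplen = len > SNAPLEN ? SNAPLEN : len;
    struct rec_hdr r = { sec, usec, caplen, len };
    if (fwrite(&r, sizeof r, 1, fp) != 1) return -1;
    return fwrite(frame, 1, caplen, fp) == caplen ? 0 : -1;
}

/* Constructed sample frame: Cisco HDLC address 0x0F, control 0x00,
 * protocol type 0x0800, followed by four constructed payload bytes. */
static const uint8_t sample_frame[] = { 0x0f, 0x00, 0x08, 0x00,
                                        0x45, 0x00, 0x00, 0x14 };

/* Write one frame; return the resulting file size, or -1 on error. */
long write_sample(const char *path)
{
    FILE *fp = chdlc_dump_open(path);
    if (!fp) return -1;
    int rc = chdlc_dump(fp, 1091818010u, 0, sample_frame, sizeof sample_frame);
    long size = ftell(fp);
    if (fclose(fp) != 0 || rc != 0) return -1;
    return size;
}

int main(void) { return write_sample("chdlc_sample.pcap") < 0; }
```

With libpcap itself, the link type and snapshot length in the file header come from the arguments to "pcap_open_dead()", and "pcap_dump_close()" flushes and closes the dump file.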