On Sep 28, 2012, at 10:39 AM, Albert Lo <ALo@xxxxxxxxxxxxxx> wrote:
> I would like to know where I can find the source files for editcap.
> What libpcap API's are being called to convert .pcapng to .pcap with the following cmd?
>
> >editcap -F libpcap -T ether file.pcapng file.pcap
As Jakub noted, we don't use libpcap to read or write capture files.
However, if you convert pcap-ng to pcap with the command
tcpdump -r file.pcapng -w file.pcap
on a system with libpcap 1.1.0 or later, the APIs used are
pcap_open_offline(), to open the input file;
pcap_loop(), to read the packets;
pcap_close(), to close the input file;
pcap_dump_open(), to open the output file;
pcap_dump(), to write to the output file;
pcap_dump_close(), to close the output file.
That will, of course, only work if the file can actually be converted to pcap without damaging it, i.e. if all the interfaces in the pcap-ng file have the same link-layer type. If they don't, the file cannot be represented in a pcap file in any form that will actually give the write answer if you try to read it (so "-T ether" isn't going to fix that problem with editcap).