Wireshark-dev: Re: [Wireshark-dev] converting pcapng to pcap

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 28 Sep 2012 12:13:45 -0700
On Sep 28, 2012, at 11:43 AM, albert <alo@xxxxxxxxxxxxxx> wrote:

> I'm assuming that the meat of the .pcapng to .pcap conversion is done in the 
> pcap_handler callback  for pcap_offline_read().  Is this correct ?

No.

It's done in several places.

In a libpcap/WinPcap-based application:

    When reading a packet:

	the internal file-read routine is called (from pcap_loop(), pcap_dispatch(), pcap_next(), or pcap_next_ex()) and, in 1.1 and later, that calls the appropriate next_packet_op routine for the file type in question (pcap or pcap-ng);

	the next_packet_op routine gets the next packet (first packet, if no packet has been read yet), constructs a struct pcap_pkthdr containing the time stamp, on-the-network packet length, and captured data length for the packet, and calls the callback routine, handing it a pointer to the struct pcap_pkthdr, a pointer to the packet data, and the "user data" pointer;

	the callback processes the packet, with no knowledge of whether it came from a pcap or pcap-ng file (or, possibly, other file types in the future).

    When writing a packet:

	pcap_dump() is called, and, using the struct pcap_pkthdr and raw packet data, writes a pcap packet.

Half of the work is done in the next_packet_op, which converts the packet data in the file, in whatever form it might be in that particular file format, to a struct pcap_pkthdr and a lump of raw packet data, and the other half of the work is done in pcap_dump(), which takes a struct pcap_pkthdr and a lump of raw packet data and writes it out in pcap format.

So:

	if the callback *is* pcap_dump() (whose API was designed to allow it to act as a callback for pcap_loop() or pcap_dispatch()), only half of the format-conversion work is done in the callback;

	if the callback isn't pcap_dump(), just some routine that calls pcap_dump(), none of the format-conversion work is done in the callback.