On Sep 28, 2012, at 11:43 AM, albert <alo@xxxxxxxxxxxxxx> wrote:
> I'm assuming that the meat of the .pcapng to .pcap conversion is done in the
> pcap_handler callback for pcap_offline_read(). Is this correct?

No.

It's done in several places.

In a libpcap/WinPcap-based application:

    When reading a packet:

        the internal file-read routine is called (from pcap_loop(), pcap_dispatch(), pcap_next(), or pcap_next_ex()) and, in 1.1 and later, that calls the appropriate next_packet_op routine for the file type in question (pcap or pcap-ng);

        the next_packet_op routine gets the next packet (first packet, if no packet has been read yet), constructs a struct pcap_pkthdr containing the time stamp, on-the-network packet length, and captured data length for the packet, and calls the callback routine, handing it a pointer to the struct pcap_pkthdr, a pointer to the packet data, and the "user data" pointer;

        the callback processes the packet, with no knowledge of whether it came from a pcap or pcap-ng file (or, possibly, other file types in the future).

    When writing a packet:

        pcap_dump() is called, and, using the struct pcap_pkthdr and raw packet data, writes a pcap packet.

Half of the work is done in the next_packet_op, which converts the packet data in the file, in whatever form it might be in that particular file format, to a struct pcap_pkthdr and a lump of raw packet data, and the other half of the work is done in pcap_dump(), which takes a struct pcap_pkthdr and a lump of raw packet data and writes it out in pcap format.

So:

    if the callback *is* pcap_dump() (whose API was designed to allow it to act as a callback for pcap_loop() or pcap_dispatch()), only half of the format-conversion work is done in the callback;

    if the callback isn't pcap_dump(), just some routine that calls pcap_dump(), none of the format-conversion work is done in the callback.
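
The split described in the message above, modelled in Python as an added example; it is not part of the original message and is not libpcap code. All function names are hypothetical, and the reader assumes a little-endian pcap-ng file with one section, one Ethernet interface and the default microsecond timestamp resolution.

```python
import struct

def build_pcapng(packets, linktype=1):
    """Constructed sample input: little-endian SHB + IDB + one EPB per (ts_usec, data)."""
    def block(btype, body):
        total = 12 + len(body)
        return struct.pack("<II", btype, total) + body + struct.pack("<I", total)
    out = block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += block(1, struct.pack("<HHI", linktype, 0, 65535))
    for ts, data in packets:
        fixed = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
        out += block(6, fixed + data + b"\0" * (-len(data) % 4))
    return out

def next_packet_pcapng(buf):
    """Reader half: turn each Enhanced Packet Block into (hdr, data), where
    hdr = (ts_sec, ts_usec, caplen, len) mirrors the fields of struct pcap_pkthdr."""
    off = 0
    while off + 12 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError("bad block length at offset %d" % off)
        if btype == 6:  # Enhanced Packet Block
            if total < 32:  # 32 = fixed EPB bytes surrounding the packet data
                raise ValueError("short EPB at offset %d" % off)
            _, hi, lo, caplen, plen = struct.unpack_from("<IIIII", buf, off + 8)
            if caplen > total - 32:  # file-supplied length must fit in the block
                raise ValueError("caplen exceeds block at offset %d" % off)
            ts = (hi << 32) | lo  # assumption: microsecond resolution
            yield (ts // 10**6, ts % 10**6, caplen, plen), buf[off + 28:off + 28 + caplen]
        off += total

def pcap_dump_model(out, hdr, data):
    """Writer half: append one pcap record (16-byte record header + data) to out."""
    out += struct.pack("<IIII", *hdr) + data

def skip_tiny(out, hdr, data):
    """A callback that is not the dump routine but calls it: no conversion work here."""
    if hdr[2] >= 4:
        pcap_dump_model(out, hdr, data)

def convert(buf, callback=pcap_dump_model, linktype=1):
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for hdr, data in next_packet_pcapng(buf):
        callback(out, hdr, data)  # the callback never sees pcap-ng structures
    return bytes(out)

SAMPLE = build_pcapng([(1348857780_000123, b"\x01\x02\x03"), (1348857781_500000, b"abcdefgh")])
```

The length checks in the reader half are where a malformed file has to be rejected; by the time the callback runs, it only has the header fields and the data it was handed.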