Wireshark-dev: Re: [Wireshark-dev] Using wiretap library in a project

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 3 Jan 2013 12:00:07 -0800
On Jan 3, 2013, at 8:25 AM, Neagaru Daniel <neagarudan@xxxxxxxxx> wrote:

> Yes, it would be a solution, since I didn't find anything related to pcap-ng in pcap(3) documentation,

The latest version of the pcap_open_offline(3PCAP) man page says:

	DESCRIPTION
	       pcap_open_offline() is called to open a ‘‘savefile’’ for reading.

	       fname specifies the name of the file to open. The  file  can  have  the
	       pcap  file  format  as described in pcap‐savefile(5), which is the file
	       format used by, among other programs, tcpdump(1)  and  tcpslice(1),  or
	       can have the pcap‐ng file format, although not all pcap‐ng files can be
	       read.  The name "‐" in a synonym for stdin.

It *should* say "as written by, among other programs...", as those programs can, if using a sufficiently recent version of libpcap, *read* pcap-ng files in which all the interfaces have the same link-layer header type and snapshot length (the current libpcap/WinPcap APIs don't let you get per-interface link-layer header types or snapshot lengths; they assume there's only one link-layer header type and snapshot length per file) and all the sections have the same byte order (for the same reason - yes, libpcap supports pcap-ng files with multiple Section Header Blocks).

Note that no WinPcap version based on libpcap 1.1.0 or later has been released, so this only works on UN*X, not on Windows.

> I thought pcap-ng is not supported yet.

No - as Evan Huus noted, it's been supported since 1.1.0, although I'd still call it "limited" in the current version; some bugs are fixed in the current version, but it still only has the old API and thus can't handle captures with multiple link-layer header types, snapshot lengths, etc.

> Where can I find the recent documentation regarding pcap-ng?

Regarding pcap-ng or regarding libpcap support for it?  For pcap-ng itself, see

	http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

For libpcap support for it, see the man page on a system with a recent version of libpcap, or see

	http://www.tcpdump.org/manpages/pcap_open_offline.3pcap.html
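As an added example (not code from this thread or from libpcap), the following pure-Python walk over a pcap-ng file's Section Header Blocks and Interface Description Blocks checks the conditions described above: whether every interface shares one link-layer header type and snapshot length and every section shares one byte order, which is what a reader built on the old single-linktype pcap API can cope with. The function names and the sample files (built inline from the block layouts in the pcap-ng draft linked in the mail) are my own constructions, not real captures.

```python
import struct

SHB, IDB, BOM = 0x0A0D0D0A, 0x00000001, 0x1A2B3C4D   # block types and byte-order magic

def pcapng_interfaces(data):
    """Return one (section_no, endian, linktype, snaplen) tuple per Interface Description Block."""
    off, section, endian, result = 0, -1, None, []
    while off + 12 <= len(data):
        # The SHB type 0x0A0D0D0A reads the same in either byte order, so probe for it first.
        if struct.unpack_from("<I", data, off)[0] == SHB:
            bom = data[off + 8:off + 12]
            if bom == struct.pack("<I", BOM):
                endian = "<"
            elif bom == struct.pack(">I", BOM):
                endian = ">"
            else:
                raise ValueError("SHB with unknown byte-order magic at offset %d" % off)
            section += 1
            btype = SHB
        elif endian is None:
            raise ValueError("block before first Section Header Block")
        else:
            btype = struct.unpack_from(endian + "I", data, off)[0]
        blen = struct.unpack_from(endian + "I", data, off + 4)[0]
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("bad block length %d at offset %d" % (blen, off))
        if btype == IDB:
            linktype, _reserved, snaplen = struct.unpack_from(endian + "HHI", data, off + 8)
            result.append((section, endian, linktype, snaplen))
        off += blen
    return result

def old_api_readable(data):
    """True when a single-linktype, single-snaplen, single-byte-order reader could handle the file."""
    ifaces = pcapng_interfaces(data)
    return len(ifaces) > 0 and len({(e, lt, sl) for _s, e, lt, sl in ifaces}) == 1

# --- constructed sample files (not real captures) ---------------------------------
def _block(endian, btype, body):
    total = 12 + len(body)   # type + length + body + trailing length
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

def _shb(endian):            # magic, major 1, minor 0, section length -1 (unspecified), no options
    return _block(endian, SHB, struct.pack(endian + "IHHq", BOM, 1, 0, -1))

def _idb(endian, linktype, snaplen):
    return _block(endian, IDB, struct.pack(endian + "HHI", linktype, 0, snaplen))

SINGLE_IFACE = _shb("<") + _idb("<", 1, 65535)                                    # one Ethernet interface
MIXED_IFACES = _shb("<") + _idb("<", 1, 65535) + _idb("<", 113, 262144)           # Ethernet + Linux SLL
TWO_SECTIONS = _shb("<") + _idb("<", 1, 65535) + _shb(">") + _idb(">", 1, 65535)  # sections differ in byte order
```

Run `old_api_readable()` on a real file's bytes to find out in advance whether pcap_open_offline() on a 1.1.0-or-later libpcap is likely to reject it for mixed link types rather than reading it.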