This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

dumpcap - how to download the sources and build it on Windows

0

Hi,

currently i develop a program running on Windows that uses the library WinPcap to sniff some data traffic and write down the captured traffic into files with PCAP format. My program needs to write down the traffic in the newer PcapNG format. As far as i could see, the WinPcap library doesn't support the PcapNG format.

The Wireshark component dumpcap also uses the Winpcap library (on Windows) to capture traffic, and it writes down the capture in PcapNG format, so the sources from dumpcap is what i need to understand and work on (part of it: the pcapio.c file contains the code that writes down the captured packets in PcapNG).

On the wireshark.org front page the menu item "Develop->Browse the code" directs me to a list of files, among which dumpcap.vcproj. Downloading and opening it with Visual Studio, i see it requires a number of source files, some of them are in the same list, some not (e.g. capture_loop.c).

Has anyone lately tried to open, build and run this Visual Studio project? It would be great to run it in debug mode and see it working step by step. Otherwise, how can i gather the sources and build on Windows dumpcap.exe (and only this component)?

asked 17 Sep '13, 03:49

ime-braun's gravatar image

ime-braun
1445
accept rate: 0%

2 Answers:

1

The Visual Studio project files are defunct and should be removed from the repository. Currently the only supported build mechanism on Windows is via command line using nmake.

You must follow all the steps in the Windows part of the Developers Guide exactly as written, until you get to step 2.2.10 where you can specify dumpcap.exe instead of all as the build target.

Once you have built dumpcap.exe, then you can debug it using Visual Studio following this guide. You may have to point Visual Studio to the source files the first time.

Also note that dumpcap (and the rest of the Wireshark suite) is licensed GPL2 or later, please respect that license.

answered 17 Sep '13, 03:57

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 17 Sep '13, 06:37

What do you mean with "dumpcap... uses libwiretap to actually handle the reading and writing of capture files"?, i can see among the sources of dumpcap the code that does the writing of capture files, it's wholly in pcapio.c (functions libpcap_write_session_header_block and the like)

(17 Sep '13, 05:38) ime-braun

My mistake, although that code is derived from libwiretap. I've updated my answer.

(17 Sep '13, 06:37) grahamb ♦

0

If you want to understand the pcap-ng file format, you should reference the PCAP Next Generation Dump File Format specification, rather than trying to reverse-engineer the format from dumpcap.

By the way, unless you plan to GPL your program, you should avoid using any code from dumpcap.

answered 17 Sep '13, 08:38

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%