can anyone point me to wireshark documentation that will tell me how to write a standalone program that reads a .cap file (created by NA Sniffer version 2.0) and give me a pcap_pkthdr offset? Thanks. Mark Young asked 27 Apr '11, 09:43 markfyoung |
2 Answers:
The Libpcap file format is pretty straightforward. You can implement a reader program in whatever your favorite language is. answered 27 Apr '11, 10:33 multipleinte... |
Uh oh, depending on what you want to do you're in for quite an amount of trouble. I have written a standalone program that reads NAI v2.00 cap files, and it has some strange features that makes reading it quite a challenge (talking about ring buffered captures; quite funny - not to say "annoying" - how they implemented them). What you can do is read the source code of the according Wireshark module, which would be in /wiretap/netxray.c. Yes, quite confusing, but I guess it's called Netxray because that was the Windows program the DOS-Sniffer was merged with back in... the last century as far as I know. Keep in mind that the Wireshark code does not always know what each bit and byte is good for. I have reverse engineered a few of the unknown bytes myself, but I haven't checked if the Wireshark wiretap code knows about their functionality in the meantime. I always wanted to give feedback on those but didn't have the time yet. If you can give more details of what you want to do I may be able to give some additional tips. answered 27 Apr '11, 10:38 Jasper ♦♦ edited 27 Apr '11, 10:41 |
he's not talking about libpcap, he wants to read NAI Sniffer .cap files (do not let the extension fool you into thinking that it is enough to detect the file format or Jaap will hunt you down :-D)