Hi, I'm outputting Wi-Fi packets to a PCAP file and I'd like to insert a comment that would be easily seen in Wireshark/tcpdump to tell me whether I dropped packets while logging. I think the pcap standard doesn't have anything to add a direct comment, but maybe I could add a special 802.11 packet in a way that would make it easy to spot the packet drop count? Any idea? Thanks

asked 19 May '15, 07:57 Francois
2 Answers:
Well, why don't you use the PCAPng file format instead? It supports file and frame comments, and it also supports saving the packet drop count.

answered 19 May '15, 08:01 Jasper ♦♦ edited 19 May '15, 08:02
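Jasper's answer names the two pcapng features the question needs: a per-packet comment (the opt_comment option of an Enhanced Packet Block) and the interface drop counter (the isb_ifdrop option of an Interface Statistics Block). The following Python example is added here for illustration; it is not code from any of the answers, from libpcap or from PcapPlusPlus. It builds such a file byte by byte from the pcapng specification and reads it back. The interface name, the 24-byte 802.11 beacon header, the timestamps and the received/dropped counters are constructed sample values.

```python
"""Minimal pcapng writer/reader showing per-packet comments and drop counts (added example)."""
import struct

# pcapng block type codes (from the pcapng specification)
SHB = 0x0A0D0D0A  # Section Header Block
IDB = 0x00000001  # Interface Description Block
EPB = 0x00000006  # Enhanced Packet Block
ISB = 0x00000005  # Interface Statistics Block
LINKTYPE_IEEE802_11 = 105  # raw 802.11 frames without a radiotap header

# option codes used below
OPT_END, OPT_COMMENT, OPT_IF_NAME = 0, 1, 2
OPT_ISB_IFRECV, OPT_ISB_IFDROP = 4, 5

# Constructed sample frame: a 24-byte 802.11 beacon header (FC=0x0080, broadcast DA)
FRAME = bytes.fromhex("80000000" "ffffffffffff" "020000000001" "020000000001" "1000")
COMMENT = "capture gap: 3 frames dropped before this one"


def _pad4(b: bytes) -> bytes:
    """Pad to a 32-bit boundary, as every pcapng field and option requires."""
    return b + b"\x00" * (-len(b) % 4)


def _option(code: int, value: bytes) -> bytes:
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def _block(block_type: int, body: bytes, options: bytes = b"") -> bytes:
    """Frame a body as a block: type, total length, body[+options], total length."""
    if options:
        body += options + struct.pack("<HH", OPT_END, 0)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def write_pcapng(packets, received: int, dropped: int) -> bytes:
    """packets: iterable of (timestamp_us, frame_bytes, comment or None)."""
    out = bytearray()
    # SHB: byte-order magic, version 1.0, unknown section length (-1)
    out += _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    # IDB: link type, reserved, snaplen; without if_tsresol timestamps are microseconds
    out += _block(IDB, struct.pack("<HHI", LINKTYPE_IEEE802_11, 0, 65535),
                  _option(OPT_IF_NAME, b"wlan0mon"))  # constructed interface name
    last_ts = 0
    for ts_us, frame, comment in packets:
        hdr = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(frame), len(frame))
        opts = _option(OPT_COMMENT, comment.encode()) if comment else b""
        out += _block(EPB, hdr + _pad4(frame), opts)
        last_ts = ts_us
    # ISB: per-interface counters; isb_ifdrop is the drop count Wireshark reports
    stats = (_option(OPT_ISB_IFRECV, struct.pack("<Q", received))
             + _option(OPT_ISB_IFDROP, struct.pack("<Q", dropped)))
    out += _block(ISB, struct.pack("<III", 0, last_ts >> 32, last_ts & 0xFFFFFFFF), stats)
    return bytes(out)


def _parse_options(buf: bytes) -> list:
    opts, i = [], 0
    while i + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, i)
        i += 4
        if code == OPT_END:
            break
        opts.append((code, buf[i:i + length]))
        i += length + (-length % 4)
    return opts


def read_pcapng(data: bytes) -> dict:
    """Collect packet comments and ISB counters. Assumes the little-endian layout
    write_pcapng produces; a general reader must honour the SHB byte-order magic."""
    result = {"packets": 0, "comments": [], "received": None, "dropped": None}
    i = 0
    while i + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, i)
        body = data[i + 8:i + total - 4]
        if btype == EPB:
            caplen = struct.unpack_from("<I", body, 12)[0]
            result["packets"] += 1
            for code, val in _parse_options(body[20 + caplen + (-caplen % 4):]):
                if code == OPT_COMMENT:
                    result["comments"].append(val.decode())
        elif btype == ISB:
            for code, val in _parse_options(body[12:]):
                if code == OPT_ISB_IFRECV:
                    result["received"] = struct.unpack("<Q", val)[0]
                elif code == OPT_ISB_IFDROP:
                    result["dropped"] = struct.unpack("<Q", val)[0]
        i += total
    return result


def build_demo_file() -> bytes:
    """Two constructed frames; the second carries a comment marking a capture gap."""
    t0 = 1_432_000_000_000_000  # constructed timestamp, microseconds since the epoch
    return write_pcapng([(t0, FRAME, None), (t0 + 250, FRAME, COMMENT)], received=5, dropped=3)


def demo() -> dict:
    return read_pcapng(build_demo_file())


if __name__ == "__main__":
    with open("drops_demo.pcapng", "wb") as fh:
        fh.write(build_demo_file())
    print(demo())
```

Running the script writes drops_demo.pcapng; Wireshark shows the comment under the packet's details and takes the per-interface drop count from the ISB, so a logger that knows how many frames it lost can record that number without inventing a fake 802.11 frame. As the other answers note, tcpdump with a libpcap older than 1.1.0 will not open the file at all.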
If you don't want to depend on a specific libpcap version, I'd advise you to use PcapPlusPlus, which has its own implementation of reading and writing pcap-ng files, one that has no dependency on libpcap. Here is a short example of writing a packet and a comment:

answered 23 Jun '17, 15:09 seladb

The reason why the libpcap version matters here is that only sufficiently recent (as in "1.1 and later") versions of libpcap can read pcapng files, so if you write out a pcapng file, it can't be read by libpcap prior to 1.1.0, regardless of what software you use to write it. PcapPlusPlus can't write pcapng files that libpcap prior to 1.1.0 can read; nothing can. Perhaps PcapPlusPlus will make it easier for Francois to write pcapng files with comments, but if he wants the files to be readable even by, for example, tcpdump on systems with a pre-1.1.0 libpcap, it can't do that. (23 Jun '17, 18:01) Guy Harris ♦♦
Will PCAPng work with tcpdump as well?
That depends on the tcpdump version, as far as I know.
I think it has more to do with the version of libpcap than the version of tcpdump, although there may be some undocumented dependencies. I don't see any mention of pcap-ng in the tcpdump changelog; however, it is mentioned in the libpcap changelog. It appears that limited support for pcap-ng was first added in libpcap 1.1.0 with further pcap-ng related changes made in 1.1.2, 1.2.1, and 1.6.2.
You could also use either Wireshark or editcap to simply save the pcap file as a pcapng file, where you could then add packet comments using Wireshark.

Yes, it's a libpcap issue. Newer versions of libpcap can read pcap-ng files, as long as all interfaces in the file have the same link-layer header type and snapshot length (that's a limitation of the current libpcap API), although there's no current WinPcap version based on any of those newer versions. With newer versions of libpcap, tcpdump can read pcap-ng files, although it doesn't see the packet comments (again, an API limitation).