This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Add comment in a PCAP file

0

Hi,

I'm outputting wifi packets in a PCAP file and I'd like to insert a comment that would be easily seen in wireshark/tcpdump to tell me if I dropped packets while logging.

I think pcap standard doesn't have anything to add a direct comment but maybe I could add a special 802.11 packet in a way that could make it easy to spot the packet drop count?

Any idea? Thanks

asked 19 May '15, 07:57

Francois's gravatar image

Francois
11113
accept rate: 0%

2 Answers:

0

Well, why don't you use the PCAPng file format instead? It supports file and frame comments, and it also supports saving the packet drop count.

answered 19 May '15, 08:01

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 19 May '15, 08:02

Will PCAPng work with tcpdump as well?

(19 May '15, 08:06) Francois

that depends on the tcpdump version as far as I know

(19 May '15, 08:08) Jasper ♦♦

I think it has more to do with the version of libpcap than the version of tcpdump, although there may be some undocumented dependencies. I don't see any mention of pcap-ng in the tcpdump changelog; however, it is mentioned in the libpcap changelog. It appears that limited support for pcap-ng was first added in libpcap 1.1.0 with further pcap-ng related changes made in 1.1.2, 1.2.1, and 1.6.2.

You could also use either Wireshark or editcap to simply save the pcap file as a pcapng file where you could then add packet comments using Wireshark.

(19 May '15, 09:37) cmaynard ♦♦

Yes, it's a libpcap issue. Newer versions of libpcap can read pcap-ng files, as long as all interfaces in the file have the same link-layer header type and snapshot length (that's a limitation of the current libpcap API), although there's no current WinPcap version based on any of those newer versions). With newer versions of libpcap, tcpdump can read pcap-ng files, although it doesn't see the packet comments (again, an API limitation).

(19 May '15, 11:37) Guy Harris ♦♦

0

If you don't want to depend on specific libpcap version, I'd advise you to use PcapPlusPlus which has its own implementation of reading and writing pcap-ng files, one which has no dependency on libpcap. Here is a short example of writing a packet and a comment:

uint8_t* myPacket = ....;
size_t myPacketLen = ....;
timeval timestamp = ....;
char* myComment = ....;

RawPacket rawPacket(myPacket, myPacketLen, timestamp, false);


PcapNgFileWriterDevice pcapngWriter("my/pcapng/file/path");
pcapngWriter.open();
pcapngWriter.writePacket(rawPacket, myComment);
pcapngWriter.close();

answered 23 Jun ‘17, 15:09

seladb's gravatar image

seladb
11
accept rate: 0%

The reason why the libpcap version matters here is that only sufficiently recent (as in “1.1 and later”) versions of libpcap can read pcapng files, so if you write out a pcapng file, it can’t be read by libpcap prior to 1.1.0, regardless of what software you use to write it. PcapPlusPlus can’t write pcapng files that libpcap prior to 1.1.0 can read - nothing can.

Perhaps PcapPlusPlus will make it easier for Francois to write pcapng files with comments, but if he wants the files to be readable even by, for example, tcpdump on systems with a pre-1.1.0 libpcap, it can’t do that.

(23 Jun ‘17, 18:01) Guy Harris ♦♦