This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What function(s) is used in wiretap to read/write packet files?

Hi all,

I am currently researching how Wiretap in Wireshark reads files (e.g. pcap). I have gone through the README and README.developer but both of them yield no result. The Wireshark and Ethereal Network Protocol Analyzer Toolkit ebook does not explicitly show which function is called.

I have also gone through wtap.c, wtap.h and wtap.def but I still can't find my answer.

Any help and guidance is appreciated

Thanks

Regards,

Eddie Choo

asked 26 Jul '11, 01:58

eddie choo

edited 26 Jul '11, 01:58


One Answer:

wtap_open_offline opens a file; wtap_read reads the next sequential packet from the file; wtap_seek_read, if you've opened the file for both sequential and random access, will seek to the packet at the specified offset (where the offset is a value supplied by wtap_read for the packet in question) and read its data. wtap_sequential_close closes the sequential side of a file opened for both sequential and random access; wtap_close closes the sequential side if it hasn't already been closed, and also closes the random-access side if the file was opened for both sequential and random access, and frees up the data structure returned by wtap_open_offline.

Do not assume that any of these routines will remain unchanged in future Wireshark releases; if you write code that depends on them, it might have to be rewritten for a future release.

answered 26 Jul '11, 19:20

Guy Harris ♦♦
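The open / read / seek_read / close model in the answer above, shown as an added example (not part of the original answer and not wiretap's own code): a minimal reader for the classic pcap format that works on a file already held in memory. The function names pcap_open_mem, pcap_seek_read, pcap_read_next and pcap_collect_offsets, the pcap_file and pcap_record structs and the sample_pcap bytes are all constructed here for illustration; wiretap's real functions take a filename and error out-parameters, return their own wtap handle, and, as the answer warns, change between releases. What carries over is the division of labour: the open step validates the file header, the sequential read hands back an offset with each packet, and the random-access read takes that offset back. The caplen bounds check in pcap_seek_read is the check a practitioner wants, since a truncated or deliberately malformed capture can claim more packet bytes than the file holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal in-memory pcap reader, added to illustrate the open / read / seek_read
 * model from the answer. Not wiretap's code or API (wiretap works on real files,
 * reports errors through out-parameters, and changes between releases); only the
 * pcap on-disk layout used here is real. */

#define PCAP_HDR_LEN 24   /* magic, version, thiszone, sigfigs, snaplen, linktype */
#define PCAP_REC_LEN 16   /* ts_sec, ts_frac, caplen, origlen */

typedef struct {
    const uint8_t *data; size_t len;     /* whole file in memory */
    int big_endian, nsec;                /* both derived from the magic number */
    uint32_t snaplen, linktype;
    size_t seq_off;                      /* cursor of the "sequential side" */
} pcap_file;

typedef struct {
    uint32_t ts_sec, ts_frac, caplen, origlen;
    const uint8_t *pkt;                  /* caplen bytes inside pcap_file.data */
} pcap_record;

static uint32_t get_u32(const pcap_file *f, size_t off)   /* in the file's byte order */
{
    const uint8_t *p = f->data + off;
    return f->big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Analogue of wtap_open_offline: validate the global header. 0 = ok, -1 = error. */
int pcap_open_mem(pcap_file *f, const uint8_t *data, size_t len)
{
    memset(f, 0, sizeof *f);
    if (len < PCAP_HDR_LEN) return -1;
    f->data = data; f->len = len;
    uint32_t magic = get_u32(f, 0);                /* read little-endian first */
    if (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du)
        f->nsec = (magic == 0xa1b23c4du);
    else if (magic == 0xd4c3b2a1u || magic == 0x4d3cb2a1u)
        f->big_endian = 1, f->nsec = (magic == 0x4d3cb2a1u);
    else
        return -1;                                 /* not classic pcap (pcap-ng starts 0x0a0d0d0a) */
    f->snaplen = get_u32(f, 16); f->linktype = get_u32(f, 20);
    f->seq_off = PCAP_HDR_LEN;
    return 0;
}

/* Analogue of wtap_seek_read: parse the record whose header is at off, without
 * touching the sequential cursor. 0 = ok, -1 = error. */
int pcap_seek_read(const pcap_file *f, size_t off, pcap_record *r)
{
    if (off < PCAP_HDR_LEN || off > f->len || f->len - off < PCAP_REC_LEN) return -1;
    r->ts_sec = get_u32(f, off);     r->ts_frac = get_u32(f, off + 4);
    r->caplen = get_u32(f, off + 8); r->origlen = get_u32(f, off + 12);
    /* caplen is whatever the writer put there. A truncated or hostile file can claim
     * more bytes than exist, so bound it by snaplen and by the bytes actually left. */
    if (r->caplen > f->snaplen || r->caplen > f->len - off - PCAP_REC_LEN) return -1;
    r->pkt = f->data + off + PCAP_REC_LEN;
    return 0;
}

/* Analogue of wtap_read: next record in order, plus the offset that a later
 * pcap_seek_read can use. 1 = record, 0 = end of file, -1 = error. */
int pcap_read_next(pcap_file *f, pcap_record *r, size_t *data_offset)
{
    if (f->seq_off >= f->len) return 0;
    if (pcap_seek_read(f, f->seq_off, r) != 0) return -1;
    *data_offset = f->seq_off;
    f->seq_off += PCAP_REC_LEN + r->caplen;
    return 1;
}

/* Constructed sample (not a real capture): little-endian, Ethernet, two records. */
static const uint8_t sample_pcap[] = {
    0xd4, 0xc3, 0xb2, 0xa1,  0x02, 0x00, 0x04, 0x00,   /* magic (LE writer), version 2.4 */
    0, 0, 0, 0,  0, 0, 0, 0,                           /* thiszone, sigfigs */
    0xff, 0xff, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00,   /* snaplen 65535, linktype 1 */
    /* record 1 at offset 24: ts 1.000000, caplen 4, origlen 4 */
    0x01, 0, 0, 0,  0, 0, 0, 0,  0x04, 0, 0, 0,  0x04, 0, 0, 0,  0xde, 0xad, 0xbe, 0xef,
    /* record 2 at offset 44: ts 2.000500, caplen 6, origlen 60 (snapped at capture) */
    0x02, 0, 0, 0,  0xf4, 0x01, 0, 0,  0x06, 0, 0, 0,  0x3c, 0, 0, 0,  1, 2, 3, 4, 5, 6,
};

/* Sequential pass recording each record's offset. Returns the count, or -1 if the
 * header or any record is malformed. */
int pcap_collect_offsets(const uint8_t *data, size_t len, size_t *offsets, int max)
{
    pcap_file f; pcap_record r; size_t off; int n = 0, rc;
    if (pcap_open_mem(&f, data, len) != 0) return -1;
    while ((rc = pcap_read_next(&f, &r, &off)) == 1) { if (n < max) offsets[n] = off; n++; }
    return rc == 0 ? n : -1;
}

int main(void)
{
    size_t offs[8];
    int n = pcap_collect_offsets(sample_pcap, sizeof sample_pcap, offs, 8);
    printf("records: %d, last record header at offset %zu\n", n, n > 0 ? offs[n - 1] : (size_t)0);
    return 0;
}
```

Note that pcap records carry no sync marker, so pcap_seek_read will parse whatever 16 bytes sit at an arbitrary offset; the offset has to be one that a sequential read produced, which is exactly the contract the answer describes for wtap_seek_read.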

Hi Mr Guy Harris, thanks for replying to my question. I came across one of your mails in which you stated that winpcap/libpcap could also be used to read pcap files. May I know whether I can pass a file read by winpcap/libpcap directly into Wireshark, or does it need to go through wiretap? Thanks for your time.

(26 Jul '11, 20:35) eddie choo

If a file can be read by libpcap/WinPcap, it's a pcap file - or, in newer versions of libpcap/WinPcap, a pcap file or a pcap-ng file - and thus can also be read by Wiretap. Wiretap is the library that Wireshark uses to read capture files, so any file that is "read ... into Wireshark" goes through Wiretap.

(27 Jul '11, 00:41) Guy Harris ♦♦

May I know what your advice is if I wanted to use functions to read pcap files? Would you recommend using the libpcap library or the wiretap library? The wiretap library might be more suitable since I will be working on telecommunication protocols, but I couldn't find any tutorials out there. libpcap tutorials are relatively easier to find, but I remember you stated somewhere that libpcap is more suitable for TCP/IP. Thanks for your help.

(27 Jul '11, 03:11) eddie choo

If you're only going to read pcap files - or, with newer versions of libpcap, pcap-ng files that have only one link-layer type - libpcap will work just fine. If you need to read other file types, you'll need wiretap.

That has nothing to do with telecommunication protocols vs. TCP/IP, except that some telecommunications protocols are not supported by pcap and pcap-ng - but some are, e.g. MTP2.

(27 Jul '11, 10:17) Guy Harris ♦♦

Thanks eddie choo & Guy Harris for your posts; I got much information about wiretap. Actually, I am trying to find the file that wiretap is using to read (into which the libpcap-format packets are finally dumped for wiretap) but didn't find it. Can you guys help me out?

(27 May '15, 05:24) karun256