This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Library for creating pcapng file

Hi,

I have a IRIG106 http://irig106.org/ file that I want to convert to pcapng.

The IRIG106 file has a number of channels similar to the multiple interfaces that pcapng supports.

Is there a library that I can use to help populate a pcapng file?

Looking at https://wiki.wireshark.org/Development/PcapNg it appears that the wiretap API may do what I am looking but I have no idea how to use wiretap outside of Wireshark.

Worst case I will just follow the spec (http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.htm).

Any thoughts or ideas?

Thanks

pcapng

asked 06 Jun '16, 14:23

Rob B
36●8●8●13
accept rate: 0%

3 Answers:

First of all you should definitely hop over to non-obsolete documentation.

Second, this format is still being formed, as is the software surrounding it. Therefore things may be documented for the file format, while the code in Wireshark / wiretap is trailing and in flux. It may not be easy to use these parts outside of Wireshark at all. There's no effort being made in having these libraries useful on their own.

But the good news is that the file format is not that complicated. It shouldn't be too difficult to whip something together that writes the blocks you need.

answered 06 Jun '16, 23:07

Jaap ♦
11.7k●16●101
accept rate: 14%

Understood. Thanks

(07 Jun '16, 06:38) Rob B

If you're running on a newer version of OS X, it has functions in libpcap to write pcapng files; that version of libpcap is open-source, so you can use that code. It's not documented in the standard man pages that come with OS X, but the source includes a pcap_ng.3 man page that documents them (but that's not shipped with the OS).

(The OS X libpcap code in question is licensed under the APSL, so if it were incorporated into the standard libpcap, it would put libpcap under the APSL, which has patent clauses that some OSes that ship libpcap might find objectionable, so that code won't be incorporated into libpcap unless Apple relicenses it.)

answered 07 Jun '16, 13:03

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%

By the way, if the goal is to have Wireshark or TShark read those files, an alternative would be to modify the libwiretap code to be able to read them. That wouldn't help with standard binaries, but if those changes are submitted to the Wireshark project and incorporated into the source code, they'll appear in a future version of Wireshark.

answered 07 Jun '16, 14:21

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%

The only problem with this solution is that these files can be very large 200+GB. So I was planning on splitting the file while filling the pcapng format.

(07 Jun '16, 14:25) Rob B