1
votes

I wrote the following code to capture packets, but it actually saves only the last packet.

    /* pcap_handle is the capture handle opened elsewhere in the program. */
    void process_Packet(const struct pcap_pkthdr *header,
                        const u_char *packet)
    {
        FILE *pFile = NULL;
        pFile = fopen("myfile.pcap", "wb"); // open for writing in binary mode
        pcap_dumper_t *dumpfile = pcap_dump_fopen(pcap_handle, pFile);
        if (dumpfile == NULL)
        {
            printf("***NOOOO Dump!!!!!!!***");
        }
        else
        {
            pcap_dump((unsigned char *) dumpfile, header, packet);
            printf("***Dumped!!!!!!!***");
            pcap_dump_close(dumpfile); // only close a dumper that was opened
        }
    }

I want to write code that collects packets and appends each new packet to the previous ones. I should say that fopen("...", "ab") corrupts the file and doesn't work.

1 Answer

1
votes

pcap_dump_fopen writes some initialization headers, so it should be called only once, on an empty file. After the file with headers is created, you can actually pass a FILE* instance opened in append mode to pcap_dump directly, cast to unsigned char *. But that is not a safe approach - it is better to at least write all the required fields yourself (it's like 10 lines anyway), since the function implementation may change in the future and the file format will not. And I don't really understand why you would want to reopen the file on every packet dumped. If you want to ensure all data is written, you can just call fflush.
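The approach described in the answer above, as an added example that is not code from the answer or from libpcap: open the file once in append mode, write the classic pcap file header only when the file is empty, then write each record's fields yourself and flush. The names `capture_open_append`, `capture_write` and `capture_file_size` are hypothetical, and the code assumes any existing file was created by the same routine on the same host, with the same link type.

```c
#include <stdint.h>
#include <stdio.h>

/* On-disk layout of the classic pcap format, written in host byte order. */
struct file_hdr { uint32_t magic; uint16_t vmajor, vminor; int32_t thiszone;
                  uint32_t sigfigs, snaplen, linktype; };      /* 24 bytes */
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; };    /* 16 bytes */

/* Open `path` for appending; write the file header only if the file is empty.
 * Call once at start-up, not per packet. Returns NULL on error. */
FILE *capture_open_append(const char *path, uint32_t linktype, uint32_t snaplen)
{
    FILE *f = fopen(path, "ab");
    if (f == NULL)
        return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    if (ftell(f) == 0) {
        struct file_hdr fh = { 0xa1b2c3d4u, 2, 4, 0, 0, snaplen, linktype };
        if (fwrite(&fh, sizeof fh, 1, f) != 1 || fflush(f) != 0) {
            fclose(f);
            return NULL;
        }
    }
    return f;
}

/* Append one packet record and flush it. Returns 0 on success, -1 on error.
 * Timestamps are 32-bit on disk, so struct pcap_pkthdr (which embeds a
 * struct timeval) must not be fwrite()n as-is. */
int capture_write(FILE *f, uint32_t ts_sec, uint32_t ts_usec,
                  const unsigned char *pkt, uint32_t caplen, uint32_t len)
{
    struct rec_hdr rh = { ts_sec, ts_usec, caplen, len };
    if (f == NULL || pkt == NULL || caplen > len)
        return -1;
    if (fwrite(&rh, sizeof rh, 1, f) != 1)
        return -1;
    if (caplen != 0 && fwrite(pkt, 1, caplen, f) != caplen)
        return -1;
    return fflush(f) == 0 ? 0 : -1;
}

/* Size of a file in bytes, or -1 on error (used to check the result). */
long capture_file_size(const char *path)
{
    FILE *f = fopen(path, "rb");
    long n = -1;
    if (f != NULL) { if (fseek(f, 0, SEEK_END) == 0) n = ftell(f); fclose(f); }
    return n;
}
```

In a libpcap callback the record fields come from the `pcap_pkthdr` argument: `header->ts.tv_sec`, `header->ts.tv_usec`, `header->caplen` and `header->len`, each cast to `uint32_t`.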