4
votes

Up to now I have been using WinPcap to open pcap files in C#:

[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
private extern static IntPtr pcap_open_offline(string fname, byte[] errbuf);

Now I want to do something similar to open pcap-ng files so I get nanosecond resolution (I got a new sniffer :-) ).

Unfortunately WinPcap fails with this error: "bad dump file format"

Does anyone know how to work with pcap-ng in Windows?

Cheers, Pedro

3
Can you show more of your work for me? I need to read a .pcap file and read all the information. - Nicke Manarin

3 Answers

6
votes

Libpcap 1.1.x and later support reading some pcap-ng files (ones where all the interfaces have the same link-layer header type and snapshot length); however, there is no WinPcap release that's based on libpcap 1.1.x or 1.2.x, so there is no WinPcap release that can read pcap-ng files. Thus, no CLR-language wrapper around WinPcap will be able to read pcap-ng files until such a WinPcap release comes out.

In addition, the libpcap/WinPcap API currently doesn't return time stamps with nanosecond resolution, so even if you did read a file with nanosecond-resolution time stamps with libpcap, you wouldn't see nanosecond-resolution time stamps.

For now, you'd have to write your own code, or write a wrapper around Wireshark's Wiretap library. (Note that Wiretap's API is subject to significant and incompatible changes from one Wireshark major release to another.)
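The "write your own code" route from the answer above, as an added C# example that is not part of the original answer or of any library mentioned here: a pcap-ng reader that uses each interface's if_tsresol option to return packet timestamps in nanoseconds. The names `PcapNgSketch`, `ReadPackets`, `UnitsPerSecond`, `U32` and `Need` are hypothetical; it assumes a seekable stream and little-endian sections, and it skips every block type other than the Section Header, Interface Description and Enhanced Packet blocks.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
static class PcapNgSketch // hypothetical name; added example, little-endian sections only
{
    static uint U32(byte[] b, int o) => b[o] | (uint)b[o + 1] << 8 | (uint)b[o + 2] << 16 | (uint)b[o + 3] << 24;
    static void Need(bool ok, string what) { if (!ok) throw new InvalidDataException(what); }
    // Timestamp units per second, from if_tsresol (option 9) of an Interface Description Block.
    static ulong UnitsPerSecond(byte[] idb)
    {
        for (int o = 8; o + 4 <= idb.Length; )                     // options follow linktype, reserved, snaplen
        {
            int code = idb[o] | idb[o + 1] << 8, len = idb[o + 2] | idb[o + 3] << 8;
            if (code == 0) break;                                  // opt_endofopt
            Need(o + 4 + len <= idb.Length, "option overruns block");
            if (code != 9 || len != 1) { o += 4 + ((len + 3) & ~3); continue; } // values are padded to 32 bits
            ulong b = idb[o + 4] > 0x7F ? 2UL : 10UL, units = 1;   // MSB set: negative power of 2, else of 10
            int exp = idb[o + 4] & 0x7F;
            Need(exp <= (b == 2 ? 63 : 19), "if_tsresol finer than this sketch supports");
            while (exp-- > 0) units *= b;
            return units;
        }
        return 1_000_000;                                          // no if_tsresol: microseconds
    }
    public static List<(uint Iface, ulong Nanos, byte[] Data)> ReadPackets(Stream s)
    {
        var packets = new List<(uint, ulong, byte[])>();
        var units = new List<ulong>();                             // one entry per interface, in IDB order
        var r = new BinaryReader(s);                               // BinaryReader is always little-endian
        while (s.Position < s.Length)
        {
            uint type = r.ReadUInt32(), total = r.ReadUInt32();
            Need(total >= 12 && total <= int.MaxValue && total % 4 == 0, "bad block length");
            Need(total - 8 <= s.Length - s.Position, "block runs past end of file");
            byte[] body = r.ReadBytes((int)total - 12);
            Need(r.ReadUInt32() == total, "trailing length mismatch");
            Need(type != 0x0A0D0D0A || (body.Length >= 4 && U32(body, 0) == 0x1A2B3C4D), "unsupported byte order");
            if (type == 0x0A0D0D0A) units.Clear();                 // Section Header Block: interface ids restart
            if (type == 1) units.Add(UnitsPerSecond(body));        // Interface Description Block
            if (type != 6) continue;                               // only Enhanced Packet Blocks carry packets here
            Need(body.Length >= 20, "short Enhanced Packet Block");
            uint iface = U32(body, 0), caplen = U32(body, 12);
            Need(iface < units.Count && caplen <= body.Length - 20, "bad interface id or captured length");
            ulong ticks = ((ulong)U32(body, 4) << 32) | U32(body, 8); // 64-bit count of timestamp units
            ulong nanos = (ulong)(ticks * 1_000_000_000m / units[(int)iface]);
            packets.Add((iface, nanos, body.AsSpan(20, (int)caplen).ToArray()));
        }
        return packets;
    }
}
```

Call it as `PcapNgSketch.ReadPackets(File.OpenRead(path))`. The timestamp is returned as a `ulong` count of nanoseconds since the epoch because `DateTime` ticks are 100 ns wide and would drop the extra precision.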

3
votes

I've ported WinPcap to libpcap 1.7.3 and now it can open pcap-ng files and supports nanosecond timestamp resolution.

0
votes

Did you try using SharpPcap? Not sure if it supports it (can't try it right now), but it does support opening capture files as well, IIRC: http://sourceforge.net/apps/mediawiki/sharppcap/index.php?title=Main_Page