Anders Broman
2014-07-04 10:37:42 UTC
Are there specific things in a new API that would make wireshark happier?
feel free to start a new thread ;-)
Having a packet header that could be written to file directly might be a good idea.
/* pcap-ng Enhanced Packet Block without actual packet, options, and trailing
 * Block Total Length
 * ENHANCED_PACKET_BLOCK_TYPE 0x00000006
 * http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
 */
struct pcap_pkthdr_epb {
    bpf_u_int32 block_type;         /* Pcap-ng block type ENHANCED_PACKET_BLOCK_TYPE */
    bpf_u_int32 block_total_length; /* Block Total Length: total size of this block, in bytes */
    bpf_u_int32 interface_id;       /* Specifies the interface this packet comes from */
    bpf_u_int32 timestamp_high;
    bpf_u_int32 timestamp_low;      /* High and low 32-bits of a 64-bit quantity representing the timestamp.
                                     * The timestamp is a single 64-bit unsigned integer representing the number of units since 1/1/1970.
                                     * if_tsresol further specifies this field.
                                     */
    bpf_u_int32 captured_len;       /* Captured Len: number of bytes captured from the packet (i.e. the length of the Packet Data field) */
    bpf_u_int32 packet_len;         /* Packet Len: actual length of the packet when it was transmitted on the network.
                                     * It can be different from Captured Len if the user wants only a snapshot of the packet.
                                     */
};
(http://permalink.gmane.org/gmane.network.tcpdump.devel/6520 )
Regards
Anders
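
An added example, not part of the original message or of libpcap: what a consumer still has to do around such a header to emit a complete option-less Enhanced Packet Block, namely pad the packet data to 32 bits, append the trailing Block Total Length, and reject inconsistent lengths before copying. The names epb_hdr and epb_write are hypothetical, and uint32_t stands in for bpf_u_int32.

```c
#include <stdint.h>
#include <string.h>

#define ENHANCED_PACKET_BLOCK_TYPE 0x00000006u

/* Field layout of the struct in the message; uint32_t stands in for
 * libpcap's bpf_u_int32 (assumption, so no pcap headers are needed). */
struct epb_hdr {
    uint32_t block_type;
    uint32_t block_total_length;
    uint32_t interface_id;
    uint32_t timestamp_high;
    uint32_t timestamp_low;
    uint32_t captured_len;
    uint32_t packet_len;
};

/* Hypothetical helper: serialise one option-less EPB into out[] in host byte
 * order (readers take the byte order from the Section Header Block).
 * Returns the block size in bytes, or 0 if the lengths are inconsistent
 * or the block does not fit in out_cap. */
size_t epb_write(uint8_t *out, size_t out_cap, uint32_t if_id, uint64_t ts,
                 const uint8_t *pkt, uint32_t caplen, uint32_t wirelen)
{
    struct epb_hdr h;
    uint32_t pad, total;

    if (caplen > wirelen) return 0;      /* more captured than was on the wire */
    if (caplen > UINT32_MAX - sizeof h - 4 - 3) return 0; /* total would wrap */
    pad = (4 - (caplen & 3)) & 3;        /* packet data is padded to 32 bits */
    total = (uint32_t)sizeof h + caplen + pad + 4;
    if (total > out_cap) return 0;       /* never write past the caller's buffer */

    h.block_type = ENHANCED_PACKET_BLOCK_TYPE;
    h.block_total_length = total;
    h.interface_id = if_id;
    h.timestamp_high = (uint32_t)(ts >> 32);
    h.timestamp_low = (uint32_t)ts;
    h.captured_len = caplen;
    h.packet_len = wirelen;

    memcpy(out, &h, sizeof h);                         /* 28-byte fixed header */
    memcpy(out + sizeof h, pkt, caplen);               /* captured bytes */
    memset(out + sizeof h + caplen, 0, pad);           /* zero padding */
    memcpy(out + sizeof h + caplen + pad, &total, 4);  /* trailing total length */
    return total;
}
```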