This patch adds a function that can be used to append to an existing capture file. If the file doesn't exist or is empty, the function will simply write a new header; otherwise, it reads the existing header in and verifies that the new link layer type is the same as that in the capture file.
Sponsored by Sandvine Incorporated.
Thanks,
-Mark
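The behaviour described in the post above, sketched as an added example; it is not the submitted patch and not a libpcap API. `dump_open_append` is a hypothetical helper that writes a new header for a missing or empty file and otherwise accepts the file only if its link-layer type matches. It assumes the classic 24-byte pcap header in host byte order; the magic and version checks go beyond what the post states.

```c
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC 0xa1b2c3d4u   /* classic pcap, microsecond timestamps */

/* Classic pcap file header (24 bytes), read and written in host byte order. */
struct pcap_hdr {
    uint32_t magic;
    uint16_t version_major, version_minor;
    int32_t  thiszone;
    uint32_t sigfigs, snaplen, linktype;
};

enum { APPEND_NEW = 0, APPEND_EXISTING = 1, APPEND_BAD_HEADER = -1,
       APPEND_LINKTYPE_MISMATCH = -2, APPEND_IO_ERROR = -3 };

/* Hypothetical helper (assumption, not a libpcap function): open `path` so
 * packet records can be appended. On success *out is positioned at end of
 * file; the return value says whether a header was written or reused. */
static int dump_open_append(const char *path, uint32_t linktype,
                            uint32_t snaplen, FILE **out)
{
    struct pcap_hdr h;
    FILE *f = fopen(path, "ab+");  /* creates if missing; writes go to EOF */
    int rc;
    size_t n;
    *out = NULL;
    if (f == NULL)
        return APPEND_IO_ERROR;
    rewind(f);
    n = fread(&h, 1, sizeof h, f);
    if (n == 0 && !ferror(f)) {    /* missing or empty file: new header */
        struct pcap_hdr nh = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype };
        fseek(f, 0, SEEK_END);     /* required between a read and a write */
        rc = (fwrite(&nh, sizeof nh, 1, f) == 1 && fflush(f) == 0)
                 ? APPEND_NEW : APPEND_IO_ERROR;
    } else if (n != sizeof h || h.magic != PCAP_MAGIC || h.version_major != 2) {
        rc = APPEND_BAD_HEADER;    /* truncated, byte-swapped or not pcap */
    } else if (h.linktype != linktype) {
        rc = APPEND_LINKTYPE_MISMATCH;  /* refuse to mix link layers */
    } else {
        rc = APPEND_EXISTING;
    }
    if (rc < 0) { fclose(f); return rc; }
    fseek(f, 0, SEEK_END);
    *out = f;
    return rc;
}
```

Rejecting a mismatched link-layer type up front keeps a capture readable end to end, since every record after the file header is decoded using the single link type stored there.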
I too am interested in this feature. It would be useful in situations like filtering out specific types of packets from a collection of pcap files and saving to the same pcap, or restarting a live capture without having to create another file.
The discussion at http://seclists.org/tcpdump/2011/q2/148 suggests using the name pcap_dump_reopen() instead. I have no preference, as long as the functionality is the same.
I understand mergecap and editcap could help some of these scenarios, but not without multiple output files and plenty of post-processing.
Please continue the discussion on this feature and consider including it in the next release.
Administrators of the "libpcap" SourceForge project have superseded this tracker item (formerly artifact 3086711, now patch 51) with issue 247 of the "libpcap" GitHub project.