#51 Add a function to append to an existing capture

Git head
closed
nobody
None
5
2013-11-20
2010-10-13
No

This patch adds a function that can be used to append to an existing capture file. If the file doesn't exist or is empty, the function will simply write a new header; otherwise, it reads the existing header in and verifies that the new link layer type is the same as that in the capture file.

Sponsored by Sandvine Incorporated.

Thanks,
-Mark
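
The check described above, sketched in plain C without libpcap as an added example (this is not the submitted patch and not libpcap code). `capture_open_append` and its return codes are hypothetical names, and refusing a file whose magic number or byte order differs is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC 0xa1b2c3d4u   /* classic pcap, microsecond timestamps, native byte order */

struct pcap_file_hdr {           /* 24-byte header at the start of a pcap savefile */
    uint32_t magic;
    uint16_t version_major, version_minor;
    int32_t  thiszone;
    uint32_t sigfigs, snaplen, linktype;
};

enum { APPEND_NEW = 0, APPEND_EXISTING = 1,
       APPEND_EOPEN = -1, APPEND_EHEADER = -2, APPEND_EMAGIC = -3, APPEND_ELINKTYPE = -4 };

/* Hypothetical helper: open `path` so that packet records can be appended.
 * On success *out is positioned for writing at end of file. */
int capture_open_append(const char *path, uint32_t linktype, uint32_t snaplen, FILE **out)
{
    struct pcap_file_hdr h;
    int rc = APPEND_EXISTING;
    FILE *f = fopen(path, "ab+");   /* creates the file if missing, never truncates */
    if (f == NULL)
        return APPEND_EOPEN;
    rewind(f);                      /* read position after "a+" is implementation-defined */
    size_t n = fread(&h, 1, sizeof h, f);
    fseek(f, 0, SEEK_END);          /* required between a read and a write on one stream */
    if (n == 0) {                   /* missing or empty file: write a new header */
        struct pcap_file_hdr nh = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype };
        rc = (fwrite(&nh, sizeof nh, 1, f) == 1 && fflush(f) == 0) ? APPEND_NEW : APPEND_EOPEN;
    } else if (n < sizeof h) {
        rc = APPEND_EHEADER;        /* truncated header: not safe to append to */
    } else if (h.magic != PCAP_MAGIC) {
        rc = APPEND_EMAGIC;         /* other format or byte order: refuse rather than mix */
    } else if (h.linktype != linktype) {
        rc = APPEND_ELINKTYPE;      /* new records would be decoded with the wrong link layer */
    }
    if (rc < 0) {
        fclose(f);
        return rc;
    }
    *out = f;
    return rc;
}
```

Rejecting a mismatched link-layer type matters for later analysis: a reader takes the link type from the file header once, so appended records of another type would be silently misparsed.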

Discussion

  • Mark Johnston

    Mark Johnston - 2010-10-13
     
  • Pete

    Pete - 2013-05-14

    I too am interested in this feature. It would be useful in situations like filtering out specific types of packets from a collection of pcap files and saving to the same pcap, or restarting a live capture without having to create another file.

    The discussion at http://seclists.org/tcpdump/2011/q2/148 suggests using the name pcap_dump_reopen() instead. I have no preference, as long as the functionality is the same.

    I understand mergecap and editcap could help some of these scenarios, but not without multiple output files and plenty of post-processing.

    Please continue the discussion on this feature and consider including it in the next release.

     
  • Denis Ovsienko

    Denis Ovsienko - 2013-11-20
    • status: open --> closed
    • Group: --> Git head
     
  • Denis Ovsienko

    Denis Ovsienko - 2013-11-20

    Administrators of the "libpcap" SourceForge project have superseded this tracker item (formerly artifact 3086711, now patch 51) with issue 247 of the "libpcap" GitHub project.