[tcpdump-workers] Re: tcpdump and pcapng with comments
Mahesh V wrote:

> I would like to know if
> 1) tcpdump can write pcapng format (instead of just pcap)

Not yet.

> 3) read it later on. (I believe this functionality is available today or
> alternatively even wireshark would be ok to do this for me)
> Is this functionality available today or do we need to build it?

I can't recall if we can read pcapng.

___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org

[tcpdump-workers] Re: tcpdump and pcapng with comments
Hello Folks,
This is my first post.
I would like to know if
1) tcpdump can write pcapng format (instead of just pcap)
2) Accept per packet comments from the kernel and write them along with the packet into the pcapng file (if so, how do we pack the comments from kernel coming from the raw socket to tcpdump in user space)
3) read it later on. (I believe this functionality is available today or alternatively even wireshark would be ok to do this for me)
Is this functionality available today or do we need to build it?

thanks in advance

On Fri, Apr 4, 2025 at 10:41 PM Mahesh V wrote:

> Hello Folks,
> This is my first post.
> I would like to know if
> 1) tcpdump can write pcapng format (instead of just pcap)
> 2) Accept per packet comments from the kernel and write them along with
> the packet
> into the pcapng file (if so, how do we pack the comments from kernel
> coming from the raw socket to tcpdump in user space)
> 3) read it later on. (I believe this functionality is available today or
> alternatively even wireshark would be ok to do this for me)
> Is this functionality available today or do we need to build it?
>
> thanks in advance

[tcpdump-workers] Re: tcpdump and pcapng with comments
On Apr 4, 2025, at 10:22 AM, Mahesh V wrote:

> I would like to know if
> 1) tcpdump can write pcapng format (instead of just pcap)

Currently, no. tcpdump uses libpcap to read and write capture files, and libpcap doesn't yet support writing pcapng.

> 2) Accept per packet comments from the kernel and write them along with the
> packet into the pcapng file (if so, how do we pack the comments from kernel
> coming from the raw socket to tcpdump in user space)

tcpdump uses libpcap to capture packets, and libpcap doesn't yet support an API mechanism to provide pcapng-style comments when capturing.

Furthermore, none of the kernel capture mechanisms libpcap uses *provide* comments, so, even with such an API mechanism, if you've modified some OS kernel mechanism, you'd have to modify libpcap to support that.

> 3) read it later on. (I believe this functionality is available today or
> alternatively even wireshark would be ok to do this for me)

libpcap does support reading pcapng files, but does not yet support providing comments to the program that reads them.

[tcpdump-workers] Re: tcpdump and pcapng with comments
On Apr 4, 2025, at 11:29 AM, Michael Richardson wrote:

> I can't recall if we can read pcapng.

libpcap - and thus programs, such as tcpdump, that use libpcap to read capture files - can read some pcapng files, as long as the current libpcap API can handle them. That's been the case since libpcap 1.1.

However, "as long as the current libpcap API can handle them" means that:

1) all of the sections of the pcapng file must have the same byte order, as the current API reports a single byte order for the entire file;

2) all interfaces in all sections of the pcapng file must have the same link-layer header type and snapshot length, as the current API reports a single link-layer header type and snapshot length for the entire file;

3) block types other than packet blocks can't be reported to the caller;

4) options such as comments can't be reported to the caller.
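
Added illustration of the per-section byte order and comment limitations listed above (not code from libpcap, tcpdump or any poster in this thread): a small Python reader that walks pcapng blocks directly and extracts `opt_comment` options from Enhanced Packet Blocks, re-reading the byte order at every Section Header Block and bounds-checking every length taken from the file. The function names and the `SAMPLE` bytes are constructed for this example; the block and option layouts follow the pcapng specification.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types
OPT_END, OPT_COMMENT = 0, 1                          # pcapng option codes

def pad4(b):
    return b + b"\x00" * (-len(b) % 4)

def block(e, btype, body):  # framing: type, total length, body, total length again
    total = len(body) + 12
    return struct.pack(e + "II", btype, total) + body + struct.pack(e + "I", total)

def sample_section(e, payload, comment):
    # Constructed sample: SHB + IDB + one EPB whose options hold one opt_comment.
    opts = struct.pack(e + "HH", OPT_COMMENT, len(comment)) + pad4(comment) + struct.pack(e + "HH", OPT_END, 0)
    return (block(e, SHB, struct.pack(e + "IHHq", 0x1A2B3C4D, 1, 0, -1))
            + block(e, IDB, struct.pack(e + "HHI", 1, 0, 65535))  # link type 1 = Ethernet
            + block(e, EPB, struct.pack(e + "5I", 0, 0, 0, len(payload), len(payload)) + pad4(payload) + opts))

def packet_comments(data):
    # Yield (packet_bytes, [comments]) for each Enhanced Packet Block in data.
    off, e = 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # new section: byte order may change
            e = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}.get(data[off + 8:off + 12])
            if e is None:
                raise ValueError("bad byte-order magic at offset %d" % off)
        btype, total = struct.unpack_from(e + "II", data, off)
        # Lengths are file-controlled: reject values that would loop forever or overrun.
        if total < (32 if btype == EPB else 12) or total % 4 or off + total > len(data):
            raise ValueError("bad block length at offset %d" % off)
        body = data[off + 8:off + total - 4]
        if btype == EPB:
            caplen = struct.unpack_from(e + "I", body, 12)[0]
            pos = 20 + caplen + (-caplen % 4)  # options start after the padded packet data
            if pos > len(body):
                raise ValueError("captured length overruns block at offset %d" % off)
            comments = []
            while pos + 4 <= len(body):
                code, olen = struct.unpack_from(e + "HH", body, pos)
                if code == OPT_END or pos + 4 + olen > len(body):
                    break
                if code == OPT_COMMENT:
                    comments.append(body[pos + 4:pos + 4 + olen].decode("utf-8", "replace"))
                pos += 4 + olen + (-olen % 4)
            yield body[20:20 + caplen], comments
        off += total

SAMPLE = sample_section("<", b"\xde\xad\xbe\xef\x01", b"fw drop") + sample_section(">", b"\x01\x02", b"retransmit")
```

`list(packet_comments(SAMPLE))` returns both packets with their comments even though the two constructed sections use different byte orders.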