Thanks Guy.
Is the best way then to parse pcapNG in code and run bpf_filter on the
packets, please?
a) open the pcap file in C
b) parse the blocks
c) For every enhanced packet block
c1) Manually construct struct pcap_pkthdr *
c2) Run bpf_filter explicitly
This file can be updated as it is being parsed.
So d) refresh the file when EOF :-)
On Thu, Sep 13, 2018 at 4:59 PM Guy Harris wrote:
> On Sep 13, 2018, at 1:49 PM, Madhav Ancha wrote:
>
> > Is there a way to get the "options" along with the "packet data" in an
> > Enhanced Packet Block when reading the pcapNG files please?
>
> No. There are no provisions in the current pcap API to provide that
> information, as the API was designed when pcap format was the only format.
>
> Providing full support for pcapng would require a new API (which should be
> able to support pcap files as well).
>
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
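The block walk in steps b) through d) above, as an added example that is not part of the original message or of libpcap: a bounds-checked reader that returns each Enhanced Packet Block's `caplen`, `len`, packet data (the values a caller would hand to `bpf_filter`) and its options, and reports a partial block at EOF so the caller can retry. The names `struct epb`, `next_epb`, `epb_option` and `SAMPLE` are hypothetical, and it assumes the file contents are already in memory and that sections are little-endian.

```c
#include <stddef.h>
#include <stdint.h>
struct epb {                     /* one Enhanced Packet Block; pointers alias the input */
    uint32_t if_id, caplen, len; /* caplen/len are what struct pcap_pkthdr carries */
    uint64_t ts;                 /* raw timestamp; units come from the IDB's if_tsresol */
    const uint8_t *data, *opts;  /* packet bytes, then the raw option TLVs */
    size_t optlen;
};
static uint32_t le32(const uint8_t *p) {
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Fill *e from the next complete EPB at *off or later and advance *off. Returns 1,
 * 0 if no complete block remains (retry from *off after more is written), -1 if malformed. */
int next_epb(const uint8_t *buf, size_t n, size_t *off, struct epb *e) {
    while (n - *off >= 12) {
        const uint8_t *b = buf + *off;
        uint32_t type = le32(b), tl = le32(b + 4);
        if (type == 0x0A0D0D0A && le32(b + 8) != 0x1A2B3C4D) return -1; /* not LE */
        if (tl < 12 || tl % 4) return -1;
        if (tl > n - *off) return 0;                    /* partial block at EOF */
        if (le32(b + tl - 4) != tl) return -1;          /* trailing length must match */
        if (type == 6 && (tl < 32 || le32(b + 20) > tl - 32)) return -1;
        *off += tl;
        if (type != 6) continue;                        /* skip SHB, IDB, ... */
        e->if_id = le32(b + 8); e->caplen = le32(b + 20); e->len = le32(b + 24);
        e->ts = (uint64_t)le32(b + 12) << 32 | le32(b + 16);
        e->data = b + 28;
        e->opts = e->data + ((e->caplen + 3u) & ~3u);   /* data is padded to 32 bits */
        e->optlen = (size_t)(b + tl - 4 - e->opts);
        return 1;
    }
    return 0;
}
/* Value of the first option with this code, or NULL; stops at opt_endofopt (0). */
const uint8_t *epb_option(const struct epb *e, unsigned code, unsigned *vlen) {
    for (size_t o = 0; e->optlen - o >= 4; ) {
        const uint8_t *p = e->opts + o;
        unsigned c = p[0] | p[1] << 8, l = p[2] | p[3] << 8;
        if (c == 0 || l > e->optlen - o - 4) return NULL;
        if (c == code) { *vlen = l; return p + 4; }
        o += 4 + ((l + 3u) & ~3u);
    }
    return NULL;
}
/* Constructed sample: SHB, then one EPB with 4 data bytes and opt_comment "hi". */
const uint8_t SAMPLE[76] = {
    0x0A,0x0D,0x0D,0x0A, 28,0,0,0, 0x4D,0x3C,0x2B,0x1A, 1,0,0,0,
    0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF, 28,0,0,0,
    6,0,0,0, 48,0,0,0, 0,0,0,0, 0,0,0,0, 1,0,0,0, 4,0,0,0, 4,0,0,0,
    0xDE,0xAD,0xBE,0xEF, 1,0,2,0, 'h','i',0,0, 0,0,0,0, 48,0,0,0 };
```

A return of 0 leaves `*off` at the start of the unfinished block, so a reader following a growing file re-reads from that offset rather than from the beginning.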