On Nov 11, 2012, at 5:44 PM, barcaroller <barcarol...@gmail.com> wrote:

> On 2012-11-11 23:27:00 +0000, Guy Harris said:
> 
>> They could, in principle, be appended to, but that can't be done with the 
>> existing APIs - you'd need an "open for appending" call, which would, unlike 
>> the "create a new file" calls (pcap_dump_open(), pcap_dump_fopen()), *not* 
>> write a file header.
> 
> The existing API does allow for:
> 
>   FILE* f = open("a");  // or open("a+")
>   pcap_dump_fopen(f);

pcap_dump_fopen(), in the current Git trunk, calls pcap_setup_dump(), which 
calls sf_write_header(), which writes out a file header, so that call will 
write a file header.  Some older versions have a different code path, but 
they'll still write out a file header.

A pcap file has *one* file header followed by a sequence of zero or more 
packets, each with a packet record header.  A file header is not a valid packet 
record header, so that wouldn't work for *any* number of packets.

As per my mail, what's needed is a routine that doesn't write the file header.

> It does work for a few hundred packets, but then eventually the file gets 
> corrupted.

That must be because, until you've written more packets, no write is done to 
the underlying file because the packets are still buffered in the standard I/O 
library routine buffers.  Once an actual write() is done, your file will be 
trashed.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
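
The layout point made in the message above, as an added example that is not part of the original mail and not libpcap code: it writes the classic pcap structures by hand in host byte order, then appends to an existing capture with and without a second file header and walks the result as a reader would. The helper names, the scratch file name and the packet contents are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC 0xa1b2c3d4u
#define SNAPLEN    65535u
struct file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t thiszone;
                  uint32_t sigfigs, snaplen, linktype; };   /* 24 bytes, once per file */
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; }; /* 16 bytes, per packet */

/* Hypothetical helper: mode "ab" with write_hdr=1 mimics pcap_dump_fopen() on an append stream. */
static int dump_packets(const char *path, const char *mode, int write_hdr, int count) {
    static const unsigned char pkt[60] = {0};   /* constructed all-zero frame */
    struct file_hdr fh = { PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, 1 /* Ethernet */ };
    FILE *f = fopen(path, mode);
    if (f == NULL) return -1;
    if (write_hdr) fwrite(&fh, sizeof fh, 1, f);
    for (int i = 0; i < count; i++) {           /* constructed timestamps */
        struct rec_hdr rh = { 1352678400u + i, 0, sizeof pkt, sizeof pkt };
        fwrite(&rh, sizeof rh, 1, f);
        fwrite(pkt, 1, sizeof pkt, f);
    }
    return fclose(f);
}

/* Read one file header, then records; -1 on a bad header or implausible record. */
static int count_records(const char *path) {
    static unsigned char buf[SNAPLEN];
    struct file_hdr fh; struct rec_hdr rh; int n = 0;
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    if (fread(&fh, sizeof fh, 1, f) != 1 || fh.magic != PCAP_MAGIC) n = -1;
    while (n >= 0 && fread(&rh, sizeof rh, 1, f) == 1) {
        int ok = rh.caplen <= fh.snaplen && fread(buf, 1, rh.caplen, f) == rh.caplen;
        n = ok ? n + 1 : -1;
    }
    fclose(f);
    return n;
}

/* Create a 2-packet capture, append 2 more, return what a reader then sees. */
int append_demo(int write_hdr_on_append) {
    const char *path = "append_demo.pcap";      /* constructed scratch file */
    dump_packets(path, "wb", 1, 2);
    dump_packets(path, "ab", write_hdr_on_append, 2);
    int n = count_records(path);
    remove(path);
    return n;
}

int main(void) { printf("%d %d\n", append_demo(0), append_demo(1)); return 0; }
```

With the header-less append the reader sees all four records. With a second file header, its 24 bytes are consumed as record data, the reader loses alignment, and the next "record" carries a timestamp where the captured length should be.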
