On Apr 4, 2025, at 10:22 AM, Mahesh V <maheshvenkateshwa...@gmail.com> wrote:
> I would like to know if
> 1) tcpdump can write pcapng format (instead of just pcap)

Currently, no. tcpdump uses libpcap to read and write capture files, and libpcap doesn't yet support writing pcapng.

> 2) Accept per packet comments from the kernel and write them along with the
> packet into the pcapng file (if so, how do we pack the comments from kernel
> coming from the raw socket to tcpdump in user space)

tcpdump uses libpcap to capture packets, and libpcap doesn't yet support an API mechanism to provide pcapng-style comments when capturing.

Furthermore, none of the kernel capture mechanisms libpcap uses *provide* comments, so, even with such an API mechanism, if you've modified some OS kernel mechanism, you'd have to modify libpcap to support that.

> 3) read it later on. (I believe this functionality is available today or
> alternatively even wireshark would be ok to do this for me)

libpcap does support reading pcapng files, but does not yet support providing comments to the program that reads them.
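
Added example, not part of the original message and not tcpdump or libpcap code: a sketch of how a pcapng Enhanced Packet Block carries a per-packet comment (the `opt_comment` option), written and read back without libpcap. The function names are hypothetical, and it assumes a little-endian section with a single Ethernet interface and the default microsecond timestamps.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types
OPT_ENDOFOPT, OPT_COMMENT = 0, 1                    # option codes valid in any block

def _pad4(b):
    return b + b"\x00" * (-len(b) % 4)              # pcapng aligns fields to 32 bits

def _block(btype, body):
    total = 12 + len(body)                          # type + leading and trailing length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _comment_opt(comment):
    raw = comment.encode("utf-8")                   # option length excludes padding
    opt = struct.pack("<HH", OPT_COMMENT, len(raw)) + _pad4(raw)
    return opt + struct.pack("<HH", OPT_ENDOFOPT, 0)

def build_pcapng(packets, linktype=1, snaplen=65535):
    """packets: iterable of (timestamp_us, frame_bytes, comment_or_None)."""
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # magic, v1.0
    out += _block(IDB, struct.pack("<HHI", linktype, 0, snaplen))
    for ts, frame, comment in packets:
        hdr = struct.pack("<5I", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame))
        opts = _comment_opt(comment) if comment is not None else b""
        out += _block(EPB, hdr + _pad4(frame) + opts)
    return out

def read_comments(data):
    """Return [(frame_bytes, [comments])] for every Enhanced Packet Block."""
    result, off = [], 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("malformed block length at offset %d" % off)
        body = data[off + 8: off + total - 4]
        if btype == EPB:
            caplen = struct.unpack_from("<I", body, 12)[0]
            frame = body[20:20 + caplen]
            pos, comments = 20 + caplen + (-caplen % 4), []  # options follow padded data
            while pos + 4 <= len(body):
                code, olen = struct.unpack_from("<HH", body, pos)
                if code == OPT_ENDOFOPT:
                    break
                if code == OPT_COMMENT:
                    comments.append(body[pos + 4: pos + 4 + olen].decode("utf-8"))
                pos += 4 + olen + (-olen % 4)
            result.append((frame, comments))
        off += total
    return result
```
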