Can anyone point me to Wireshark documentation that will tell me how to write a standalone program that reads a .cap file (created by NA Sniffer version 2.0) and give me a pcap_pkthdr offset?
Thanks. Mark Young
asked 27 Apr '11, 09:43
Uh oh, depending on what you want to do you're in for quite an amount of trouble. I have written a standalone program that reads NAI v2.00 cap files, and it has some strange features that make reading it quite a challenge (talking about ring buffered captures; quite funny - not to say "annoying" - how they implemented them).
What you can do is read the source code of the corresponding Wireshark module, which would be in /wiretap/netxray.c. Yes, quite confusing, but I guess it's called Netxray because that was the Windows program the DOS-Sniffer was merged with back in... the last century as far as I know.
Keep in mind that the Wireshark code does not always know what each bit and byte is good for. I have reverse engineered a few of the unknown bytes myself, but I haven't checked if the Wireshark wiretap code knows about their functionality in the meantime. I always wanted to give feedback on those but haven't had the time yet.
If you can give more details of what you want to do I may be able to give some additional tips.
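An added example, not code from either poster or from Wireshark: the Sniffer-specific layout lives in wiretap/netxray.c as the answer says, so the least painful route is to let Wireshark do that part (`editcap -F pcap capture.cap capture.pcap`; `editcap -F` lists the exact type name for your version) and then walk the resulting libpcap file yourself. The reader below parses the 24-byte global header, handles both byte orders and the nanosecond magic, and reports the file offset of every on-disk pcap_pkthdr, which is what the question asks for. The sample file it parses is constructed in memory, and it rejects records whose lengths would run past the end of the buffer, since a corrupt or deliberately malformed capture is the usual way a naive reader ends up reading out of bounds.

```python
import struct

# libpcap magic numbers as they appear on disk (first four bytes of the file).
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", False),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", False),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", True),   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", True),   # big-endian, nanosecond timestamps
}
GLOBAL_HDR_LEN = 24   # struct pcap_file_header on disk
PKTHDR_LEN = 16       # struct pcap_pkthdr on disk: ts_sec, ts_frac, incl_len, orig_len


def parse_pcap(data: bytes):
    """Return (file_header, records); each record carries the file offset of its
    pcap_pkthdr and of the packet bytes that follow it."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a libpcap global header")
    try:
        endian, nanos = _MAGICS[data[:4]]
    except KeyError:
        raise ValueError("not a libpcap file; convert Sniffer .cap with editcap first") from None
    vmaj, vmin, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    header = {"version": (vmaj, vmin), "snaplen": snaplen,
              "linktype": linktype, "nanosecond": nanos}
    records = []
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + PKTHDR_LEN > len(data):
            raise ValueError(f"truncated pcap_pkthdr at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + PKTHDR_LEN])
        # Length checks: a bad incl_len is how a corrupt or hostile file makes
        # a naive reader walk off the end of its buffer.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"implausible incl_len {incl_len} at offset {off}")
        if off + PKTHDR_LEN + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        records.append({
            "pkthdr_offset": off,
            "data_offset": off + PKTHDR_LEN,
            "ts_sec": ts_sec, "ts_frac": ts_frac,
            "incl_len": incl_len, "orig_len": orig_len,
        })
        off += PKTHDR_LEN + incl_len
    return header, records


def pkthdr_offsets(data: bytes):
    """Just the pcap_pkthdr file offsets, in file order."""
    _, records = parse_pcap(data)
    return [r["pkthdr_offset"] for r in records]


def is_well_formed(data: bytes) -> bool:
    """True if the whole buffer parses as a consistent libpcap file."""
    try:
        parse_pcap(data)
        return True
    except ValueError:
        return False


def build_sample_pcap(endian="<", frames=(b"\xaa" * 14, b"\xbb" * 60)):
    """Constructed sample input: a minimal Ethernet (linktype 1) pcap holding
    the given frames, written in the requested byte order."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1_300_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return out


if __name__ == "__main__":
    import sys
    # With a path argument, read that (converted) file; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    hdr, recs = parse_pcap(blob)
    print(hdr)
    for r in recs:
        print(f"pkthdr @ {r['pkthdr_offset']:#010x}  data @ {r['data_offset']:#010x}  "
              f"incl={r['incl_len']} orig={r['orig_len']}")
```

For the constructed sample the first pcap_pkthdr sits at offset 24 (right after the global header) and the second at 54 (24 + 16 + 14). If you would rather not go through editcap, the same loop shape still applies to the native format, but the header sizes, magic and per-record layout have to come from netxray.c rather than from the libpcap constants above.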