Having written a file using tshark -w option, I find when I read the file the libpcap header has key values set to null: I was expecting values as given in this spec. asked 29 Oct '13, 09:33 wiggers |
One Answer:
answered 29 Oct '13, 10:12 cmaynard ♦♦ |
If you're using your own code to read libpcap files, please consider using libpcap instead. Libpcap 1.1.0 and later supports reading pcap and pcap-ng files, as long, in the pcap-ng files, all network interfaces have the same link-layer header type and snapshot length (due to current libpcap API limitations).
Unfortunately, there isn't yet a version of WinPcap based on libpcap 1.1.0 or later, so that won't work on Windows.
If you can't use libpcap, see the page Chris Maynard cited, and use that to write your own code to read those files.