This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Question about opening netmon capture file with libpcap

0

When I open a netmon pcap file (file magic GMBU) with the following code snippet, I get the error message:

    failed in function pcap_open_offline(): unknown file format

My code snippet:

    libpcapHandler = pcap_open_offline(pcapFile, errbuf);
    if(libpcapHandler == NULL) {
        printf("failed in function pcap_open_offline(): %s\n", errbuf);
        exit(1);
    }

The libpcap library I used is libpcap.so.0.8. It's strange because Wireshark 1.10.6 can open this pcap file even though it uses libpcap too (according to the "ldd" command). The OS here is Ubuntu 14.04.

asked 04 Jan '17, 21:06


pktUser1001

edited 05 Jan '17, 11:06


Guy Harris ♦♦


One Answer:

3

You assume that libpcap is linked to Wireshark to open these capture files, but it's not. Wireshark uses another library, part of the Wireshark distribution, called wiretap to read all capture file formats. Originally the intent was to make it a super-libpcap, but only its capture file reading capabilities were developed.

answered 05 Jan '17, 00:12


Jaap ♦

Thanks Jaap!

(05 Jan '17, 18:22) pktUser1001
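
Added example, not part of the original thread and not libpcap or wiretap code: a pre-check that reads a capture file's first four bytes and reports whether `pcap_open_offline()` can be expected to read it, so a NetMon file (magic `GMBU`, or `RTSS` for NetMon 1.x) is identified by name instead of surfacing as "unknown file format". The enum and function names are hypothetical, and pcapng is treated as readable on the assumption that the libpcap build has pcapng read support.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical names for this example; not libpcap or wiretap identifiers. */
enum cap_format { CAP_UNKNOWN, CAP_PCAP, CAP_PCAPNG, CAP_NETMON1, CAP_NETMON2 };

/* Classify a capture file by its first four bytes. */
enum cap_format classify_magic(const unsigned char *b, size_t len)
{
    static const unsigned char pcap_magics[][4] = {
        {0xa1, 0xb2, 0xc3, 0xd4}, {0xd4, 0xc3, 0xb2, 0xa1}, /* microsecond timestamps */
        {0xa1, 0xb2, 0x3c, 0x4d}, {0x4d, 0x3c, 0xb2, 0xa1}, /* nanosecond timestamps */
    };
    static const unsigned char pcapng_shb[4] = {0x0a, 0x0d, 0x0d, 0x0a};
    size_t i;

    if (b == NULL || len < 4)
        return CAP_UNKNOWN;                 /* empty or truncated file */
    for (i = 0; i < sizeof pcap_magics / sizeof pcap_magics[0]; i++)
        if (memcmp(b, pcap_magics[i], 4) == 0)
            return CAP_PCAP;
    if (memcmp(b, pcapng_shb, 4) == 0)
        return CAP_PCAPNG;                  /* pcapng Section Header Block */
    if (memcmp(b, "GMBU", 4) == 0)
        return CAP_NETMON2;                 /* the magic from the question */
    if (memcmp(b, "RTSS", 4) == 0)
        return CAP_NETMON1;
    return CAP_UNKNOWN;
}

/* 1 if libpcap is expected to read the format (assumes pcapng read support). */
int libpcap_can_read(enum cap_format f)
{
    return f == CAP_PCAP || f == CAP_PCAPNG;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "unknown", "pcap", "pcapng", "NetMon 1.x", "NetMon 2.x" };
    unsigned char hdr[4];
    FILE *fp = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (fp == NULL) { fprintf(stderr, "usage: prog <capture-file>\n"); return 2; }
    size_t n = fread(hdr, 1, sizeof hdr, fp);
    fclose(fp);
    enum cap_format f = classify_magic(hdr, n);
    printf("%s: %s, libpcap readable: %s\n", argv[1], names[f],
           libpcap_can_read(f) ? "yes" : "no");
    return libpcap_can_read(f) ? 0 : 1;
}
```

A file reported as NetMon can be converted with Wireshark's `editcap -F pcap`, which reads it through wiretap, and the output then opens with `pcap_open_offline()`.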