<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Arial; font-size: 12pt; color: #000000'><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5Ctgrab%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
</w:Compatibility>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
</w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
</w:LatentStyles>
</xml><![endif]--><style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {mso-style-parent:"";
        margin:0in;
        margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:12.0pt;
        font-family:"Times New Roman";
        mso-fareast-font-family:"Times New Roman";}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;
        mso-header-margin:.5in;
        mso-footer-margin:.5in;
        mso-paper-source:0;}
div.Section1
        {page:Section1;}
-->
</style><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
        {mso-style-name:"Table Normal";
        mso-tstyle-rowband-size:0;
        mso-tstyle-colband-size:0;
        mso-style-noshow:yes;
        mso-style-parent:"";
        mso-padding-alt:0in 5.4pt 0in 5.4pt;
        mso-para-margin:0in;
        mso-para-margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:10.0pt;
        font-family:"Times New Roman";
        mso-ansi-language:#0400;
        mso-fareast-language:#0400;
        mso-bidi-language:#0400;}
</style>
<![endif]-->
<p class="MsoNormal">Hi folks,</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have been writing an application using MFC in Visual
Studio 2005.<span style=""> </span>The application uses
WinPcap to open a pcap file and modify the protocol headers so that the packets
can be streamed locally on a test network and received by other
applications/devices.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have been borrowing heavily from the sample code in the
WinPcap 4.0.2 Developer’s Pack, and successfully porting that basic
functionality from C to MFC/C++.<span style=""> </span>For
example, my GUI currently allows the user to open a pcap file, change the MAC
addresses in the packets, and save the packets to a new file.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I ran into a problem recently.<span style=""> </span>I have been creating pcap files by exporting
proprietary files from a 3<sup>rd</sup> party application into pcap
format.<span style=""> </span>However, it appears that the 3<sup>rd</sup>-party
app, let’s call it “MrSniffer”, changes the caplen in the packet header to 116
bytes, no matter what it was in the original (MrSniffer-formatted) file, or
what the actual length of the packet is.<span style="">
</span>I am able to use Wireshark to successfully read and display all packets
in their entirety from the newly-exported pcap file.<span style=""> </span>Also, I am able to use the command-line
executable “readfile” from the 4.0.2 Developer’s Pack to read and display each
packet from the MrSniffer-exported pcap file in its entirety.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It’s when I try to read the file into my MFC application
that I run into a problem.<span style=""> </span>I use the
same basic code in the “readfile” executable for my MFC application to open the
file and read the packets, i.e. I am using pcap_open_offline() to open the
file, and pcap_loop() to call a dispatcher_handler with the following parameters…</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">dispatcher_handler(u_char *temp1, const struct pcap_pkthdr
*header, const u_char *pkt_data)</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">…which reads in each packet.<span style="">
</span>The trouble arises when the packets are read into my application, and it
appears that the pcap library functions I am using are reading the packets
based on the caplen of 116 bytes – so any packets larger than 116 bytes are
truncated, and I lose the rest of that data!</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">What is so strange about this is that I am using the same
library as the Developer’s Pack sample “readfile”, and essentially the same
code, but my application seems to read the caplen, while “readfile” uses the actual
packet length.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Unfortunately, I can’t change “MrSniffer” so that it does
not modify the caplen; my only option appears to be to read the actual packet
length from each packet when dealing with these exported pcaps. <span style=""> </span>I have not been able to find a way to do this
using the exported functions – probably because I am quite new to WinPcap.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If anyone has any suggestions, I’d greatly appreciate it!</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks and Regards – </p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">TimG</p>
</div></body></html>