[Winpcap-users] How to save packets to a file?
Guy Harris
guy at alum.mit.edu
Wed May 18 18:42:42 GMT 2005
He Zhiyu wrote:
> 1. I printed the content of the whole packet in Hex, and I should print
> them in ASCII. I tried to use "%c" in a circle to print them, but the
> result looks very strange. Was anything wrong with the format string "%c"?
Yes - it assumes that all bytes in the packet are printable characters.
That is not necessarily the case.
Other programs that show the packet data in ASCII, such as tcpdump and
Ethereal, show non-printable characters as ".". You might want to do
something such as

    isprint(c) ? c : '.'

which is an expression that evaluates to "c" (the byte from the packet)
if "c" is a printable character, and "." if it's not a printable
character. (Include <ctype.h> to get "isprint()" defined.)
> 2. I printed the header->len and the header->caplen, they are always the
> same. What's the difference between them?
header->len is the length of the packet as received by the machine.
header->caplen is the number of bytes in the packet that you received
from libpcap. If, for example, you set the "snapshot length" to 128 in
a "pcap_open_live()" or "pcap_open()" call, for any packet longer than
128 bytes, you will get only the first 128 bytes of the packet, so
header->len will be the actual length of the packet, but header->caplen
will be 128. If you set the snapshot length to a value >= the maximum
packet size, header->caplen will always be equal to header->len.
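
Both answers above combined in an added example (not from the original post or from WinPcap): a row formatter for a hex/ASCII dump that bounds every read by caplen rather than len and shows non-printable bytes as ".". struct pkt_hdr, dump_row() and the sample bytes are assumptions made here, standing in for struct pcap_pkthdr and a captured packet so the code builds without libpcap.

```c
#include <ctype.h>
#include <stdio.h>

/* Stand-in for the caplen/len fields of struct pcap_pkthdr (hypothetical
   type, so this builds without libpcap). */
struct pkt_hdr {
    unsigned int caplen;   /* bytes actually present in the buffer */
    unsigned int len;      /* length of the packet as received */
};

/* Format one 16-byte row at offset off as "hex columns  |ascii|".
   Reads only bytes below caplen; len is never used as a bound.
   Returns the number of packet bytes shown (0 if off >= caplen). */
size_t dump_row(const struct pkt_hdr *h, const unsigned char *data,
                size_t off, char *out, size_t outsz)
{
    size_t n, i, pos = 0;
    if (outsz < 80 || off >= h->caplen)
        return 0;
    n = h->caplen - off < 16 ? h->caplen - off : 16;
    for (i = 0; i < 16; i++) {      /* hex column, blank-padded on a short row */
        if (i < n)
            pos += (size_t)snprintf(out + pos, outsz - pos, "%02x ", (unsigned)data[off + i]);
        else
            pos += (size_t)snprintf(out + pos, outsz - pos, "   ");
    }
    out[pos++] = ' ';
    out[pos++] = '|';
    for (i = 0; i < n; i++)         /* unsigned char keeps isprint() well defined */
        out[pos++] = isprint(data[off + i]) ? (char)data[off + i] : '.';
    out[pos++] = '|';
    out[pos] = '\0';
    return n;
}

/* Constructed sample: the first 20 bytes of a packet that was 60 bytes long. */
static const unsigned char sample[20] = {
    'G', 'E', 'T', ' ', '/', '\r', '\n', 0x00, 0xff, 0x7f,
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J'
};

int main(void)
{
    struct pkt_hdr h = { 20, 60 };  /* caplen 20, len 60: a truncated capture */
    char row[80];
    size_t off, n;
    for (off = 0; (n = dump_row(&h, sample, off, row, sizeof row)) > 0; off += n)
        printf("%04zx  %s\n", off, row);
}
```

With caplen 20 and len 60 the dump stops after 20 bytes; a loop bounded by len would read 40 bytes past the end of the captured data.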