[Winpcap-users] problem between WpdPack sample exe's and MFC port
timgrab at comcast.net
Thu Jul 9 08:38:58 PDT 2009
Hi folks,
I have been writing an application using MFC in Visual Studio 2005. The application uses WinPcap to open a pcap file and modify the protocol headers so that the packets can be streamed locally on a test network and received by other applications/devices.
I have been borrowing heavily from the sample code in the WinPcap 4.0.2 Developer’s Pack, and successfully porting that basic functionality from C to MFC/C++. For example, my GUI currently allows the user to open a pcap file, change the MAC addresses in the packets, and save the packets to a new file.
I ran into a problem recently. I have been creating pcap files by exporting proprietary files from a 3rd-party application into pcap format. However, it appears that the 3rd-party app, let’s call it “MrSniffer”, changes the caplen in the packet header to 116 bytes, no matter what it was in the original (MrSniffer-formatted) file, or what the actual length of the packet is. I am able to use Wireshark to successfully read and display all packets in their entirety from the newly-exported pcap file. Also, I am able to use the command-line executable “readfile” from the 4.0.2 Developer’s Pack to read and display each packet from the MrSniffer-exported pcap file in its entirety.
It’s when I try to read the file into my MFC application that I run into a problem. I use the same basic code in the “readfile” executable for my MFC application to open the file and read the packets, i.e. I am using pcap_open_offline() to open the file, and pcap_loop() to call a dispatcher_handler with the following parameters…
dispatcher_handler(u_char *temp1, const struct pcap_pkthdr *header, const u_char *pkt_data)
…which reads in each packet. The trouble arises when the packets are read into my application, and it appears that the pcap library functions I am using are reading the packets based on the caplen of 116 bytes – so any packets larger than 116 bytes are truncated, and I lose the rest of that data!
What is so strange about this is that I am using the same library as the Developer’s Pack sample “readfile”, and essentially the same code, but my application seems to read the caplen, while “readfile” uses the actual packet length.
Unfortunately, I can’t change “MrSniffer” so that it does not modify the caplen; my only option appears to be to read the actual packet length from each packet when dealing with these exported pcaps. I have not been able to find a way to do this using the exported functions – probably because I am quite new to WinPcap.
If anyone has any suggestions, I’d greatly appreciate it!
Thanks and Regards –
TimG
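
The caplen and len values discussed in the message above are stored in each record header of the pcap file, so they can be inspected without WinPcap. The following is an added example, not part of the original post or of the WinPcap Developer's Pack: it walks a classic (microsecond-magic) pcap image and counts records whose stored length (caplen) is smaller than the on-wire length (len). The function names and the in-memory sample are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a 32-bit field in the file's byte order (be = big-endian file). */
static uint32_t rd32(const unsigned char *p, int be) {
    return be ? ((uint32_t)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]
              : ((uint32_t)p[3] << 24) | (p[2] << 16) | (p[1] << 8) | p[0];
}

/* Walk a classic pcap image. Returns how many records have caplen < len,
   or -1 if the image is malformed. *records receives the record count. */
long scan_pcap(const unsigned char *buf, size_t n, size_t *records) {
    size_t off = 24;                          /* global header is 24 bytes */
    long truncated = 0;
    uint32_t magic = n >= 24 ? rd32(buf, 0) : 0;
    int be = (magic == 0xd4c3b2a1u);          /* magic as seen byte-swapped */
    if (!be && magic != 0xa1b2c3d4u) return -1;
    for (*records = 0; off < n; (*records)++) {
        uint32_t caplen, len;
        if (n - off < 16) return -1;          /* partial record header */
        caplen = rd32(buf + off + 8, be);     /* bytes stored in the file */
        len = rd32(buf + off + 12, be);       /* bytes seen on the wire */
        off += 16;
        if (caplen > n - off) return -1;      /* data runs past end of image */
        if (caplen < len) truncated++;
        off += caplen;                        /* next header follows caplen bytes */
    }
    return truncated;
}

/* Constructed sample: two records with caplen/len of 116/200 and 60/60.
   Version fields are left zero because scan_pcap does not check them. */
size_t build_sample(unsigned char *out) {
    uint32_t hdr[6] = {0xa1b2c3d4u, 0, 0, 0, 65535, 1};
    uint32_t r1[4] = {0, 0, 116, 200}, r2[4] = {0, 0, 60, 60};
    memset(out, 0, 232);
    memcpy(out, hdr, 24);
    memcpy(out + 24, r1, 16);
    memcpy(out + 24 + 16 + 116, r2, 16);
    return 232;
}

int main(void) {
    unsigned char img[232];
    size_t recs;
    long t = scan_pcap(img, build_sample(img), &recs);
    printf("%zu records, %ld with caplen < len\n", recs, t);
    return 0;
}
```

A return of -1 on a real file means the record data does not line up with the caplen values in the headers, which is itself worth knowing before handing the file to a parser.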