I already know how to read a pcap file and get the packets it have.B ut how can I write the packets into a new pcap file? I need this to merge two pcap files into one.

I am trying to capture http traffic using pcap4j from an android emulator / ios simulator to a server which is hosted on the same machine. The machine can run either linux / windows or osx. I tried capturing packets from wireshark first for testing, but it didn't catch any....

First the structs: /* Ethernet addresses are 6 bytes */ #define ETHER_ADDR_LEN 6 /* Ethernet header */ struct sniff_ethernet { u_char ether_dhost[ETHER_ADDR_LEN]; /* Destination host address */ u_char ether_shost[ETHER_ADDR_LEN]; /* Source host address */ u_short ether_type; /* IP? ARP? RARP? etc */ }; #define ETHERTYPE_IP 0x0800 /* IP */ /*...

I am making a basic packet sniffer using pcap.h. While I was unit testing the function that called pcap_dispatch, I gave it non-activated interfaces and invalid interfaces. pcap_dispatch return -3, and as far as the man pages for pcap_dispatch goes, it should only return -2, -1, or more, but never...

Using libpcap has proven really easy, but, speed is always an issue with giant (in an arbitrary sense) .pcap dumps. Are there any common practices for just sampling a dump? Perhaps something that effectively says "Read every fifth frame" as the pcap filter, Or should I simply just do nothing...

I have a pcap file captured by wireshark, now I need to read each packet of it and write them to a vector of structure. I got some promblem with writing packets into the structure. the structure: struct pktStruct { struct pcap_pkthdr * pkt_header; // header object const u_char *...

How do I tell libpcap v1.6.2 to store nanosecond values in struct pcap_pkthdr::ts.tv_usec (instead of microsecond values) when capturing live packets? (Note: This question is similar to How to enable nanosecond resolution when capturing live packets in libpcap? but that question is vague enough that I decided to ask a...

Are Berkeley Packet Filter opcode values implementation defined? I always thought of tcpdump/libpcap as authoritative in the BPF arena. I noticed that the linux kernel and tcpdump read BPF filters differently. The BPF mnemonics and behavior is the same, but the actual opcode values themselves seem different. I went looking...

I have few devices connected to wifi router, but pcap_dispatch() always returns 0 for wifi interface while live capturing on Mac OS X. The same code captures response in case of wired interface. Please clarify if I have missed any flag here.