How can I open a pcap-ng file in C#

Question

Up to now I have been using WinPcap to open pcap files in C#:

[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
private extern static IntPtr pcap_open_offline(string fname, byte[] errbuf);

Now I want to do something similar to open pcap-ng files so I get nano-second resolution (I got a new sniffer :-) )

Unfortunately WinPcap fails with this error: "bad dump file format"

Anyone knows how to work with pcap-ng in Windows?

Cheers, Pedro

Answer 1

Libpcap 1.1.x and later support reading some pcap-ng files (ones where all the interfaces have the same link-layer header type and snapshot length); however, there is no WinPcap release that's based on libpcap 1.1.x or 1.2.x, so there is no WinPcap release that can read pcap-ng files. Thus, no CLR-language wrapper around WinPcap will be able to read pcap-ng files until such a WinPcap release comes out.

In addition, the libpcap/WinPcap API currently doesn't return time stamps with nanosecond resolution, so even if you did read a file with nanosecond-resolutions time stamp with libpcap, you wouldn't see nanosecond-resolution time stamps.

For now, you'd have to write your own code, or write a wrapper around Wireshark's Wiretap library. (Note that Wiretap's API is subject to significant and incompatible changes from one Wireshark major release to another.)

Answer 2

我已经将WinPcap移植到libpcap 1.7.3 ，现在它可以打开pcap-ng文件并支持纳秒时间戳分辨率。

Answer 3

Did you try using sharpPcap? not sure if it supports it (can't try it right now), but it does support opening capture files as well iirc: http://sourceforge.net/apps/mediawiki/sharppcap/index.php?title=Main_Page