Libpcap offers the option to write live capture sessions to a file termed a "savefile" (this method is how tcpdump writes sessions to disk). The following functionality manipulates savefiles.
pcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname);
pcap_dump_open() opens a libpcap savefile for writing. The p argument references a valid libpcap descriptor (returned from a successful call to pcap_open_*() functions). fname is a pointer to the filename to open (if the file exists, it will overwrite it). Upon success, the function returns a libpcap dumper descriptor. Upon failure, the function returns a NULL pointer, and you can use one of the pcap_*err() functions to find out the reason.
| Note |
You can use the "-" string as a filename as a synonym for STDOUT (standard output). |
void pcap_dump(u_char *user, struct pcap_pkthdr *h, u_char *sp);
pcap_dump() writes a packet to an already initialized pcap savefile.
| Note |
pcap_dump() could silently fail to successfully write data to the savefile because it does not check for errors after writing (buyer beware). |
int pcap_is_swapped(pcap_t *p);
pcap_is_swapped() returns 1 if the byte-ordering in the savefile that p references is different from the byte-ordering of the current system.
int pcap_major_version(pcap_t *p);
pcap_major_version() returns the major version of libpcap that wrote the savefile that p referenced.
int pcap_minor_version(pcap_t *p);
pcap_minor_version() returns the minor version of libpcap that wrote the savefile that p referenced.
FILE *pcap_file(pcap_t *p);
pcap_file() returns a stream file pointer to the savefile that p referenced or NULL if p does not refer to a savefile.
void pcap_dump_close(pcap_dumper_t *p);
pcap_dump_close() closes a pcap savefile that p referenced.