NAME¶pcap_dump_open, pcap_dump_fopen - open a file to which to write packets
pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname); pcap_dumper_t *pcap_dump_open_append(pcap_t *p, const char *fname); pcap_dumper_t *pcap_dump_fopen(pcap_t *p, FILE *fp);
DESCRIPTION¶pcap_dump_open() is called to open a ``savefile'' for writing. fname specifies the name of the file to open. The file will have the same format as those used by tcpdump(1) and tcpslice(1). The name "-" is a synonym for stdout.
pcap_dump_fopen() is called to write data to an existing open stream fp; this stream will be closed by a subsequent call to pcap_dump_close(3PCAP). Note that on Windows, that stream should be opened in binary mode.
p is a capture or ``savefile'' handle returned by an earlier call to pcap_create(3PCAP) and activated by an earlier call to pcap_activate(3PCAP), or returned by an earlier call to pcap_open_offline(3PCAP), pcap_open_live(3PCAP), or pcap_open_dead(3PCAP). The time stamp precision, link-layer type, and snapshot length from p are used as the link-layer type and snapshot length of the output file.
pcap_dump_open_append() is like pcap_dump_open() but does not create the file if it does not exist and, if it does already exist, and is a pcap file with the same byte order as the host opening the file, and has the same time stamp precision, link-layer header type, and snapshot length as p, it will write new packets at the end of the file.
RETURN VALUES¶A pointer to a pcap_dumper_t structure to use in subsequent pcap_dump(3PCAP) and pcap_dump_close(3PCAP) calls is returned on success. NULL is returned on failure. If NULL is returned, pcap_geterr(3PCAP) can be used to get the error text.
BACKWARD COMPATIBILITY¶The pcap_dump_open_append() function became available in libpcap release 1.7.2. In previous releases, there is no support for appending packets to an existing savefile.
SEE ALSO¶pcap(3PCAP), pcap-savefile(5)
|22 August 2018|