C Pcap vs. Pcap-ng Test Function

Well, I recently needed a quick sniffer test for pcap-ng files, because they were producing unwanted workarounds for older packet captures needing conversions. Here it is:

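#include <stdint.h>
#include <stdio.h>

/* pcap-ng Section Header Block type; it reads the same in either byte order */
#define BLOCK_TYPE_SECTION_HEADER 0x0a0d0d0a

/* Returns 0 when the file does not start with a pcap-ng Section Header Block
   (treated as an original pcap), -1 for a pcap-ng file or on error. */
static int is_pcap_or_pcapng(const char *input) {

        FILE *pcap = NULL;
        /* open in binary mode so the leading bytes are not translated */
        if ((pcap = fopen(input,"rb"))==NULL) {
                return (-1);
        }
        uint32_t buffer = 0 ;
        /* fread returns the number of items read (never negative),
           so anything other than 1 means a short read or an error */
        if(fread(&buffer,sizeof(uint32_t),1,pcap) != 1) {
                fclose(pcap);
                return (-1);
        }

        if (buffer != BLOCK_TYPE_SECTION_HEADER) {
                printf( "Original PCAP\n");
        } else {
                /* pcap-ng: first block is a Section Header Block */
                fclose(pcap);
                return (-1);
        }
        fclose(pcap);

        return (0);
}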
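The function above treats anything that is not pcap-ng as an original pcap. The following added example (not part of the original post) goes one step further and positively identifies each format from its header bytes; the names `capture_kind`, `classify_capture` and `classify_capture_file` are hypothetical, and the magic values are the standard pcap and pcap-ng constants.

```c
#include <stdint.h>
#include <stdio.h>

enum capture_kind { CAP_UNKNOWN = 0, CAP_PCAP, CAP_PCAP_NSEC, CAP_PCAPNG, CAP_ERROR };

/* Read 4 bytes as a big-endian integer so the result does not depend on the host. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify a capture from its first bytes (12 are enough for pcap-ng). */
enum capture_kind classify_capture(const unsigned char *hdr, size_t len) {
    if (len < 4)
        return CAP_UNKNOWN;
    uint32_t magic = be32(hdr);
    /* Classic pcap: the magic is written in the writer's byte order,
       so both orderings are valid on disk. */
    if (magic == 0xa1b2c3d4u || magic == 0xd4c3b2a1u)
        return CAP_PCAP;
    /* Nanosecond-resolution pcap variant. */
    if (magic == 0xa1b23c4du || magic == 0x4d3cb2a1u)
        return CAP_PCAP_NSEC;
    /* pcap-ng: the Section Header Block type is a byte-order palindrome,
       so also require the byte-order magic at offset 8. */
    if (magic == 0x0a0d0d0au && len >= 12) {
        uint32_t bom = be32(hdr + 8);
        if (bom == 0x1a2b3c4du || bom == 0x4d3c2b1au)
            return CAP_PCAPNG;
    }
    return CAP_UNKNOWN;
}

/* File wrapper: CAP_ERROR when the file cannot be opened. */
enum capture_kind classify_capture_file(const char *path) {
    unsigned char hdr[12];
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        return CAP_ERROR;
    size_t n = fread(hdr, 1, sizeof hdr, fp);
    fclose(fp);
    return classify_capture(hdr, n);
}
```

Returning CAP_UNKNOWN for files that match neither format keeps truncated or non-capture input out of the conversion path.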
