pcap_dump_open(3PCAP) man page
Return to Main Contents
#include <pcap/pcap.h> pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname); pcap_dumper_t *pcap_dump_open_append(pcap_t *p, const char *fname); pcap_dumper_t *pcap_dump_fopen(pcap_t *p, FILE *fp);
pcap_dump_fopen() is called to write data to an existing open stream fp; this stream will be closed by a subsequent call to pcap_dump_close(3PCAP). The stream is assumed to be at the beginning of a file that has been newly created or truncated, so that writes will start at the beginning of the file. Note that on Windows, that stream should be opened in binary mode.
p is a capture or ``savefile'' handle returned by an earlier call to pcap_create(3PCAP) and activated by an earlier call to pcap_activate(3PCAP), or returned by an earlier call to pcap_open_offline(3PCAP), pcap_open_live(3PCAP), or pcap_open_dead(3PCAP). The time stamp precision, link-layer type, and snapshot length from p are used as the link-layer type and snapshot length of the output file.
pcap_dump_open_append() is like pcap_dump_open() but, if the file already exists, and is a pcap file with the same byte order as the host opening the file, and has the same time stamp precision, link-layer header type, and snapshot length as p, it will write new packets at the end of the file.
The pcap_dump_open_append() function became available in libpcap release 1.7.2. In previous releases, there is no support for appending packets to an existing savefile.