1

I am writing a windows C++ application that is reading .pcap file and representing packet headers (and data) according to USBPcap structure.

A .pcap file is created either by USBPcap or Wireshark, containing my mouse movement data.

That goes all fine when I have normal .pcap file, but I was wondering if there is a way to open that .pcap file and read data from it, while it is still beign written to (while it is still tracking my mouse movement). I tried opening it with pcap_open_offline() but that gave me a NULL pointer.

Is there a way to do this ? Thank you for any input.

Peter
  • 57
  • 1
  • 7

1 Answers1

1

Is there a way to do this ?

Step 1 is to make sure that USBPcap opens the file with "deny none", so that other programs can open and read from it. If it doesn't do so, request that an option be added to allow it to do so.

Then bear in mind that libpcap (upon which WinPcap and Npcap are based) is not expecting to be reading from a file that's being written to, so it'll report either an end-of-file or an error when it reaches the current end of the file, without any provision for continuing to read from the file, so using libpcap/WinPcap/Npcap won't work.

This means you'd have to write your own code to read from the file. See this draft spec for the pcap file format.

(Ideally, USBPcap would provide a library, rather than just a program, to read from the capture device; that would allow libpcap to directly capture USB traffic on Windows, in which case you could just use that.)

user13951124
  • 176
  • 4
  • Yes it really looks like USBPcap is locking file when it is created. I tried opening it with `std::ifstream ifs(fullFilename.c_str(), std::fstream::binary | std::fstream::in, _SH_DENYNO);` but that failed. Is there any workaround how to do it, or is the only thing left just changing USBPcap source code ? – Peter Aug 01 '20 at 17:41
  • If one process opens a file without `FILE_SHARE_READ`, other processes that try to open the file for reading will fail, no matter *what* they try. Therefore, you will have to change USBPcap to open it with `FILE_SHARE_READ`. – user13951124 Aug 01 '20 at 18:41