pcap_dump 写 *.pcap文件数据
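/*
 * Capture "tcp port 80" traffic on interface "eth1" and write every captured
 * packet to ./test.pcap with pcap_dump() until the capture stops or fails.
 *
 * Returns 0 when the capture ended normally, -1 when any libpcap call failed.
 *
 * Operational notes for whoever runs this:
 *   - The snapshot length is 65535, so complete payloads of unencrypted port-80
 *     traffic are stored. The capture file can contain credentials and session
 *     cookies and should be protected like any other sensitive artefact.
 *   - The output path is relative and pcap_dump_open() creates or truncates it.
 *     Live capture normally needs elevated privileges, so run this from a
 *     directory that untrusted users cannot write to.
 */
int main(void)
{
    pcap_t *dev = NULL;
    pcap_dumper_t *dumper = NULL;
    struct pcap_pkthdr *pkt = NULL;
    const u_char *data = NULL;
    struct bpf_program bpg;
    char errMsg[256] = { 0 };
    const char *com = "tcp port 80";
    int have_filter = 0;
    int ret = 0;
    int rc = -1;

    memset(&bpg, 0x00, sizeof(bpg));
    /* NOTE(review): sighdl and flg are defined elsewhere in the file;
     * presumably the handler clears flg on Ctrl-C -- confirm. */
    signal(SIGINT, sighdl);

    dev = pcap_open_live("eth1", 65535, 1, 0, errMsg);
    if (dev == NULL) {
        be_printf("pcap_open_live is failed = %s\n", errMsg);
        return -1;
    }

    /* A filter that failed to compile or install must stop the program:
     * otherwise bpg is used uninitialised, or every packet on the interface
     * is captured instead of only port 80. */
    if (pcap_compile(dev, &bpg, com, 0, 0) != 0) {
        be_printf("pcap_compile is failed = %s\n", pcap_geterr(dev));
        goto out;
    }
    have_filter = 1;

    if (pcap_setfilter(dev, &bpg) != 0) {
        be_printf("pcap_setfilter is failed = %s\n", pcap_geterr(dev));
        goto out;
    }

    /* pcap_dump() dereferences the dumper, so a NULL handle must be caught. */
    dumper = pcap_dump_open(dev, "./test.pcap");
    if (dumper == NULL) {
        be_printf("pcap_dump_open is failed = %s\n", pcap_geterr(dev));
        goto out;
    }

    rc = 0;
    for (;;) {
        ret = pcap_next_ex(dev, &pkt, &data);

        /* flg is only looked at once pcap_next_ex() has returned. */
        if (flg == 0) {
            break;
        }

        /* Negative means a read error or a broken-out loop. The original
         * "while (ret = ...)" condition treated it as true and kept spinning. */
        if (ret < 0) {
            be_printf("pcap_next_ex is failed = %s\n", pcap_geterr(dev));
            rc = -1;
            break;
        }

        /* 0 is a read timeout without a packet, not the end of the capture. */
        if (ret == 0) {
            continue;
        }

        if (pkt->caplen > 0) {
            /* The first argument is the pcap_dumper_t * returned by
             * pcap_dump_open(); pcap_dump() declares it as u_char *, so it
             * has to be cast by hand. */
            pcap_dump((u_char *)dumper, pkt, data);
        }
    }

out:
    if (dumper != NULL) {
        /* pcap_dump_close() returns nothing, so flush first to notice
         * write errors such as a full disk. */
        if (pcap_dump_flush(dumper) != 0) {
            be_printf("pcap_dump_flush is failed\n");
            rc = -1;
        }
        pcap_dump_close(dumper);
        be_printf("pcap_dump_close is OK\n");
    }
    if (have_filter) {
        pcap_freecode(&bpg);
    }
    pcap_close(dev);
    return rc;
}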