Reading .pcap file while it is still being written to

Question

I am writing a windows C++ application that is reading .pcap file and representing packet headers (and data) according to USBPcap structure.

A .pcap file is created either by USBPcap or Wireshark, containing my mouse movement data.

That goes all fine when I have normal .pcap file, but I was wondering if there is a way to open that .pcap file and read data from it, while it is still beign written to (while it is still tracking my mouse movement). I tried opening it with pcap_open_offline() but that gave me a NULL pointer.

Is there a way to do this ? Thank you for any input.

Answer 1

Is there a way to do this ?

Step 1 is to make sure that USBPcap opens the file with "deny none", so that other programs can open and read from it. If it doesn't do so, request that an option be added to allow it to do so.

Then bear in mind that libpcap (upon which WinPcap and Npcap are based) is not expecting to be reading from a file that's being written to, so it'll report either an end-of-file or an error when it reaches the current end of the file, without any provision for continuing to read from the file, so using libpcap/WinPcap/Npcap won't work.

This means you'd have to write your own code to read from the file. See this draft spec for the pcap file format.

(Ideally, USBPcap would provide a library, rather than just a program, to read from the capture device; that would allow libpcap to directly capture USB traffic on Windows, in which case you could just use that.)