
Does pcap_t *pcap_open_offline(const char *fname, char *errbuf) from libpcap read the whole pcap file into memory?

Does

pcap_t *pcap_open_offline(const char *fname, char *errbuf) 

from libpcap read the whole pcap file into memory? If not so, I have to use tcpslice or similar tools to split pcap file up?

Thanks.


A strange way of wording your question, but I'll try and answer what I can.

pcap_open_offline() takes a .dump file (or similarly named output from tcpdump, tcpslice, or libpcap's pcap_dump_open() + pcap_dump() functions) as an input.

This file is exactly the same in format and function as a live trace of a network device, i.e., you can use this pcap_t object in pcap_next, pcap_loop, etc.

Altering a dump file in any way (i.e., stripping information or parsing out only what you want with tcpslice or wireshark) will render it unreadable by pcap_open_offline(), as it will not be formatted in the manner of a live packet trace.

However, it does not load the entire file at any one time into memory. It streams the file, as you would stream packets from a live trace.

To summarize: pcap_open_live() opens an unaltered tcpdump/tcpslice dump and reads it like a live stream. It does not load the entire file into its memory, as dumps can get quite large! Instead it just goes through the file only loading one packet's worth of the file at a time.
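
An added example, not part of the original answer and not libpcap's own code: a minimal reader for the classic pcap file layout (a 24-byte file header, then a 16-byte record header before each packet) that walks the file one record at a time with a fixed buffer, and rejects a record whose claimed captured length exceeds that buffer or the remaining file. The names count_packets and make_sample and the MAX_SNAPLEN cap are assumptions of this example; only same-byte-order files with the 0xa1b2c3d4 magic are handled, and the sample capture is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC  0xa1b2c3d4u  /* classic pcap, microsecond timestamps */
#define MAX_SNAPLEN 262144u      /* buffer cap chosen for this example */

struct file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t zone;
                  uint32_t sigfigs, snaplen, linktype; };   /* 24 bytes */
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; }; /* 16 bytes */

/* Returns the packet count, or -1 on a malformed file. Memory use is
 * bounded by buf no matter how large the capture file is. */
long count_packets(FILE *fp, uint64_t *total_bytes)
{
    static uint8_t buf[MAX_SNAPLEN];
    struct file_hdr fh;
    struct rec_hdr rh;
    long n = 0;
    *total_bytes = 0;
    if (fread(&fh, sizeof fh, 1, fp) != 1 || fh.magic != PCAP_MAGIC)
        return -1;                      /* not a same-endian classic pcap */
    while (fread(&rh, sizeof rh, 1, fp) == 1) {
        if (rh.caplen > MAX_SNAPLEN)    /* untrusted length field */
            return -1;
        if (fread(buf, 1, rh.caplen, fp) != rh.caplen)
            return -1;                  /* record runs past end of file */
        *total_bytes += rh.caplen;      /* buf is reused for the next record */
        n++;
    }
    return n;
}

/* Constructed sample: npkts records of plen (<= 64) zero bytes; if bogus
 * is non-zero, a final record header claims bogus bytes that do not exist. */
FILE *make_sample(uint32_t npkts, uint32_t plen, uint32_t bogus)
{
    static const uint8_t zeros[64];
    struct file_hdr fh = { PCAP_MAGIC, 2, 4, 0, 0, MAX_SNAPLEN, 1 };
    struct rec_hdr rh = { 0, 0, plen, plen };
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    fwrite(&fh, sizeof fh, 1, fp);
    for (uint32_t i = 0; i < npkts; i++) {
        fwrite(&rh, sizeof rh, 1, fp);
        fwrite(zeros, 1, plen, fp);
    }
    if (bogus) { rh.caplen = bogus; fwrite(&rh, sizeof rh, 1, fp); }
    rewind(fp);
    return fp;
}
```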
