Up to now I have been using WinPcap to open pcap files in C#:
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
private extern static IntPtr pcap_open_offline(string fname, byte[] errbuf);
Now I want to do something similar to open pcap-ng files so I get nano-second resolution (I got a new sniffer :-) )
Unfortunately WinPcap fails with this error: "bad dump file format"
Anyone knows how to work with pcap-ng in Windows?
Cheers, Pedro
Libpcap 1.1.x and later support reading some pcap-ng files (ones where all the interfaces have the same link-layer header type and snapshot length); however, there is no WinPcap release that's based on libpcap 1.1.x or 1.2.x, so there is no WinPcap release that can read pcap-ng files. Thus, no CLR-language wrapper around WinPcap will be able to read pcap-ng files until such a WinPcap release comes out.
In addition, the libpcap/WinPcap API currently doesn't return time stamps with nanosecond resolution, so even if you did read a file with nanosecond-resolutions time stamp with libpcap, you wouldn't see nanosecond-resolution time stamps.
For now, you'd have to write your own code, or write a wrapper around Wireshark's Wiretap library. (Note that Wiretap's API is subject to significant and incompatible changes from one Wireshark major release to another.)