Good day! The problem is this: there is a pcap_t* variable that points to the first byte of the piece of memory where the .pcap file was placed after it was opened. I want to process this traffic and install a filter on it, and all of that works. Only after that it is impossible to return to the initial traffic in the program, because a filter is installed on it and, in general, it has already been processed by a loop (the processing function did not drop). The question is how, in the function where the filter itself is installed (see readDnsPacket), to pass a copy of the traffic, not the original. This is necessary in order to still be able to work with the original in the program. PS: please do not offer closing and reopening the pcap))) Sorry that I explain so drearily! Here is the partial code:
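```cpp
#include <cstdlib>
#include <iostream>
#include <pcap.h>

// Fragment of main(); path is defined elsewhere.
pcap_t* traffic;
char errbuf[PCAP_ERRBUF_SIZE]; // pcap_open_offline writes its error message here
if ((traffic = pcap_open_offline(path, errbuf)) == nullptr)
{
    std::cout << "Error open traffic file! \n";
    system("pause");
    return 0;
}
readDnsPacket(traffic);
```

Function readDnsPacket:

```cpp
inline void readDnsPacket(pcap_t* traffic)
{
    struct bpf_program fp;
    const char* str = "udp and src port 53"; // filter for dns-response
    if (pcap_compile(traffic, &fp, str, 1, 0xffffff) != 0) // compile the filter text to BPF
        return;
    if (pcap_setfilter(traffic, &fp) != 0) // install the filter on this handle
    {
        pcap_freecode(&fp);
        return;
    }
    pcap_freecode(&fp); // the compiled program can be freed once it is installed
    pcap_loop(traffic, 0, PacketHandler, nullptr); // PacketHandler is defined elsewhere
}
```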
struct pcap, and I have not found a description of this structure. You can, of course, copy this structure with memcpy, but it will most likely still contain various pointers to other structures or arrays, and all of those would have to be copied too. Therefore, having no experience with pcap, I can only suggest re-reading the file.
- maestro
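A different way to keep the original traffic available, as an added example that is not part of the thread: read the capture's records into memory once and select matching frames by index, so nothing is ever installed on the source data. The names loadFrames, isDnsResponse, selectDns and samplePcap are hypothetical, and the hand-written check stands in for the "udp and src port 53" filter so the code runs without libpcap (assumptions: little-endian classic pcap, Ethernet link type, IPv4 only).

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Frame = std::vector<uint8_t>;            // bytes of one captured packet
static uint32_t le32(const uint8_t* p) {       // little-endian 32-bit header field
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Read every record of a little-endian classic pcap image into memory, once.
std::vector<Frame> loadFrames(const std::vector<uint8_t>& file) {
    std::vector<Frame> frames;
    if (file.size() < 24 || le32(file.data()) != 0xa1b2c3d4) return frames;
    for (size_t off = 24; file.size() - off >= 16; ) {
        uint32_t incl = le32(&file[off + 8]);           // captured length, untrusted
        if (incl > file.size() - off - 16) break;       // truncated record: stop
        frames.emplace_back(file.begin() + off + 16, file.begin() + off + 16 + incl);
        off += 16 + incl;
    }
    return frames;
}

// Hand-written stand-in for "udp and src port 53" (Ethernet + IPv4 only).
bool isDnsResponse(const Frame& f) {
    if (f.size() < 34 || f[12] != 0x08 || f[13] != 0x00) return false;   // EtherType IPv4
    size_t ihl = (f[14] & 0x0f) * 4u;
    if ((f[14] >> 4) != 4 || ihl < 20 || f[23] != 17) return false;       // IPv4, UDP
    if (((f[20] & 0x1f) << 8 | f[21]) != 0) return false;  // non-first fragment: no UDP header
    return f.size() >= 16 + ihl && (f[14 + ihl] << 8 | f[15 + ihl]) == 53;
}

// Indices of matching frames; the stored frames themselves stay untouched.
std::vector<size_t> selectDns(const std::vector<Frame>& all) {
    std::vector<size_t> hits;
    for (size_t i = 0; i < all.size(); ++i) if (isDnsResponse(all[i])) hits.push_back(i);
    return hits;
}

// Constructed sample: Ethernet pcap with a UDP frame from port 53, then one from 40000.
std::vector<uint8_t> samplePcap() {
    std::vector<uint8_t> out = {0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0};
    for (int sport : {53, 40000}) {
        Frame f(42);                             // 14 Ethernet + 20 IPv4 + 8 UDP, zero-filled
        f[12] = 0x08; f[14] = 0x45; f[23] = 17;  // EtherType IPv4, IHL 5, protocol UDP
        f[34] = uint8_t(sport >> 8); f[35] = uint8_t(sport & 0xff);      // UDP source port
        out.insert(out.end(), {0,0,0,0, 0,0,0,0, 42,0,0,0, 42,0,0,0});   // record header
        out.insert(out.end(), f.begin(), f.end());
    }
    return out;
}
```

With libpcap itself, pcap_offline_filter() applies a compiled bpf_program to a packet that is already in memory, so it could take the place of isDnsResponse here.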