Comment by GGFPC for You would have to structure the InputStream data so that it could be divided into packets. For example, if you're writing raw packet data to the stream, before each packet you would write a number giving the size of the packet, in bytes.Then, when reading the stream and writing a pcap file, you would read the number first, and then read that number of bytes of packet data. You would also have to ensure, in each iteration of the loop, the buffer would have to have exactly that number of bytes, so that dumper.dumpRaw knows how many bytes are in the packet.This probably means that you should allocate the packet buffer separately, for every packet, and allocate it so that it's exactly the size of the packet data.Without doing that, your code will NOT work.

Hi, thanks for the answer. I'm trying to write a transparent proxy for any protocol to record the data sent to a specific port. This is so I don't have to sniff all traffic with libpcap as I'm trying to write a monitoring tool and I want to reduce the overhead. This means I cant change what is being sent. I changed my code to write to the file only the amount of data that has been read from the stream in that iteration, which I feel would be okay since only one packet is sent at a time. Right now wireshark opens the capture without errors but everything appears as an ethernet frame. How does wireshark or libpcap decode the packet protocol when sniffing directly from the interface?