2007-05-10
AltSci Concepts

Computer Journal

Computer Journal
back

Packet Capture Dump with libpcap


by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
May 1-7, 2005

pcapdump 0.1 [sig]

DESCRIPTION

TCP Dump and libpcap
Wireshark

Libpcap is a very simple library to get the data from packet capture files. TCP Dump is a program that captures data from interfaces. It can also print the data it captures in realtime or later. Wireshark is a GUI program that reads cap files (and can also capture data) and displays the information very well.

Wireshark has plenty of bugs and fails to do certain operations on large files. For example, a 1MB download over HTTP can be saved in Wireshark. But trying to save a 100 MB download over HTTP can cause Wireshark to crash. Instead of fixing this bug, I decided to write an HTTP dumper which uses far less memory than Wireshark to simply output the HTTP file. It currently is not working 100% because any broken packets or packets out of order will be accepted and outputted. The DNS dumper does work, dumping a list of dns requests from a cap file.

REQUIREMENTS

The pcapdump requires libpcap.

METHODS

More detailed information coming soon.
Until then, look at the source code.

#include <pcap.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netdb.h>
#include <netinet/udp.h>

char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *capture = pcap_open_offline(filename, errbuf);
if(capture == 0)
{
	printf("Couldn't open file %s.\n", filename);
	perror("pcap_open_offline");
}
struct pcap_pkthdr header;
const u_char *packet;
do
{
	packet = pcap_next(capture, &header);
	if(packet == 0) break;
	// Your code here.

} while(packet != 0);



USAGE
pcapdump_http1 file.cap [filter blah yak yak yak]
pcapdump_dns1  file.cap [filter blah yak yak yak]

More detailed information coming soon.

Mod level: -1 0 1 2 3 4 5

Comments:

Post a comment
Your Name: Login

Subject:

Comment:

RSS Feed
Home | Login | Others