Mailing List Archive

Extracting IP packets from a PCAP file
Hi all,

I need to implement a parser which parses a pcap file, extracts IP packets out of it and dumps them into a txt file on the Windows platform.

Is there any source code available, or do I have to understand the PCAP file format and write the parser from scratch?

Appreciate your help,
thanks,
Raghu

Re: Extracting IP packets from a PCAP file [ In reply to ]
On Jun 6, 2006, at 4:25 PM, Raghavendra .K.M wrote:

> I need to implement a parser which parses a pcap file, extracts IP
> packets out of it and dumps them into a txt file on the Windows platform

IP packets are binary, so you can't just dump them into a text file.
Do you mean you want to dump the raw data in hex/text format, similar
to the bottommost pane of the Ethereal window? Or do you want to
dump out an analysis of the data in the packet, similar to the middle
packet of the Ethereal window?

> Is there any source code available

Yes - they're called "tcpdump" (or "WinDump") and "Ethereal". :-)

> or do I have to understand the PCAP file format and write the
> parser from scratch?

Tcpdump/WinDump don't understand the pcap file format; they use
libpcap/WinPcap to read it.

The only part of Ethereal that understands the pcap file format is
the low-level file reading code, which exists because it has to
support random access to the file, handle compressed files, and
handle a lot of other file formats, none of which libpcap does.

However, the hard part isn't understanding the file format, the hard
part is understanding the *packet* format. tcpdump is a relatively
simple program to parse packets, and the current top of tree version
is 72453 lines of C code. Ethereal has even more lines than that.
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-dev
RE: Extracting IP packets from a PCAP file [ In reply to ]
> > Is there any source code available
>
> Yes - they're called "tcpdump" (or "WinDump") and "Ethereal". :-)

There is also Perl's module Net::pcap (do a search on
http://search.cpan.org/)

Olivier.
Re: Extracting IP packets from a PCAP file [ In reply to ]
Hi all,

thanks for the inputs,

The requirement is to develop a tool, something like a pseudo-server.

So given a pcap file, I want to just get the IP packets out of it.

Pcap will have timestamp information about the packets received.

From the IP packets and timestamp info my tool would simulate a server and interact with a remote client.

I got an executable built using WinPcap which just parses all the captured packets in a pcap file and displays them as a hex dump along with timestamps.

Starting from here I want to strip out all the link layer headers and get just the IP packets, and use them.

How do I do this? Will WinDump solve this problem?

Appreciate your help,
Raghu

Re: Extracting IP packets from a PCAP file [ In reply to ]
On Jun 7, 2006, at 4:31 PM, Raghavendra .K.M wrote:

> I got an executable built using WinPcap which just parses all the
> captured packets in a pcap file and displays them as a hex dump
> along with timestamps.
>
> Starting from here I want to strip out all the link layer headers
> and get just the IP packets, and use them.
>
> How do I do this?

1) Modify your executable to compile a filter string of "ip" (with
pcap_compile()) and set that filter string on the open file (with
pcap_setfilter()).

2) Find the link-layer header type of the packets in the file (with
pcap_datalink()) and use that (and, for some protocols, the contents
of the link-layer header) to determine the size of the link-layer
header, and then skip past that to get to the beginning of the IP
header.

> Will WinDump solve this problem?

It might be worth looking at to see how to do 1) and 2), although you
wouldn't be able to just cut and paste the code.

(BTW, this is probably more appropriate for tcpdump-
workers@tcpdump.org or winpcap-users@winpcap.org.)
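The two steps in the reply above (keep only IP packets, then skip a link-type-dependent link-layer header), as an added stand-alone example that is not from the thread or from libpcap/WinPcap: it reads the classic pcap file format directly in pure Python, so the link type comes from the file header instead of pcap_datalink() and the "ip" filter becomes an EtherType check; the DLT_* numbers are libpcap's, the 802.1Q handling illustrates "the contents of the link-layer header" mattering, and the sample capture at the bottom is constructed.

```python
import struct

DLT_EN10MB, DLT_RAW, DLT_LINUX_SLL = 1, 12, 113  # libpcap DLT_* values for the link types handled here
ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100


def ip_payload(linktype, frame):
    """Strip the link-layer header (step 2 of the reply); return the IP packet, or None if not IP (step 1)."""
    if linktype == DLT_RAW:  # no link-layer header: the frame starts with the IP header
        return frame if frame and (frame[0] >> 4) in (4, 6) else None
    off = {DLT_EN10MB: 12, DLT_LINUX_SLL: 14}.get(linktype)  # bytes before the EtherType field
    while off is not None and len(frame) >= off + 2:
        etype = struct.unpack_from("!H", frame, off)[0]
        off += 2
        if etype == ETH_VLAN:  # 802.1Q tag: skip the 2-byte TCI and re-read the inner EtherType
            off += 2
        else:
            return frame[off:] if etype in (ETH_IPV4, ETH_IPV6) else None
    return None  # unknown link type or truncated header: treat as non-IP rather than guess


def extract_ip_packets(data):
    """Parse a classic pcap file held in `data`; return [(timestamp_seconds, ip_packet_bytes), ...]."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (unknown magic number)")
    nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)  # the *3C4D magic variants store nanoseconds
    linktype = struct.unpack_from(endian + "I", data, 20)[0]  # what pcap_datalink() would report
    out, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated pcap record")
        off += 16 + incl_len
        pkt = ip_payload(linktype, frame)
        if pkt is not None:
            out.append((ts_sec + ts_frac / (1e9 if nanos else 1e6), pkt))
    return out


def dump_as_text(data):  # one "timestamp hexbytes" line per IP packet, ready to write to a .txt file
    return [f"{ts:.6f} {pkt.hex()}" for ts, pkt in extract_ip_packets(data)]


def _rec(ts_sec, frame):  # constructed pcap record: ts_sec, ts_usec, incl_len, orig_len, then the frame
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


# Constructed sample capture (Ethernet): an ARP frame (dropped), an IPv4 frame, a VLAN-tagged IPv6 frame
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
               + _rec(1, bytes(12) + b"\x08\x06" + bytes(28))
               + _rec(2, bytes(12) + b"\x08\x00" + b"\x45" + bytes(19))
               + _rec(3, bytes(12) + b"\x81\x00\x00\x05\x86\xdd" + b"\x60" + bytes(39)))
```

`dump_as_text(SAMPLE_PCAP)` yields two lines, one per IP packet, with the ARP frame dropped; a real capture is just `open(path, "rb").read()` passed in the same way.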