pcap

IPv6 decoder for pcapy/impacket

I use the pcapy/impacket library to decode network packets in Python. It has an IP decoder which knows about the syntax of IPv4 packets but apparently no IPv6 decoder. Does anyone get one? In a private correspondence, the Impacket maintainers say it may be better to start with Scapy ...

libpcap, pcap_next_ex, and incompatible pointer types

Disclaimer: This is for a homework assignment, but the question is not regarding the assignment, just about general syntax weirdness. I'm trying to use libpcap in the context of a much larger program, but when I try to get the packet header and data for each packet gcc complains that the third parameter to pcap_next_ex is of an incompat...

Can libpcap reassemble TCP segments

I need to sniff TCP traffic into my application. Can libpcap reassemble TCP segments or do I have to do it manually? The home page says "Full documentation is provided with the source packages in man page format". After I sudo apt-get install libpcap-dev I only find one man pcap. Is it all the documentation available or I simply missed so...

Getting the number of packets in a pcap capture file?

I need a program which prints the number of packets in a capture file which uses the pcap format. This number does not seem available in the pcap header (probably because it is written before the capture starts) and it does not seem there is a "footer" in the file, with this information. So, I believe the only algorithm is to loop over ...

How to concatenate two tcpdump files (pcap files)

How to concatenate two tcpdump files, so that one traffic will appear after another in the file? To be concrete I want to "multiply" one tcpdump file, so that all the sessions will be repeated one after another sequentially a few times. ...

How do I modify the destination MAC address in a packet?

I've a question related to a very basic thing in Perl, but I'm unable to find an efficient solution. Here's a bit of context first. I use Net::Pcap etc and when I'm in my function which processes packets (used by pcap_loop) I get a $packet scalar which contains my whole packet (ethernet header + ip header + tcp/udp header + payload). W...

How to read multiple pcap files >2GB?

I am trying to parse large pcap files with libpcap but there is a file limitation so my files are separated at 2gb. I have 10 files of 2gb and I want to parse them at one shot. Is there a possibility to feed this data on an interface sequentially (each file separately) so that libpcap can parse them on the same run? ...

PCAP Alternatives

Are there any alternatives to PCAP DLL for capturing packets, that are not drivers? ...

pcap struct pcap_pkthdr len vs caplen

We're sniffing packets using libpcap on Linux. The header we get on each packet looks like: struct pcap_pkthdr { struct timeval ts; /* time stamp */ bpf_u_int32 caplen; /* length of portion present */ bpf_u_int32 len; /* length this packet (off wire) */ }; Now, it is my understanding that caplen ...

libpcap : No Wireless Devices detected

Hi. I want to capture packets going out of my machine, and I'm using libpcap (version 1.0.0-1) for the same. The problem is, that a basic program like this - #include <stdio.h> #include <pcap.h> int main(int argc, char *argv[]) { char *dev, errbuf[PCAP_ERRBUF_SIZE]; dev = pcap_lookupdev(errbuf); if (dev == NULL) { ...

How do you decrypt an SSH .pcap file that uses Diffie Hellman encryption, with public and private keys?

How do you decrypt an SSH .pcap file that uses Diffie Hellman encryption, with public and private keys? We are trying through Wireshark with no luck. Please advise. ...

Using pcap in VS .NET 2003 and error C2085, C2061

Hi all, I'm new to using Visual Studio. I'm currently using VS .NET 2003 on Vista, and I'm trying to port a program from Linux to Windows. The program uses the pcap library. I have installed WinPcap 4.0.2 and downloaded the Developer's Pack WpdPack_4_0_2. However, I have no idea what to do with the developer's pack, i.e. what do I do w...

How portable is the output of pcap_compile?

pcap_compile() compiles a string into a filter program in the form of a bpf_program struct. In theory I could save the compiled form of the program and supply it to pcap_setfilter() on a different network interface or even on a different machine. Will that work? Is the bpf_program form portable across different interfaces? Different pro...

How to send pcap file packets on NIC?

I have some network traffic captured pcap file and want to send its packets on NIC; is it possible? Is there any application to do this? ...

Determining type of pcap file.

How can I determine if a saved .pcap file contains an ERF (Extensible Record Format) header? pcap_open_offline() doesn't provide this information. I'm running into issues where some captures I open have the 16-byte header, and some don't, and I can't find any documentation online in how to determine the format. ...

Which Packet Capture Format is better?

I am writing an application to save the captured IP packets to file. Which of the following packet capture formats is better suited for use as the file format? Click on the link for more information on each. Snoop (rfc1761) PCAP In addition, is there a C# library for any of the above formats? ...

Why is ruby's (ver 1.9) pcap gem hanging after accessing it?

Hello. Using ruby 1.9 and the latest gem install pcap + fix for compiling (convert ->ptr/->len to _PTR/_LEN), I found that after running simple code: require 'pcap' cap = Pcap::Capture.open_offline('1.dmp') cap.each { |pkt| p pkt.src; } exit the Pcap gem does not leave the cap.each block, i.e. output: ... 213.248.106.202 192.168.1.50 213.248.106.20...

uncompress gzipped HTTP message

Hi everybody, I am analyzing Pcap captures with C and I need to uncompress the Gzipped body of the HTTP replies. I know that I can do that using Wireshark manually, but I would need to do it on the fly, inside my program. My understanding is that I should look into zlib and the RFC. But since it's a little analysis program, do you know...

How can I filter a pcap file by specific protocol using python?

Hello, I have some pcap files and I want to filter by protocol, i.e., if I want to filter by HTTP protocol, anything but HTTP packets will remain in the pcap file. There is a tool called openDPI, and it's perfect for what I need, but there is no wrapper for the python language. Does anyone know any python modules that can do what I need...

How to use pcap_breakloop?

Hi all, I have a pcap_loop function in another function, that captures packets until the user stops it, i.e. void functionA() { signal(SIGINT, terminate_process); pcap_loop(handle, -1, callback, NULL); ... } void terminate_process(int signum) { pcap_breakloop(handle); pcap_close(handle); } Is it possible to set a d...