Creating a pcap file


You shouldn't need to write that header, pcap_open_dead should do it for you. You only need to fill out and write that header yourself if you want to write the file directly instead of using pcap_dump and friends. There's an example here of a trivial program writing out a pcap file with those functions.


original answer, concerning writing the file directly:

I can't remember exactly how this works, but I wrote a patch to redir a while ago that would write out pcap files, you may be able to use it as an example.

You can find it attached to this debian bug. (bug link fixed.)

Some of it is for faking the Ethernet and IP headers, and may not be applicable as you're using pcap_dump_open and pcap_dump, whereas the patch linked above writes out the pcap file without using any libraries, but I'll leave this here anyway in case it helps.
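As an added example (not code from the answer or from the linked patch), the following Python script does what the original answer describes: it writes a classic pcap file directly with no library, using the same global header fields the question fills in, with linktype set to DLT_RAW (12) so readers expect a bare IP packet, and it wraps each UDP payload in a constructed IPv4/UDP header so Wireshark or tcpdump can decode it. The addresses, ports and payloads are made-up sample values; the script then parses its own output back to confirm the layout.

```python
import struct

DLT_RAW = 12                # libpcap link type for raw IP packets (no Ethernet header)
PCAP_MAGIC = 0xa1b2c3d4     # classic pcap magic, microsecond timestamps

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fake_ipv4_udp(payload, src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=5000):
    """Wrap a bare UDP payload in constructed IPv4 + UDP headers (sample addresses/ports)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload   # UDP checksum 0 = omitted
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # ver/IHL, TOS, total len, id, flags/frag, TTL, proto 17 (UDP), checksum placeholder, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp

def write_pcap(path, packets, snaplen=65535, linktype=DLT_RAW):
    """Write the 24-byte global header once, then a 16-byte record header per packet."""
    with open(path, "wb") as f:
        # magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
        for ts, pkt in packets:
            sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
            cap = pkt[:snaplen]
            # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
            f.write(struct.pack("=IIII", sec, usec, len(cap), len(pkt)) + cap)

def read_pcap(path):
    """Parse the file back; returns (linktype, [(timestamp, packet_bytes), ...])."""
    with open(path, "rb") as f:
        magic, vmaj, vmin, _tz, _sig, _snap, linktype = struct.unpack("=IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or (vmaj, vmin) != (2, 4):
            raise ValueError("not a classic pcap v2.4 file")
        pkts = []
        while (rec := f.read(16)):
            sec, usec, incl, _orig = struct.unpack("=IIII", rec)
            pkts.append((sec + usec / 1e6, f.read(incl)))
    return linktype, pkts
```

The global header is written in native byte order, which is what libpcap itself does; readers use the magic value to detect the order.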

Author: Robert Kubrick

Updated on July 09, 2022

Comments

  • Robert Kubrick almost 2 years

    I need to save UDP packets to a file and would like to use the pcap format to reuse the various tools available (wireshark, tcpdump, ...). There is some information in this thread but I can't find how to write the global file header 'struct pcap_file_header'.

    #include <pcap/pcap.h>
    #include <sys/socket.h>
    #include <sys/time.h>

    // sd (bound UDP socket) and filename are assumed to be set up earlier
    pcap_t* pd = pcap_open_dead(DLT_RAW, 65535);
    pcap_dumper_t* pdumper = pcap_dump_open(pd, filename);

    struct pcap_file_header file_hdr;
    file_hdr.magic = 0xa1b2c3d4;       // field is named 'magic' in pcap.h
    file_hdr.version_major = 2;
    file_hdr.version_minor = 4;
    file_hdr.thiszone = 0;
    file_hdr.sigfigs = 0;
    file_hdr.snaplen = 65535;
    file_hdr.linktype = 1;

    // How do I write file_hdr to pdumper?

    unsigned char data[65535];                 // receive buffer for one datagram
    struct iovec iov = { data, sizeof data };
    struct msghdr msg_hdr = { 0 };
    msg_hdr.msg_iov = &iov;
    msg_hdr.msg_iovlen = 1;
    struct pcap_pkthdr pkthdr;
    ssize_t len;

    while ((len = recvmsg(sd, &msg_hdr, 0)) > 0) {
        gettimeofday(&pkthdr.ts, NULL);        // per-record timestamp
        pkthdr.caplen = pkthdr.len = (bpf_u_int32)len;
        pcap_dump((u_char*)pdumper, &pkthdr, data);
    }

    How should I write the global file header? If there is no specific pcap function available, how can I retrieve the file descriptor to insert the header using write()?

  • Robert Kubrick about 12 years
    Thanks, but it looks like you have done everything using regular file write() calls. I am using pcap_dump() and can't figure where to get the file descriptor.
  • je4d about 12 years
    @RobertKubrick Updated above. I've left the original answer since even with pcap_dump you'll still need to fake an IP header, and the patch linked above may help with that.
  • Robert Kubrick about 12 years
    True, no need to write the global file header, I just verified.
  • nos over 11 years
    Use pcap_fileno() to get a file descriptor from a pcap_t*. You can however call pcap_dump() directly to write packets to a pcap_t.