Hannes Gredler wrote:
> you may want to check libpcap/savefile.c
> [http://cvs.tcpdump.org/cgi-bin/cvsweb/libpcap/savefile.c?rev=1.147]
> to get a better understanding about the .pcap file format.
...and you might want to note that savefile.c is part of libpcap,
meaning that if you just want to read those files, you can just use
libpcap to read it, rather than writing your own code that understands
the file format.
However, all that will give you, for each packet, is:
1) the size of the packet as it was received on the network (or before
it was transmitted, in the case of packets sent by the machine doing the
capture);
2) the number of packet bytes in the capture (which could be less, if
the capture was done with a "snapshot length" less than the maximum
packet size);
3) a time stamp for the packet, approximating the reception or
transmission time (it's not the time the first or last bit of the packet
was put on the wire or was received from the wire - it's the time the
packet was processed by some particular part of the OS's networking stack);
4) the raw contents of the packet.
"Raw" means *raw* - if you want to find the type of packet, or the IP
header if it's an IP packet, or the TCP or UDP header if it's a TCP or
UDP packet, or the TCP or UDP payload, or..., you'll have to write your
own code to do that.
See tcpdump's source code for an example of code to do that.
Note also that there might already be programs to do the type of
analysis you want to do; see, for example, the "Related links" page on
the tcpdump.org Web site:
http://www.tcpdump.org/related.html
and the Tools page of the Wireshark Wiki:
http://wiki.wireshark.org/Tools
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
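As an added illustration of the four per-packet items listed in the reply above (not code from the thread or from libpcap itself), here is a minimal in-memory reader for the classic pcap savefile layout: it checks the magic number for byte order and nanosecond time stamps, then walks the 16-byte record headers, refusing any caplen that points past the end of the buffer. The SAMPLE bytes, g_recs, g_nano and parse_sample are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* The four items libpcap hands back for every packet in a savefile. */
struct pcap_rec {
    uint32_t ts_sec, ts_frac;  /* time stamp: seconds + micro- or nanoseconds */
    uint32_t caplen, len;      /* bytes stored in the file / original length on the wire */
    const uint8_t *data;       /* raw, unparsed packet bytes */
};
/* Read a 32-bit field, byte-swapping when the file was written in the other byte order. */
static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v; memcpy(&v, p, 4);
    return swap ? (v >> 24) | ((v >> 8) & 0xff00) | ((v << 8) & 0xff0000) | (v << 24) : v;
}

/* Parse a classic pcap file held in memory. Returns the number of records stored (at
   most max) and sets *nanosec when the magic selects nanosecond time stamps; returns -1
   on an unknown magic number or a record header/body that runs past the buffer. */
int parse_pcap(const uint8_t *buf, size_t n, struct pcap_rec *out, int max, int *nanosec) {
    uint32_t magic;
    if (n < 24) return -1;                      /* global header is 24 bytes */
    memcpy(&magic, buf, 4);
    int swap = (magic == 0xd4c3b2a1 || magic == 0x4d3cb2a1);
    if (!swap && magic != 0xa1b2c3d4 && magic != 0xa1b23c4d) return -1;
    *nanosec = (rd32(buf, swap) == 0xa1b23c4d);
    size_t off = 24;                            /* skip version, tz, sigfigs, snaplen, linktype */
    int count = 0;
    while (off < n && count < max) {
        if (n - off < 16) return -1;            /* truncated record header */
        struct pcap_rec r;
        r.ts_sec  = rd32(buf + off, swap);      r.ts_frac = rd32(buf + off + 4, swap);
        r.caplen  = rd32(buf + off + 8, swap);  r.len     = rd32(buf + off + 12, swap);
        off += 16;
        if (r.caplen > n - off) return -1;      /* caplen claims bytes the file does not have */
        r.data = buf + off;
        off += r.caplen;
        out[count++] = r;
    }
    return count;
}

/* Constructed sample: little-endian header (Ethernet, snaplen 65535) and two records,
   the first captured with caplen 4 out of a 60-byte frame. */
static const uint8_t SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00,0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    0x00,0x10,0x5e,0x5f, 0x20,0xa1,0x07,0x00, 4,0,0,0, 60,0,0,0, 0xaa,0xbb,0xcc,0xdd,
    0x01,0x10,0x5e,0x5f, 0,0,0,0, 2,0,0,0, 2,0,0,0, 0x01,0x02 };
struct pcap_rec g_recs[4]; int g_nano;
/* Parse the first n bytes of SAMPLE into g_recs; returns parse_pcap's result. */
int parse_sample(size_t n) { return parse_pcap(SAMPLE, n, g_recs, 4, &g_nano); }
```

Everything past r.data is still opaque: deciding whether those bytes hold an Ethernet, IP or TCP header is the dissection work the reply says you have to write (or borrow from tcpdump) yourself.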