在C ++中读取pcap文件

Question

I want to read a pcap file and get the header information of the packets of a flow...

for this I found a c++ program from http://www.cnblogs.com/xiangshancuizhu/archive/2012/10/14/2723654.html which read the pcap file and have a header pointer , this pointer

class just point to length of header, but I want to access the other features of header

such as syn,fin,ack,seq no,....here is my code, how can I do this?

 char errbuff[PCAP_ERRBUF_SIZE];

/*
* Step 4 - Open the file and store result in pointer to pcap_t
*/

// Use pcap_open_offline
// http://www.winpcap.org/docs/docs_41b5/html/group__wpcapfunc.html#g91078168a13de8848df2b7b83d1f5b69
pcap_t * pcap = pcap_open_offline(file.c_str(), errbuff);

/*
* Step 5 - Create a header and a data object
*/

// Create a header object:
// http://www.winpcap.org/docs/docs_40_2/html/structpcap__pkthdr.html
struct pcap_pkthdr *header;

// Create a character array using a u_char
// u_char is defined here:
// C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Include\WinSock2.h
// typedef unsigned char   u_char;
const u_char *data;

/*
* Step 6 - Loop through packets and print them to screen
*/
u_int packetCount = 0;
while (int returnValue = pcap_next_ex(pcap, &header, &data) >= 0)
{
    // Print using printf. See printf reference:
    // http://www.cplusplus.com/reference/clibrary/cstdio/printf/

    // Show the packet number
    printf("Packet # %i\n", ++packetCount);

    // Show the size in bytes of the packet
    printf("Packet size: %d bytes\n", header->len);

and header is a structure like:

struct pcap_pkthdr {
    struct timeval ts;  /* time stamp */
    bpf_u_int32 caplen; /* length of portion present */
    bpf_u_int32 len;    /* length this packet (off wire) */
};

and I want this structure have more members, what should I do? thanks a lot.

Answer 1

You can't add more fields to pcap_pkthdr - libpcap won't do anything with those fields. Packet data fields, such as the link-layer, IP, and TCP headers, are NOT features of that header.

The packet data is pointed to by the data variable. That's where the link-layer header is, where the IP header is in IP packets, where the TCP header is in TCP packets, and so on. See, for example, Tim Carstens' tutorial on how to use libpcap .

You might want to look at building your program using libcrafter , which is "a high level library for C++ designed to make easier the creation and decoding of network packets". You may not be interested in the "crafting" part, but would be interested in the "decoding" part.

Answer 2

If you want to read a pcap file (without using any external lib to read pcap file) you need to parse that file according to the format which is something like this

GLOBAL_HEADER | PACKET_HEADER |PACKET_DATA | PACKET_HEADER |PACKET_DATA|....

Read global header and after that, you parse data in a loop till file ends. You must know the proper format and your structures must be correct

for this, you can follow this link https://www.tcpdump.org/pcap.html **UDP Header is not mentioned in the link