如何从 pcap-ng 文件中的数据包数据中提取链路层数据？

Question

I have a pcap-ng file, and I'd like to extract the source/destination IPs.

According to the winpcap dump file format , the data I'm looking for is in the Packet Data section of the enhanced packet block.

I've been using this library in C# to parse through the pcap-ng file. And while I've been able to successfully get out the Enhanced Packet Block, I'm really not sure how to get into it.

The current Enhanced Packet Block Packet Data comes out as a byte array, using the following method.

private static void extractEnhancedPacketBlock()
{
    var myFile = "\\path\\to\\my.pcapng"

    using (StreamWriter file = new StreamWriter(myFile))
    {
        foreach (var enhancedPacketBlock in reader.EnhancedPacketBlocks)
        {
            byte[] packetData = enhancedPacketBlock.Data;

            Console.WriteLine(BitConverter.ToString(packetData));
        }
    }
}

Which outputs what you would expect, similar to the following:

79-2C-C8-80-A8-65-00-00-BC-C4-2F-65-09-00-42-00-01-5E...etc

A good answer to this could be a few different things like, guidance on where to look to learn more about what I need to do next. A library that already does that that I could use (I've tried a lot of libraries, and none of them seem to go this deep). Or if you already have some code that does this, that would be awesome. I'm also open to moving to Python if necessary.

---

Additional info.

I know that I can parse the source IP and destination IP out of the Enhanced Packet Blocks, and I know that it will require a hexadecimal to IP conversion, but I do not know where the IP Hex exists in the Enhanced Packet Blocks. I know it's not in the same place every time, but I need to know how to calculate this.

Answer 1

Use https://github.com/chmorgan/packetnet for parsing the packet data

Example:

var packet = Packet.ParsePacket(LinkLayers.Ethernet, enhancedPacketBlock.Data);
var ip = packet.Extract<IPPacket>();