
How can I extract Link-Layer data from Packet Data in pcap-ng file?

I have a pcap-ng file, and I'd like to extract the source/destination IPs.

According to the winpcap dump file format, the data I'm looking for is in the Packet Data section of the enhanced packet block.

I've been using this library in C# to parse through the pcap-ng file. And while I've been able to successfully get out the Enhanced Packet Block, I'm really not sure how to get into it.

The current Enhanced Packet Block Packet Data comes out as a byte array, using the following method.

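private static void extractEnhancedPacketBlock()
{
    var myFile = "\\path\\to\\my.pcapng";

    using (StreamWriter file = new StreamWriter(myFile))
    {
        // `reader` is the pcap-ng reader from the library, created elsewhere
        foreach (var enhancedPacketBlock in reader.EnhancedPacketBlocks)
        {
            // Raw Packet Data of the Enhanced Packet Block
            byte[] packetData = enhancedPacketBlock.Data;

            // Print the bytes as dash-separated hex
            Console.WriteLine(BitConverter.ToString(packetData));
        }
    }
}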

Which outputs what you would expect, similar to the following:

79-2C-C8-80-A8-65-00-00-BC-C4-2F-65-09-00-42-00-01-5E...etc

A good answer to this could be a few different things, like guidance on where to look to learn more about what I need to do next. A library that already does that that I could use (I've tried a lot of libraries, and none of them seem to go this deep). Or if you already have some code that does this, that would be awesome. I'm also open to moving to Python if necessary.


Additional info.

I know that I can parse the source IP and destination IP out of the Enhanced Packet Blocks, and I know that it will require a hexadecimal to IP conversion, but I do not know where the IP Hex exists in the Enhanced Packet Blocks. I know it's not in the same place every time, but I need to know how to calculate this.

Use https://github.com/chmorgan/packetnet for parsing the packet data.

Example:

var packet = Packet.ParsePacket(LinkLayers.Ethernet, enhancedPacketBlock.Data);
var ip = packet.Extract<IPPacket>();
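
To show where the addresses sit and why the offset moves, here is an added Python example (not part of the original answer or of either library) that computes the IP header offset by hand and bounds-checks every read, since captures can be truncated. It assumes the block's interface link type is Ethernet, so the Packet Data starts at the Ethernet header; `extract_ips` and the sample frames are hypothetical names and constructed data.

```python
import ipaddress
import struct

ETH_HLEN = 14
VLAN_TYPES = {0x8100, 0x88A8}          # 802.1Q and 802.1ad tags
ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD


def extract_ips(frame: bytes):
    """Return (src, dst) from an Ethernet frame, or None if not IP or truncated."""
    if len(frame) < ETH_HLEN:
        return None
    offset = 12                        # EtherType follows the two 6-byte MACs
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    # Each VLAN tag inserts 4 bytes: a 2-byte TCI, then the next EtherType
    while ethertype in VLAN_TYPES:
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype == ETH_IPV4:
        # Addresses are at fixed bytes 12..19 of the IPv4 header
        if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
            return None
        src, dst = frame[offset + 12:offset + 16], frame[offset + 16:offset + 20]
    elif ethertype == ETH_IPV6:
        # Addresses are at fixed bytes 8..39 of the IPv6 header
        if len(frame) < offset + 40 or frame[offset] >> 4 != 6:
            return None
        src, dst = frame[offset + 8:offset + 24], frame[offset + 24:offset + 40]
    else:
        return None                    # ARP, LLDP, etc. carry no IP header
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))


# Constructed sample frames (not taken from a real capture)
MACS = bytes.fromhex("020000000001" "020000000002")
IPV4 = (bytes.fromhex("450000140000000040060000")
        + bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 7]))
PLAIN = MACS + b"\x08\x00" + IPV4
TAGGED = MACS + b"\x81\x00\x00\x64\x08\x00" + IPV4   # same packet, one VLAN tag

if __name__ == "__main__":
    print(extract_ips(PLAIN), extract_ips(TAGGED))
```
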
