Packet Capture Dump with libpcap
by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
May 1-7, 2005
TCP Dump and libpcap
Wireshark
libpcap is a small, simple library for reading packets from capture files (and for capturing them from interfaces). tcpdump is a program built on it that captures packets from an interface and prints them, either in real time or later from a saved file. Wireshark is a GUI program that reads capture files (and can also capture live) and displays the decoded packets very well.
Wireshark has plenty of bugs and fails to do certain operations on large files. For example, a 1 MB download over HTTP can be saved from Wireshark. But trying to save a 100 MB download over HTTP can cause Wireshark to crash. Instead of fixing this bug, I decided to write an HTTP dumper which uses far less memory than Wireshark to simply output the HTTP file. It currently is not working 100% because any broken packets or packets out of order will be accepted and output as they arrive. The DNS dumper does work, dumping a list of DNS requests from a cap file.
pcapdump requires libpcap.
More detailed information coming soon.
Until then, look at the source code.
#include <stdio.h>
#include <pcap.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netdb.h>

/* Walk every packet in a saved capture file. The netinet headers are what
   the HTTP and DNS dumpers use to pick apart the IP, TCP and UDP headers. */
int dump_file(const char *filename)
{
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *capture = pcap_open_offline(filename, errbuf);
    if(capture == NULL) {
        /* pcap_open_offline() reports its error in errbuf, not errno. */
        fprintf(stderr, "Couldn't open file %s: %s\n", filename, errbuf);
        return 1;
    }
    struct pcap_pkthdr header;
    const u_char *packet;
    /* pcap_next() returns NULL at end of file; header.caplen says how many
       bytes of each packet were actually saved, header.len its original size. */
    while((packet = pcap_next(capture, &header)) != NULL) {
        // Your code here.
    }
    pcap_close(capture);
    return 0;
}
pcapdump_http1 file.cap [filter expression]
pcapdump_dns1 file.cap [filter expression]
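The HTTP dumper's remaining problem is that it accepts segments in whatever order the capture recorded them. As an added example that is not part of pcapdump or the page's code, the Python script below walks a pcap savefile directly (no libpcap needed), picks out one direction of a TCP connection, orders the segments by sequence number modulo 2^32, discards bytes that were already delivered even when they are retransmitted, and stops at a hole instead of writing garbage across it. The capture and the HTTP response inside it are constructed in the script (a SYN-ACK plus three data segments recorded out of order with one duplicate); the addresses 10.0.0.1:80 and 10.0.0.2:40000, the timestamps and all function names are assumptions.

```python
"""Reassemble one direction of a TCP stream from a pcap savefile (no libpcap needed)."""
import struct

LINKTYPE_ETHERNET = 1


def iter_pcap_frames(data):
    """Yield link-layer frames from a classic pcap savefile held in memory.
    Accepts both byte orders and the nanosecond magic; a record cut short by a
    truncated file ends iteration instead of yielding a partial frame."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a pcap savefile (magic 0x%08x)" % magic)
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]  # ts_sec, ts_frac, incl_len, orig_len
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break
        off += incl_len
        yield frame


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, flags, payload) for an Ethernet/IPv4/TCP
    frame, or None for anything else (non-IPv4, IP fragments, truncated headers)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, frag = struct.unpack_from("!HxxH", ip, 2)
    if ip[0] >> 4 != 4 or ihl < 20 or total_len < ihl or ip[9] != 6 or frag & 0x3FFF:
        return None
    ip = ip[:total_len]                        # drop Ethernet trailer padding
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    doff = (off_flags >> 12) * 4
    if doff < 20 or len(tcp) < doff:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, sport, dst, dport, seq, off_flags & 0x1FF, tcp[doff:]


def reassemble(frames, src, sport, dst, dport):
    """Rebuild the bytes sent from src:sport to dst:dport. Returns (stream, held_back),
    where held_back counts payload bytes that sit beyond a hole in the sequence space."""
    isn, segs = None, []
    for frame in frames:
        t = parse_tcp(frame)
        if t is None or t[:4] != (src, sport, dst, dport):
            continue
        seq, flags, payload = t[4:]
        if flags & 0x02:                       # SYN: the stream's data starts at ISN + 1
            isn = seq
        if payload:
            segs.append((seq, payload))
    if not segs:
        return b"", 0
    base = (isn + 1) & 0xFFFFFFFF if isn is not None else segs[0][0]

    def rel(seq):                              # signed distance from base, safe across 2^32 wrap
        r = (seq - base) & 0xFFFFFFFF
        return r - (1 << 32) if r >= (1 << 31) else r

    segs.sort(key=lambda s: rel(s[0]))
    expected = 0 if isn is not None else rel(segs[0][0])
    out, held_back = bytearray(), 0
    for seq, payload in segs:
        r = rel(seq)
        if r + len(payload) <= expected:
            continue                           # pure retransmission: nothing new in it
        if r > expected:
            held_back += len(payload)          # a segment before this one is missing
            continue
        out += payload[expected - r:]          # overlapping retransmission: keep only the new tail
        expected = r + len(payload)
    return bytes(out), held_back


def build_frame(seq, payload=b"", flags=0x18, src="10.0.0.1", sport=80, dst="10.0.0.2", dport=40000):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, 0x5000 | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Constructed little-endian pcap savefile (version 2.4, Ethernet) around the frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1115000000 + i, 0, len(f), len(f)) + f
    return out


RESPONSE = [b"HTTP/1.0 200 OK\r\n", b"Content-Length: 5\r\n\r\n", b"hello"]
SEQ = [1001, 1018, 1039]                       # ISN 1000; each segment follows the previous one
SYN_ACK = build_frame(1000, flags=0x12)
SEG = [build_frame(s, p) for s, p in zip(SEQ, RESPONSE)]
SAMPLE_PCAP = build_pcap([SYN_ACK, SEG[2], SEG[0], SEG[0], SEG[1]])   # out of order, one duplicate
SAMPLE_PCAP_WITH_HOLE = build_pcap([SYN_ACK, SEG[2], SEG[0]])         # middle segment never captured


def dump_stream(pcap_bytes, src="10.0.0.1", sport=80, dst="10.0.0.2", dport=40000):
    return reassemble(iter_pcap_frames(pcap_bytes), src, sport, dst, dport)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    stream, held = dump_stream(data)
    sys.stdout.buffer.write(stream)
    if held:
        sys.stderr.write("%d bytes held back behind a missing segment\n" % held)
```

Run it with a real capture as the first argument (the defaults select the server-to-client side of a connection from 10.0.0.1:80), or with no argument to see the constructed sample reassembled. The whole file is read into memory, so this trades the author's streaming design for simplicity; the ordering and duplicate handling are the part that carries over.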