Questions tagged [pcap]

pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as .

Source

Wikipedia

1283 questions
12 votes, 1 answer

What does ntohs() in pcap exactly do?

I read the documentation from one of the answers: The ntohs function takes a 16-bit number in TCP/IP network byte order (the AF_INET or AF_INET6 address family) and returns a 16-bit number in host byte order. Please explain with an example, as in…
tabs_over_spaces
  • 242
  • 1
  • 3
  • 14
11 votes, 8 answers

How can I filter a pcap file by specific protocol using python?

I have some pcap files and I want to filter by protocol, i.e., if I want to filter by HTTP protocol, anything but HTTP packets will remain in the pcap file. There is a tool called openDPI, and it's perfect for what I need, but there is no wrapper…
coelhudo
  • 4,162
  • 7
  • 35
  • 53
11 votes, 2 answers

C PCAP library unknown types error

I installed the pcap library on my Linux system, but when including it I get the errors /usr/include/pcap/bpf.h:88:1: error: unknown type name ‘u_int’ /usr/include/pcap/bpf.h:108:2: error: unknown type name ‘u_int’ /usr/include/pcap/bpf.h:1260:2:…
wasp256
  • 5,355
  • 9
  • 53
  • 94
10 votes, 4 answers

How do I use tshark to print request-response pairs from a pcap file?

Given a pcap file, I'm able to extract a lot of information from the reconstructed HTTP request and responses using the neat filters provided by Wireshark. I've also been able to split the pcap file into each TCP stream. Trouble I'm running into now…
Steven
  • 17,136
  • 12
  • 61
  • 113
10 votes, 3 answers

C - Writing structs to a file (.pcap)

I am trying to write a .pcap file, which is something that can be used in Wireshark. In order to do that, I have a couple of structs with various data types I need to write to a file. (see code) So, I create the struct instances, fill in the data,…
KaiserJohaan
  • 8,578
  • 18
  • 105
  • 187
10 votes, 5 answers

Complete reconstruction of TCP Session (HTML pages) from Wireshark pcaps, any tools for this?

I wonder if there is a way in Wireshark to reconstruct a complete TCP session (HTML page(s)) if we have Wireshark pcaps. Can Wireshark do the reconstruction? Or is there any tool around that can do the reconstruction? Data streamed from a source…
user349026
10 votes, 2 answers

TcpDump: showing the absolute timestamp (date + time) of pcap file

I want to see the absolute timestamp of the packets in a pcap file using tcpdump. When I use the command tcpdump -r mypcapfile it only shows the time, 03:21:14.804778 IP static.vnpt.vn.51193 > 192.168.0.146.smtp. How can I read the date as well?
Alex
  • 1,498
  • 3
  • 20
  • 37
9 votes, 1 answer

Optimal SNAPLEN for PCAP live capture

When using pcap_open_live to sniff from an interface, I have seen a lot of examples using various numbers as SNAPLEN value, ranging from BUFSIZ () to "magic numbers". Wouldn't it make more sense to set as SNAPLEN the MTU of the interface we…
ziu
  • 2,446
  • 2
  • 22
  • 38
9 votes, 2 answers

How to send packets larger than 1500 bytes by pcap_sendpacket?

Actually, I have two related questions. I'm capturing filtered network traffic by libpcap on Debian. Then I need to replay this traffic on Win2k3 server. Sometimes I capture packets, both TCP and UDP, much larger than 1500 bytes (default MTU size…
Andriy Tylychko
  • 15,244
  • 5
  • 56
  • 103
9 votes, 2 answers

python / dpkt: Find out if packet is a TCP packet or a UDP packet

I have a Python script that captures the packets on the ethernet using dpkt, but how do I differentiate between which packets are TCP and which ones are UDP? Eventually I would like to have a list of packets for each TCP connection that was…
9 votes, 2 answers

Converting a PCAP trace to NetFlow format

I would like to convert some PCAP traces to Netflow format for further analysis with netflow tools. Is there any way to do that? Specifically, I want to use "flow-export" tool in order to extract some fields of interest from a netflow trace as…
Regressor
  • 237
  • 1
  • 2
  • 8
9 votes, 2 answers

Parsing pcap file taken from Wireshark using Java

I am working on converting a PCAP file taken from Wireshark using Java without using native or ready-made libraries. I converted the bytes to a string directly just for checking the meaningful parts of it. Then I tried to convert it from hexadecimal to…
MBH
  • 15,020
  • 18
  • 91
  • 140
8 votes, 2 answers

Why pcap_setfilter did not take effect

I'm using libpcap as a library to write a C program for catching incoming IPs. My code snippet is as follows: struct bpf_program filter; pcap_compile(pcap_handle, &filter, "icmp[icmptype]=0 and '(dst 16.11.26.100 or dst 16.11.27.100)'", 1,…
Jack
  • 4,626
  • 8
  • 46
  • 98
8 votes, 3 answers

Is there a way to programmatically export files using Wireshark's facilities?

I am trying to automate a repetitive manual process for which I use Wireshark: 1) Load a given pcap file 2) Apply a simple filter for a given protocol 3) Use the export dialog box to export the displayed packets to a CSV file 4) Use the export dialog…
Uri
  • 84,589
  • 46
  • 214
  • 312
8 votes, 2 answers

Convert txt packet data to pcap format to open it in Wireshark

Hi, I am working on an application where I have to read live packets from the network, work on them, and display them in a sophisticated way. But the problem is that I have the packets in a text file, so to open it in Wireshark I have to convert it to .pcap…
Aniket
  • 2,044
  • 4
  • 29
  • 48