Wireshark Captured Packet Analysis

I have been using the ethereal/wireshark network protocol analyser on GNU/Linux for the last 3 years, for troubleshooting, for a subject that I am teaching, for analysing protocols, to study network behaviour and also for my research work. Highly recommended if you are involved with computer networks of any type.

So the developer in you has captured the packets using ethereal/wireshark and now needs to perform some macho custom analysis of the captured data that may not be possible, or is too cumbersome, using wireshark. Here is my own experience with that; hope it helps you save some time.

Make sure you save your packet capture file in libpcap format from within ethereal/wireshark. XML formats are bad for speedy analysis of large files, and in case you try to analyse them using XPath, well, best of luck; may your analysis finish before the next new year.

Install libpcap and libpcapnav; we will use the pcapnav library for analysis of stored pcap capture files. libpcapnav is a well documented and easy to use wrapper over libpcap for reading and writing libpcap format capture files. Each packet in the pcap file has the following header (as defined in pcap.h, in your include directory):
```c
struct pcap_pkthdr {
    struct timeval ts;   /* time stamp */
    bpf_u_int32 caplen;  /* length of portion present */
    bpf_u_int32 len;     /* length this packet (off wire) */
};
```
struct timeval gives you the exact time of capture of the packet at very high resolution. Read this link carefully to see how to use struct timeval. The pcapnav library functions will return the above mentioned header and the raw captured packet for analysis. Copy the raw packet into the ethernet header (as defined in net/ethernet.h in your local include directory):
```c
struct ether_header
{
    u_int8_t  ether_dhost[ETH_ALEN];  /* destination eth addr */
    u_int8_t  ether_shost[ETH_ALEN];  /* source ether addr */
    u_int16_t ether_type;             /* packet type ID field */
};
```
And in your code, something like this may help:

```c
struct ether_header ethd;
memcpy(&ethd, packet, sizeof(ethd));
```

Keep in mind that the data will be in network byte order, so you may need the ntohl/ntohs C library functions. From the member ether_type you can tell what is inside the captured ethernet frame and do the necessary conversions/analysis. FYI, the IP header definition is in netinet/ip.h (inside your local include directory) in case the ethernet frame contains an IP datagram. Happy hacking.
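The walk described above (record header, then Ethernet header, then IP header, with ntohs on ether_type), as an added example that is not the post's code and does not use libpcapnav: so that it runs without the library installed, it reads the classic libpcap file format directly from an in-memory byte buffer (24-byte global header, 16-byte record header per packet, both in the writer's byte order as signalled by the magic). The header structs, the SAMPLE_PCAP bytes and the pcap_summary counters are constructed for this example. Every memcpy into a header struct is guarded by a caplen check first, which the post's two-line snippet does not show: a capture taken with a small snaplen, or a record cut short at end of file, is the normal way such a loop reads past the packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs(): Ethernet/IP fields are big-endian on the wire */

/* Classic libpcap file magic; the byte-swapped form means the writer's
 * endianness differs from ours and every file/record header needs swapping. */
#define PCAP_MAGIC      0xa1b2c3d4u
#define PCAP_MAGIC_SWAP 0xd4c3b2a1u
#define DLT_ETHERNET    1u
#define ETHERTYPE_IPV4  0x0800
#define ETHERTYPE_ARP   0x0806

/* Ethernet II and minimal IPv4 headers (hypothetical local definitions, standing in
 * for net/ethernet.h and netinet/ip.h). Field sizes leave no padding, so a memcpy()
 * from the raw frame fills them exactly. */
struct eth_hdr { uint8_t dhost[6]; uint8_t shost[6]; uint16_t type; };
struct ip4_hdr {
    uint8_t  ver_ihl, tos; uint16_t tot_len, id, frag_off;
    uint8_t  ttl, proto;   uint16_t check;
    uint32_t saddr, daddr;
};

struct pcap_summary {
    int records, ipv4, arp, other, tcp;
    int truncated;                            /* caplen < len: wire bytes missing from file */
    uint32_t first_ts_sec, first_ts_usec;     /* pcap_pkthdr.ts of the first record */
};

/* Read a 32-bit file/record header field, swapping if the magic said so. */
static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v; memcpy(&v, p, 4);
    return swap ? ((v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24)) : v;
}

/* Walk every record in an in-memory pcap file. Returns the record count, or a
 * negative value for a file we refuse to parse. Each header is bounds-checked
 * against caplen before it is copied out. */
int parse_pcap(const uint8_t *buf, size_t len, struct pcap_summary *s) {
    uint32_t magic; int swap; size_t off = 24;
    memset(s, 0, sizeof *s);
    if (len < 24) return -1;
    memcpy(&magic, buf, 4);
    if (magic == PCAP_MAGIC) swap = 0;
    else if (magic == PCAP_MAGIC_SWAP) swap = 1;
    else return -1;                                  /* not classic pcap (pcapng differs) */
    if (rd32(buf + 20, swap) != DLT_ETHERNET) return -2;
    while (off + 16 <= len) {
        uint32_t ts_sec = rd32(buf + off, swap), ts_usec = rd32(buf + off + 4, swap);
        uint32_t caplen = rd32(buf + off + 8, swap), wirelen = rd32(buf + off + 12, swap);
        const uint8_t *pkt = buf + off + 16;
        struct eth_hdr eth; struct ip4_hdr ip;
        off += 16;
        if (caplen > len - off) return -3;           /* record runs past end of file */
        off += caplen;
        if (s->records++ == 0) { s->first_ts_sec = ts_sec; s->first_ts_usec = ts_usec; }
        if (caplen < wirelen) s->truncated++;
        if (caplen < sizeof eth) continue;           /* not even a full Ethernet header */
        memcpy(&eth, pkt, sizeof eth);
        switch (ntohs(eth.type)) {                   /* network -> host byte order */
        case ETHERTYPE_ARP:  s->arp++;  continue;
        case ETHERTYPE_IPV4: s->ipv4++; break;
        default:             s->other++; continue;
        }
        if (caplen < sizeof eth + sizeof ip) continue;   /* IP header cut off by snaplen */
        memcpy(&ip, pkt + sizeof eth, sizeof ip);
        if ((ip.ver_ihl >> 4) == 4 && ip.proto == 6) s->tcp++;
    }
    return s->records;
}

/* Constructed sample file (not a real capture): little-endian pcap holding an
 * IPv4/TCP SYN, an ARP request, and an IPv4 frame cut to 20 bytes by snaplen. */
static const uint8_t SAMPLE_PCAP[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00,0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 0x01,0,0,0,
    /* record 1: ts 1000.000500, caplen 54, len 54 */
    0xe8,0x03,0,0, 0xf4,0x01,0,0, 0x36,0,0,0, 0x36,0,0,0,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01,
    0xc0,0x00,0x01,0xbb, 0,0,0,0x01, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0,
    /* record 2: ARP request, caplen 42, len 42 */
    0xe9,0x03,0,0, 0,0,0,0, 0x2a,0,0,0, 0x2a,0,0,0,
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,
    0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0xc0,0xa8,0x01,0x0a, 0,0,0,0,0,0, 0xc0,0xa8,0x01,0x01,
    /* record 3: IPv4 frame, caplen 20 but len 1514 (truncated by snaplen) */
    0xea,0x03,0,0, 0,0,0,0, 0x14,0,0,0, 0xea,0x05,0,0,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x05,0xdc,0x00,0x02,
};

int main(void) {
    struct pcap_summary s;
    int n = parse_pcap(SAMPLE_PCAP, sizeof SAMPLE_PCAP, &s);
    printf("records=%d ipv4=%d arp=%d other=%d tcp=%d truncated=%d first_ts=%u.%06u\n",
           n, s.ipv4, s.arp, s.other, s.tcp, s.truncated,
           (unsigned)s.first_ts_sec, (unsigned)s.first_ts_usec);
    return n < 0;
}
```

To use it on a real file, read the whole capture into a buffer (or mmap it) and hand it to parse_pcap; with libpcapnav the per-record loop is the same, except that the library returns the pcap_pkthdr and packet pointer for you and the caplen checks before each memcpy still apply. The ntohs on eth.type is the one conversion the post mentions; the pcap file header itself is not in network order but in the writer's order, which is why rd32 swaps on the magic rather than calling ntohl.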
Submitted by Ajay Pal Singh Atwal on February 26, 2007 - 10:13pm. Categories: Code | GNU/Linux