Ethereal-dev: Re: [Ethereal-dev] Extracting IP packets from a PCAP file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Raghavendra .K.M" <raghav_rkm@xxxxxxxxx>
Date: Wed, 7 Jun 2006 16:31:32 -0700 (PDT)
Hi all,

Thanks for the inputs.

The requirement is to develop a tool, something like a pseudo-server.

So, given a pcap file, I want to just get the IP packets out of it.

The pcap file will have timestamp information about the packets received.

From the IP packets and timestamp info, my tool would simulate a server and interact with a remote client.

I got an executable built using WinPcap which just parses all the captured packets in a pcap file and displays them as a hex dump along with timestamps.

Starting from here, I want to strip out all the link-layer headers and get just the IP packets, and use them.

How do I do this? Will WinDump solve this problem?

Appreciate your help,
Raghu


Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Jun 6, 2006, at 4:25 PM, Raghavendra .K.M wrote:

> I need to implement a parser which parses a pcap file, extracts IP
> packets out of it and dumps them into a txt file on the Windows platform

IP packets are binary, so you can't just dump them into a text file.
Do you mean you want to dump the raw data in hex/text format, similar
to the bottommost pane of the Ethereal window? Or do you want to
dump out an analysis of the data in the packet, similar to the middle
pane of the Ethereal window?

> Is there any source code available

Yes - they're called "tcpdump" (or "WinDump") and "Ethereal". :-)

> or should I have to understand the PCAP file format and write the
> parser from scratch.

Tcpdump/WinDump don't understand the pcap file format; they use
libpcap/WinPcap to read it.

The only part of Ethereal that understands the pcap file format is
the low-level file reading code, which exists because it has to
support random access to the file, handle compressed files, and
handle a lot of other file formats, none of which libpcap does.

However, the hard part isn't understanding the file format; the hard
part is understanding the *packet* format. tcpdump is a relatively
simple program to parse packets, and the current top of tree version
is 72453 lines of C code. Ethereal has even more lines than that.
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev

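A minimal pcap reader that does the link-layer stripping Raghu asks about, added here as an example; it is not code from this thread, nor from tcpdump, WinPcap or Ethereal. It assumes Ethernet captures (link type 1, with optional 802.1Q VLAN tags), uses the 24-byte global header and 16-byte per-record header of the classic pcap format, and refuses any record that claims more bytes than the snaplen or the file holds rather than reading past the buffer. The sample capture at the bottom is constructed inline.

```python
import struct

LINKTYPE_ETHERNET = 1  # pcap global-header link type: 14-byte header, plus 4 bytes per 802.1Q VLAN tag
ETH_P_IP, ETH_P_IPV6, ETH_P_8021Q = 0x0800, 0x86DD, 0x8100

# Magic number -> (struct byte order, divisor turning the fraction field into seconds).
MAGICS = {b"\xa1\xb2\xc3\xd4": (">", 10**6), b"\xd4\xc3\xb2\xa1": ("<", 10**6),
          b"\xa1\xb2\x3c\x4d": (">", 10**9), b"\x4d\x3c\xb2\xa1": ("<", 10**9)}


def strip_link_header(linktype, frame):
    """Return the IP packet inside a captured frame, or None if the frame carries no IP."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    while ethertype == ETH_P_8021Q:  # walk past any VLAN tags to the real EtherType
        if len(frame) < off + 4:
            return None
        ethertype, off = struct.unpack("!H", frame[off + 2:off + 4])[0], off + 4
    return frame[off:] if ethertype in (ETH_P_IP, ETH_P_IPV6) else None


def ip_packets(data):
    """Yield (timestamp in seconds, IP packet bytes) for every IP packet in a pcap byte string."""
    if data[:4] not in MAGICS:
        raise ValueError("not a pcap file")
    endian, divisor = MAGICS[data[:4]]
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
    snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])[5:]
    off = 24
    while off + 16 <= len(data):  # per-record header: ts_sec, ts_frac, incl_len, orig_len
        ts_sec, ts_frac, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("record length exceeds snaplen or file size")  # never read past buffer
        frame, off = data[off:off + incl_len], off + incl_len
        pkt = strip_link_header(linktype, frame)
        if pkt is not None:
            yield ts_sec + ts_frac / divisor, pkt


def build_sample_pcap():
    """Constructed little-endian Ethernet capture: IPv4, ARP (no IP), VLAN-tagged IPv4."""
    ip = bytes.fromhex("4500001400010000401100000a0000010a000002")  # minimal IPv4 header
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"                 # dst MAC, src MAC
    frames = [eth + b"\x08\x00" + ip, eth + b"\x08\x06" + b"\x00" * 28,
              eth + b"\x81\x00\x00\x64\x08\x00" + ip]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1149722300 + i, 500000, len(frame), len(frame)) + frame
    return out
```

Running `list(ip_packets(build_sample_pcap()))` yields two (timestamp, packet) pairs: the ARP frame is dropped, and the VLAN-tagged frame comes out as the same bare IPv4 packet as the untagged one.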