开发者

collect packet length in pcap file

开发者 https://www.devze.com 2023-01-05 17:37 出处:网络
hi guys how can i collect the packet length for eac开发者_如何学编程h packet in the pcap file? thanks a lotI suggest a high-tech method, which very few people know: reading the documentation.

hi guys how can i collect the packet length for eac开发者_如何学编程h packet in the pcap file? thanks a lot


I suggest a high-tech method, which very few people know: reading the documentation.

man pcap tells us there are actually two different lengths available:

              caplen a  bpf_u_int32  giving the number of bytes of the packet that are
                     available from the capture

              len    a bpf_u_int32 giving the length of the packet,  in  bytes  (which
                     might  be  more  than the number of bytes available from the cap-
                     ture, if the length of the packet is larger than the maximum num-
                     ber of bytes to capture)

An example in C:

/* Grab a packet */
                packet = pcap_next(handle, &header);
                if (packet == NULL) {   /* End of file */
                        break;
                }
                printf ("Got a packet with length of [%d] \n",
                                     header.len);

Another one in Python with the pcapy library:

import pcapy

reader = pcapy.open_offline("packets.pcap")

while True:
    try:
        (header, payload) = reader.next()
        print "Got a packet of length %d" % header.getlen()
    except pcapy.PcapError:
        break


Those two examples below work fine:

  • using C, WinPcap
  • using python, SCAPY

(WinPcap)(Compiler CL , Microsoft VC) I have wrote this function (in C) to get packet size and it works fine. Don't forget to include pcap.h and set HAVE_REMOTE in compiler preprocessors

u_int getpkt_size(char * pcapfile){

pcap_t *indesc;
char errbuf[PCAP_ERRBUF_SIZE];
char source[PCAP_BUF_SIZE];
u_int res;
struct pcap_pkthdr *pktheader;
u_char *pktdata;
u_int pktsize=0;



/* Create the source string according to the new WinPcap syntax */
if ( pcap_createsrcstr( source,         // variable that will keep the source string
                        PCAP_SRC_FILE,  // we want to open a file
                        NULL,           // remote host
                        NULL,           // port on the remote host
                        pcapfile,        // name of the file we want to open
                        errbuf          // error buffer
                        ) != 0)
{
    fprintf(stderr,"\nError creating a source string\n");
    return 0;
}

/* Open the capture file */
if ( (indesc= pcap_open(source, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errbuf) ) == NULL)
{
    fprintf(stderr,"\nUnable to open the file %s.\n", source);
    return 0;
}


/* get the first packet*/

    res=pcap_next_ex( indesc, &pktheader, &pktdata);

    if (res !=1){
        printf("\nError Reading PCAP File");
                    return 0;
            }



/* Get the packet size*/
pktsize=pktheader->len;

/* Close the input file */
pcap_close(indesc);

return pktsize;

}

Another wroking Example in Python using the wonderful SCAPY

    from scapy.all import *

    pkts=rdpcap("data.pcap",1) # reading only 1 packet from the file
    OnePkt=pkts[0] 
    print len(OnePkt) # prints the length of the packet
0

精彩评论

暂无评论...
验证码 换一张
取 消