Hi guys, how can I collect the packet length for each packet in the pcap file? Thanks a lot
I suggest a high-tech method, which very few people know: reading the documentation.
man pcap tells us there are actually two different lengths available:
- caplen: a bpf_u_int32 giving the number of bytes of the packet that are available from the capture
- len: a bpf_u_int32 giving the length of the packet, in bytes (which might be more than the number of bytes available from the capture, if the length of the packet is larger than the maximum number of bytes to capture)
An example in C:
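```c
/* handle is an open pcap_t *, header a struct pcap_pkthdr, packet a const u_char * */
for (;;) {
    /* Grab a packet */
    packet = pcap_next(handle, &header);
    if (packet == NULL) {
        /* End of file */
        break;
    }
    /* header.len is a bpf_u_int32, so print it as unsigned */
    printf("Got a packet with length of [%u]\n", header.len);
}
```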
Another one in Python with the pcapy library:
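```python
import pcapy

reader = pcapy.open_offline("packets.pcap")
while True:
    try:
        (header, payload) = reader.next()
        # Some pcapy versions return a None header at end of file instead of raising
        if header is None:
            break
        print("Got a packet of length %d" % header.getlen())
    except pcapy.PcapError:
        break
```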
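The caplen/len distinction quoted from the man page is visible directly in each record header of the file. This added example (not part of the original answers) reads a classic pcap stream with only the Python standard library and yields both lengths for every packet; the capture bytes are constructed in `build_sample()`, and the function names and the 262144-byte bound (libpcap's MAXIMUM_SNAPLEN) are choices made for this example.

```python
import io
import struct

# Magic bytes as stored on disk -> struct byte-order prefix
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
MAX_CAPLEN = 262144  # libpcap's MAXIMUM_SNAPLEN, used here as a sanity bound

def packet_lengths(stream):
    """Yield (caplen, len) for every record in a classic pcap stream."""
    global_header = stream.read(24)
    if len(global_header) < 24:
        raise ValueError("too short for a pcap global header")
    endian = PCAP_MAGICS.get(global_header[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    while True:
        record = stream.read(16)
        if not record:
            return  # clean end of file
        if len(record) < 16:
            raise ValueError("truncated record header")
        _sec, _frac, caplen, wirelen = struct.unpack(endian + "IIII", record)
        # Lengths come from the file, so bound them before reading the data
        if caplen > wirelen or caplen > MAX_CAPLEN:
            raise ValueError("implausible caplen %d" % caplen)
        if len(stream.read(caplen)) < caplen:
            raise ValueError("truncated packet data")
        yield caplen, wirelen

def build_sample():
    """Constructed capture: snaplen 64, a 60-byte frame and a 1500-byte frame cut to 64."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    for caplen, wirelen in ((60, 60), (64, 1500)):
        out += struct.pack("<IIII", 0, 0, caplen, wirelen) + b"\x00" * caplen
    return out

if __name__ == "__main__":
    for n, (caplen, wirelen) in enumerate(packet_lengths(io.BytesIO(build_sample())), 1):
        note = " (truncated by snaplen)" if caplen < wirelen else ""
        print("packet %d: caplen=%d len=%d%s" % (n, caplen, wirelen, note))
```

To run it on a real capture, pass `open("packets.pcap", "rb")` to `packet_lengths()` instead of the constructed sample.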
Those two examples below work fine:
- using C, WinPcap
- using python, SCAPY
(WinPcap) (Compiler: CL, Microsoft VC) I have written this function (in C) to get the packet size and it works fine. Don't forget to include pcap.h and set HAVE_REMOTE in the compiler preprocessor definitions.
```c
#include <stdio.h>
#include <pcap.h>   /* build with HAVE_REMOTE defined (WinPcap) */

/* Returns the length of the first packet in pcapfile, or 0 on error */
u_int getpkt_size(char *pcapfile)
{
    pcap_t *indesc;
    char errbuf[PCAP_ERRBUF_SIZE];
    char source[PCAP_BUF_SIZE];
    int res;                        /* pcap_next_ex() returns a signed int */
    struct pcap_pkthdr *pktheader;
    const u_char *pktdata;          /* pcap_next_ex() expects const u_char ** */
    u_int pktsize = 0;

    /* Create the source string according to the new WinPcap syntax */
    if (pcap_createsrcstr(source,        // variable that will keep the source string
                          PCAP_SRC_FILE, // we want to open a file
                          NULL,          // remote host
                          NULL,          // port on the remote host
                          pcapfile,      // name of the file we want to open
                          errbuf         // error buffer
                          ) != 0)
    {
        fprintf(stderr, "\nError creating a source string\n");
        return 0;
    }

    /* Open the capture file */
    if ((indesc = pcap_open(source, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errbuf)) == NULL)
    {
        fprintf(stderr, "\nUnable to open the file %s.\n", source);
        return 0;
    }

    /* Get the first packet */
    res = pcap_next_ex(indesc, &pktheader, &pktdata);
    if (res != 1) {
        printf("\nError Reading PCAP File");
        pcap_close(indesc);         /* do not leak the handle on the error path */
        return 0;
    }

    /* Get the packet size */
    pktsize = pktheader->len;

    /* Close the input file */
    pcap_close(indesc);
    return pktsize;
}
```
Another working example in Python using the wonderful SCAPY

```python
from scapy.all import rdpcap

pkts = rdpcap("data.pcap", 1)  # reading only 1 packet from the file
OnePkt = pkts[0]
print(len(OnePkt))  # prints the length of the packet
```