How to read a PCap file from Wireshark with C++

In my Computer Security class I am taking as part of my Masters of Computer Science course, we need to parse a Pcap dump file.

Prerequisites

It is expected you have Visual Studio 2010 already. It may work the same with Visual C++ 2010.

Step 1 – Install Wireshark

We are going to use Wireshark to get a packet capture. Wireshark is a nice easy tool to get a packet capture.

http://www.wireshark.org

Make sure to install Wireshark and let Wireshark install WinPcap when it prompts you.

Step 2 – Create a new project in Visual Studio

I already have post on creating a WinPcap project in Visual Studio and getting it to compile, so follow it.

How to compile WinPcap with Visual Studio 2010?

Step 3 – Get a packet capture.

  1. Open Wireshark and start capturing file.
  2. Open your browser or go to a few sites.
  3. Stop the packet capture.
  4. Save the packet capture to a file.
    I named my file smallcapture.pcap.

Step 4 – Add C++ code to read the packet capture

I am going to paste the code for you and put the comments and steps in the code.

/*
* How to read a packet capture file.
*/

/*
* Step 1 - Add includes
*/
#include <string>
#include <iostream>
#include <pcap.h>

using namespace std;

int main(int argc, char *argv[])
{
	/*
	* Step 2 - Get a file name
	*/

	string file = "C:\\users\\jared\\testfiles\\smallcapture.pcap";

	/*
	* Step 3 - Create an char array to hold the error.
	*/

	// Note: errbuf in pcap_open functions is assumed to be able to hold at least PCAP_ERRBUF_SIZE chars
	//       PCAP_ERRBUF_SIZE is defined as 256.
	// http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__def.html
	char errbuff[PCAP_ERRBUF_SIZE];

	/*
	* Step 4 - Open the file and store result in pointer to pcap_t
	*/

	// Use pcap_open_offline
	// http://www.winpcap.org/docs/docs_41b5/html/group__wpcapfunc.html#g91078168a13de8848df2b7b83d1f5b69
	pcap_t * pcap = pcap_open_offline(file.c_str(), errbuff);

	/*
	* Step 5 - Create a header and a data object
	*/

	// Create a header object:
	// http://www.winpcap.org/docs/docs_40_2/html/structpcap__pkthdr.html
	struct pcap_pkthdr *header;

	// Create a character array using a u_char
	// u_char is defined here:
	// C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Include\WinSock2.h
	// typedef unsigned char   u_char;
	const u_char *data;

	/*
	* Step 6 - Loop through packets and print them to screen
	*/
	u_int packetCount = 0;
	while (int returnValue = pcap_next_ex(pcap, &header, &data) >= 0)
	{
		// Print using printf. See printf reference:
		// http://www.cplusplus.com/reference/clibrary/cstdio/printf/

		// Show the packet number
		printf("Packet # %i\n", ++packetCount);

		// Show the size in bytes of the packet
		printf("Packet size: %d bytes\n", header->len);

		// Show a warning if the length captured is different
		if (header->len != header->caplen)
			printf("Warning! Capture size different than packet size: %ld bytes\n", header->len);

		// Show Epoch Time
		printf("Epoch Time: %d:%d seconds\n", header->ts.tv_sec, header->ts.tv_usec);

		// loop through the packet and print it as hexidecimal representations of octets
		// We also have a function that does this similarly below: PrintData()
		for (u_int i=0; (i < header->caplen ) ; i++)
		{
			// Start printing on the next after every 16 octets
			if ( (i % 16) == 0) printf("\n");

			// Print each octet as hex (x), make sure there is always two characters (.2).
			printf("%.2x ", data[i]);
		}

		// Add two lines between packets
		printf("\n\n");
	}
}

You are now reading packets in C++. Now you can start working on differentiating the packet types.

Resources

  • http://www.tcpdump.org/pcap.html
  • http://www.tcpdump.org/pcap3_man.html

9 Comments

  1. emily says:

    readpcap.c: In function ‘int main(int, char**)’:
    readpcap.c:56: warning: unused variable ‘returnValue’

    Compile error. Please help

  2. Chingon says:

    hello Rhyous. You could help me with a project based on UPnP to connect to wireless router using the WPS protocol?

    I know it has nothing to do with your thread, but no one to turn to who understands C + +

    The project will compile without problems, no errors, just need to modify a bit the code, but I know very little about C + +

  3. Chingon says:

    Solved! i added this line: "#pragma comment (lib, "wpcap")"

  4. Chingon says:

    Thanks but dont work:

    Error 1 error LNK2019: unresolved external symbol _pcap_next_ex that is referenced in function _main C:\Users\Chingon\Documents\VisualStudio2010\Projects\std\std.obj

    Error 2 Error LNK2019: unresolved external symbol _pcap_open_offline that is referenced in function _main C:\Users\Chingon\Documents\VisualStudio2010\Projects\std\std.obj

  5. [...] I am reading a pcap file and I want to print out the ip address and port number of each packet. I am using code from www.tcpdump.org/pcap.htm and www.rhyous.com/2011/11/13/how-to-read-a-pcap-file-from-wireshark-with-c/. [...]

  6. Emanuel Felipe says:

    When I did Copy/Paste the code didn't work, le wild error in lines 66 and 70 just appeared.
    To fix you should delete the 'l' after %, and "your" code should work fine.

  7. [...] to compile and it should work. You are now ready to develop using WinPcap. Next: How to read a PCap file from Wireshark with C++ Category: C++  |  Comment (RSS) [...]

Leave a Reply

Powered by sweetCaptcha