How to read a PCap file from Wireshark with C++
In my Computer Security class I am taking as part of my Masters of Computer Science course, we need to parse a Pcap dump file.
Prerequisites
It is expected you have Visual Studio 2010 already. It may work the same with Visual C++ 2010.
Step 1 – Install Wireshark
We are going to use Wireshark to get a packet capture. Wireshark is a nice easy tool to get a packet capture.
Make sure to install Wireshark and let Wireshark install WinPcap when it prompts you.
Step 2 – Create a new project in Visual Studio
I already have post on creating a WinPcap project in Visual Studio and getting it to compile, so follow it.
How to compile WinPcap with Visual Studio 2010?
Step 3 – Get a packet capture.
- Open Wireshark and start capturing file.
- Open your browser or go to a few sites.
- Stop the packet capture.
- Save the packet capture to a file.
I named my file smallcapture.pcap.
Step 4 – Add C++ code to read the packet capture
I am going to paste the code for you and put the comments and steps in the code.
/*
* How to read a packet capture file.
*/
/*
* Step 1 - Add includes
*/
#include <string>
#include <iostream>
#include <pcap.h>
using namespace std;
int main(int argc, char *argv[])
{
/*
* Step 2 - Get a file name
*/
string file = "C:\\users\\jared\\testfiles\\smallcapture.pcap";
/*
* Step 3 - Create an char array to hold the error.
*/
// Note: errbuf in pcap_open functions is assumed to be able to hold at least PCAP_ERRBUF_SIZE chars
// PCAP_ERRBUF_SIZE is defined as 256.
// http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__def.html
char errbuff[PCAP_ERRBUF_SIZE];
/*
* Step 4 - Open the file and store result in pointer to pcap_t
*/
// Use pcap_open_offline
// http://www.winpcap.org/docs/docs_41b5/html/group__wpcapfunc.html#g91078168a13de8848df2b7b83d1f5b69
pcap_t * pcap = pcap_open_offline(file.c_str(), errbuff);
/*
* Step 5 - Create a header and a data object
*/
// Create a header object:
// http://www.winpcap.org/docs/docs_40_2/html/structpcap__pkthdr.html
struct pcap_pkthdr *header;
// Create a character array using a u_char
// u_char is defined here:
// C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Include\WinSock2.h
// typedef unsigned char u_char;
const u_char *data;
/*
* Step 6 - Loop through packets and print them to screen
*/
u_int packetCount = 0;
while (int returnValue = pcap_next_ex(pcap, &header, &data) >= 0)
{
// Print using printf. See printf reference:
// http://www.cplusplus.com/reference/clibrary/cstdio/printf/
// Show the packet number
printf("Packet # %i\n", ++packetCount);
// Show the size in bytes of the packet
printf("Packet size: %d bytes\n", header->len);
// Show a warning if the length captured is different
if (header->len != header->caplen)
printf("Warning! Capture size different than packet size: %ld bytes\n", header->len);
// Show Epoch Time
printf("Epoch Time: %d:%d seconds\n", header->ts.tv_sec, header->ts.tv_usec);
// loop through the packet and print it as hexidecimal representations of octets
// We also have a function that does this similarly below: PrintData()
for (u_int i=0; (i < header->caplen ) ; i++)
{
// Start printing on the next after every 16 octets
if ( (i % 16) == 0) printf("\n");
// Print each octet as hex (x), make sure there is always two characters (.2).
printf("%.2x ", data[i]);
}
// Add two lines between packets
printf("\n\n");
}
}
You are now reading packets in C++. Now you can start working on differentiating the packet types.
Resources
- http://www.tcpdump.org/pcap.html
- http://www.tcpdump.org/pcap3_man.html
