How to read a PCap file from Wireshark with C++

In the Computer Security class I am taking as part of my Master of Computer Science program, we need to parse a pcap dump file.

Prerequisites

It is expected that you already have Visual Studio 2010. It may work the same with Visual C++ 2010.

Step 1 – Install Wireshark

We are going to use Wireshark to get a packet capture. Wireshark is a nice, easy tool for getting one.

http://www.wireshark.org

Make sure to install Wireshark and let Wireshark install WinPcap when it prompts you.

Step 2 – Create a new project in Visual Studio

I already have a post on creating a WinPcap project in Visual Studio and getting it to compile, so follow it first:

How to compile WinPcap with Visual Studio 2010?

Step 3 – Get a packet capture.

  1. Open Wireshark and start a capture.
  2. Open your browser and visit a few sites.
  3. Stop the packet capture.
  4. Save the packet capture to a file.
    I named my file smallcapture.pcap.

Step 4 – Add C++ code to read the packet capture

I am going to paste the code below, with the comments and steps inside the code.

/*
* How to read a packet capture file.
*/

/*
* Step 1 - Add includes
*/
#include <cstdio>
#include <string>
#include <iostream>
#include <pcap.h>

using namespace std;

int main(int argc, char *argv[])
{
	/*
	* Step 2 - Get a file name
	*/

	string file = "C:\\users\\jared\\testfiles\\smallcapture.pcap";

	/*
	* Step 3 - Create a char array to hold the error.
	*/

	// Note: errbuf in pcap_open functions is assumed to be able to hold at least PCAP_ERRBUF_SIZE chars
	//       PCAP_ERRBUF_SIZE is defined as 256.
	// http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__def.html
	char errbuff[PCAP_ERRBUF_SIZE];

	/*
	* Step 4 - Open the file and store result in pointer to pcap_t
	*/

	// Use pcap_open_offline
	// http://www.winpcap.org/docs/docs_41b5/html/group__wpcapfunc.html#g91078168a13de8848df2b7b83d1f5b69
	pcap_t * pcap = pcap_open_offline(file.c_str(), errbuff);

	// pcap_open_offline returns NULL when the file cannot be opened or is not a valid capture.
	// Handing a NULL pcap_t to pcap_next_ex crashes inside wpcap.dll, so stop here instead.
	if (pcap == NULL)
	{
		fprintf(stderr, "Could not open %s: %s\n", file.c_str(), errbuff);
		return 1;
	}

	/*
	* Step 5 - Create a header and a data object
	*/

	// Create a header object:
	// http://www.winpcap.org/docs/docs_40_2/html/structpcap__pkthdr.html
	struct pcap_pkthdr *header;

	// Create a character array using a u_char
	// u_char is defined here:
	// C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Include\WinSock2.h
	// typedef unsigned char   u_char;
	const u_char *data;

	/*
	* Step 6 - Loop through packets and print them to screen
	*/
	u_int packetCount = 0;
	int returnValue;

	// pcap_next_ex returns 1 when a packet was read, -2 at the end of the file and -1 on error.
	// The assignment needs its own parentheses; otherwise the result of the comparison is
	// what gets assigned, and returnValue is useless after the loop.
	while ((returnValue = pcap_next_ex(pcap, &header, &data)) == 1)
	{
		// Print using printf. See printf reference:
		// http://www.cplusplus.com/reference/clibrary/cstdio/printf/

		// Show the packet number
		printf("Packet # %u\n", ++packetCount);

		// Show the size in bytes of the packet
		printf("Packet size: %u bytes\n", header->len);

		// Show a warning if the length captured is different (only caplen bytes are in data)
		if (header->len != header->caplen)
			printf("Warning! Capture size different than packet size: %u of %u bytes\n", header->caplen, header->len);

		// Show Epoch Time (cast to long so the format matches on every platform)
		printf("Epoch Time: %ld:%06ld seconds\n", (long)header->ts.tv_sec, (long)header->ts.tv_usec);

		// Loop through the packet and print it as hexadecimal representations of octets.
		// Stop at caplen, not len: bytes past caplen were never captured.
		for (u_int i=0; (i < header->caplen ) ; i++)
		{
			// Start printing on the next line after every 16 octets
			if ( (i % 16) == 0) printf("\n");

			// Print each octet as hex (x), make sure there is always two characters (.2).
			printf("%.2x ", data[i]);
		}

		// Add two lines between packets
		printf("\n\n");
	}

	// -1 means the file was corrupt or truncated mid-packet; -2 is the normal end of file.
	if (returnValue == -1)
		fprintf(stderr, "Error reading packet: %s\n", pcap_geterr(pcap));

	// Release the handle and close the file.
	pcap_close(pcap);
	return 0;
}

You are now reading packets in C++. The next step is to start differentiating the packet types.
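As an added example that is not part of the original post, here is a minimal dissector for the Ethernet/IPv4/TCP-UDP layers of one captured frame, which is what the questions in the comments below about printing addresses and ports are asking for. It is plain C++ with no libpcap dependency, so it can be called from the loop above as dissect(data, header->caplen); the PacketInfo type, the dissect function and the sample frame are my own constructions.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>

// Result of a minimal Ethernet/IPv4/TCP-UDP dissection; fields stay zero when a layer is absent.
struct PacketInfo {
    bool ipv4 = false;
    uint8_t proto = 0;            // IPv4 protocol number (6 = TCP, 17 = UDP)
    std::string src, dst;         // dotted-quad addresses
    uint16_t sport = 0, dport = 0;
    size_t payloadOffset = 0;     // offset of the transport payload from the frame start
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static std::string ip4(const uint8_t *p) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "%u.%u.%u.%u", (unsigned)p[0], (unsigned)p[1], (unsigned)p[2], (unsigned)p[3]);
    return buf;
}

// Every access is bounded by caplen (the bytes actually captured), never by header->len,
// and every length field read from the packet is checked before it is used as an offset.
PacketInfo dissect(const uint8_t *data, size_t caplen) {
    PacketInfo info;
    if (caplen < 14 || be16(data + 12) != 0x0800) return info;   // not IPv4 over Ethernet
    const uint8_t *ip = data + 14;
    size_t ipAvail = caplen - 14;
    if (ipAvail < 20 || (ip[0] >> 4) != 4) return info;
    size_t ihl = (ip[0] & 0x0F) * 4;                  // IHL comes from untrusted input
    if (ihl < 20 || ihl > ipAvail) return info;
    info.ipv4 = true; info.proto = ip[9];
    info.src = ip4(ip + 12); info.dst = ip4(ip + 16);
    const uint8_t *l4 = ip + ihl;
    size_t l4Avail = ipAvail - ihl;
    if (info.proto == 6 && l4Avail >= 20) {            // TCP: data offset is also untrusted
        size_t doff = (l4[12] >> 4) * 4;
        if (doff < 20 || doff > l4Avail) return info;
        info.sport = be16(l4); info.dport = be16(l4 + 2); info.payloadOffset = 14 + ihl + doff;
    } else if (info.proto == 17 && l4Avail >= 8) {     // UDP: fixed 8-byte header
        info.sport = be16(l4); info.dport = be16(l4 + 2); info.payloadOffset = 14 + ihl + 8;
    }
    return info;
}

// Constructed sample frame (not from a real capture): Ethernet + IPv4 10.0.0.1 -> 10.0.0.2 + TCP 12345 -> 80 + 4 payload bytes.
static const uint8_t kSample[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0x30,0x39, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0, 'G','E','T',' ' };
```

Passing a caplen smaller than the frame (a truncated capture) simply yields fewer parsed layers instead of a read past the buffer, which is the failure the Wireshark snaplen warning above is about.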

Resources

  • http://www.tcpdump.org/pcap.html
  • http://www.tcpdump.org/pcap3_man.html

21 Comments

  2. […] I am reading a pcap file and want to print the IP address and port number of each packet. I am using the code from http://www.tcpdump.org/pcap.htm and https://www.rhyous.com/2011/11/13/how-to-read-a-pcap-file-from-wireshark-with-c/. […]

  3. Massimo Perrone says:

    Thanks for the example. I think you should call pcap_close() at the end, just outside the while loop.

  4. Ahmad Zia says:

    It works the same with VS2012.

  5. SN says:

    I keep getting error LNK2019: unresolved external symbol pcap_next_ex referenced in function main
    error LNK2019: unresolved external symbol pcap_open_offline referenced in function main

    I tried adding #pragma comment (lib, "wpcap") to the main.cpp file. But that did not solve this problem.

  6. Dammy says:

    I have the same problem as Hind and Bakke. Have you been able to solve the problem? If yes, how did you go about it? Also, I want to read the data part of my Wireshark capture. I need to be able to extract the information from the capture. Can anyone be of help?

  7. Elad says:

    You can also use C++ libraries that wrap libpcap/WinPcap. One of them is PcapPlusPlus: https://github.com/seladb/PcapPlusPlus

  8. hind says:

    Thank you for this. I tried to compile it; it gives no errors, but it gives me this message while running it: "Unhandled exception at 0x100169fd (wpcap.dll) in testwinpcap.exe: 0xC0000005: Access violation reading location 0x00000224."

    How can I solve this problem?

  9. Bakke says:

    Hello, I am from Ecuador. I tested your code, but for some reason I get this error. Could you please help me with this? I installed all of libpcap, but the error keeps coming.
    Excepción no controlada en 0x100169FD (wpcap.dll) en ProyectoRedes.exe: 0xC0000005: Infracción de acceso al leer la ubicación 0x00000224.

    Unhandled exception in 0x100169FD (wpcap.dll) in ProyectoRedes.exe Project: 0xC0000005: Access violation reading the location 0x00000224.

    thanks and regards

  10. James VanOeffelen says:

    Hello, I have compiled and run this project in VS2012. It works well, however, it will not open a pcap file if it is larger than 5MB. Do you know of a reason and a possible fix for this?

  11. Bayanaa says:

    I captured packets in which audio samples are included.
    I saved some packets using Wireshark with the .pcap extension.
    I ran your code. But in the console it shows:
    packet number, packet size and epoch time, and a set of hex files. How to extract audio samples from these?

    Is it possible to capture packets using pcap and extract audio samples in real time?
    Thank you

  12. fontikos says:

    Thanks! It worked like a charm.

  13. emily says:

    readpcap.c: In function ‘int main(int, char**)’:
    readpcap.c:56: warning: unused variable ‘returnValue’

    Compile error. Please help

  14. Chingon says:

    Hello Rhyous. Could you help me with a project based on UPnP to connect to a wireless router using the WPS protocol?

    I know it has nothing to do with your thread, but I have no one to turn to who understands C++.

    The project compiles without problems, no errors; I just need to modify the code a bit, but I know very little about C++.

  15. Chingon says:

    Solved! i added this line: "#pragma comment (lib, "wpcap")"

  16. Chingon says:

    Thanks, but it doesn't work:

    Error 1 error LNK2019: unresolved external symbol _pcap_next_ex that is referenced in function _main C:\Users\Chingon\Documents\VisualStudio2010\Projects\std\std.obj

    Error 2 Error LNK2019: unresolved external symbol _pcap_open_offline that is referenced in function _main C:\Users\Chingon\Documents\VisualStudio2010\Projects\std\std.obj

  17. Emanuel Felipe says:

    When I did Copy/Paste the code didn't work, le wild error in lines 66 and 70 just appeared.
    To fix you should delete the 'l' after %, and "your" code should work fine.

  18. [...] to compile and it should work. You are now ready to develop using WinPcap. Next: How to read a PCap file from Wireshark with C++ [...]
