How to read a PCap file from Wireshark with C++
In my Computer Security class, which I am taking as part of my Master of Computer Science course, we need to parse a Pcap dump file.
Prerequisites
It is expected you have Visual Studio 2010 already. It may work the same with Visual C++ 2010.
Step 1 – Install Wireshark
We are going to use Wireshark to get a packet capture. Wireshark is a nice, easy tool for getting a packet capture.
Make sure to install Wireshark and let Wireshark install WinPcap when it prompts you.
Step 2 – Create a new project in Visual Studio
I already have a post on creating a WinPcap project in Visual Studio and getting it to compile, so follow it.
How to compile WinPcap with Visual Studio 2010?
Step 3 – Get a packet capture.
- Open Wireshark and start a capture.
- Open your browser and visit a few sites.
- Stop the packet capture.
- Save the packet capture to a file.
I named my file smallcapture.pcap.
Step 4 – Add C++ code to read the packet capture
I am going to paste the code for you and put the comments and steps in the code.
```cpp
/*
 * How to read a packet capture file.
 */

/*
 * Step 1 - Add includes
 */
#include <cstdio>
#include <string>
#include <iostream>
#include <pcap.h>

using namespace std;

int main(int argc, char *argv[])
{
    /*
     * Step 2 - Get a file name
     */
    string file = "C:\\users\\jared\\testfiles\\smallcapture.pcap";

    /*
     * Step 3 - Create a char array to hold the error.
     */
    // Note: errbuf in pcap_open functions is assumed to be able to hold at least PCAP_ERRBUF_SIZE chars
    // PCAP_ERRBUF_SIZE is defined as 256.
    // http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__def.html
    char errbuff[PCAP_ERRBUF_SIZE];

    /*
     * Step 4 - Open the file and store result in pointer to pcap_t
     */
    // Use pcap_open_offline
    // http://www.winpcap.org/docs/docs_41b5/html/group__wpcapfunc.html#g91078168a13de8848df2b7b83d1f5b69
    pcap_t *pcap = pcap_open_offline(file.c_str(), errbuff);
    if (pcap == NULL)
    {
        // The file could not be opened (wrong path, not a pcap file, ...); errbuff says why.
        // Without this check the loop below would dereference a NULL handle inside wpcap.dll.
        fprintf(stderr, "Could not open %s: %s\n", file.c_str(), errbuff);
        return 1;
    }

    /*
     * Step 5 - Create a header and a data object
     */
    // Create a header object:
    // http://www.winpcap.org/docs/docs_40_2/html/structpcap__pkthdr.html
    struct pcap_pkthdr *header;

    // Create a character array using a u_char
    // u_char is defined here:
    // C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Include\WinSock2.h
    // typedef unsigned char u_char;
    const u_char *data;

    /*
     * Step 6 - Loop through packets and print them to screen
     */
    // pcap_next_ex returns 1 when it has a packet, -2 at the end of the savefile and -1 on error,
    // so loop while the return value is non-negative. The assignment is parenthesised so that
    // returnValue holds the return code rather than the result of the comparison.
    u_int packetCount = 0;
    int returnValue;
    while ((returnValue = pcap_next_ex(pcap, &header, &data)) >= 0)
    {
        // Print using printf. See printf reference:
        // http://www.cplusplus.com/reference/clibrary/cstdio/printf/

        // Show the packet number
        printf("Packet # %u\n", ++packetCount);

        // Show the size in bytes of the packet
        printf("Packet size: %u bytes\n", header->len);

        // Show a warning if the length captured is different
        if (header->len != header->caplen)
            printf("Warning! Capture size different than packet size: %u bytes\n", header->caplen);

        // Show Epoch Time
        printf("Epoch Time: %ld:%06ld seconds\n", (long)header->ts.tv_sec, (long)header->ts.tv_usec);

        // Loop through the packet and print it as hexadecimal representations of octets.
        // Only caplen bytes were captured, so never read past caplen even when len is larger.
        for (u_int i = 0; i < header->caplen; i++)
        {
            // Start printing on the next line after every 16 octets
            if ((i % 16) == 0)
                printf("\n");

            // Print each octet as hex (x), make sure there are always two characters (.2).
            printf("%.2x ", data[i]);
        }

        // Add two lines between packets
        printf("\n\n");
    }

    // -1 means pcap_next_ex hit an error rather than the end of the file
    if (returnValue == -1)
        fprintf(stderr, "Error reading packet: %s\n", pcap_geterr(pcap));

    /*
     * Step 7 - Close the handle
     */
    pcap_close(pcap);
    return 0;
}
```
You are now reading packets in C++. Now you can start working on differentiating the packet types.
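As an added example that is not part of the original post, the parser below reads the classic pcap file format itself (the 24-byte global header and the 16-byte per-record header that pcap_pkthdr is filled from) without any pcap library, and decodes the IPv4 addresses and TCP/UDP ports from each Ethernet frame, which is the first step of differentiating packet types. The sample capture bytes and the names parsePcap, sampleCapture and Endpoint are constructed for this example; it handles both writer byte orders and stops on a record whose caplen runs past the end of the file, the check a trusting reader of header->caplen does not get for free.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// One parsed record; src/dst/ports stay empty or zero for frames that are not IPv4 TCP/UDP.
struct Endpoint { std::string src, dst; uint16_t sport = 0, dport = 0; uint8_t proto = 0; uint32_t caplen = 0, len = 0; };

// Read a 32-bit field in the byte order the file was written in (the magic number tells us which).
static uint32_t rd32(const uint8_t *p, bool be) {
    return be ? (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | p[2] << 16 | p[1] << 8 | p[0];
}
static std::string ip4(const uint8_t *p) { return std::to_string(p[0]) + "." + std::to_string(p[1]) + "." + std::to_string(p[2]) + "." + std::to_string(p[3]); }

// Walk the global header and every record header. A record whose caplen runs past the end of
// the buffer (truncated or malformed file) stops the walk instead of reading out of bounds.
std::vector<Endpoint> parsePcap(const std::vector<uint8_t> &f) {
    std::vector<Endpoint> out;
    if (f.size() < 24) return out;
    bool be = f[0] == 0xa1 && f[1] == 0xb2 && f[2] == 0xc3 && f[3] == 0xd4;   // writer was big-endian
    bool le = f[0] == 0xd4 && f[1] == 0xc3 && f[2] == 0xb2 && f[3] == 0xa1;   // writer was little-endian
    if (!be && !le) return out;                        // not a classic pcap magic (e.g. pcapng)
    if (rd32(&f[20], be) != 1) return out;             // linktype 1 = Ethernet is the only one decoded here
    for (size_t off = 24; off + 16 <= f.size(); ) {
        Endpoint e;
        e.caplen = rd32(&f[off + 8], be); e.len = rd32(&f[off + 12], be);
        if (e.caplen > f.size() - off - 16) break;     // record claims more bytes than the file holds
        const uint8_t *pkt = f.data() + off + 16;
        // Ethernet header is 14 bytes; EtherType 0x0800 = IPv4; IPv4 header length is IHL*4 bytes
        if (e.caplen >= 34 && pkt[12] == 0x08 && pkt[13] == 0x00 && (pkt[14] >> 4) == 4) {
            size_t ihl = (pkt[14] & 0x0f) * 4;
            e.proto = pkt[23]; e.src = ip4(pkt + 26); e.dst = ip4(pkt + 30);
            if ((e.proto == 6 || e.proto == 17) && e.caplen >= 14 + ihl + 4) {   // TCP or UDP ports
                e.sport = (uint16_t)(pkt[14 + ihl] << 8 | pkt[15 + ihl]);
                e.dport = (uint16_t)(pkt[16 + ihl] << 8 | pkt[17 + ihl]);
            }
        }
        out.push_back(e); off += 16 + e.caplen;
    }
    return out;
}

// Constructed sample (little-endian pcap): one Ethernet/IPv4/UDP packet 10.0.0.1:53 -> 10.0.0.2:49152.
std::vector<uint8_t> sampleCapture() {
    std::vector<uint8_t> f = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0};
    const uint8_t rec[] = {0x80,0x17,0xa1,0x4e, 0,0,0,0, 42,0,0,0, 42,0,0,0,    // ts_sec, ts_usec, caplen, len
        0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,                                 // Ethernet, EtherType IPv4
        0x45,0,0,28, 0,1,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,                    // IPv4, proto 17 = UDP
        0x00,0x35, 0xc0,0x00, 0,8, 0,0};                                       // UDP 53 -> 49152
    f.insert(f.end(), rec, rec + sizeof rec);
    return f;
}
```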
Resources
- http://www.tcpdump.org/pcap.html
- http://www.tcpdump.org/pcap3_man.html
[…] I am reading a pcap file and want to print the IP address and port number of each packet. I am using the code from http://www.tcpdump.org/pcap.htm and http://www.rhyous.com/2011/11/13/how-to-read-a-pcap-file-from-wireshark-with-c/. […]
Thanks for the example. I think you should call pcap_close() at the end, just outside the while loop.
It works the same with VS2012.
I keep getting error LNK2019: unresolved external symbol pcap_next_ex referenced in function main
error LNK2019: unresolved external symbol pcap_open_offline referenced in function main
I tried adding #pragma comment (lib, "wpcap") to the main.cpp file, but that did not solve the problem.
Solved the problem I had. Be very careful to avoid any and all typos in the instructions provided at http://www.rhyous.com/2011/11/12/how-to-compile-winpcap-with-visual-studio-2010/
I have the same problem as Hind and Bakke. Have you been able to solve the problem? If yes, how did you go about it? Also, I want to read the data part of my Wireshark capture. I need to be able to extract the information from the capture. Can anyone be of help?
You can also use C++ libraries that wrap libpcap/WinPcap. One of them is PcapPlusPlus: https://github.com/seladb/PcapPlusPlus
Thank you for this. I tried to compile it and it gives no errors, but it gives me this message while running: "Unhandled exception at 0x100169fd (wpcap.dll) in testwinpcap.exe: 0xC0000005: Access violation reading location 0x00000224."
How can I solve this problem?
Hello, I am from Ecuador and tested your code, but for some reason I get this error. Could you please help me with this? I installed all of libpcap but the error keeps coming.
Excepción no controlada en 0x100169FD (wpcap.dll) en ProyectoRedes.exe: 0xC0000005: Infracción de acceso al leer la ubicación 0x00000224.
Unhandled exception in 0x100169FD (wpcap.dll) in ProyectoRedes.exe Project: 0xC0000005: Access violation reading the location 0x00000224.
thanks and regards
Hello, I have compiled and run this project in VS2012. It works well, however, it will not open a pcap file if it is larger than 5MB. Do you know of a reason and a possible fix for this?
I captured packets in which audio samples are included.
I saved some packets using wireshark as .pcap extension.
I ran your code, but in the console it shows:
packet number, packet size and epoch time, and a set of hex values. How do I extract audio samples from these?
Is it possible to capture packets using pcap and extract audio samples in real time?
Thank you
Thanks! It worked like a charm.
readpcap.c: In function ‘int main(int, char**)’:
readpcap.c:56: warning: unused variable ‘returnValue’
Compile error. Please help.
Hello Rhyous. Could you help me with a project based on UPnP to connect to a wireless router using the WPS protocol?
I know it has nothing to do with your thread, but I have no one to turn to who understands C++.
The project compiles without problems, no errors; I just need to modify the code a bit, but I know very little about C++.
Solved! I added this line: "#pragma comment (lib, "wpcap")"
I am so glad you found a solution.
Thanks, but it doesn't work:
Error 1 error LNK2019: unresolved external symbol _pcap_next_ex that is referenced in function _main C:\Users\Chingon\Documents\VisualStudio2010\Projects\std\std.obj
Error 2 Error LNK2019: unresolved external symbol _pcap_open_offline that is referenced in function _main C:\Users\Chingon\Documents\VisualStudio2010\Projects\std\std.obj
When I copy/pasted the code it didn't work; le wild error in lines 66 and 70 just appeared.
To fix it, delete the 'l' after the %, and "your" code should work fine.
Replying with a pokemon quote is dumb, please stop using the internet.