Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to write PCAP capture file header?

Tags:

c++

logging

wireshark

libpcap

pcap

Without using libpcap I am trying to write a log file that adheres to the pcap file format (format). This file needs to be readable by WireShark. So far I've written this in C++:

struct pcapFileHeader {
    uint32_t magic_number;   /* magic number */
    uint16_t version_major;  /* major version number */
    uint16_t version_minor;  /* minor version number */
    int16_t  thiszone;       /* GMT to local correction */
    uint32_t sigfigs;        /* accuracy of timestamps */
    uint32_t snaplen;        /* max length of captured packets, in octets */
    uint32_t network;        /* data link type */
};

ofstream fileout;
fileout.open("file.pcap", ios::trunc);

pcapFileHeader fileHeader;
fileHeader.magic_number = 0xa1b2c3d4;
fileHeader.version_major = 2;
fileHeader.version_minor = 4;
fileHeader.thiszone = 0;
fileHeader.sigfigs = 0;
fileHeader.snaplen = 65535; //(2^16)
fileHeader.network = 1;     //Ethernet

fileout <<  fileHeader.magic_number <<
            fileHeader.version_major <<
            fileHeader.version_minor <<
            fileHeader.thiszone <<
            fileHeader.sigfigs <<
            fileHeader.snaplen <<
            fileHeader.network;

fileout.close();

So this should make a blank capture file, but when I open it in Wireshark I am greeted with:

The file "hello.pcap" appears to have been cut short in the middle of a packet or other data.

I've tried opening the output file in binary mode but that didn't help. I would post this in the WireShark forum, but I think this is user error, not something wrong with WireShark.

Help would be much appreciated.

like image 562
Scott Avatar asked Mar 08 '11 19:03

Scott

People also ask

What is pcap header?

The general structure. of pcap files. The global header contains the magic number, GMT offset, timestamp precision, the maximum length of captured packets (in octets), and the data link type. This information is followed by zero or more records of captured packet data.

What is the extension of tcpdump file?

tcpdump. pcap has been registered with IANA for pcap files. The filename extension . pcap appears to be the most commonly used along with .

1 Answers

<< writes the numbers formatted as text (e.g., the five-character string "65535" instead of four bytes representing that number).

To output binary data open the file with ios::binary and use write. This statement will write the entire header:

fileout.write(reinterpret_cast<const char*>(&fileHeader),
              sizeof fileHeader);

The endianness is detected by the reader, so this is portable as long as there's no padding between the struct members.

Note that thiszone should be int32_t.

like image 186
aaz Avatar answered Sep 30 '22 22:09

aaz
Sign in to Comment

Related questions

copy constructor of base and derived classes
Neural Networks: Minimal, open source example with exhaustive training data?
anonymous empty untagged classes, structs, unions, and enums
SuspendThread WOW64 suspending in kernel code
When the C++ standard provides C headers bringing names into the global namespace, does that include overloads?
C++ MPL or_, and_ implementations
Trimming a vector of strings
Cross platform, Interactive text-based interface with command completion
Eclipse C++ content assist, auto activation
Keyboard Hook problems
chroma key with openframeworks/opengl
Boost POOL usage - singleton
Usage of Different IPC mechanism
SSE normalization slower than simple approximation?
What harsh examples are there showing C-style casts are bad?
Software model design
Turbo C++-like editor [closed]
C++ using statement in member function scope
class template partial specialization parametrized on member function return type
Transactional, in-memory, object/key/value storage library?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!