 

Parsing a pcap file taken from Wireshark using Java

I am working on converting a PCAP file taken from Wireshark using Java, without using native or ready-made libraries.

I converted the bytes to a string directly, just to check for the meaningful parts of it.

Then I tried to convert it from hexadecimal to a string. It was not meaningful.

There is a Java library, jNetPcap, which wraps all the native calls of the libpcap library, which is written in C.

The following picture is captured from the wireless network, so the pcap contains the same information: source IP, destination IP, protocol, length and info.

Wireshark picture

I am trying to get the same result from the pcap file, which contains the data in hexadecimal or binary:

d4c3 b2a1 0200 0400 0000 0000 0000 0000
0000 0400 0100 0000 2fd4 b355 2af8 0600
3600 0000 3600 0000 0100 5e00 0016 f409
d8ed d951 0800 46c0 0028 0000 4000 0102
4049 c0a8 0308 e000 0016 9404 0000 2200
fa02 0000 0001 0300 0000 e000 00fb 2fd4

At the end I want the output to be something like this:

Output

Any clue or suggestions on where to get the packets and the file format can help me a lot. There may be somebody else who already came across this problem?

Thank you

MBH asked Jul 25 '15 20:07
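The bytes above are not text, so converting them to a string cannot work: a pcap file is a 24-byte global header followed by records, each with a 16-byte record header and then the raw frame exactly as it was seen on the wire. The reader below is an added example, not code from the question, the answers or any library mentioned here. It uses only the JDK, handles LINKTYPE_ETHERNET (link type 1) with IPv4 on top, and embeds the six hex lines quoted in the question as its sample input so it runs without a file; every other name (PcapParser, Packet, decodeEthernetIpv4) is invented for the example.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

/** Minimal pcap reader in plain Java (no libpcap, no jNetPcap): global header, record headers, Ethernet + IPv4. */
public class PcapParser {

    // The 96 bytes quoted in the question: global header (24), one record header (16), one 54-byte frame,
    // and the first 2 bytes of the next record header. Embedded so the example runs offline.
    static final String SAMPLE =
        "d4c3 b2a1 0200 0400 0000 0000 0000 0000" +
        "0000 0400 0100 0000 2fd4 b355 2af8 0600" +
        "3600 0000 3600 0000 0100 5e00 0016 f409" +
        "d8ed d951 0800 46c0 0028 0000 4000 0102" +
        "4049 c0a8 0308 e000 0016 9404 0000 2200" +
        "fa02 0000 0001 0300 0000 e000 00fb 2fd4";

    /** One record, reduced to the columns Wireshark shows. */
    static final class Packet {
        long tsSec, tsUsec;
        int length;
        String src = "-", dst = "-", proto = "-";
        @Override public String toString() {
            return String.format("%d.%06d  %-15s %-15s %-8s %d", tsSec, tsUsec, src, dst, proto, length);
        }
    }

    static List<Packet> parse(byte[] file) {
        if (file.length < 24) throw new IllegalArgumentException("shorter than the 24-byte pcap global header");
        ByteBuffer buf = ByteBuffer.wrap(file).order(ByteOrder.LITTLE_ENDIAN);
        // The magic number is written in the capturing host's byte order and tells us how to read every
        // header integer that follows. The sample starts d4 c3 b2 a1, i.e. little-endian.
        int magic = buf.getInt(0);
        if (magic == 0xd4c3b2a1) buf.order(ByteOrder.BIG_ENDIAN);
        else if (magic != 0xa1b2c3d4)
            throw new IllegalArgumentException("not a microsecond pcap file, magic 0x" + Integer.toHexString(magic));
        buf.position(4);
        buf.getShort(); buf.getShort();              // version_major 2, version_minor 4
        buf.getInt(); buf.getInt();                  // thiszone, sigfigs: unused by readers
        long snaplen = buf.getInt() & 0xffffffffL;   // 0x40000 in the sample
        int linkType = buf.getInt();                 // 1 = LINKTYPE_ETHERNET; other link layers need another decoder
        if (linkType != 1) throw new IllegalArgumentException("unsupported link type " + linkType);

        List<Packet> out = new ArrayList<>();
        while (buf.remaining() >= 16) {              // a full record header; the 2-byte tail of SAMPLE is a truncated one
            Packet p = new Packet();
            p.tsSec = buf.getInt() & 0xffffffffL;
            p.tsUsec = buf.getInt() & 0xffffffffL;
            long inclLen = buf.getInt() & 0xffffffffL;   // bytes stored in the file for this record
            p.length = buf.getInt();                      // orig_len: the on-the-wire size Wireshark shows as "Length"
            // Never trust incl_len: a corrupt or crafted file can claim more than the snaplen or than is left.
            if (inclLen > snaplen || inclLen > buf.remaining()) break;
            int start = buf.position();
            decodeEthernetIpv4(buf, start, (int) inclLen, p);
            buf.position(start + (int) inclLen);
            out.add(p);
        }
        return out;
    }

    // Network headers are big-endian regardless of the file's byte order, so read them byte by byte.
    static int u8(ByteBuffer b, int i) { return b.get(i) & 0xff; }
    static int u16be(ByteBuffer b, int i) { return (u8(b, i) << 8) | u8(b, i + 1); }
    static String ipv4(ByteBuffer b, int i) {
        return u8(b, i) + "." + u8(b, i + 1) + "." + u8(b, i + 2) + "." + u8(b, i + 3);
    }

    static void decodeEthernetIpv4(ByteBuffer b, int off, int len, Packet p) {
        if (len < 14) return;                                // runt frame: leave the columns as "-"
        int etherType = u16be(b, off + 12);
        if (etherType != 0x0800) { p.proto = String.format("0x%04x", etherType); return; }
        int ip = off + 14;
        if (len < 14 + 20 || (u8(b, ip) >> 4) != 4) return;
        int ihl = (u8(b, ip) & 0x0f) * 4;                   // header length, options included (24 in the sample)
        if (ihl < 20 || 14 + ihl > len) return;
        switch (u8(b, ip + 9)) {                             // IPv4 "protocol" field
            case 1:  p.proto = "ICMP"; break;
            case 2:  p.proto = "IGMP"; break;
            case 6:  p.proto = "TCP";  break;
            case 17: p.proto = "UDP";  break;
            default: p.proto = "IP/" + u8(b, ip + 9);
        }
        p.src = ipv4(b, ip + 12);
        p.dst = ipv4(b, ip + 16);
    }

    static byte[] fromHex(String s) {
        s = s.replaceAll("\\s", "");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] data = args.length > 0 ? Files.readAllBytes(Paths.get(args[0])) : fromHex(SAMPLE);
        System.out.println("time               source          destination     protocol length");
        for (Packet p : parse(data)) System.out.println(p);
    }
}
```

Run it with no arguments to decode the embedded sample, or pass a .pcap path. For the bytes in the question the one record decodes to source 192.168.3.8, destination 224.0.0.22, protocol IGMP, length 54, which matches the Wireshark columns the question is after. The `incl_len` and header-length checks matter because a capture file is untrusted input: a parser that indexes the frame by whatever lengths the file claims will throw or read past the record on a malformed file, so the reader stops at the first record it cannot account for instead.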



2 Answers

I found this on another blog and it may seem helpful to you:

  1. You can read an offline pcap file like this (all of the packets): http://jnetpcap.com/node/905

  2. Extract the necessary information and save it one by one in the txt files.

In order to extract information, you can do it like this: http://jnetpcap.com/tutorial/usage

Garry answered Oct 11 '22 08:10


The asker mentioned that jNetPcap is not ideal because it wraps a native library. In the time since the accepted answer, a pure Java library has emerged: https://github.com/aboutsip/pkts

CrazyPyro answered Oct 11 '22 09:10