问题
I am stuck.
I have used PCAP.NET to read .PCAP files and write the packets into a database. Now I can query the database and get packets back that match the constraints. I need a way to write the results to a new .PCAP file.
The problem is that, as far as I can tell, the only way to generate a new PCAP file is via the DumpFile which can only be initialized via a PacketCommunicator that is itself tied to a PacketDevice.
an example can be seen here: http://pcapdotnet.codeplex.com/wikipage?title=Pcap.Net%20Tutorial%20-%20Handling%20offline%20dump%20files&referringTitle=Pcap.Net%20User%20Guide
Well and good, but in this scenario I don't have a device.
Should I roll my own PCAP writer just for this purpose?
Have I missed something obvious?
How can I get these packets into a new PCAP file?
I am convinced that I have overlooked something simple... PCAP is new territory for me and I'm feeling very out of sorts. The Unix folks at work indicate that libpcap which winpcap and therefore pcap.net are based upon provides the ability to write directly to a pcap file. Is the functionality not exposed in the library?
Recommendations are very much appreciated.
Thanks,
Chris
P.S. This is a revision to my original question asked here: .NET writing PCAP files
回答1:
Is the functionality not exposed in the library?
Which library?
It's exposed in libpcap/WinPcap, but opening the file for output is a bit awkward - you need a pcap_t for a capture device, a pcap_t for a capture file, or a dummy pcap_t for the link-layer header type and snapshot length of the file you're writing if the packets you're writing aren't coming from a live capture or an existing capture file.
I couldn't find any reference documentation for Pcap.NET, just tutorial documentation, but there didn't seem to be anything that let you open a dummy handle - you can open a capture device or a offline capture file, but I didn't see anything about creating a dummy handle from which you can't read packets but that you can use when opening a capture file for writing - so all the functionality available in libpcap/WinPcap is NOT exposed in Pcap.NET, as far as I can tell.
回答2:
You can create a pcap header and a format, the specification is easy and you don't need a external library apart of the pcap.h.
struct pcap_file_header {
bpf_u_int32 magic;
u_short version_major;
u_short version_minor;
bpf_int32 thiszone; /* gmt to local correction */
bpf_u_int32 sigfigs; /* accuracy of timestamps */
bpf_u_int32 snaplen; /* max length saved portion of each pkt */
bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */
};
So your file first create a header for the pcap file, for example:
struct pcap_file_header pheader;
pheader.magic = 0xA1B2C3D4; // MAGIC NUMBER FOR TCPDUMP
pheader.version_major = PCAP_VERSION_MAJOR;
pheader.version_minor = PCAP_VERSION_MINOR;
pheader.thiszone = 0;
pheader.sigfigs = 0;
pheader.snaplen = 1500;
pheader.linktype = 1;
And for write each packet you need a struct like:
typedef struct {
int32_t t0;
int32_t t1;
int32_t len;
int32_t caplen;
} pcap_header_writeable;
So you will write on the file like:
pcap_header_writeable header;
header.t0 = 0;
header.t1 = 0;
header.len = length;
header.caplen = length;
// write the header on the file
// write the packet on the file after the header
回答3:
In the Pcap.Net User Guide, the "Handling offline dump files" page has an example using the PacketDumpFile class to write out a dump file. I'm not seeing any Pcap.Net reference manual; to answer this question, the user read the Pcap.Net source code.
来源:https://stackoverflow.com/questions/11150245/pcap-library-capabilities-writing-new-pcap-files