pcap

Rebuilding a packet to inject via pcap

送分小仙女□ submitted on 2019-12-24 11:04:28
Question: Here is the situation: in my scenario I have 3 computers, A, B and C. Computer A sends data to computer B. Computer B captures these packets with pcap, appends the headers, redoes the checksums, and injects it out another ethernet interface to computer C. So basically A sends to C, though from C's point of view, the data is coming from computer B. My problem is this: following TCPDUMP's tutorial on dissecting a captured packet, I've learned to calculate offsets and using typecasting to

Code to analyze pcap file

China☆狼群 submitted on 2019-12-23 19:35:52
Question: I am trying to analyse a file containing packets captured using tcpdump. I first want to categorize the packets into flows using the 5-tuple. Then I need to get the size and inter-arrival time of each packet in each flow. I tried the Conversation list in Wireshark but it gives only the number of packets in the flow, not information about each packet in the flow. A suggestion for any code (C++ or shell script) that can do the job? Thank you. Answer 1: UmNyobe, if you haven't heard of Scapy yet I believe what

Caching packets captured from pcap

試著忘記壹切 submitted on 2019-12-23 17:25:02
Question: This is a follow-up question to this: Rebuilding a packet to inject via pcap. What I want to accomplish: functionA: Capture packets with pcap. Modify source/destination addresses. Recalculate checksums. Inject with pcap. functionB: Create two threads. Thread 1 sends a magic packet to wake the sleeping client. Thread 2 captures packets with pcap and caches the packets into an array of u_char *'s, since pcap puts the packet data serially into "u_char * packet". When both threads terminate, I then

Weird pcap header of byte sequence 0a 0d 0d 0a created on Mac?

烈酒焚心 submitted on 2019-12-23 03:09:19
Question: I have a PCAP file that was created on a Mac with mergecap that can be parsed on a Mac with Apple's libpcap but cannot be parsed on a Linux system. The combined file has an extra 16-byte header that contains 0a 0d 0d 0a 78 00 00 00 before the 4d 3c 2b 1a intro that's common in pcap files. Here is a hex dump: 0000000: 0a0d 0d0a 7800 0000 4d3c 2b1a 0100 0000 ....x...M<+..... 0000010: ffff ffff ffff ffff 0100 4700 4669 6c65 ..........G.File 0000020: 2063 7265 6174 6564 2062 7920 6d65 7267 created by

Capture TCP-Packets with Python

左心房为你撑大大i submitted on 2019-12-22 10:08:27
Question: I am trying to capture an HTTP download with Python using dpkt and pcap. The code looks like ... pc = pcap.pcap(iface) for ts, pkt in pc: handle_packet(pkt) def handle_packet(pkt): eth = dpkt.ethernet.Ethernet(pkt) # Ignore non-IP and non-TCP packets if eth.type != dpkt.ethernet.ETH_TYPE_IP: return ip = eth.data if ip.p != dpkt.ip.IP_PROTO_TCP: return tcp = ip.data data = tcp.data # current connection c = (ip.src, ip.dst, tcp.sport, tcp.dport) # Handle only new HTTP-responses and TCP-packets # of

Listening using pcap with a timeout

僤鯓⒐⒋嵵緔 submitted on 2019-12-21 22:04:09
Question: I want to write a small application using libpcap in C on Linux. Currently, it starts to sniff and waits for packets. But that's not what I actually need. I want it to wait for N seconds and then stop listening. How can I achieve that? Here is my code: void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { printf("got packet\n"); } int main() { int ret = 0; char *dev = NULL; /* capture device name */ char errbuf[PCAP_ERRBUF_SIZE]; /* error buffer */ pcap_t

Scapy and tcpreplay: bypass temporary file for performance

北慕城南 submitted on 2019-12-20 00:42:46
Question: Scapy has a sendpfast function that sends packets using tcpreplay. However, this function first creates a temporary pcap file and then calls tcpreplay on that. This adds too much delay. Is there any way to bypass it and directly send data to tcpreplay? I know that tcpreplay can read data from STDIN. Context: I want to generate large traffic (with different source IPs) every second and send it through the network. One option is to save all traffic with timestamps in a giant pcap file and run tcpreplay.

Packet data intercept and modification

℡╲_俬逩灬. submitted on 2019-12-19 11:52:52
Question: I'd like to be able to intercept/modify data in a TCP flow, on the side of the TCP client. Examples for pcap show how to parse the TCP packet header/payload. But suppose I want to modify the packet payload before the TCP client reads it, or drop the packet entirely. How can I do that with pcap capture? Answer 1: As above, you can't do interception/modification with pcap. For this you need one of the following OS-dependent techniques: Linux: libnetfilter_queue + iptables; MacOS, FreeBSD: divert sockets + ipfw

Sending packets from pcap with changed src/dst in scapy

笑着哭i submitted on 2019-12-18 10:53:14
Question: I am trying to send previously recorded traffic (captured in pcap format) with scapy. Currently I am stuck at stripping the original Ether layer. The traffic was captured on another host and I basically need to change both the IP and Ether layer src and dst. I managed to replace the IP layer and recalculate checksums, but the Ether layer gives me trouble. Does anyone have experience resending packets from a capture file with changes applied to the IP and Ether layer (src and dst)? Also, the capture is rather big couple

C - Writing structs to a file (.pcap)

六眼飞鱼酱① submitted on 2019-12-17 22:54:01
Question: I am trying to write a .pcap file, which is something that can be used in Wireshark. In order to do that, I have a couple of structs with various data types I need to write to a file. (see code) So, I create the struct instances, fill in the data, use FILE* fp = fopen("test.pcap","w"), and then I'm unsure how to properly write it to the file. I believe I should use memcpy but I'm not sure of the best way to do it. I have mostly resorted to C++ libraries in the past to do this. Any suggestions