pcap

问题 I want to use pcap in my Clion project on linux. I installed libpcap-dev: sudo apt-get install libpcap-dev But then I try to compile any file, containing pcap functions like: #include <stdio.h> #include <pcap.h> int main(int argc, char *argv[]) { char *dev, errbuf[PCAP_ERRBUF_SIZE]; dev = pcap_lookupdev(errbuf); if (dev == NULL) { fprintf(stderr, "Couldn't find default device: %s\n", errbuf); return(2); } printf("Device: %s\n", dev); return(0); } I have cmake errors: CMakeFiles/main.cpp.o: In

问题 How do I tell libpcap v1.6.2 to store nanosecond values in struct pcap_pkthdr::ts.tv_usec (instead of microsecond values) when capturing live packets? (Note: This question is similar to How to enable nanosecond resolution when capturing live packets in libpcap? but that question is vague enough that I decided to ask a new question.) For offline and "dead" captures, the following functions can be used to tell libpcap to fill the struct pcap_pkthdr 's ts.tv_usec member with nanosecond values:

问题 I am attempting to find the MAC address using pcap for a small project. As of right now the structure I am working with looks like this: struct ethernet_header { u_char dhost[6]; u_char shost[6]; u_short type; }; The call int the code simply loosk like: void get_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { const struct ethernet_header *ethernet; const struct ip_header *ip; ethernet = (struct ethernet_header *)(packet); ip = (struct ip_header *)(packet + 16);

问题 I already know how to read a pcap file and get the packets it have.B ut how can I write the packets into a new pcap file? I need this to merge two pcap files into one. 回答1: As per my comment, libpcap/WinPcap is a library, not a program, so to use libpcap/WinPcap to merge capture files, you'd have to write your own code to do the merging, using libpcap/WinPcap to read the input files and write the output files. You could use an existing tool, such as tracemerge or Wireshark's mergecap, to

问题 I have a Java application that is writing to the network. It is writing messages in the region of 764b, +/- 5b. A pcap shows that the stream is getting IP fragmented and we can't explain this. Linux 2.6.18-238.1.1.el5 A strace shows: ( strace -vvvv -f -tt -o strace.out -e trace=network -p $PID ) 1: 2045 12:48:23.984173 sendto(45, "\0\0\0\0\0\0\2\374\0\0\0\0\0\3\n\0\0\0\0\3upd\365myData"..., 764, 0, NULL, 0) = 764 2: 15206 12:48:23.984706 sendto(131, "\0\0\0\0\0\0\2\374\0\0\0\0\0\3\n\0\0\0\0

问题 I am attempting to identify the ether type of a packet that I am receiving. The ether type ID is 608 and has no corresponding definition in Ethertype.h(libpcap 1.2.1). The majority of the packets received have an either type of 8 which again has no corresponding definition in Ethertype.h. Does anyone have any ideas of what the cause may be behind this or should I contact TCPDump with an error report. 回答1: What is the return value of pcap_datalink() on the pcap_t on which you're capturing? If

问题 I am working on project using libpcap. Now, I need to know the direction of packet (inbound or outbound) once I got the packet in callback function. I am going to write the methods to compare IP and MAC address between client and these information extract from packet. Am I right? Could you please help me some comments or advices on this problem? Thank you for your time. 回答1: The source or target IP address is sufficient. If the source is local, it's outbound. If the target is local, it's

问题 I'm writing a sniffer for http packets with libpcap. Sometimes printing the content of the http payload I get strange characters.. do you know what could they be? *xNT:���3�@�"P#1u`��$%S{M�� or �~�tsE��}>a�����}/���`�▒�A�y Thanks, for the answers. If the header is in plain text so the problem is my code. Anyway, can a POST request be coded in base64? 回答1: In utils_http.c you have the following function: static int handle_tcp(const struct tcphdr *tcp, int len) { char buf[PCAP_SNAPLEN]; memcpy

问题 To get incoming packet from a pcap file. I set "inbound" filter in pcap_compile() and here is partial code. pcap = pcap_open_offline("test.pcap", errbuf); if (pcap == NULL) { fprintf(stderr, "error reading pcap file: %s\n", errbuf); exit(1); } char filter_exp[] = "inbound"; struct bpf_program pgm; if (pcap_compile(pcap, &pgm, filter_exp, 0, PCAP_NETMASK_UNKNOWN) == -1) { printf("Bad filter - %s\n", pcap_geterr(pcap)); return 1; } if (pcap_setfilter(pcap, &pgm) == -1) { printf("Error setting

问题 Recently I am trying to filter the inbound packet from the pcap file by libpcap in C/C++. Here is partial code. pcap = pcap_open_offline(argv[0], errbuf); if (pcap == NULL) { fprintf(stderr, "error reading pcap file: %s\n", errbuf); exit(1); } char filter_exp[] = "inbound"; struct bpf_program pgm; if (pcap_compile(pcap, &pgm, filter_exp, 0, PCAP_NETMASK_UNKNOWN) == -1) { printf("Bad filter - %s\n", pcap_geterr(pcap)); return 1; } if (pcap_setfilter(pcap, &pgm) == -1) { printf("Error setting