
02/06/2013

How to read a PCap file from Wireshark with C++ | Rhyous

Rhyous
Knight of the Code

How to read a PCap file from Wireshark with C++


November 13, 2011, 7:03 pm by Rhyous

In my Computer Security class I am taking as part of my Masters of Computer Science course, we need to parse a Pcap dump file.

Prerequisites
It is expected you have Visual Studio 2010 already. It may work the same with Visual C++ 2010.

Step 1 Install Wireshark


We are going to use Wireshark to get a packet capture. Wireshark is a nice, easy tool for getting a packet capture: http://www.wireshark.org. Make sure to install Wireshark and let Wireshark install WinPcap when it prompts you.

Step 2 Create a new project in Visual Studio



I already have a post on creating a WinPcap project in Visual Studio and getting it to compile, so follow it: How to compile WinPcap with Visual Studio 2010?

Step 3 Get a packet capture.


1. Open Wireshark and start capturing.
2. Open your browser and go to a few sites.
3. Stop the packet capture.
4. Save the packet capture to a file. I named my file smallcapture.pcap.

Step 4 Add C++ code to read the packet capture


I am going to paste the code for you and put the comments and steps in the code.

    /** How to read a packet capture file. */

    /** Step 1 - Add includes */
    #include <cstdio>    // printf, fprintf
    #include <string>
    #include <iostream>
    #include <pcap.h>

    using namespace std;

    int main(int argc, char* argv[])
    {
        /** Step 2 - Get a file name */
        string file = "C:\\users\\jared\\testfiles\\smallcapture.pcap";

        /** Step 3 - Create a char array to hold the error. */
        // Note: errbuf in pcap_open functions is assumed to be able to hold at least
        // PCAP_ERRBUF_SIZE chars. PCAP_ERRBUF_SIZE is defined as 256.
        // http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__def.html
        char errbuff[PCAP_ERRBUF_SIZE];

        /** Step 4 - Open the file and store result in pointer to pcap_t */
        // Use pcap_open_offline
        // http://www.winpcap.org/docs/docs_41b5/html/group__wpcapfunc.html#g910781
        pcap_t* pcap = pcap_open_offline(file.c_str(), errbuff);
        if (pcap == NULL)
        {
            // errbuff holds the reason (file not found, bad magic number, ...)
            fprintf(stderr, "Could not open %s: %s\n", file.c_str(), errbuff);
            return 1;
        }

        /** Step 5 - Create a header and a data object */
        // Create a header object:
        // http://www.winpcap.org/docs/docs_40_2/html/structpcap__pkthdr.html
        struct pcap_pkthdr* header;

        // Create a character array using a u_char
        // u_char is defined here:
        // C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Include\WinSock2.h
        // typedef unsigned char u_char;
        const u_char* data;

        /** Step 6 - Loop through packets and print them to screen */
        u_int packetCount = 0;
        int returnValue;
        // pcap_next_ex returns 1 for a packet, -2 at end of file and -1 on error.
        // The extra parentheses matter: without them ">= 0" is evaluated first
        // and returnValue would only ever hold 0 or 1.
        while ((returnValue = pcap_next_ex(pcap, &header, &data)) >= 0)
        {
            // Print using printf. See printf reference:
            // http://www.cplusplus.com/reference/clibrary/cstdio/printf/

            // Show the packet number
            printf("Packet # %i\n", ++packetCount);

            // Show the size in bytes of the packet (len is a bpf_u_int32, so %u)
            printf("Packet size: %u bytes\n", header->len);

            // Show a warning if the length captured is different
            if (header->len != header->caplen)
                printf("Warning! Capture size different than packet size: %u bytes\n", header->caplen);

            // Show Epoch Time
            printf("Epoch Time: %ld:%ld seconds\n", (long)header->ts.tv_sec, (long)header->ts.tv_usec);

            // Loop through the packet and print it as hexadecimal representations.
            // We also have a function that does this similarly below: PrintData()
            // Only caplen bytes are in the buffer, so never loop up to len.
            for (u_int i = 0; (i < header->caplen); i++)
            {
                // Start printing on the next line after every 16 octets
                if ((i % 16) == 0) printf("\n");

                // Print each octet as hex (x), make sure there is always two characters
                printf("%.2x ", data[i]);
            }

            // Add two lines between packets
            printf("\n\n");
        }

        if (returnValue == -1)
            fprintf(stderr, "Error reading packets: %s\n", pcap_geterr(pcap));

        pcap_close(pcap);
        return 0;
    }

You are now reading packets in C++. Now you can start working on differentiating the packet types.
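The loop in Step 6 and the "differentiating the packet types" that comes next both rest on the same file layout that pcap_open_offline() and pcap_next_ex() read for you: a 24-byte global header (magic number, version, snaplen, link type) followed by records of a 16-byte header (seconds, microseconds, caplen, len) plus caplen bytes of packet. The added example below is not from the post or from WinPcap; it is a stand-alone C++ reader for that format, written without libpcap so it builds anywhere, that checks every caplen against the snaplen and the bytes actually left in the file before touching packet data, flags records the snaplen truncated (caplen < len), and reads the Ethernet EtherType to tell IPv4, ARP and IPv6 apart. All capture bytes are constructed in buildSampleCapture(); the struct and function names are this example's own.

```cpp
// Added example: a bounds-checked reader for the classic pcap file format,
// written without libpcap/WinPcap. All capture bytes below are constructed.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct PcapRecord {
    uint32_t tsSec, tsUsec, capLen, origLen;
    std::string type;   // "IPv4", "ARP", "IPv6" or "other:0x...."
    bool truncated;     // capLen < origLen: the snaplen cut the packet short
};

struct PcapSummary {
    bool ok = false;    // false when the file is malformed or cut off
    std::string error;
    uint32_t linkType = 0, snapLen = 0;
    std::vector<PcapRecord> records;
};

// pcap files use the writer's byte order; the magic number tells us which.
static uint32_t rd32(const uint8_t* p, bool bigEndian) {
    return bigEndian ? (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3]
                     : (uint32_t(p[3]) << 24) | (uint32_t(p[2]) << 16) | (uint32_t(p[1]) << 8) | p[0];
}

// The EtherType is always big-endian on the wire, whatever the file's order.
static std::string classify(const uint8_t* pkt, uint32_t capLen, uint32_t linkType) {
    if (linkType != 1 || capLen < 14) return "other";   // 1 = DLT_EN10MB (Ethernet)
    uint16_t etherType = uint16_t((pkt[12] << 8) | pkt[13]);
    switch (etherType) {
        case 0x0800: return "IPv4";
        case 0x0806: return "ARP";
        case 0x86DD: return "IPv6";
    }
    char buf[16];
    std::snprintf(buf, sizeof buf, "other:0x%04x", etherType);
    return buf;
}

PcapSummary parsePcap(const std::vector<uint8_t>& f) {
    PcapSummary s;
    if (f.size() < 24) { s.error = "shorter than the 24-byte global header"; return s; }
    bool be;
    uint32_t magic = rd32(f.data(), false);
    if (magic == 0xa1b2c3d4u) be = false;        // written little-endian
    else if (magic == 0xd4c3b2a1u) be = true;    // written big-endian
    else { s.error = "unknown magic number"; return s; }
    s.snapLen = rd32(f.data() + 16, be);
    s.linkType = rd32(f.data() + 20, be);
    size_t off = 24;
    while (off < f.size()) {
        if (f.size() - off < 16) { s.error = "truncated record header"; return s; }
        const uint8_t* h = f.data() + off;
        PcapRecord r{rd32(h, be), rd32(h + 4, be), rd32(h + 8, be), rd32(h + 12, be), "", false};
        off += 16;
        // Never trust caplen: a damaged or hostile file can claim more bytes
        // than the file holds or than the snaplen allows. Check before reading.
        if (r.capLen > s.snapLen || r.capLen > f.size() - off) {
            s.error = "record #" + std::to_string(s.records.size() + 1) +
                      " claims " + std::to_string(r.capLen) + " bytes";
            return s;
        }
        r.truncated = r.capLen < r.origLen;
        r.type = classify(f.data() + off, r.capLen, s.linkType);
        off += r.capLen;
        s.records.push_back(r);
    }
    s.ok = true;
    return s;
}

// --- constructed sample data (little-endian writer, Ethernet link type) ---
static void put32(std::vector<uint8_t>& v, uint32_t x) {
    for (int i = 0; i < 4; ++i) v.push_back(uint8_t(x >> (8 * i)));
}
static void putRecord(std::vector<uint8_t>& v, uint32_t sec, uint32_t usec,
                      uint32_t capLen, uint32_t origLen, uint16_t etherType) {
    put32(v, sec); put32(v, usec); put32(v, capLen); put32(v, origLen);
    std::vector<uint8_t> pkt(capLen, 0);         // zero payload behind the Ethernet header
    if (capLen >= 14) { pkt[12] = uint8_t(etherType >> 8); pkt[13] = uint8_t(etherType); }
    v.insert(v.end(), pkt.begin(), pkt.end());
}
std::vector<uint8_t> buildSampleCapture() {
    std::vector<uint8_t> f;
    put32(f, 0xa1b2c3d4u);                                   // magic number
    f.push_back(2); f.push_back(0); f.push_back(4); f.push_back(0); // version 2.4
    put32(f, 0); put32(f, 0); put32(f, 65535); put32(f, 1);  // thiszone, sigfigs, snaplen, DLT_EN10MB
    putRecord(f, 1320000000, 0, 42, 42, 0x0806);             // ARP, fully captured
    putRecord(f, 1320000001, 500, 60, 1514, 0x0800);         // IPv4, only 60 of 1514 bytes captured
    putRecord(f, 1320000002, 7, 20, 20, 0x86DD);             // IPv6
    return f;
}
PcapSummary parseSample() { return parsePcap(buildSampleCapture()); }
// The same capture with its last 5 bytes missing, as a cut-off file would look.
PcapSummary parseTruncatedSample() {
    std::vector<uint8_t> f = buildSampleCapture();
    f.resize(f.size() - 5);
    return parsePcap(f);
}

int main() {
    PcapSummary s = parseSample();
    for (size_t i = 0; i < s.records.size(); ++i) {
        const PcapRecord& r = s.records[i];
        std::printf("Packet #%zu: %s, %u of %u bytes%s, time %u.%06u\n", i + 1, r.type.c_str(),
                    r.capLen, r.origLen, r.truncated ? " (cut by snaplen)" : "", r.tsSec, r.tsUsec);
    }
    PcapSummary bad = parseTruncatedSample();
    std::printf("Cut-off file: %s after %zu good packets\n", bad.error.c_str(), bad.records.size());
    return s.ok ? 0 : 1;
}
```

The caplen checks are the part worth copying into any reader of your own: the post's loop trusts header->caplen because libpcap validated it, but a parser that reads the file itself must do that validation before indexing into the packet buffer.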

Resources

http://www.tcpdump.org/pcap.html
http://www.tcpdump.org/pcap3_man.html


Tags: WinPcap | Category: C++

8 Comments

1. Chingon says: April 24, 2013 at 5:25 am
hello Rhyous. You could help me with a project based on UPnP to connect to wireless router using the WPS protocol? I know it has nothing to do with your thread, but no one to turn to who understands C++. The project will compile without problems, no errors, just need to modify a bit the code, but I know very little about C++.

2. Chingon says: April 23, 2013 at 1:28 pm
Solved! I added this line: "#pragma comment (lib, "wpcap")"

Rhyous says: April 23, 2013 at 1:42 pm
I am so glad you found a solution.

3. Chingon says: April 23, 2013 at 10:59 am
Thanks but don't work:
Error 1 error LNK2019: unresolved external symbol _pcap_next_ex that is referenced in function _main C:\Users\Chingon\Documents\VisualStudio2010\Projects\std\std.obj
Error 2 error LNK2019: unresolved external symbol _pcap_open_offline that is referenced in function _main C:\Users\Chingon\Documents\VisualStudio2010\Projects\std\std.obj

4. Proxy Servers read from a PCap file and print out IP addresses and port numbers in c, but my result seem wrong says: October 21, 2012 at 10:10 am
[...] I am reading a pcap file and I want to print out the ip address and port number of each packet. I am using code from www.tcpdump.org/pcap.htm and www.rhyous.com/2011/11/13/how-to-read-a-pcap-file-from-wireshark-with-c/. [...]

5. Emanuel Felipe says: October 17, 2012 at 2:14 pm
When I did Copy/Paste the code didn't work, le wild error in lines 66 and 70 just appeared. To fix you should delete the 'l' after %, and "your" code should work fine.

toto says: October 29, 2012 at 9:53 am
Replying with a pokemon quote is dumb, please stop using the internet.

6. How to compile WinPcap with Visual Studio 2010? | Rhyous says: November 13, 2011 at 7:07 pm
[...] to compile and it should work. You are now ready to develop using WinPcap. Next: How to read a PCap file from Wireshark with C++ Category: C++ | Comment (RSS) [...]
