I'm currently learning about TCP and packets. I'm working in the C programming language, and I understand how the pcap library can be used to sniff traffic on my computer. But can pcap be used to parse and read through a trace file as well? I need to track the TCP state information from a given trace file.
In a nutshell, I'm curious how I can go about opening a trace file with pcap to parse through it. If someone could get me moving in the right direction, it would be greatly appreciated!
But can pcap be used to parse and read through a trace file as well?
Yes. Most of the APIs you'd use are the same, but you'd use pcap_open_offline() to open a file rather than using pcap_open_live(), or pcap_create() and pcap_activate(), to open a device for a live capture.
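Added example (not from the original answer): a self-contained C program that reads the classic pcap file format and tracks TCP connection state from it. It parses the file by hand instead of calling pcap_open_offline() so that it compiles and runs without libpcap installed; with libpcap you would replace parse_capture() with pcap_open_offline() plus pcap_loop() and keep process_packet() as the body of the callback. The capture it reads is constructed in memory (a scripted handshake, one request, one response and an orderly close between 10.0.0.1:40000 and 10.0.0.2:80, not a real trace), and the names parse_capture, process_packet, struct flow and run_demo are this example's own.

```c
#include <stdint.h>
#include <string.h>
/* Classic pcap layout, the format pcap_open_offline() reads: a 24-byte global header, then
 * records of a 16-byte header (ts_sec, ts_usec, incl_len, orig_len) plus incl_len captured
 * bytes. Only little-endian files with link type 1 (Ethernet) are accepted here; big-endian
 * files, the nanosecond magic and pcapng are rejected (libpcap handles all of those for you). */
#define PCAP_MAGIC 0xa1b2c3d4u
#define LINKTYPE_ETHERNET 1
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_ACK = 0x10 };
enum tcp_state { CLOSED, SYN_SENT, SYN_RECEIVED, ESTABLISHED, HALF_CLOSED, CLOSED_BY_FIN, RESET };
struct flow {                                /* side "a" is whoever sent the initial SYN */
    int in_use, fin_side;                    /* fin_side: 1 if "a" sent the first FIN */
    uint32_t ip_a, ip_b, bytes_a2b, bytes_b2a;
    uint16_t port_a, port_b;
    enum tcp_state state;
};
/* pcap headers are little-endian in this file; IP/TCP header fields are big-endian. */
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]; }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr32le(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr32be(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Ethernet -> IPv4 -> TCP, then the per-flow state machine; every header length is checked against the captured length first. */
static void process_packet(struct flow *tab, int ntab, const uint8_t *pkt, uint32_t len) {
    if (len < 34 || be16(pkt + 12) != 0x0800) return;                             /* not IPv4 */
    const uint8_t *ip = pkt + 14, *tcp;
    uint32_t ihl = (ip[0] & 0x0f) * 4, iplen = be16(ip + 2), doff;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || len < 14 + iplen || iplen < ihl + 20) return;
    tcp = ip + ihl; doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || iplen < ihl + doff) return;                                   /* bogus data offset */
    uint32_t payload = iplen - ihl - doff, src = be32(ip + 12), dst = be32(ip + 16);
    uint16_t sport = be16(tcp), dport = be16(tcp + 2);
    uint8_t flags = tcp[13];
    struct flow *f = NULL; int fwd = 0;                                           /* fwd: sent by side "a" */
    for (int i = 0; i < ntab && !f; i++) {
        if (tab[i].in_use && tab[i].ip_a == src && tab[i].port_a == sport && tab[i].ip_b == dst && tab[i].port_b == dport) { f = &tab[i]; fwd = 1; }
        else if (tab[i].in_use && tab[i].ip_b == src && tab[i].port_b == sport && tab[i].ip_a == dst && tab[i].port_a == dport) f = &tab[i];
    }
    if (!f) {                                    /* only a bare SYN opens a flow; mid-stream packets are ignored */
        if ((flags & (TH_SYN | TH_ACK)) != TH_SYN) return;
        for (int i = 0; i < ntab && !f; i++) if (!tab[i].in_use) f = &tab[i];
        if (f) *f = (struct flow){ .in_use = 1, .ip_a = src, .port_a = sport, .ip_b = dst, .port_b = dport, .state = SYN_SENT };
        return;                                  /* f == NULL here means the table is full */
    }
    if (fwd) f->bytes_a2b += payload; else f->bytes_b2a += payload;
    if (flags & TH_RST) { f->state = RESET; return; }
    switch (f->state) {
    case SYN_SENT:     if (!fwd && (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) f->state = SYN_RECEIVED; break;
    case SYN_RECEIVED: if (fwd && (flags & TH_ACK)) f->state = ESTABLISHED; break;
    case ESTABLISHED:  if (flags & TH_FIN) { f->state = HALF_CLOSED; f->fin_side = fwd; } break;
    case HALF_CLOSED:  if ((flags & TH_FIN) && fwd != f->fin_side) f->state = CLOSED_BY_FIN; break;
    default: break;
    }
}

/* Walk the file the way pcap_open_offline() + pcap_loop() would; returns the record count, or -1 on a bad header or truncated record. */
int parse_capture(const uint8_t *buf, size_t len, struct flow *tab, int ntab) {
    if (len < 24 || le32(buf) != PCAP_MAGIC || le32(buf + 20) != LINKTYPE_ETHERNET) return -1;
    int n = 0;
    for (size_t off = 24; off + 16 <= len; n++) {
        uint32_t incl = le32(buf + off + 8); off += 16;                          /* incl_len, then skip the record header */
        if (incl > len - off) return -1;                                          /* record runs past end of file */
        process_packet(tab, ntab, buf + off, incl);
        off += incl;
    }
    return n;
}

/* Constructed sample trace (not a real capture): 10.0.0.1:40000 <-> 10.0.0.2:80, full handshake,
 * 10 request bytes, 20 response bytes, orderly close. Checksums stay zero; this parser does not verify them. */
static const struct { int from_client; uint32_t seq, ack; uint8_t flags, plen; } script[] = {
    {1, 1000, 0, TH_SYN, 0}, {0, 5000, 1001, TH_SYN | TH_ACK, 0}, {1, 1001, 5001, TH_ACK, 0},
    {1, 1001, 5001, TH_ACK, 10}, {0, 5001, 1011, TH_ACK, 20}, {1, 1011, 5021, TH_FIN | TH_ACK, 0},
    {0, 5021, 1012, TH_FIN | TH_ACK, 0}, {1, 1012, 5022, TH_ACK, 0} };
static size_t build_capture(uint8_t *out) {
    memset(out, 0, 24); wr32le(out, PCAP_MAGIC); out[4] = 2; out[6] = 4;         /* magic, version 2.4 */
    wr32le(out + 16, 65535); wr32le(out + 20, LINKTYPE_ETHERNET);                  /* snaplen, link type */
    size_t off = 24;
    for (size_t i = 0; i < sizeof script / sizeof script[0]; i++) {
        int c = script[i].from_client, sp = c ? 40000 : 80, dp = c ? 80 : 40000;
        uint8_t *rec = out + off, *eth = rec + 16, *ip = eth + 14, *tcp = ip + 20, plen = script[i].plen;
        memset(rec, 0, 70u + plen);
        wr32le(rec + 8, 54u + plen); wr32le(rec + 12, 54u + plen);                 /* incl_len, orig_len */
        eth[12] = 0x08; ip[0] = 0x45; ip[3] = 40 + plen; ip[8] = 64; ip[9] = 6;    /* ethertype, IPv4, total len, TTL, TCP */
        wr32be(ip + 12, c ? 0x0a000001 : 0x0a000002); wr32be(ip + 16, c ? 0x0a000002 : 0x0a000001);
        tcp[0] = sp >> 8; tcp[1] = (uint8_t)sp; tcp[2] = dp >> 8; tcp[3] = (uint8_t)dp;
        wr32be(tcp + 4, script[i].seq); wr32be(tcp + 8, script[i].ack);
        tcp[12] = 0x50; tcp[13] = script[i].flags; tcp[14] = 0xff;                  /* data offset 5, flags, window */
        memset(tcp + 20, 'x', plen); off += 70u + plen;
    }
    return off;
}
struct flow demo_flows[8];
int run_demo(void) {                         /* returns the record count; demo_flows[0] is the session */
    static uint8_t cap[1024];
    memset(demo_flows, 0, sizeof demo_flows);
    return parse_capture(cap, build_capture(cap), demo_flows, 8);
}
```

After run_demo() the single tracked flow ends in CLOSED_BY_FIN with 10 bytes client-to-server and 20 bytes back. Note that a flow is only created on a bare SYN: packets from connections that were already open when the capture started are dropped, which is also why state tracking on a real trace should be prepared for mid-stream pickup if that matters to you.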
Related
I want to read the data generated by a USB sound card connected to my Raspberry Pi using C code. The samples should be stored in an array or written to a CSV file.
I am using the ALSA library through the function "snd_pcm_readi". Can someone explain how to access the data read by "snd_pcm_readi"?
Or is there a better alternative?
Look at the libusb library, https://libusb.info/
This library gives you simple C functions to find and open the device, and then send and receive data. You may want to do some reading about USB devices.
You may also want to look at udev - you can write a udev rule to symbolically link the desired device to a known filename.
You may need to know the vendor_id and product_id. At the command line, enter lsusb to see the usb devices.
I need to write a program in C to read in pcap files, extract the packets and send them out. It's like a traffic replay. I know there's tcpreplay, but I didn't see its C library; it seems to be only a command-line application.
I know how to do it with pcap_open(), but it's only available in WinPcap. I need to do it in Linux with libpcap. Can anybody provide some hints? Thanks in advance.
edit: I can parse the packets, but now I just don't know how to open an interface to send the packets out. Thanks.
Use either pcap_open_live() or, in newer versions of libpcap, pcap_create() and pcap_activate() - all of which are available in the current version of WinPcap, by the way.
I am asked for an assignment that requires implementation of the FTP protocol. I have gone through the documentation given in RFC 959.
I am confused about a couple of implementation details:
1) If a file needs to be transferred, what function can be used? Can a simple send() function be used for a non-text file?
2) Is it possible to get a good tutorial that talks about implementing modes and file structures, and specifies which are essential?
I hope to get a reply soon.
FTP transfers files through a plain TCP connection, and you can transfer any kind of file with it. There is no difference between text files and binary files; they are all just sequences of bytes.
For the file transmission it is sufficient to open a connection and call the write function repeatedly until the entire file is transmitted (check the return value of write to know how many bytes it actually sent).
The rest of the FTP protocol is text based and is sent to a different port.
There is a good tutorial on using FTP directly through netcat, that can be useful to understand how things work. Understanding active and passive mode can also be useful, since you are going to implement at least one of them.
Also, use wireshark to follow a TCP stream and see the data you are sending/receiving, it can be very useful in debugging.
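Added example (not from the answer above): the write loop it describes, in C, for the data connection. A single write() on a socket may send fewer bytes than asked, may be interrupted, and on a non-blocking socket may report EAGAIN, so write_all() keeps going until everything has gone out and never uses a string function, so NUL bytes in a binary file are no problem. The demo pushes a constructed 256 KiB buffer holding every byte value through a socketpair with a deliberately tiny non-blocking send buffer, so that short writes really happen; a forked child plays the receiving peer and checks the bytes. Closing the data connection is what tells the peer that the file is complete in stream mode. The names write_all, drain_and_compare and demo_binary_transfer are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write exactly len bytes to a socket. write() may send fewer bytes than asked
 * (short write), be interrupted (EINTR), or on a non-blocking socket report
 * EAGAIN when the send buffer is full; all three are handled here. Returns 0
 * on success, -1 on error with errno set. Binary-safe: len is the only length. */
int write_all(int fd, const void *buf, size_t len) {
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n > 0) { p += n; len -= (size_t)n; continue; }
        if (n == 0) { errno = EIO; return -1; }
        if (errno == EINTR) continue;
        if (errno == EAGAIN || errno == EWOULDBLOCK) {        /* wait until the socket can take more */
            struct pollfd pfd = { fd, POLLOUT, 0 };
            if (poll(&pfd, 1, -1) < 0 && errno != EINTR) return -1;
            continue;
        }
        return -1;
    }
    return 0;
}

/* Receiving side: read until EOF and check that the bytes match what was sent. */
static int drain_and_compare(int fd, const unsigned char *want, size_t want_len) {
    unsigned char chunk[4096];
    size_t got = 0;
    for (;;) {
        ssize_t n = read(fd, chunk, sizeof chunk);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;                                     /* EOF: sender closed the data connection */
        if (got + (size_t)n > want_len || memcmp(chunk, want + got, (size_t)n) != 0) return -1;
        got += (size_t)n;
    }
    return got == want_len ? 0 : -1;
}

/* Demo: push a constructed 256 KiB "file" holding every byte value (NULs included)
 * through a socket pair whose send buffer is tiny and non-blocking, so short writes
 * and EAGAIN really occur. A forked child plays the receiving FTP peer.
 * Returns 1 if the peer received the file byte-for-byte, 0 otherwise. */
int demo_binary_transfer(void) {
    enum { FILE_LEN = 256 * 1024 };
    unsigned char *file = malloc(FILE_LEN);
    int sv[2], status = 0;
    if (!file || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { free(file); return 0; }
    for (size_t i = 0; i < FILE_LEN; i++) file[i] = (unsigned char)(i * 31 + (i >> 8));
    pid_t pid = fork();
    if (pid < 0) { free(file); return 0; }
    if (pid == 0) {                                            /* child: receiving peer */
        close(sv[0]);
        _exit(drain_and_compare(sv[1], file, FILE_LEN) == 0 ? 0 : 1);
    }
    close(sv[1]);
    signal(SIGPIPE, SIG_IGN);                                  /* a vanished peer gives EPIPE, not a crash */
    int sndbuf = 2048;
    setsockopt(sv[0], SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof sndbuf);
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
    int rc = write_all(sv[0], file, FILE_LEN);
    close(sv[0]);                                              /* EOF tells the peer the file is complete */
    waitpid(pid, &status, 0);
    free(file);
    return rc == 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    printf("binary transfer %s\n", demo_binary_transfer() ? "ok" : "FAILED");
    return 0;
}
```

In a real server the same write_all() is called on the data socket with each chunk read from the file with fread(); the control connection (the text commands on the other port) is untouched by the transfer apart from the final 226 reply.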
The protocol implementation won't give you a file structure. The protocol is there to define some rules and states.
The dev/prog part is up to you. You just need to respect the FTP protocol in order to gain conformance and compatibility with other clients/servers.
Best regards
I am writing a program for analyzing a certain type of packets. I got the dump file containing test packets in tcpdump format. Is there any way to send this dump out on one of the interfaces? I thought tcpdump would be able to do this on its own (unfortunately it isn't). The only thing I managed to do is to look at the packets in Wireshark (which obviously isn't the way to go).
I could use the libpcap function pcap_open_offline(); unfortunately I use pcap_loop(), which doesn't seem to work with pcap_open_offline(), and rewriting the code to pcap_next() would be very painful. Is there any program that could send packets to the interface?
Did you take a look at tcpreplay, which is made to:
Replay network traffic stored in pcap files
Newer versions of libpcap provide a pcap_inject() function that can be used to write packets back out.
You can see someone's testing program to use pcap_inject() over on UbuntuForums.
So, for a CS project I'm supposed to sniff a network stream and build files from that stream. For example, if the program is pointed to ~/dumps/tmp/ then the directory structure would be this:
~/dumps/tmp
    /192.168.0.1/
        page1.html
        page2.html
        [various resources for pages 1 & 2]
        downloaded file1
    /192.168.0.2/
so on and so forth.
I'm doing this in C & pcap on Linux (since I already know C++, and figure the learning experience would be good).
Thus far, I've been looking at various header formats for TCP/IP
TCP header
As I figure, I can sort the packets by their dst/src and then order them correctly by sequence and acknowledgement windows.
But that leaves me with a big question mark as to how I figure out that packets a-z are part of an HTML file and A-Z are part of some random file being downloaded, etc.
Also, what other kind of header formats should I be looking up? Currently, I have:
I'd post more hyperlink pictures, but I apparently need reputation to do that, sorry
TCP, Ethernet, UDP, and I'll get around to things like FTP (but I'm pretty sure FTP is built on top of TCP, as is HTTP)
So, in short, how do I find files in a network stream, and am I missing any major protocols that I'll need to be able to read?
REPLY
I can't figure out how to reply, so this will have to do.
I have used pcap on several occasions, and will do so again for this project, but I won't use any of Wireshark's stuff (although it is a great program) because I want to no kidding learn this kind of stuff.
Yeah, I'll look into the OSI layer, any suggestions on a good site that covers common protocols?
And I guess I should stop, before this 'question' becomes a discussion.
Where a file begins and ends is not in TCP. You have to deal with the protocol carried over TCP. For example, for HTTP, you have to read the Content-Length header in the HTTP header, which should be equal to the length of the HTTP body (the full html page). Then you accumulate the body over 1 or more TCP packets until you have the total content, as indicated by the Content-Length header.
Since this is a school assignment, you may be limited as to what tools you can use, but you might want to look into Wireshark. If I were given this task as a real-world project, I'd take Wireshark and look into how to use its stream extraction and protocol parsing capabilities and just wrap something around them to automate them and get the desired result.
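Added example (not part of the answer above): the two steps the question and this answer describe, ordering segments by sequence number and then reading Content-Length to find where the HTTP body ends, in C. reassemble() consumes constructed segments that arrive out of order, one of them retransmitted, does the comparison in modular arithmetic so sequence-number wraparound is handled, and reports a gap if a segment never shows up; http_body() then locates the end of the header block, reads Content-Length and refuses to return a body until all of it has arrived. The segment layout, RESP and the function names are this example's own; chunked transfer encoding (no Content-Length) and compressed bodies are not handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>

struct segment { uint32_t seq; const uint8_t *data; size_t len; };

/* Put one direction of a TCP stream back in order. next_seq is the sequence
 * number of the first byte wanted (ISN + 1 after the handshake). Segments may
 * arrive out of order, duplicated or overlapping; sequence numbers wrap at 2^32,
 * so the comparison is done in modular arithmetic. Consumed segments get len 0.
 * Returns the number of bytes written to out, or -1 on a gap or overflow. */
ssize_t reassemble(uint32_t next_seq, struct segment *segs, size_t n, uint8_t *out, size_t cap) {
    size_t total = 0;
    for (int progress = 1; progress;) {
        progress = 0;
        for (size_t i = 0; i < n; i++) {
            struct segment *s = &segs[i];
            if (s->len == 0) continue;
            if ((int32_t)(s->seq - next_seq) > 0) continue;     /* ahead of the next byte: keep waiting */
            size_t skip = next_seq - s->seq;                     /* bytes already delivered (retransmission/overlap) */
            if (skip >= s->len) { s->len = 0; continue; }
            size_t take = s->len - skip;
            if (total + take > cap) return -1;
            memcpy(out + total, s->data + skip, take);
            total += take; next_seq += (uint32_t)take; s->len = 0; progress = 1;
        }
    }
    for (size_t i = 0; i < n; i++) if (segs[i].len) return -1;  /* something never arrived */
    return (ssize_t)total;
}

/* Locate the HTTP body via Content-Length. Returns the body length with *body
 * pointing into buf, or -1 if the header block is incomplete, Content-Length is
 * missing or invalid, or the body has not fully arrived yet. */
ssize_t http_body(const uint8_t *buf, size_t len, const uint8_t **body) {
    const char *p = (const char *)buf, *end = NULL;
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(p + i, "\r\n\r\n", 4) == 0) { end = p + i + 4; break; }
    if (!end) return -1;
    long clen = -1;
    for (const char *line = p; line < end;) {
        const char *eol = memchr(line, '\n', (size_t)(end - line));
        if (!eol) break;
        if (strncasecmp(line, "Content-Length:", 15) == 0) {
            char *stop;
            long v = strtol(line + 15, &stop, 10);
            if (stop == line + 15 || v < 0) return -1;
            clen = v;
        }
        line = eol + 1;
    }
    if (clen < 0 || len - (size_t)(end - p) < (size_t)clen) return -1;
    *body = (const uint8_t *)end;
    return (ssize_t)clen;
}

/* Constructed response (not from a real capture) split into three segments. */
static const char RESP[] =
    "HTTP/1.1 200 OK\r\nContent-Length: 28\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>hi</body></html>";
char demo_body[64];

/* Segments arrive tail first, then head, then middle, then a duplicate of the head.
 * With drop_middle set the middle segment never arrives and the gap is reported. */
long demo_run(int drop_middle) {
    const uint8_t *r = (const uint8_t *)RESP, *body;
    size_t rlen = sizeof RESP - 1;
    struct segment segs[] = {
        { 5071, r + 70, rlen - 70 },
        { 5001, r, 40 },
        { 5041, r + 40, drop_middle ? 0 : 30 },
        { 5001, r, 40 },
    };
    uint8_t stream[256];
    ssize_t n = reassemble(5001, segs, 4, stream, sizeof stream);
    if (n < 0) return -1;
    ssize_t blen = http_body(stream, (size_t)n, &body);
    if (blen < 0 || (size_t)blen >= sizeof demo_body) return -1;
    memcpy(demo_body, body, (size_t)blen);
    demo_body[blen] = '\0';
    return blen;
}

int main(void) {
    long n = demo_run(0);
    printf("body (%ld bytes): %s\n", n, demo_body);
    printf("with a missing segment: %ld\n", demo_run(1));
    return 0;
}
```

The same reassemble() serves any TCP-carried protocol; only the second step changes per protocol (for FTP the data connection has no header at all, and the file ends when the connection is closed).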
You need to open a raw socket over a promiscuous Ethernet device. Then use libpcap to store and analyze the packets.
As this is for CS school, I would start with the OSI Model which gives you a good overview and logical structure of network protocols.
Files are on level 6 (MIME) and 7 (various).
Then you need to go through each protocol and check how to determine which contain files and how you can capture them.