
I have following file: test_network.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
I know that in this file are few video streams. How do I extract them?

[The file is ~180 GB]

d-cubed
dscTobi

3 Answers

  1. Use a Pcap library (libpcap, WinPcap, Pcap.Net)
  2. Extract the TCP over IP over Ethernet.
  3. Reconstruct the TCP stream (see Reconstructing data from PCAP sniff).
  4. Save the TCP stream data to a file.

Try some Pcap TCP reconstruction tools:

http://www.codeproject.com/KB/IP/TcpRecon.aspx

http://code.google.com/p/pcap-reconst/

Community
brickner
  • So, I used `tshark` to see how many streams are in that pcap file and the addresses of src/dst. Next, I used `tshark` to capture packets only for a specific src/dst address and write them to another pcap file. Finally, I wrote a program using `libpcap` to extract the payload of every packet and write it to `some.mpg`. Now I need to check this `mpg` file to be sure that it is not corrupted. But I don't know how to do this. – dscTobi Jun 10 '10 at 14:57
  • If you only extract the payload this may not be enough. You need to reconstruct the data according to the sequence numbers. If you check the TCP sequence numbers and other parameters this should be a valid file (as if you've downloaded it using TCP). I don't know how to validate an mpg file, but I'm sure there is a lot of software that does that. Any MPG player can let you know... – brickner Jun 10 '10 at 15:32
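Steps 1 to 4 of this answer and the sequence-number point raised in the comments, worked as an added example that is not from the answer or from any library it names: a dependency-free reader for the little-endian pcap format the question reports, an Ethernet/IPv4/TCP decoder, and a reassembler that puts segments back in sequence order, drops retransmitted bytes and counts any hole. The addresses, ports and MPEG bytes in `SAMPLE` are constructed, and the helpers `make_frame`/`make_pcap` exist only to build that sample.

```python
import struct
from collections import defaultdict
PCAP_MAGIC_LE = 0xA1B2C3D4  # magic number of a little-endian pcap, the format reported for the question's file

def pcap_frames(data):  # yield link-layer frames: 24-byte global header, then 16-byte record headers + bytes
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_LE: raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]    # ts_sec, ts_usec, incl_len, orig_len
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_segment(frame):  # (flow, seq, payload) for an Ethernet/IPv4/TCP frame, None for anything else
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # EtherType IPv4, protocol TCP
        return None
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]  # IHL .. total length (drops padding)
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    flow = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
    return flow, seq, tcp[(tcp[12] >> 4) * 4:]                 # data offset skips any TCP options

def reassemble(data):  # {flow: (stream bytes, bytes missing)} with segments put back in sequence order
    segs = defaultdict(dict)
    for flow, seq, payload in filter(None, map(tcp_segment, pcap_frames(data))):
        if payload: segs[flow].setdefault(seq, payload)        # first copy wins on retransmission
    streams = {}
    for flow, by_seq in segs.items():
        buf, nxt, missing = bytearray(), min(by_seq), 0
        for seq in sorted(by_seq):                             # 32-bit seq wraparound not handled here
            missing += max(0, seq - nxt)                       # hole: data never captured, file is corrupt
            nxt = max(nxt, seq)
            buf += by_seq[seq][nxt - seq:]                     # drop bytes already written (overlap)
            nxt = max(nxt, seq + len(by_seq[seq]))
        streams[flow] = bytes(buf), missing
    return streams

def make_frame(src, sport, dst, dport, seq, payload):  # constructed Ethernet/IPv4/TCP frame, checksums zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return bytes(12) + b"\x08\x00" + ip
def make_pcap(frames):  # little-endian pcap container: version 2.4, snaplen 65535, link type 1 = Ethernet
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 1276180000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

SAMPLE = make_pcap([make_frame("10.0.0.1", 5000, "10.0.0.2", 80, 1000, b"\x00\x00\x01\xba"),  # MPEG-PS pack start
                    make_frame("10.0.0.1", 5000, "10.0.0.2", 80, 1008, b"video-b"),          # captured early
                    make_frame("10.0.0.1", 5000, "10.0.0.2", 80, 1004, b"-vid"),
                    make_frame("10.0.0.1", 5000, "10.0.0.2", 80, 1004, b"-vid")])            # retransmission
```

Writing each flow's bytes to a file gives the same content a TCP receiver would have delivered; a non-zero missing count means the capture lost segments and the resulting `.mpg` will be corrupt no matter how the payloads are concatenated.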

There are tools developed to achieve your goal; some of these are open source, for example:

Gianluca Costa

You can check the following link to understand the pcap specification: PCAP especification

This website could be useful for you: tcpdump.org

Also, you can use the C++ library libpcap++

barroco
  • The file you list as "PCAP especification" is actually the specification for pcap-ng files; the file in question is pcap, not pcap-ng. libpcap can read pcap files; libpcap 1.1.0 and later can also read some pcap-ng files. A program that uses libpcap can, with libpcap 1.1.0 and later, read both pcap and pcap-ng files without having to be changed to support pcap-ng; using libpcap means you don't need to know how pcap or pcap-ng files are structured. –  Dec 30 '12 at 20:08