Questions tagged [pcap]

pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. The pcap file format is a binary format, and is the de facto standard format for network packet capture.

pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as .

Source: Wikipedia

pcap also refers to the file format originally generated by the libpcap library. This binary format has become a de facto standard format for packet capture, and is now generated by other network analyzer tools, such as Wireshark.

Source: https://www.lesliesikos.com/pcap

1410 questions
40 votes, 1 answer

set a filter of packet length in wireshark

I've captured a pcap file and displayed it in Wireshark. I want to analyse those UDP packets whose 'Length' column equals 443. In Wireshark, I tried to find the proper filter. udp && length 443 # invalid usage udp && eth.len == 443 # wrong…

Daniel YC Lin (15,050 reputation; 18 gold, 63 silver, 96 bronze badges)
39 votes, 3 answers

pcap struct pcap_pkthdr len vs caplen

We're sniffing packets using libpcap on Linux. The header we get on each packet looks like: struct pcap_pkthdr { struct timeval ts; /* time stamp */ bpf_u_int32 caplen; /* length of portion present */ bpf_u_int32 len;…

nos (223,662 reputation; 58 gold, 417 silver, 506 bronze badges)
36 votes, 4 answers

How to parse packets in a python library?

How do you parse a packet from either a .pcap file or an interface using Python? I'm specifically looking for a solution that uses a well-documented library.

PSS (5,561 reputation; 5 gold, 28 silver, 30 bronze badges)
26 votes, 4 answers

Sending packets from pcap with changed src/dst in scapy

I am trying to send previously recorded traffic (captured in pcap format) with Scapy. Currently I am stuck at stripping the original Ether layer. The traffic was captured on another host and I basically need to change both the IP and Ether layer src and…

Jason Bart (311 reputation; 1 gold, 3 silver, 6 bronze badges)
24 votes, 2 answers

Parsing a pcap file in python

I am trying to parse through a pcap file in Python. My goal is to be able to pull out the type of TCP or UDP file it is and the time they start/end. Does anyone have any advice on which packages might be useful and the documentation for…
22 votes, 1 answer

Pcap functions have "undefined reference"

I'm trying to go through this tutorial: http://www.tcpdump.org/pcap.html Now I have installed pcap (code hints and all that are working) using: sudo apt-get install libpcap-dev and so far I have the following code (file name is…

Yahya Uddin (26,997 reputation; 35 gold, 140 silver, 231 bronze badges)
21 votes, 6 answers

How to concatenate two tcpdump files (pcap files)

How do I concatenate two tcpdump files, so that one file's traffic will appear after the other's in the output file? To be concrete, I want to "multiply" one tcpdump file, so that all the sessions will be repeated one after another sequentially a few times.

anon
20 votes, 1 answer

filtering by domain

I want to filter my pcap file by domain. I mean, I want to see the packets that come from a website ending with ".com", ".org" or ".net". I tried: dns contains "com", ip.src_host == com, ip.src_host == com, http contains "com". None of them worked…

Eray Balkanli (7,752 reputation; 11 gold, 48 silver, 82 bronze badges)
18 votes, 1 answer

How to filter MAC addresses using tcpdump?

I am running tcpdump on DD-WRT routers in order to capture uplink data from mobile phones. I would like to listen only to some MAC addresses. To do this I tried to run the command using a syntax similar to Wireshark's: tcpdump -i prism0 ether src[0:3]…

Giovanni Soldi (385 reputation; 1 gold, 4 silver, 12 bronze badges)
16 votes, 5 answers

Getting the number of packets in a pcap capture file?

I need a program which prints the number of packets in a capture file which uses the pcap format. This number does not seem available in the pcap header (probably because it is written before the capture starts) and it does not seem there is a…

bortzmeyer (34,164 reputation; 12 gold, 67 silver, 91 bronze badges)
16 votes, 3 answers

Easiest way to convert pcap to JSON

I have a bunch of pcap files, created with tcpdump. I would like to store these in a database, for easier querying, indexing, etc. I thought MongoDB might be a good choice, because storing a packet the way Wireshark/TShark presents them as JSON…

Erik (11,944 reputation; 18 gold, 87 silver, 126 bronze badges)
15 votes, 8 answers

Export pcap data to csv: timestamp, bytes, uplink/downlink, extra info

I was wondering if there is any tool that can parse pcap data and convert it to a CSV file with the following information: timestamp, bytes, uplink/downlink, some extra info. Basically, the uplink/downlink could be seen from the IP/MAC address, and…

Ekhi (497 reputation; 2 gold, 6 silver, 11 bronze badges)
15 votes, 1 answer

Filter a pcap dump file for a specific time range

Is there any easy way to create a pcap file for the packets related to a specific datetime range, maybe using tshark, tcpdump or another command-line tool? tshark -R with frame.time seems promising but I haven't been able to work that out…

Filippo Vitale (7,597 reputation; 3 gold, 58 silver, 64 bronze badges)
14 votes, 2 answers

TcpDump: showing the absolute timestamp (date + time) of pcap file

I want to see the absolute timestamp of the packets in a pcap file using tcpdump. When I use the command tcpdump -r mypcapfiile it only shows the time, 03:21:14.804778 IP static.vnpt.vn.51193 > 192.168.0.146.smtp. How can I read the date as well?

Alex (1,914 reputation; 6 gold, 26 silver, 47 bronze badges)
14 votes, 3 answers

jNetPcap vs Jpcap

I was wondering if any of you can give me some comments and insights, please. In terms of performance, which one should I use, jNetPcap or Jpcap? Thanks!

Gilbeg (741 reputation; 2 gold, 9 silver, 19 bronze badges)