
I am new to the pcap library and I am building a program that loads a pcap file and processes it for my needs with WinPcap.

This is part of my pseudocode:

char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap_file = pcap_open_offline(pcap_path, errbuf);
if (pcap_file == NULL) { /* report errbuf and stop */ }

struct pcap_pkthdr *header;
const u_char *data;
int res;

/* pcap_next_ex() returns 1 for a packet, -2 at end of the savefile, -1 on error */
while ((res = pcap_next_ex(pcap_file, &header, &data)) == 1)
{
    //read the next packet from pcap file
    if ( the packet belongs to ETH->IP->UDP->RTP->H264 protocol)
        process_packet(header, data);
}
pcap_close(pcap_file);

I found the function pcap_compile(), but from my understanding it is for live capture.

Since I load the pcap file offline, I struggled to find a similar filter function.

How can I filter packets loaded from a pcap file? The filter should pass only packets from the ETH->IP->UDP->RTP->H264 protocol stack.

user3378689
  • It's not clear what your question is. – acraig5075 May 13 '14 at 07:00
  • Hi. Sorry if I didn't explain myself properly. How can I filter packets loaded from a pcap file? The filter should pass only packets from the ETH->IP->UDP->RTP->H264 protocol. Thanks. – user3378689 May 13 '14 at 07:03
  • As far as I can recall, pcap doesn't care whether it's a live capture or from an offline file, but I could be wrong. You should probably read their manual. – o_weisman May 13 '14 at 07:20
  • According to Guy Harris [here](https://www.mail-archive.com/tcpdump-workers@lists.tcpdump.org/msg01797.html): "pcap_setfilter() works on a pcap_t that you've opened with pcap_open_offline() the same way it works on a pcap_t you've opened with pcap_open_live()." – o_weisman May 13 '14 at 07:28

1 Answer


I found the function pcap_compile() but from my understanding this is for live capture.

No, it's for live capture AND reading from a savefile.

The filter should pass only packets from the ETH->IP->UDP->RTP->H264 protocol.

No such filter is possible using pcap_compile().

To identify RTP traffic, you'd either have to know what UDP ports would be used by the traffic, and filter based on that, or you'd have to look at a few fields in the UDP payload and try to guess whether it's RTP traffic (and be willing to live with non-RTP packets passing the filter). Wireshark has a fairly weak heuristic to identify RTP running atop UDP; it is not enabled by default, because it's so weak that it would probably identify non-RTP traffic as being RTP traffic.

As for H.264, Wireshark recognizes that based on the SIP/SDP setup traffic, which means it involves more complicated packet parsing than can be done with a pcap filter and, more importantly, involves keeping state information, which is impossible with pcap filters.
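The answer's two workable options are a port-based filter and a "look at a few bytes of the UDP payload" heuristic. The following is an added example that is not part of the question or the answer: it reads a classic libpcap savefile (the format pcap_open_offline() consumes) with the standard library only, and applies an RTP heuristic of my own devising that is equivalent to the BPF expression in RTP_BPF, which you could hand to pcap_compile()/pcap_setfilter() on an offline handle. udp[8] is the first byte of the UDP payload (the UDP header is 8 bytes), so the expression keeps datagrams whose payload starts with RTP version 2 and whose payload-type field is not one of the RTCP types (72-76). The savefile, the packets in it and the port numbers are all constructed here for the demonstration; the deliberately included non-RTP datagram on port 9999 shows the false positive the answer warns about, which only the port restriction removes.

```python
"""Offline pcap reader with an RTP-over-UDP heuristic filter (added example)."""
import struct

# Hand-written BPF equivalent of looks_like_rtp() below; an assumption, not from the answer.
RTP_BPF = "udp and udp[8] & 0xc0 == 0x80 and not (udp[9] & 0x7f >= 72 and udp[9] & 0x7f <= 76)"

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPPROTO_TCP = 6


def iter_pcap(data: bytes):
    """Yield each packet's bytes from a classic pcap savefile (24-byte global header, 16-byte records)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap savefile")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB: Ethernet, the only link type parsed here
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def _udp_payload(frame: bytes):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl or frame[14 + 9] != IPPROTO_UDP:
        return None
    # Only the first fragment carries the UDP header, so skip later fragments.
    if struct.unpack("!H", frame[14 + 6:14 + 8])[0] & 0x1FFF != 0:
        return None
    udp = frame[14 + ihl:]
    if len(udp) < 8:
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    return sport, dport, udp[8:]


def looks_like_rtp(payload: bytes) -> bool:
    """The heuristic RTP_BPF encodes: RTP version 2 and a payload type that is not an RTCP type."""
    if len(payload) < 12:  # RTP fixed header is 12 bytes
        return False
    version = payload[0] >> 6
    payload_type = payload[1] & 0x7F
    return version == 2 and not (72 <= payload_type <= 76)


def filter_rtp(pcap_bytes: bytes, ports=None):
    """Return (index, sport, dport, payload_type) for packets that pass the filter.

    `ports` optionally restricts matches to UDP ports learned elsewhere (e.g. from SDP),
    the first option in the answer; None applies the payload heuristic alone.
    """
    matches = []
    for idx, frame in enumerate(iter_pcap(pcap_bytes)):
        parsed = _udp_payload(frame)
        if parsed is None:
            continue
        sport, dport, payload = parsed
        if ports is not None and sport not in ports and dport not in ports:
            continue
        if looks_like_rtp(payload):
            matches.append((idx, sport, dport, payload[1] & 0x7F))
    return matches


def _frame(proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4 frame carrying a UDP datagram or a raw TCP segment (constructed)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + l4


def build_sample_pcap() -> bytes:
    """Constructed savefile: one RTP packet, one RTCP SR, one DNS query, one TCP segment, one look-alike."""
    rtp = bytes([0x80, 96, 0, 1]) + b"\x00" * 8 + b"\x67\x42"   # V=2, PT=96 (a dynamic PT)
    rtcp = bytes([0x81, 200, 0, 6]) + b"\x00" * 24               # V=2, PT byte 200 -> RTCP SR
    dns = b"\x12\x34\x01\x00" + b"\x00" * 8                      # version bits are 0
    tcp = b"\x00" * 20                                           # not UDP at all
    fake = bytes([0x90, 0x05]) + b"\x00" * 10                    # arbitrary payload that passes the heuristic
    frames = [
        _frame(IPPROTO_UDP, 5004, 5004, rtp),
        _frame(IPPROTO_UDP, 5005, 5005, rtcp),
        _frame(IPPROTO_UDP, 53001, 53, dns),
        _frame(IPPROTO_TCP, 1234, 80, tcp),
        _frame(IPPROTO_UDP, 40000, 9999, fake),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


if __name__ == "__main__":
    print("heuristic only:", filter_rtp(build_sample_pcap()))
    print("heuristic + port 5004:", filter_rtp(build_sample_pcap(), ports={5004}))
```

The heuristic alone matches packets 0 and 4; restricting to port 5004 leaves only packet 0. In a C program the same selection is done by compiling RTP_BPF with pcap_compile() and installing it with pcap_setfilter() on the handle returned by pcap_open_offline(), after which pcap_next_ex() only returns matching packets. Neither form can tell H.264 from any other dynamic payload type, for the stateful reason the answer gives.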