Extract files from packet payload

Question

Libpcap helps to capture network packets and save them in '.pcap' files. I know how to do this but how to extract files from the payload? I want to analyze pcap file, extract files (maybe using 'magic numbers' ?), guess their extension and save these files so I can view them. If someone downloaded a PNG image I want to get image.png on my computer. I know I can use Wireshark or any other sniffer but my aim is to write my own one. The question is: how do I extract files from pcap capture file?

C code will be much appreciated.

Notice: WinPcap is OK, but it would be better if the code was multiplatform.

@Khan, I know, but I want to write my own lightweight packet sniffer. Wireshark works with lots of problems and slowdowns on Mac, so I wanna get a sniffer that works on every platform. Even on jailbroken iPhone. — ForceBru, Dec 14 '14 at 10:32
Doesn't the pcap website/documentation tell you how to do that? — o_weisman, Dec 14 '14 at 10:34
@o_weisman it's just about packet capturing but nothing else — ForceBru, Dec 14 '14 at 10:35
http://www.winpcap.org/docs/docs_412/html/group__wpcap__tut7.html ? — o_weisman, Dec 14 '14 at 10:38

score 2 · Answer 1 · answered Dec 14 '14 at 10:37

2

Well you can use wireshark to view the packet. The link below shows you how to make your own packet sniffer in C

http://www.binarytides.com/packet-sniffer-code-c-linux/

answered Dec 14 '14 at 10:37

Khan

464
3
6
18

I know perfectly well _how to capture packets_, but it would be once to have more info about payload processing. – ForceBru Dec 14 '14 at 10:40

score 1 · Answer 2 · answered Dec 14 '14 at 10:34

1

Wireshark is able to do that.

See: http://www.behindthefirewalls.com/2014/01/extracting-files-from-network-traffic-pcap.html

answered Dec 14 '14 at 10:34

Weston

1,845
13
12

Extract files from packet payload

2 Answers2