Can anyone help me with the C programming for splitting a network packet capture file (.pcap file) into smaller sized files (of same type or other)? Though utilities like editcap or T-shark are already available for the job, I would really like to understand the coding behind it.
3 Answers
0
You can open a pcap file with pcap_open_offline and read individual packets with pcap_next.

tumdum
Thanks a lot, Tomasz. Can you also give me some idea on how a .pcap file can be split into overlapping time series? Can I use editcap/T-Shark for that? – Himant Jan 13 '15 at 14:24
0
WinPcap offers a wide range of solutions to this problem.
After reading ...in Test Packet Capture solution:
    /* Print each byte, replacing non-printable ones with '.' */
    for ( j=0; j<ulen; j++ )
    {
        printf( "%c", isprint( (unsigned char)pChar[j] ) ? pChar[j] : '.' );
    }
    /* Write the same bytes to the file, stopping once it passes the size limit */
    for ( j=0; j<ulen; j++ )
    {
        fputc( pChar[j], fp1 );   /* packet data is binary, so write bytes rather than a "%s" string */
        //fprintf(fp1, "%s", strtok(pChar,"MIND_ID"));
        fsize1 = ftell(fp1);
        if (fsize1 > 665600) // close once the file exceeds 665600 bytes
        {
            fclose(fp1);
            printf("\n The size of given file 1 is : %ld \n", (long)fsize1);
            break;
        }
    }
Use this code to store first and then split the given file into any number you want.
0
For splitting a network packet capture file (.pcap file), use the library pcap_file_generator.
Sample reading pcap file:
    PCAPFILE * pfr = lpcap_open("./pcaplibtestfile.pcap");
    pcap_hdr_t phdr;
    if( lpcap_read_header( pfr, &phdr ))   /* read the global file header first */
    {
        int rese_rec_read = 0 ;
        pcaprec_hdr_and_data_t p_rec_data;
        do{
            /* read one packet record (header and data) per iteration */
            rese_rec_read = lpcap_read_frame_record( pfr , &p_rec_data);
        }while(rese_rec_read>0);
    }
Sample writing to file:
    PCAPFILE * pfl = lpcap_create("./pcaplibtestfile.pcap");
    for( i=0;i< PKTS_COUNT;i++ )
    {
        /* TODO: fill data memcpy(eda.data , YOUR_DATA_BUF,SIZE_YOUR_DATA_BUF );
        eda.len = SIZE_YOUR_DATA_BUF;
        */
        lpcap_write_data( pfl , &eda , i, 0 );
    }
    lpcap_close_file( pfl );

Wladimir Koroy
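The record-by-record read loop the answers above describe, written directly against the classic pcap file layout (a 24-byte global header, then a 16-byte header in front of each packet), as an added example that is not part of any answer and not code from libpcap or pcap_file_generator. The names split_pcap and MAX_CAPLEN and the output file naming are assumptions made here; pcapng files are not handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CAPLEN 262144u  /* assumed sanity cap on one record's stored size */

static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}
/* Split in_path into "<prefix>_<n>.pcap" files of at most per_file packets.
 * Returns the number of files started, or -1 on error (bad or truncated input). */
int split_pcap(const char *in_path, const char *prefix, unsigned per_file) {
    unsigned char ghdr[24], rhdr[16], *buf = malloc(MAX_CAPLEN);
    FILE *in = fopen(in_path, "rb"), *out = NULL;
    uint32_t magic, caplen, in_file = 0;
    int files = 0, swapped, rc = -1;
    char name[512];
    if (!in || !buf || !per_file || fread(ghdr, 1, 24, in) != 24) goto done;
    memcpy(&magic, ghdr, 4);                 /* usec or nsec magic, either order */
    if (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du) swapped = 0;
    else if (magic == 0xd4c3b2a1u || magic == 0x4d3cb2a1u) swapped = 1;
    else goto done;                          /* not a classic pcap file */
    while (fread(rhdr, 1, 16, in) == 16) {
        memcpy(&caplen, rhdr + 8, 4);        /* incl_len: bytes stored in file */
        if (swapped) caplen = swap32(caplen);
        /* never trust the length field of an untrusted capture */
        if (caplen > MAX_CAPLEN || fread(buf, 1, caplen, in) != caplen)
            goto done;
        if (!out) {                          /* start the next output file */
            snprintf(name, sizeof name, "%s_%d.pcap", prefix, files);
            if (!(out = fopen(name, "wb")) || fwrite(ghdr, 1, 24, out) != 24)
                goto done;
            files++;
        }
        if (fwrite(rhdr, 1, 16, out) != 16 || fwrite(buf, 1, caplen, out) != caplen)
            goto done;
        if (++in_file == per_file) { fclose(out); out = NULL; in_file = 0; }
    }
    rc = files;
done:
    if (out) fclose(out);
    if (in) fclose(in);
    free(buf);
    return rc;
}

int main(int argc, char **argv) {            /* usage: split in.pcap prefix N */
    if (argc != 4) return 2;
    return split_pcap(argv[1], argv[2], (unsigned)atoi(argv[3])) < 0;
}
```

Each output file starts with a verbatim copy of the input's global header, so byte order, timestamp precision and link type carry over unchanged.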