I have a pcap file captured by Wireshark; now I need to read each packet of it and write them to a vector of structures. I have some problems with writing packets into the structure. The structure:

struct pktStruct {
    struct pcap_pkthdr * pkt_header; // header object
    const u_char * pkt_data; // data object
    long time; // used to compare with each other
};

The code I use to save each packet to the structure:

string resultFile = "/home/xing/Desktop/tmp.pcap";
char errbuff[PCAP_ERRBUF_SIZE]; 
pcap_t * resultPcap = pcap_open_offline(resultFile.c_str(), errbuff);
struct pcap_pkthdr * header; // header object
const u_char * data; // data object
vector<pktStruct> pktVector; // this vector contains each pktStruct
pktStruct myStruct; 
    while (int i=pcap_next_ex(resultPcap,&header,&data) >=0) {

        myStruct.pkt_header = header;
        myStruct.pkt_data = data;
        myStruct.time = header->ts.tv_sec * 1000000 + header->ts.tv_usec;
        pktVector.push_back(myStruct);
    }

When I printed each packet's information, I found that each structure which stored a packet is totally the same. Did I save the same packet to each structure of the vector?

wangx1ng

1 Answer

The packet header and data pointers you get from libpcap/WinPcap are not valid forever.

If you're using pcap_loop() or pcap_dispatch(), after your callback returns, those packet header and data pointers passed to your callback will not point to the same data they did when your callback was running.

If you're using pcap_next() or pcap_next_ex(), after you make another call to the routine in question, the previous pointers you got from that routine will not point to the same data they did before.

So you MUST make a copy of the packet header and data:

struct pktStruct {
    struct pcap_pkthdr pkt_header; // header object - *not* a pointer
    const u_char * pkt_data; // data object
    long time; // used to compare with each other
};

and

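string resultFile = "/home/xing/Desktop/tmp.pcap";
char errbuff[PCAP_ERRBUF_SIZE]; 
pcap_t * resultPcap = pcap_open_offline(resultFile.c_str(), errbuff);
struct pcap_pkthdr * header; // header object
const u_char * data; // data object
u_char * data_copy; // not const: memcpy() has to write into it
vector<pktStruct> pktVector; // this vector contains each pktStruct
pktStruct myStruct; 
int res; // pcap_next_ex() result: 1 = packet read, -1 = error, -2 = end of file
    // parenthesize the assignment so res holds the return code, not the comparison
    while ((res = pcap_next_ex(resultPcap,&header,&data)) >= 0) {
        if (res == 0) continue; // timeout; only happens on live captures

        myStruct.pkt_header = *header; // copy the header by value
        data_copy = (u_char *)malloc(myStruct.pkt_header.caplen);
        if (data_copy == NULL) break; // out of memory
        memcpy(data_copy, data, myStruct.pkt_header.caplen); // copy caplen captured bytes
        myStruct.pkt_data = data_copy;
        myStruct.time = header->ts.tv_sec * 1000000 + header->ts.tv_usec;
        pktVector.push_back(myStruct);
    }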

This means you may need to free those copies.

  • Hi, thanks for answering, now I can save each packet's data into each struct. But still, each struct has the same header info. I used the code below trying to make a copy of the header but it didn't work correctly: `header_copy = (pcap_pkthdr *)malloc(sizeof(header)); memcpy((void *)header_copy,(const void *)header,sizeof(header)); myStruct.pkt_header = header_copy;` Can you give me some direction about how to save headers to each struct correctly? – wangx1ng Jun 17 '15 at 02:35
  • I followed your suggestion not to define my pkt_header as a pointer, and it did save the right header to each struct, but I need to sort the vector and use `pcap_dump()`, which needs a `pcap_pkthdr *` argument, to write my vector to a new pcap file. Now I can't use the function `pcap_dump` to write my vector into the new pcap file since I don't have a `pcap_pkthdr *` object now. What do I have to do to write my vector into pcap now? – wangx1ng Jun 17 '15 at 02:52
  • A `struct pcap_pkthdr *` is a pointer to a `struct pcap_pkthdr`. Just as in C, in C++ the `&` operator will return a pointer to its operand. (But you already knew that, as indicated by your use of the `&` operator in the call to `pcap_next_ex()`.) –  Jun 17 '15 at 03:09
  • Exactly, this mess just confused my brain! Thank you so much! – wangx1ng Jun 17 '15 at 03:41
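
The buffer-reuse behaviour the answer describes, and the copy-then-sort approach from the comments, as an added example that is not part of the original posts. `Hdr`, `FakeReader`, `ShallowPkt` and `OwnedPkt` are hypothetical stand-ins (not libpcap) so the code runs without a capture file; the packets are constructed sample data.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical stand-in for struct pcap_pkthdr (timestamp flattened to two longs).
struct Hdr { long tv_sec; long tv_usec; uint32_t caplen; uint32_t len; };

// Hypothetical reader that behaves like pcap_next_ex(): each call overwrites one
// internal header and one internal buffer and returns pointers to them.
class FakeReader {
    std::vector<std::vector<uint8_t>> frames_;  // constructed sample packets
    std::vector<long> secs_;                    // constructed, out-of-order timestamps
    size_t pos_ = 0;
    Hdr hdr_{};
    uint8_t buf_[64] = {};
public:
    FakeReader() : frames_{{0xAA, 0x01}, {0xBB, 0x02, 0x03}, {0xCC}}, secs_{30, 10, 20} {}
    int next(Hdr** h, const uint8_t** d) {
        if (pos_ == frames_.size()) return -2;  // end of file, as pcap_next_ex() reports it
        const std::vector<uint8_t>& f = frames_[pos_];
        hdr_ = Hdr{secs_[pos_], 0, (uint32_t)f.size(), (uint32_t)f.size()};
        std::memcpy(buf_, f.data(), f.size());
        ++pos_;
        *h = &hdr_; *d = buf_;
        return 1;
    }
};

struct ShallowPkt { Hdr* hdr; const uint8_t* data; };                     // question's layout
struct OwnedPkt { Hdr hdr; std::vector<uint8_t> data; long long time; };  // owns its copies

std::vector<ShallowPkt> read_shallow(FakeReader& r) {
    std::vector<ShallowPkt> out; Hdr* h; const uint8_t* d;
    while (r.next(&h, &d) == 1) out.push_back({h, d});  // every entry aliases the same storage
    return out;
}

std::vector<OwnedPkt> read_owned_sorted(FakeReader& r) {
    std::vector<OwnedPkt> out; Hdr* h; const uint8_t* d;
    while (r.next(&h, &d) == 1)  // copy header by value and exactly caplen bytes of data
        out.push_back({*h, std::vector<uint8_t>(d, d + h->caplen), h->tv_sec * 1000000LL + h->tv_usec});
    std::sort(out.begin(), out.end(), [](const OwnedPkt& a, const OwnedPkt& b) { return a.time < b.time; });
    return out;  // with libpcap, each entry would go to pcap_dump() as &p.hdr and p.data.data()
}

int main() {
    FakeReader a, b;
    std::printf("shallow first byte: %02x\n", read_shallow(a)[0].data[0]);
    std::printf("owned first byte:   %02x\n", read_owned_sorted(b)[0].data[0]);
}
```

Holding the payload in a `std::vector` instead of a `malloc()`ed pointer also removes the manual `free()` the answer mentions.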