
I have a connection stream in a C++ vector, where each element is a single packet's bytes. I'd like to take that vector and produce a working packet capture file (one that can be opened in Wireshark, for example).

I've done some reading on building pcap files, but it seems to revolve around structs where each part of the packet has its own struct member, meaning I have to write code that arranges and gives meaning to all the bytes.

Is there a quick and simple way to just pour the packet bytes, perhaps only giving a timestamp to each packet, and getting a pcap out of it?

GabeL
  • If you mean with all the structs the various layers (TCP, IP), then you need to do this, since somehow information about these layers has to be put into the pcap. Pcap is a data format for network traffic (which includes IP and TCP information) and not just a bunch of unrelated bytes. – Steffen Ullrich Nov 01 '16 at 17:30
  • Have you seen [this](http://stackoverflow.com/a/10113862/6832488) answer? You have to fill a struct pcap_pkthdr with timestamp and packet len and call pcap_dump() with the struct pcap_pkthdr and a pointer to the captured bytes. Details of the pcap file format are [here](https://wiki.wireshark.org/Development/LibpcapFileFormat) – Mario Klebsch Nov 01 '16 at 17:57
  • @MarioKlebsch Thanks, I checked that and it resulted in some further research which led me to this: https://ask.wireshark.org/questions/39221/is-there-a-fast-way-to-change-c-array-into-pcap While the resulting pcap is just data packets without classifying the different layers, it's good enough. – GabeL Nov 10 '16 at 15:00

0 Answers
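The comments describe two routes: fill a `pcap_pkthdr` and call `pcap_dump()`, or write the file format from the Wireshark wiki by hand. The following is an added example (not code from the question or the commenters) that takes the second route, so it needs no libpcap dependency and makes the one detail that actually matters visible: the link-layer type in the global header. That single field is what tells Wireshark whether each packet begins with an Ethernet header (link type 1) or directly with an IP header (link type 101, LINKTYPE_RAW); pick the wrong one and every packet dissects as garbage even though the bytes are correct. The example assumes each element of the vector is a `std::vector<uint8_t>` holding one raw IPv4 packet with a timestamp attached; the `Packet` struct, the helper names and the single IPv4/UDP datagram used as input are all constructed for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <fstream>
#include <string>
#include <vector>

// One captured packet: the bytes exactly as seen on the wire plus a timestamp
// (constructed type for this example; adapt to whatever the stream vector holds).
struct Packet {
    uint32_t ts_sec;
    uint32_t ts_usec;
    std::vector<uint8_t> bytes;
};

// pcap link-layer header types (values from the tcpdump/libpcap registry).
// This field decides what Wireshark expects as the first byte of every packet.
constexpr uint32_t LINKTYPE_ETHERNET = 1;   // packets start with a 14-byte Ethernet header
constexpr uint32_t LINKTYPE_RAW      = 101; // packets start directly with an IPv4/IPv6 header

// Append little-endian 16/32-bit values; with the magic written LE, readers treat all fields as LE.
static void put16(std::vector<uint8_t>& out, uint16_t v) {
    out.push_back(static_cast<uint8_t>(v));
    out.push_back(static_cast<uint8_t>(v >> 8));
}
static void put32(std::vector<uint8_t>& out, uint32_t v) {
    put16(out, static_cast<uint16_t>(v));
    put16(out, static_cast<uint16_t>(v >> 16));
}

// Serialize packets in the classic pcap layout: a 24-byte global header, then for each
// packet a 16-byte record header followed by the packet bytes (truncated to snaplen).
std::vector<uint8_t> build_pcap(const std::vector<Packet>& pkts, uint32_t linktype,
                                uint32_t snaplen = 65535) {
    std::vector<uint8_t> out;
    put32(out, 0xa1b2c3d4); // magic: LE byte order, microsecond timestamps
    put16(out, 2);          // version major
    put16(out, 4);          // version minor
    put32(out, 0);          // thiszone (GMT offset, unused in practice)
    put32(out, 0);          // sigfigs (unused in practice)
    put32(out, snaplen);    // maximum bytes stored per packet
    put32(out, linktype);   // what each packet starts with
    for (const Packet& p : pkts) {
        uint32_t orig_len = static_cast<uint32_t>(p.bytes.size());
        uint32_t incl_len = std::min(orig_len, snaplen); // store at most snaplen, keep real size
        put32(out, p.ts_sec);
        put32(out, p.ts_usec);
        put32(out, incl_len);
        put32(out, orig_len);
        out.insert(out.end(), p.bytes.begin(), p.bytes.begin() + incl_len);
    }
    return out;
}

bool write_pcap(const std::string& path, const std::vector<Packet>& pkts, uint32_t linktype) {
    std::vector<uint8_t> data = build_pcap(pkts, linktype);
    std::ofstream f(path, std::ios::binary);
    f.write(reinterpret_cast<const char*>(data.data()), static_cast<std::streamsize>(data.size()));
    return static_cast<bool>(f);
}

// RFC 1071 one's-complement checksum over an IPv4 header whose checksum field is zero.
// Only needed so the constructed sample below is not flagged by Wireshark's checksum validation.
uint16_t ip_checksum(const std::vector<uint8_t>& hdr) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr.size(); i += 2) sum += (hdr[i] << 8) | hdr[i + 1];
    if (hdr.size() % 2) sum += hdr.back() << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return static_cast<uint16_t>(~sum);
}

// Constructed sample input: one raw IPv4/UDP datagram 10.0.0.1:12345 -> 10.0.0.2:53, payload "A".
std::vector<uint8_t> sample_ipv4_udp() {
    std::vector<uint8_t> pkt = {
        0x45, 0x00, 0x00, 0x1d, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
        0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,        // IPv4 header, checksum zeroed
        0x30, 0x39, 0x00, 0x35, 0x00, 0x09, 0x00, 0x00, 'A'};  // UDP header (checksum 0 = none), payload
    std::vector<uint8_t> hdr(pkt.begin(), pkt.begin() + 20);
    uint16_t csum = ip_checksum(hdr);
    pkt[10] = static_cast<uint8_t>(csum >> 8);
    pkt[11] = static_cast<uint8_t>(csum);
    return pkt;
}

// The "connection stream" stand-in: a vector of packets with a constructed timestamp.
std::vector<Packet> sample_capture() {
    return {{1478016000, 0, sample_ipv4_udp()}};
}

int main() {
    return write_pcap("out.pcap", sample_capture(), LINKTYPE_RAW) ? 0 : 1;
}
```

Open the resulting file in Wireshark and it dissects as IPv4/UDP because the link type says the first byte is an IP header. If the captured bytes include the Ethernet frame header, pass `LINKTYPE_ETHERNET` instead. The record header's `incl_len`/`orig_len` pair is what lets a reader distinguish a deliberately truncated packet from a short one, which is why both are written even when they are equal.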