
I am trying to do an offline capture of the packets from a .cap file using SharpPcap. I intend to capture these packets based on a filter.

Following is my code snippet.

    using System;
    using SharpPcap;
    using SharpPcap.LibPcap;

    class Program
    {
        private static void device_PcapOnPacketArrival(object sender, CaptureEventArgs e)
        {
            System.Console.WriteLine(e.Packet.LinkLayerType);
        }

        static void ParseLogFile(string l_FileName)
        {
            CaptureFileReaderDevice l_Parser = new CaptureFileReaderDevice(l_FileName);

            l_Parser.Open();
            string l_filter = "tcp";
            string ErrMsg;
            // CheckFilter returns false and fills ErrMsg when the expression does not compile
            bool l_filterOk = PcapDevice.CheckFilter(l_filter, out ErrMsg);
            System.Console.WriteLine("Filter valid: " + l_filterOk + ", ErrMsg: " + ErrMsg);
            l_Parser.Filter = l_filter;

            //l_Parser.OnPacketArrival += device_PcapOnPacketArrival;
            //l_Parser.Capture();

            SharpPcap.RawCapture pac;
            while ((pac = l_Parser.GetNextPacket()) != null)
            {
                // Prints the raw bytes of each packet that passed the filter
                System.Console.WriteLine(BitConverter.ToString(pac.Data));
            }
            l_Parser.Close();
        }

        public static void Main()
        {
            ParseLogFile(@"Sample.cap");
            System.Console.WriteLine("THE END");
        }
    }

When I set the filter to "tcp" I don't see any frame logged on the console, but I can see them in Wireshark. [Images: Wireshark display and console output with the tcp filter]

Instead, if I set the filter to " " I can see all the frames from the .cap file on the console. [Image: console output with no filter]

Is packet filtering supported in offline mode? If it is supported, is anything wrong with my filter here?

Barry
  • Hi Barry. Have you tried the filter examples in the source code release of SharpPcap? Can you verify that those are working correctly for you as they are and when you modify them to filter only on tcp? That would give us a data point with known working code. – Chris Morgan Jul 14 '17 at 16:36
  • And yes, filtering is supported for offline code. – Chris Morgan Jul 14 '17 at 16:36
  • Hi Chris, I tried using the filter examples from http://www.tcpdump.org/manpages/pcap-filter.7.html. Only the "arp" filter is working on my capture file. When I tried to run these filters on the standard captures, they worked fine. I feel there is some issue with my capture file. – Barry Jul 17 '17 at 06:06

1 Answer


Found the issue. Had to consider vlan while filtering. It works when I use "vlan and tcp" instead of "tcp". More info can be found here http://www.christian-rossow.de/articles/tcpdump_filter_mixed_tagged_and_untagged_VLAN_traffic.php

Barry
  • Ahh, so your traffic is vlan tagged as well? Interesting that vlan would be required but I guess that makes sense if you wanted to be able to filter at the top level vlan vs. non-vlan tcp traffic. – Chris Morgan Jul 17 '17 at 16:48
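To see why "tcp" misses the asker's frames while "vlan and tcp" catches them, the following added example (not code from the question, the answer, or SharpPcap/libpcap) models how the compiled BPF filter walks an Ethernet frame. On a plain Ethernet capture, "tcp" tests the EtherType at byte offset 12 for IPv4 (0x0800) and then the protocol byte of the IP header; an 802.1Q-tagged frame carries 0x8100 at offset 12, so the test fails before the TCP check. The "vlan" primitive requires that tag and shifts every later offset by 4 bytes, which is why it must precede "tcp". The frames, VLAN ID and addresses below are constructed for the demonstration, and the matcher is a hand-written model of the filter logic, not libpcap itself; the last expression, "tcp or (vlan and tcp)", is the form the linked article suggests for captures that mix tagged and untagged traffic.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_frame(tagged: bool, proto: int = IPPROTO_TCP) -> bytes:
    """Construct a minimal Ethernet frame (constructed sample data): a 14-byte
    header, optionally an 802.1Q tag for VLAN 100, a 20-byte IPv4 header with
    the given protocol number, and a 20-byte placeholder transport header."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    if tagged:
        # TPID 0x8100, TCI (PCP=0, DEI=0, VID=100), then the real EtherType.
        eth = dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, 100, ETHERTYPE_IPV4)
    else:
        eth = dst + src + struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto,
    # checksum (left zero), source, destination.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # Placeholder transport header shaped like a TCP SYN (sport, dport, seq,
    # ack, data offset, flags, window, checksum, urgent pointer).
    transport = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + transport


def matches_filter(frame: bytes, expression: str) -> bool:
    """Model of the matching logic libpcap compiles for the three expressions
    below on a DLT_EN10MB capture. IPv4 only; IPv6 is omitted for brevity."""
    if expression == "tcp or (vlan and tcp)":
        return matches_filter(frame, "tcp") or matches_filter(frame, "vlan and tcp")
    if expression not in ("tcp", "vlan and tcp"):
        raise ValueError("unsupported expression: %r" % expression)

    offset = 12  # EtherType position in an untagged frame
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    if expression == "vlan and tcp":
        # "vlan" demands an 802.1Q tag and moves all later offsets by 4.
        if ethertype != ETHERTYPE_VLAN:
            return False
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]

    # "tcp" on IPv4: EtherType must be 0x0800 and the IP protocol byte
    # (offset 9 within the IP header) must be 6.
    if ethertype != ETHERTYPE_IPV4:
        return False
    ip_start = offset + 2
    return frame[ip_start + 9] == IPPROTO_TCP


def filter_matrix() -> dict:
    """Evaluate each expression against an untagged TCP frame, a tagged TCP
    frame and a tagged UDP frame; returns {(expression, frame_name): bool}."""
    frames = {
        "untagged tcp": build_frame(tagged=False),
        "tagged tcp": build_frame(tagged=True),
        "tagged udp": build_frame(tagged=True, proto=IPPROTO_UDP),
    }
    expressions = ("tcp", "vlan and tcp", "tcp or (vlan and tcp)")
    return {(expr, name): matches_filter(frame, expr)
            for expr in expressions for name, frame in frames.items()}


if __name__ == "__main__":
    for (expr, name), hit in filter_matrix().items():
        print("%-24s %-14s %s" % (expr, name, "match" if hit else "no match"))
```

Run stand-alone, the matrix shows the asker's symptom directly: "tcp" matches only the untagged frame, "vlan and tcp" matches only the tagged TCP frame (and correctly rejects tagged UDP), and the combined expression matches both TCP frames. The same expressions can be handed to SharpPcap's `Filter` property, since SharpPcap passes them to libpcap unchanged.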