
I am analysing a pcap file and I have exported a dissection as C Arrays in Wireshark; I need to extract some data from the bytes in question. However, I do not know how I can access all those arrays. They look like this:

/* Frame (73 bytes) */
static const unsigned char pkt1324[73] = {
0x80, 0xe6, 0x50, 0x06, 0xe7, 0xae, 0x48, 0xfd, /* ..P...H. */
0x8e, 0xdf, 0x2f, 0x06, 0x86, 0xdd, 0x60, 0x00, /* ../...`. */
0x00, 0x00, 0x00, 0x13, 0x11, 0x30, 0x20, 0x01, /* .....0 . */
0x06, 0x60, 0x32, 0x07, 0x04, 0xc0, 0x00, 0x00, /* .`2..... */
0x00, 0x00, 0x00, 0x00, 0x40, 0x61, 0x20, 0x01, /* ....@a . */
0x08, 0x18, 0xdb, 0xf8, 0x70, 0x00, 0xcd, 0x3e, /* ....p..> */
0x83, 0xa5, 0x98, 0x71, 0x9b, 0x42, 0x16, 0x33, /* ...q.B.3 */
0xe8, 0xeb, 0x00, 0x13, 0x96, 0xfa, 0x50, 0x45, /* ......PE */
0xea, 0x50, 0x41, 0x0a, 0x21, 0xa8, 0xff, 0x31, /* .PA.!..1 */
0x37                                            /* 7 */
};
this is an empty line
/* Frame (84 bytes) */-> next frame

My question is: these arrays are in a .c/.h file, and I would like to access all the arrays to extract some data, but their names and sizes change.

What is the best way to do this, knowing that I will need to read a couple hundred arrays and extract certain bytes?

Joao s

2 Answers


You could use a tool like this: https://github.com/seladb/PcapPlusPlus. PcapPlusPlus is a multiplatform C++ network sniffing, packet parsing and crafting framework. PcapPlusPlus is meant to be lightweight, efficient and easy to use. It's a C++ wrapper for popular engines like libpcap, WinPcap, DPDK and PF_RING: http://seladb.github.io/PcapPlusPlus-Doc

ROCFER
  • I have read through the documentation and I do not think that tool has what I am looking for; what I am really looking for is a way to go through all the arrays I exported previously, which have both different names and sizes. Thank you btw – Joao s Jun 05 '18 at 15:01

You can parse the file using regex, which was added in C++11:

// g++ --std=c++11

#include <iostream>
#include <fstream>
#include <sstream>
#include <regex>
#include <string>
#include <vector>   // needed for std::vector<Array> below


class Array
{
    std::string m_Name;
    size_t m_Size;

public:
    Array() = delete;

    Array(const std::string &name, std::string size)
    {
        this->m_Name = name;
        this->m_Size = static_cast<size_t>(stoi(size));
    }

    const std::string &GetName() const { return m_Name; }
    size_t GetSize() const { return m_Size; }
};


std::string readFile(const std::string &path)
{
    std::ifstream fileStream(path);
    std::stringstream buffer;

    std::string line;

    while (std::getline(fileStream, line))
        buffer << line << std::endl;

    return buffer.str();
}


void writeFile(const std::string &path, const std::string &data)
{
    std::ofstream fileStream(path);

    fileStream << data;
}


std::vector<Array> parseData(const std::string &data)
{
    std::regex reg("static const unsigned char (pkt\\d+)\\[(\\d+)\\]");

    auto begin = std::sregex_iterator(data.begin(), data.end(), reg);
    auto end = std::sregex_iterator();

    std::vector<Array> arrays;

    for (std::sregex_iterator i = begin; i != end; i++)
    {
        std::smatch match = *i;
        std::string name = match[1];
        std::string size = match[2];

        arrays.push_back(Array(name, size));
    }

    return arrays;
}


int main()
{
    std::string pktPath = "a.pkt";
    std::string data = readFile(pktPath);

    std::vector<Array> arrays = parseData(data);

    std::stringstream names;
    std::stringstream sizes;

    names << "const unsigned char *names[] = {";
    sizes << "size_t sizes[] = {";

    for (const Array &arr : arrays)
    {
        names << arr.GetName() << ",";
        sizes << arr.GetSize() << ",";
    }

    names << "};";
    sizes << "};";

    std::stringstream headerStream;
    headerStream << "#include <cinttypes>" << std::endl;
    headerStream << "#include \"" << pktPath << "\"" << std::endl << std::endl;
    headerStream << "size_t sizeOfArrays = " << arrays.size() << ";" << std::endl;
    headerStream << names.str() << std::endl;
    headerStream << sizes.str() << std::endl;

    std::string header = headerStream.str();
    std::string headerPath = pktPath + ".h";
    writeFile(headerPath, header);
}

This code creates a new file named a.pkt.h with the following content:

#include <cinttypes>
#include "a.pkt"

size_t sizeOfArrays = 1;
const unsigned char *names[] = {pkt1324,};
size_t sizes[] = {73,};

Now you have parsed your .pkt file and got a header which includes all your arrays and their sizes:

#include "a.pkt.h"


int main()
{
    for (size_t i = 0; i < sizeOfArrays; i++)
    {
        const unsigned char *array = names[i];
        size_t size = sizes[i];

        doSomething(array, size);
    }
}

If you have any questions about my code, comment on it.

kerrytazi
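As an added example (not code from the question or from either answer), the program below takes the regex idea one step further and parses the Wireshark "C Arrays" export at run time, so no generated header and no recompile is needed when the export changes. It strips the ASCII comments Wireshark appends to each line before scanning for hex values (a payload containing the text "0x.." would otherwise be read as a byte), checks the declared array size against the bytes actually listed, and then reads a few Ethernet/IPv6/UDP fields from each frame with bounds checks. The sample array is the pkt1324 frame from the question; the short malformed array, the byte offsets for the headers, and all names (Frame, FrameSummary, parseCArrays, summarize, be16, parsesCleanly) are this example's own.

```cpp
// Added example: parse a Wireshark "C Arrays" export directly, then extract
// header fields from each frame with bounds checks.  Build: g++ -std=c++11
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <regex>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

struct Frame {
    std::string name;                 // e.g. "pkt1324"
    std::vector<std::uint8_t> bytes;  // the frame exactly as exported
};

// Parse every "static const unsigned char NAME[N] = { ... };" block.
// Comments are removed first so their ASCII column can't be mistaken for
// bytes; the declared size N is checked against the bytes actually listed.
std::vector<Frame> parseCArrays(const std::string &text)
{
    static const std::regex commentRe(R"re(/\*.*?\*/)re");
    static const std::regex arrayRe(
        R"re(static const unsigned char (\w+)\[(\d+)\]\s*=\s*\{([^}]*)\};)re");
    static const std::regex byteRe(R"re(0x([0-9A-Fa-f]{1,2}))re");

    const std::string clean = std::regex_replace(text, commentRe, "");
    std::vector<Frame> frames;
    for (auto it = std::sregex_iterator(clean.begin(), clean.end(), arrayRe);
         it != std::sregex_iterator(); ++it) {
        const std::smatch &m = *it;
        Frame f;
        f.name = m[1].str();
        const std::size_t declared = std::stoul(m[2].str());
        const std::string body = m[3].str();
        for (auto b = std::sregex_iterator(body.begin(), body.end(), byteRe);
             b != std::sregex_iterator(); ++b)
            f.bytes.push_back(static_cast<std::uint8_t>(std::stoul((*b)[1].str(), nullptr, 16)));
        if (f.bytes.size() != declared)
            throw std::runtime_error(f.name + ": declared size does not match the bytes listed");
        frames.push_back(std::move(f));
    }
    return frames;
}

// Fields pulled out of one frame. Only Ethernet II / IPv6 / UDP is decoded
// (that is what pkt1324 carries); anything else leaves the later fields at 0.
struct FrameSummary {
    std::uint16_t etherType = 0;
    std::uint8_t nextHeader = 0;   // IPv6 Next Header; 0x11 is UDP
    std::uint16_t srcPort = 0;
    std::uint16_t dstPort = 0;
};

// Big-endian 16-bit read that refuses to run off the end of the frame.
std::uint16_t be16(const std::vector<std::uint8_t> &b, std::size_t off)
{
    if (off + 2 > b.size())
        throw std::out_of_range("read past end of frame");
    return static_cast<std::uint16_t>((b[off] << 8) | b[off + 1]);
}

FrameSummary summarize(const Frame &f)
{
    const std::vector<std::uint8_t> &b = f.bytes;
    FrameSummary s;
    s.etherType = be16(b, 12);            // right after the two 6-byte MACs
    if (s.etherType != 0x86DD)            // not IPv6: nothing more to decode
        return s;
    if (b.size() < 14 + 40)
        throw std::out_of_range(f.name + ": truncated IPv6 header");
    s.nextHeader = b[14 + 6];
    if (s.nextHeader == 0x11) {           // UDP directly after the fixed IPv6 header
        s.srcPort = be16(b, 54);
        s.dstPort = be16(b, 56);
    }
    return s;
}

// Returns false instead of throwing, so a whole export can be validated up front.
bool parsesCleanly(const std::string &text)
{
    try { parseCArrays(text); return true; }
    catch (const std::exception &) { return false; }
}

// The pkt1324 frame as shown in the question.
const std::string kSampleExport = R"txt(
/* Frame (73 bytes) */
static const unsigned char pkt1324[73] = {
0x80, 0xe6, 0x50, 0x06, 0xe7, 0xae, 0x48, 0xfd, /* ..P...H. */
0x8e, 0xdf, 0x2f, 0x06, 0x86, 0xdd, 0x60, 0x00, /* ../...`. */
0x00, 0x00, 0x00, 0x13, 0x11, 0x30, 0x20, 0x01, /* .....0 . */
0x06, 0x60, 0x32, 0x07, 0x04, 0xc0, 0x00, 0x00, /* .`2..... */
0x00, 0x00, 0x00, 0x00, 0x40, 0x61, 0x20, 0x01, /* ....@a . */
0x08, 0x18, 0xdb, 0xf8, 0x70, 0x00, 0xcd, 0x3e, /* ....p..> */
0x83, 0xa5, 0x98, 0x71, 0x9b, 0x42, 0x16, 0x33, /* ...q.B.3 */
0xe8, 0xeb, 0x00, 0x13, 0x96, 0xfa, 0x50, 0x45, /* ......PE */
0xea, 0x50, 0x41, 0x0a, 0x21, 0xa8, 0xff, 0x31, /* .PA.!..1 */
0x37                                            /* 7 */
};
)txt";

// Constructed malformed input: declares 4 bytes but lists only 3.
const std::string kBadExport =
    "static const unsigned char pkt9[4] = {\n0x01, 0x02, 0x03 /* ... */\n};\n";

int main()
{
    for (const Frame &f : parseCArrays(kSampleExport)) {
        FrameSummary s = summarize(f);
        std::cout << f.name << ": " << f.bytes.size() << " bytes, ethertype 0x"
                  << std::hex << s.etherType << std::dec << ", next header "
                  << int(s.nextHeader) << ", UDP " << s.srcPort << " -> " << s.dstPort << '\n';
    }
    std::cout << "malformed export rejected: " << std::boolalpha
              << !parsesCleanly(kBadExport) << '\n';
}
```

For the frame in the question this reports ethertype 0x86dd, next header 17 (UDP) and UDP ports 5683 -> 59627. Rejecting an array whose byte count disagrees with its declared size is worth keeping even for files you exported yourself: it catches a truncated or hand-edited export before any offset-based field read runs over the end of a buffer.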