
I have an application that displays stats about packets in a pcap file. Here is a partial output from a run I did without filters:

192.168.42.4:5082-17.253.27.205:20480 88:66:5a:04:e0:76 00:80:ae:b2:1e:92 S.SA.A

I then ran again with a port filter for 5082 and got nothing, no packets were found.

Here is the set filter I used on the reader:

reader->setFilter("port 5082");

reader->setFilter("host 192.168.42.4") and this works fine. I can get filters for MAC addresses, IP, and protocol to work. I can't get any filter with ports in it to work.

reader->setFilter("ost 192.168.42.4 and src port 5082") fails as well.

The following fails as well:

pcpp::PortFilter p(5082, pcpp::SRC_OR_DST);
if (!reader->setFilter(p)) {
    fmt::print("Could not set up filter on file");
}

Note: 0 packets found, no error on setFilter.

Any ideas?

scottjr155
  • I notice I was missing the h on the line: reader->setFilter("ost 192.168.42.4 and src port 5082") fails as well. Fixed this and ran again, same results. – scottjr155 Sep 08 '22 at 04:18
  • Do these packets have vlans or other tunneling protocols? libpcap doesn't always parse these packets well. Can you attach a sample of this pcap file? – seladb Sep 08 '22 at 08:14
  • Sorry, I have a trace file I can upload, but I am new to StackOverflow and this is my first question and I can't seem to find a way to upload a binary trace file. – scottjr155 Sep 08 '22 at 17:28
  • Just for anyone else using pcapplusplus - make sure you use pcpp::hostToNet16. – scottjr155 Sep 08 '22 at 17:49
  • std::string sp = std::to_string(pcpp::hostToNet16(tcpHdr->portSrc)); std::string dp = std::to_string(pcpp::hostToNet16(tcpHdr->portDst)); – scottjr155 Sep 08 '22 at 17:49

1 Answer

I found the problem. seladb's question made me take a close look at the capture file. Somehow the port numbers I am getting from pcapplusplus are not the same as in the capture as displayed by Wireshark. Now I will have to go back and figure out why my port number from pcapplusplus is corrupt.

Thanks for your response.

scottjr155
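
The mismatch described in this answer, as an added example that is not part of the original posts and does not use PcapPlusPlus itself: 5082 and 20480 from the question's output are exactly the byte-swapped forms of 55827 and 80, which is what an unconverted read of a network-byte-order port field yields on a little-endian host. The sample header bytes and all function names are constructed for illustration, and the real ports in the capture are an assumption inferred from those two numbers.

```cpp
#include <cstdint>
#include <cstdio>

// First four bytes of a TCP header (source port, destination port) as they
// sit on the wire. Constructed sample: ports 55827 -> 80 (assumed).
static const uint8_t kTcpPorts[4] = {0xDA, 0x13, 0x00, 0x50};

// Correct decode: TCP ports are big-endian (network byte order).
uint16_t wirePort(const uint8_t* p) {
    return static_cast<uint16_t>((p[0] << 8) | p[1]);
}

// What a little-endian host sees when it uses the 16-bit header field
// directly, without a network-to-host conversion.
uint16_t unconvertedPort(const uint8_t* p) {
    return static_cast<uint16_t>(p[0] | (p[1] << 8));
}

// 16-bit byte swap: the work a host/network conversion does on a
// little-endian machine.
uint16_t swap16(uint16_t v) {
    return static_cast<uint16_t>((v << 8) | (v >> 8));
}

// Simplified stand-in for a "port N" capture filter: N is compared with the
// real (wire) source and destination ports, not with the misread values.
bool portFilterMatches(const uint8_t* tcp, uint16_t n) {
    return wirePort(tcp) == n || wirePort(tcp + 2) == n;
}

int main() {
    std::printf("unconverted read: %u -> %u\n",
                static_cast<unsigned>(unconvertedPort(kTcpPorts)),
                static_cast<unsigned>(unconvertedPort(kTcpPorts + 2)));
    std::printf("wire order read:  %u -> %u\n",
                static_cast<unsigned>(wirePort(kTcpPorts)),
                static_cast<unsigned>(wirePort(kTcpPorts + 2)));
    std::printf("filter 'port 5082' matches:  %s\n",
                portFilterMatches(kTcpPorts, 5082) ? "yes" : "no");
    std::printf("filter 'port 55827' matches: %s\n",
                portFilterMatches(kTcpPorts, swap16(5082)) ? "yes" : "no");
    return 0;
}
```

Under that assumption the host, MAC and protocol filters keep working because they never depend on the misread value, while any filter built from the displayed port number matches nothing.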