Questions tagged [pcap]

pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as .

Source: Wikipedia

pcap also refers to the file format originally generated by the libpcap library. This binary format has become a de facto standard format for packet capture, and is now generated by other network analyzer tools, such as Wireshark.

Source: https://www.lesliesikos.com/pcap

1410 questions
13
votes
1 answer

How to convert H264 RTP stream from PCAP to a playable video file

I have captured a stream of H264 in PCAP files and am trying to create media files from the data. The container is not important (avi, mp4, mkv, …). When I'm using videosnarf or rtpbreak (combined with python code that adds 00 00 00 01 before each packet)…
yoosha
  • 681
  • 2
  • 7
  • 12
13
votes
1 answer

what does ntohs() in pcap exactly do?

I read the documentation from one of the answers: The ntohs function takes a 16-bit number in TCP/IP network byte order (the AF_INET or AF_INET6 address family) and returns a 16-bit number in host byte order. Please explain with an example, as in…
tabs_over_spaces
  • 352
  • 1
  • 3
  • 14
13
votes
1 answer

tshark outputting all fields?

Is it possible to get tshark to output every field (within the packet) using the -T fields option, or similar? e.g. For every field in the packet/reconstruction, I would like something like…
gak
  • 32,061
  • 28
  • 119
  • 154
12
votes
4 answers

How do I use tshark to print request-response pairs from a pcap file?

Given a pcap file, I'm able to extract a lot of information from the reconstructed HTTP request and responses using the neat filters provided by Wireshark. I've also been able to split the pcap file into each TCP stream. Trouble I'm running into now…
Steven
  • 17,796
  • 13
  • 66
  • 118
12
votes
8 answers

How can I filter a pcap file by specific protocol using python?

I have some pcap files and I want to filter by protocol, i.e., if I want to filter by HTTP protocol, anything but HTTP packets will remain in the pcap file. There is a tool called openDPI, and it's perfect for what I need, but there is no wrapper…
coelhudo
  • 4,710
  • 7
  • 38
  • 57
11
votes
5 answers

Complete reconstruction of TCP Session (HTML pages) from WireShark pcaps, any tools for this?

I wonder if there is a way in wireshark to reconstruct a complete TCP Session (HTML page(s)) if we have wireshark pcaps. Can wireshark do the reconstruction, or is there any tool around that can do the reconstruction? Data streamed from a source…
user349026
11
votes
2 answers

Parsing pcap taken from wireshark file using - Java

I am working on converting a PCAP file taken from Wireshark using Java without using native or ready libraries. I converted the bytes to string directly just for checking the meaningful parts of it. Then I tried to convert it from hexadecimal to…
MBH
  • 16,271
  • 19
  • 99
  • 149
11
votes
3 answers

How do you decrypt SSH .pcap file that uses Diffie Hellman encryption. With public and private keys

How do you decrypt an SSH .pcap file that uses Diffie Hellman encryption, with public and private keys? We are trying through Wireshark with no luck.
cchang
  • 119
  • 1
  • 1
  • 3
11
votes
2 answers

C PCAP library unknown types error

I installed the pcap library on my linux system but when including it I get the errors /usr/include/pcap/bpf.h:88:1: error: unknown type name ‘u_int’ /usr/include/pcap/bpf.h:108:2: error: unknown type name ‘u_int’ /usr/include/pcap/bpf.h:1260:2:…
wasp256
  • 5,943
  • 12
  • 72
  • 119
10
votes
2 answers

python / dpkt: Find out if packet is a tcp packet or a udp packet

I have a python script that captures the packets on the ethernet using dpkt, but how do I differentiate between which packets are tcp and which ones are for udp. Eventually I would like to have a list of packets for each tcp connection that was…
10
votes
2 answers

Converting a PCAP trace to NetFlow format

I would like to convert some PCAP traces to Netflow format for further analysis with netflow tools. Is there any way to do that? Specifically, I want to use "flow-export" tool in order to extract some fields of interest from a netflow trace as…
Regressor
  • 247
  • 1
  • 2
  • 11
10
votes
3 answers

C - Writing structs to a file (.pcap)

I am trying to write a .pcap file, which is something that can be used in Wireshark. In order to do that, I have a couple of structs with various data types I need to write to a file. (see code) So, I create the struct instances, fill in the data,…
KaiserJohaan
  • 9,028
  • 20
  • 112
  • 199
10
votes
1 answer

What's the difference between a PCAP file with a magic number of "0x4d3cb2a1" and "0xd4c3b2a1"?

I've got two PCAP files, A and B. A has a 'magic number' in the header of d4 c3 b2 a1, B has a 'magic number' in the header of 4d 3c b2 a1. According to the wireshark documentation (http://wiki.wireshark.org/Development/LibpcapFileFormat), only…
growse
  • 3,554
  • 9
  • 43
  • 66
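The tag wiki above says only that the libpcap file format is "binary", and several questions on this page turn on the same details: writing packed structs out as a .pcap file, what the d4 c3 b2 a1 versus 4d 3c b2 a1 magic numbers mean, what ntohs() actually does, and what snaplen does to a stored packet. The C program below is an added example, not code from the tag wiki or from any question or answer here. It writes a one-packet capture from packed structs, then parses it back, using the magic number to detect whether the file was written in the reader's byte order or the opposite one, and whether its timestamps are microseconds (0xa1b2c3d4) or nanoseconds (0xa1b23c4d). Read natively on a little-endian host, the on-disk byte sequences d4 c3 b2 a1 and 4d 3c b2 a1 from the magic-number question are exactly those two values: the same byte order, differing only in timestamp resolution. Assumptions: the link type is Ethernet (DLT 1), the frame is a constructed IPv4/UDP packet rather than captured traffic, the timestamp and snaplen values are arbitrary, and the compiler is GCC or Clang (for #pragma pack). It does not include pcap.h, so it needs no libpcap headers.

```c
/* Added example (not from any post on this page). Assumes an Ethernet link type,
 * a constructed IPv4/UDP frame, and GCC or Clang (for #pragma pack). */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>                  /* ntohs(): network (big-endian) -> host order */

/* Magic as read in the reader's byte order; a file from the other endianness reads reversed. */
#define PCAP_MAGIC_US      0xa1b2c3d4u  /* microsecond timestamps, native  */
#define PCAP_MAGIC_US_SWAP 0xd4c3b2a1u  /* microsecond timestamps, swapped */
#define PCAP_MAGIC_NS      0xa1b23c4du  /* nanosecond timestamps, native   */
#define PCAP_MAGIC_NS_SWAP 0x4d3cb2a1u  /* nanosecond timestamps, swapped  */
#define DLT_EN10MB 1u                   /* link type: Ethernet */
#pragma pack(push, 1)                   /* on-disk layout: no padding */
struct pcap_file_header {               /* 24 bytes, once per file */
    uint32_t magic; uint16_t version_major, version_minor;  /* 2, 4 */
    int32_t thiszone; uint32_t sigfigs, snaplen, linktype;  /* 0, 0, max bytes/pkt, DLT */
};
struct pcap_rec_header {                /* 16 bytes, before each packet */
    uint32_t ts_sec, ts_frac;           /* fraction is us or ns, per the magic */
    uint32_t incl_len, orig_len;        /* bytes in the file, bytes on the wire */
};
#pragma pack(pop)
static uint16_t bswap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }
static uint32_t bswap32(uint32_t v) { return (v << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24); }
static uint32_t rd32(uint32_t v, int swapped) { return swapped ? bswap32(v) : v; }

/* Constructed frame: Ethernet / IPv4 192.168.1.10 -> 192.168.1.1 / UDP 1234 -> 53 /
 * 4 payload bytes. Checksums are zero: test data, not captured traffic. */
const uint8_t SAMPLE_FRAME[46] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01, 0x04,0xd2, 0x00,0x35, 0x00,0x0c,
    0x00,0x00, 0xde,0xad,0xbe,0xef };
/* Serialise one frame as a pcap file into out[]. foreign_endian=1 emulates a writer
 * of the opposite byte order. Returns bytes written, or 0 if out[] is too small. */
size_t write_pcap(uint8_t *out, size_t cap, const uint8_t *frame, uint32_t frame_len,
                  uint32_t snaplen, int foreign_endian)
{
    uint32_t incl = frame_len < snaplen ? frame_len : snaplen;  /* snaplen truncates */
    struct pcap_file_header fh = { .magic = PCAP_MAGIC_US, .version_major = 2,
        .version_minor = 4, .snaplen = snaplen, .linktype = DLT_EN10MB };
    struct pcap_rec_header rh = { .ts_sec = 1700000000u, .ts_frac = 123456u,
        .incl_len = incl, .orig_len = frame_len };
    size_t total = sizeof fh + sizeof rh + incl;
    if (cap < total) return 0;
    if (foreign_endian) {               /* thiszone and sigfigs are 0: nothing to swap */
        fh.magic = bswap32(fh.magic); fh.snaplen = bswap32(fh.snaplen); fh.linktype = bswap32(fh.linktype);
        fh.version_major = bswap16(fh.version_major); fh.version_minor = bswap16(fh.version_minor);
        rh.ts_sec = bswap32(rh.ts_sec);     rh.ts_frac = bswap32(rh.ts_frac);
        rh.incl_len = bswap32(rh.incl_len); rh.orig_len = bswap32(rh.orig_len);
    }
    memcpy(out, &fh, sizeof fh);
    memcpy(out + sizeof fh, &rh, sizeof rh);
    memcpy(out + sizeof fh + sizeof rh, frame, incl);
    return total;
}

struct pcap_summary {
    int swapped, nanosecond; size_t records;
    uint32_t snaplen, linktype, first_incl_len, first_orig_len;
    uint16_t first_ethertype;           /* host order; 0 unless Ethernet */
};
/* Parse a pcap buffer. Returns 0 on success, negative for non-pcap or malformed input. */
int parse_pcap(const uint8_t *buf, size_t len, struct pcap_summary *s)
{
    struct pcap_file_header fh; size_t off = sizeof fh;
    memset(s, 0, sizeof *s);
    if (len < sizeof fh) return -1;
    memcpy(&fh, buf, sizeof fh);
    switch (fh.magic) {
    case PCAP_MAGIC_US:      break;
    case PCAP_MAGIC_NS:      s->nanosecond = 1; break;
    case PCAP_MAGIC_US_SWAP: s->swapped = 1; break;
    case PCAP_MAGIC_NS_SWAP: s->swapped = 1; s->nanosecond = 1; break;
    default: return -2;      /* not classic pcap (pcapng begins 0x0a0d0d0a) */
    }
    s->snaplen  = rd32(fh.snaplen, s->swapped);
    s->linktype = rd32(fh.linktype, s->swapped);
    while (off + sizeof(struct pcap_rec_header) <= len) {
        struct pcap_rec_header rh;
        memcpy(&rh, buf + off, sizeof rh);
        off += sizeof rh;
        uint32_t incl = rd32(rh.incl_len, s->swapped);
        /* A corrupt or hostile file can claim more than snaplen or more than remains. */
        if (incl > s->snaplen || incl > len - off) return -3;
        if (s->records == 0) {
            s->first_incl_len = incl;
            s->first_orig_len = rd32(rh.orig_len, s->swapped);
            /* Wire fields are big-endian whatever the file's order: ntohs(), not rd32(). */
            if (s->linktype == DLT_EN10MB && incl >= 14) {
                uint16_t et; memcpy(&et, buf + off + 12, 2);
                s->first_ethertype = ntohs(et);
            }
        }
        s->records++;
        off += incl;
    }
    return off == len ? 0 : -4;  /* trailing bytes shorter than a record header */
}
```

The two byte-order conversions are deliberately kept apart: header fields are swapped only when the magic says the file came from a host of the other endianness, while the Ethernet type, IP addresses and TCP/UDP ports are big-endian on the wire no matter who wrote the file, so they always go through ntohs()/ntohl(). That is the distinction behind the ntohs() question above. Writing the bytes returned by write_pcap to disk with fwrite() gives a file that Wireshark or tcpdump -r will open as a one-packet capture; with a snaplen smaller than the frame, the record stores only snaplen bytes while orig_len still records the wire length, which is what a truncated live capture looks like.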
9
votes
1 answer

Optimal SNAPLEN for PCAP live capture

When using pcap_open_live to sniff from an interface, I have seen a lot of examples using various numbers as SNAPLEN value, ranging from BUFSIZ () to "magic numbers". Wouldn't it make more sense to set as SNAPLEN the MTU of the interface we…
ziu
  • 2,634
  • 2
  • 24
  • 39
9
votes
2 answers

How to send packets larger than 1500 bytes by pcap_sendpacket?

Actually, I have two related questions. I'm capturing filtered network traffic by libpcap on Debian. Then I need to replay this traffic on Win2k3 server. Sometimes I capture packets, both TCP and UDP, much larger than 1500 bytes (default MTU size…
Andriy Tylychko
  • 15,967
  • 6
  • 64
  • 112