How to Read a PCap File From Wireshark With C++ _ Rhyous


7/23/2019 How to Read a PCap File From Wireshark With C++ _ Rhyous


    02/06/2013 How to read a PCap file from Wireshark with C++ | Rhyous

    www.rhyous.com/2011/11/13/how-to-read-a-pcap-file-from-wireshark-with-c/

    I already have a post on creating a WinPcap project in Visual Studio and getting it to compile, so follow it first:

    How to compile WinPcap with Visual Studio 2010?

    Step 3 Get a packet capture.

    1. Open Wireshark and start capturing.
    2. Open your browser and go to a few sites.
    3. Stop the packet capture.
    4. Save the packet capture to a file.

    I named my file smallcapture.pcap.

    Step 4 Add C++ code to read the packet capture

    I am going to paste the code for you and put the comments and steps in the code.


    /*
     * How to read a packet capture file.
     */

    /*
     * Step 1 - Add includes
     */
    #include <cstdio>    // printf, fprintf
    #include <string>
    #include <iostream>
    #include <pcap.h>    // WinPcap/libpcap API: pcap_t, pcap_pkthdr, PCAP_ERRBUF_SIZE

    using namespace std;

    int main(int argc, char *argv[])
    {
        /*
         * Step 2 - Get a file name
         */
        string file = "C:\\users\\jared\\testfiles\\smallcapture.pcap";

        /*
         * Step 3 - Create a char array to hold the error.
         */
        // Note: errbuf in the pcap_open functions is assumed to be able to hold
        //       at least PCAP_ERRBUF_SIZE chars; PCAP_ERRBUF_SIZE is defined as 256.
        // http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__def.html
        char errbuff[PCAP_ERRBUF_SIZE];

        /*
         * Step 4 - Open the file and store result in pointer to pcap_t
         */
        // Use pcap_open_offline
        // http://www.winpcap.org/docs/docs_41b5/html/group__wpcapfunc.html
        pcap_t * pcap = pcap_open_offline(file.c_str(), errbuff);
        if (pcap == NULL)
        {
            // NULL means the file could not be opened or is not a valid capture;
            // the reason has been written into errbuff.
            fprintf(stderr, "pcap_open_offline failed: %s\n", errbuff);
            return 1;
        }

        /*
         * Step 5 - Create a header and a data object
         */
        // Create a header object:
        // http://www.winpcap.org/docs/docs_40_2/html/structpcap__pkthdr.html
        struct pcap_pkthdr *header;

        // Create a character array using a u_char
        // u_char is defined here:
        // C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Include\WinSoc
        // typedef unsigned char u_char;
        const u_char *data;

        /*
         * Step 6 - Loop through packets and print them to screen
         */
        // pcap_next_ex returns 1 for a packet, -2 at end of file and -1 on error.
        u_int packetCount = 0;
        int returnValue;
        while ((returnValue = pcap_next_ex(pcap, &header, &data)) == 1)
        {
            // Print using printf. See printf reference:
            // http://www.cplusplus.com/reference/clibrary/cstdio/printf/

            // Show the packet number
            printf("Packet # %u\n", ++packetCount);

            // Show the size in bytes of the packet
            printf("Packet size: %u bytes\n", header->len);

            // Show a warning if the length captured is different.
            // Only caplen bytes are present in data[]; len is the size on the wire.
            if (header->len != header->caplen)
                printf("Warning! Capture size different than packet size: %u bytes\n", header->len);

            // Show Epoch Time
            printf("Epoch Time: %ld:%ld seconds\n", (long)header->ts.tv_sec, (long)header->ts.tv_usec);

            // loop through the packet and print it as hexadecimal representation
            // We also have a function that does this similarly below: PrintD
            // The loop is bounded by caplen, never by len.
            for (u_int i = 0; (i < header->caplen); i++)
            {
                // Start printing on the next line after every 16 octets
                if ((i % 16) == 0) printf("\n");

                // Print each octet as hex (x), make sure there are always two digits (.2)
                printf("%.2x ", data[i]);
            }

            // Add two lines between packets
            printf("\n\n");
        }

        if (returnValue == -1)
            fprintf(stderr, "Error reading packet: %s\n", pcap_geterr(pcap));

        pcap_close(pcap);
        return 0;
    }

    You are now reading packets in C++. Now you can start working on differentiating the packet types.


    Resources

    http://www.tcpdump.org/pcap.html
    http://www.tcpdump.org/pcap3_man.html

    Tags: WinPcap

    Category: C++

    8 Comments

    1. Chingon says: April 24, 2013 at 5:25 am

    Hello Rhyous. Could you help me with a project based on UPnP to connect to a wireless router using the WPS protocol?

    I know it has nothing to do with your thread, but I have no one to turn to who understands C++.

    The project will compile without problems, no errors, I just need to modify the code a bit, but I know very little about C++.

    2. Chingon says: April 23, 2013 at 1:28 pm

    Solved! I added this line: "#pragma comment (lib, "wpcap")"

    Rhyous says: April 23, 2013 at 1:42 pm

    I am so glad you found a solution.

    3. Chingon says: April 23, 2013 at 10:59 am

    Thanks, but it doesn't work:

    Error 1 error LNK2019: unresolved external symbol _pcap_next_ex that is referenced in function _main C:\Users\Chingon\Documents\VisualStudio2010\Projects\std\std.obj

    Error 2 Error LNK2019: unresolved external symbol _pcap_open_offline that is referenced in function _main C:\Users\Chingon\Documents\VisualStudio2010\Projects\std\std.obj

    4. Proxy Servers read from a PCap file and print out IP addresses and port numbers in c, but my result seem wrong says: October 21, 2012 at 10:10 am

    [...] I am reading a pcap file and I want to print out the ip address and port number of each packet. I am using code from www.tcpdump.org/pcap.htm and www.rhyous.com/2011/11/13/how-to-read-a-pcap-file-from-wireshark-with-c/. [...]

    5. Emanuel Felipe says: October 17, 2012 at 2:14 pm


    When I did Copy/Paste the code didn't work, le wild error in lines 66 and 70 just appeared. To fix you should delete the 'l' after %, and "your" code should work fine.

    toto says: October 29, 2012 at 9:53 am

    Replying with a pokemon quote is dumb, please stop using the internet.

    6. How to compile WinPcap with Visual Studio 2010? | Rhyous says: November 13, 2011 at 7:07 pm

    [...] to compile and it should work. You are now ready to develop using WinPcap. Next: How to read a PCap file from Wireshark with C++ Category: C++ | Comment (RSS) [...]
