pcap dump file

Jul 6, 2011 at 12:55 PM
Edited Jul 7, 2011 at 1:28 PM

Hi

1. I need to monitor the network for a longer period of time, analyze it later and create statistical graphs.

For example, I will monitor the network for 8 hours, then draw a pie graph of how much of the traffic was HTTP, how much TCP or UDP, whatever.

So I came to the conclusion that saving it to a txt file could do the job, but the files could be really LARGE, I'm guessing even more than 1 gigabyte?

But we have the pcap dump file method, which saves to a libpcap file.

But what exactly is saved to this file?

How can I read from this file (I did read the example)? For example, could I iterate through the whole file searching for HTTP packets and adding values to a counter?

I'm not sure if the pcap dump file could help me, because it will work exactly the same as collecting packets myself (or maybe reading from a file is faster and takes fewer resources?).

2. How can I stop the callback function?

using (PacketCommunicator communicator = selectedDevice.Open(65536, PacketDeviceOpenAttributes.Promiscuous, 1000))
{
    // Open the dump file
    using (PacketDumpFile dumpFile = communicator.OpenDump(path))
    {
        deviceList.Invoke(new MethodInvoker(() => { deviceList.Text += ("Listening on " + selectedDevice.Description + "\r\n"); }));

        // start the capture
        if ((packetBackgroundWorker.CancellationPending == true))
        {
            e.Cancel = true;
            communicator.Break();
        }
        communicator.ReceivePackets(0, dumpFile.Dump);
    }
}

This one won't stop the background worker; the file is still written.

EDIT: I have managed to dump to a file without the callback function, but if you have time to explain to me how to stop the callback function, I would be glad :)

3. Filters.

I have no idea how it works exactly.

In this piece of code I get a null reference at http.Header/Version, which seems reasonable because HTTP uses TCP/IP.

using (BerkeleyPacketFilter filter = communicator.CreateFilter("ip"))

IpV4Datagram ip = packet.Ethernet.IpV4;
UdpDatagram udp = packet.Ethernet.IpV4.Udp;
HttpDatagram http = packet.Ethernet.IpV4.Tcp.Http;
ipBox.Invoke(new MethodInvoker(() => { ipBox.Text += (ip.Source + ":" + udp.SourcePort + " -> " + ip.Destination + ":" + udp.DestinationPort + "    " + ip.Length + "\r\n"); }));
ipBox.Invoke(new MethodInvoker(() => { ipBox.Text += (http.Header + "\r\n" +http.Version + "\r\n"); }));

But then I set the filter to "ip and tcp" and it works.

But then I set the filter to "ip or tcp and ip" and get a null reference at http.

Why is that?

Also I set the filter with an empty string, which should accept all packets ("If no expression is given, all packets on the net will be accepted by the kernel-level filtering engine." <-- sentence from https://www.winpcap.org/docs/docs_40_2/html/group__language.html).

But then... I get "Object reference not set to an instance of an object." again at http :(

So how does it work?

4. How can I determine what kind of packet I received?

For example, checking if a packet was DNS, HTTP, TCP, ARP etc.?

Regards

Raston

Jul 8, 2011 at 12:43 PM

Hi Raston,

1. Pcap dump files are files that simply save the entire packet frames.

You can easily read them using Wireshark, which also has some built-in filter and statistics tools, or using Pcap.Net if you want to write code to analyze them.

Pcap dump files can also be quite large since they save all the packets.

For statistics I would just filter what you want to measure using different filters and PacketCommunicators, and only use the Statistics methods of PacketCommunicator to get the statistics (so you don't need the packets in memory).

This would be much more efficient and you will be able to handle much higher bandwidth.

2. You called Break() before calling ReceivePackets().

Break should be used after you call ReceivePackets() while ReceivePackets() is running (from a different thread).

Remember that calling ReceivePackets with 0 means it's an infinite loop, so you can only stop it from inside the call (in your case you can't, since you call Dump() and not your own method) or from a different thread.

3. If the packet is not TCP it will still pass the "ip" filter. Pcap.Net won't be able to parse the TCP and won't be able to find its payload and give it to you as HTTP.

A packet can't be both UDP and TCP. You should know what packet you have before you use the Udp and Tcp properties. You can check what kind of packet it is using the IpV4Datagram.Protocol property.

"ip or tcp and ip" filter is equivalent to "ip".

Again, if you pass all packets some of them might not be TCP packets. If the packet is not an HTTP packet what you get from Http property won't help you much. If the packet is not a TCP packet Http property might simply not work because it assumes the TCP part is correct. You can use IsValid to see if the packet is parsable in the protocol.

4. If you don't filter in advance, you can check the fields at the different levels.

On EthernetDatagram you have the EtherType property.

On IpV4Datagram you have the Protocol property.

And on TcpDatagram and UdpDatagram you can try to use the ports. But this is not guaranteed according to the protocol standards.

I hope this helps,

Boaz.
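The layered checks Boaz describes in points 2 to 4 (EtherType, then IpV4Datagram.Protocol, then IsValid on the parsed payload, and Break() issued from a second thread while ReceivePackets(0, ...) is running), as an added example written for this edit; it is not code from the thread, from Raston, or from Pcap.Net's own samples. It assumes the PcapDotNet.Core and PcapDotNet.Packets assemblies are referenced, an Ethernet link, that the first local adapter (or a .pcap path passed as the first argument, which also covers the "analyze later" case from point 1) is the one to read, and a 30-second live run; the counter names and the port-80/port-53 hints are the example's own.

```csharp
// Added example (not from the thread): classify each packet layer by layer
// instead of assuming every packet is TCP/HTTP, and stop an endless
// ReceivePackets(0, ...) from another thread with Break().
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading;
using PcapDotNet.Core;
using PcapDotNet.Packets;
using PcapDotNet.Packets.Ethernet;
using PcapDotNet.Packets.Http;
using PcapDotNet.Packets.IpV4;
using PcapDotNet.Packets.Transport;

class ProtocolCounter
{
    // Assumption: counter keys are this example's own naming, e.g. for a pie chart.
    static readonly Dictionary<string, long> Counts = new Dictionary<string, long>();

    static void Count(string key)
    {
        long n;
        Counts.TryGetValue(key, out n);
        Counts[key] = n + 1;
    }

    // The ReceivePackets callback: only touch a layer's property after the
    // field one level below says that layer is really there.
    static void Classify(Packet packet)
    {
        EthernetDatagram ethernet = packet.Ethernet;   // assumption: Ethernet link type
        switch (ethernet.EtherType)
        {
            case EthernetType.Arp:
                Count("arp");
                return;
            case EthernetType.IpV4:
                break;                                 // handled below
            default:
                Count("other-ethertype");
                return;
        }

        IpV4Datagram ip = ethernet.IpV4;
        switch (ip.Protocol)                            // decides Tcp vs Udp, never both
        {
            case IpV4Protocol.Tcp:
                TcpDatagram tcp = ip.Tcp;
                HttpDatagram http = tcp.Http;
                // Port 80 is only a hint; IsValid on the parsed payload is the real check.
                if (tcp.Payload.Length > 0 && http != null && http.IsValid)
                    Count("http");
                else
                    Count("tcp-other");
                break;
            case IpV4Protocol.Udp:
                UdpDatagram udp = ip.Udp;
                if ((udp.SourcePort == 53 || udp.DestinationPort == 53) && udp.Dns.IsValid)
                    Count("dns");
                else
                    Count("udp-other");
                break;
            default:
                Count("ip-" + ip.Protocol);             // ICMP, IGMP, ... by enum name
                break;
        }
    }

    static void Main(string[] args)
    {
        // Assumption: args[0] is a saved .pcap to analyze later; with no argument, first live adapter.
        PacketDevice device = args.Length > 0 && File.Exists(args[0])
            ? (PacketDevice)new OfflinePacketDevice(args[0])
            : LivePacketDevice.AllLocalMachine[0];

        using (PacketCommunicator communicator = device.Open(65536, PacketDeviceOpenAttributes.Promiscuous, 1000))
        {
            // ReceivePackets(0, ...) never returns by itself, so Break() is fired from a
            // thread-pool timer thread after 30 s (assumption: run length for this example).
            Timer stopper = new Timer(_ => communicator.Break(), null,
                                      TimeSpan.FromSeconds(30), TimeSpan.FromMilliseconds(-1));
            PacketCommunicatorReceiveResult result = communicator.ReceivePackets(0, Classify);
            stopper.Dispose();
            Console.WriteLine("capture ended: " + result);   // BreakLoop when the timer fired, Eof for a file
        }

        foreach (KeyValuePair<string, long> kv in Counts)
            Console.WriteLine(kv.Key + "\t" + kv.Value);
    }
}
```

Because the callback only reads Tcp after Protocol == Tcp (and Udp after Protocol == Udp), the "ip", "ip or tcp and ip" and empty filters all work without a null reference. The port numbers are kept as hints only, as Boaz notes: HTTP on a non-80 port is still counted as "http" if the payload parses, and DNS is only counted when the DNS parse is valid. Break() is safe to call from the timer's thread-pool thread because ReceivePackets is blocking the main thread at that moment; calling it before ReceivePackets starts, as in the original snippet, has nothing to interrupt.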

Jul 11, 2011 at 11:18 AM

Great post Boaz, thank you :)

If I have additional questions connected with this topic, I'm gonna post them here.

Dec 8, 2011 at 10:04 AM

Hi Boaz,

With reference to this, I would like to ask how to implement PCAP capturing in a scheduled manner, where I need to capture per hour so that a PCAP file will be created on an hourly basis for further analysis.

Cheers,

techguy

Dec 10, 2011 at 10:04 AM

Hi techguy,

I'm not sure what you mean exactly.

You can just check the time, close the file and use a new one.

Or post process a file to split it to several per hour files.

I hope this helps,

Boaz.
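Boaz's "check the time, close the file and use a new one", as an added example written for this edit (not code from the thread or from Pcap.Net): one PacketCommunicator stays open for the whole run while the PacketDumpFile is disposed and reopened at each hour boundary. It assumes the PcapDotNet.Core and PcapDotNet.Packets assemblies are referenced, the first local adapter, an output directory passed as the first argument, and a file-name pattern (capture-yyyy-MM-dd-HH.pcap) that is the example's own.

```csharp
// Added example (not from the thread): hourly rotation of the libpcap dump file.
// The capture handle is never closed; only the dump file is swapped.
using System;
using System.IO;
using PcapDotNet.Core;
using PcapDotNet.Packets;

class HourlyDumper
{
    // Assumption: naming scheme is this example's own, e.g. capture-2011-12-10-19.pcap.
    static string FileNameFor(DateTime hour, string directory)
    {
        return Path.Combine(directory, "capture-" + hour.ToString("yyyy-MM-dd-HH") + ".pcap");
    }

    static DateTime StartOfHour(DateTime t)
    {
        return t.Date.AddHours(t.Hour);
    }

    static void Main(string[] args)
    {
        string directory = args.Length > 0 ? args[0] : ".";       // assumption: output directory
        PacketDevice device = LivePacketDevice.AllLocalMachine[0]; // assumption: first adapter

        // The 1000 ms read timeout makes ReceivePacket return even on an idle link,
        // so the hour boundary is noticed within a second instead of at the next packet.
        using (PacketCommunicator communicator = device.Open(65536, PacketDeviceOpenAttributes.Promiscuous, 1000))
        {
            DateTime currentHour = StartOfHour(DateTime.Now);
            PacketDumpFile dump = communicator.OpenDump(FileNameFor(currentHour, directory));
            try
            {
                while (true)
                {
                    DateTime now = DateTime.Now;
                    if (now >= currentHour.AddHours(1))
                    {
                        // Dispose flushes whatever the old file still buffers; packets that
                        // arrive during the swap wait in the capture buffer, not on disk.
                        dump.Dispose();
                        currentHour = StartOfHour(now);
                        dump = communicator.OpenDump(FileNameFor(currentHour, directory));
                    }

                    Packet packet;
                    PacketCommunicatorReceiveResult result = communicator.ReceivePacket(out packet);
                    if (result == PacketCommunicatorReceiveResult.Timeout)
                        continue;                       // idle link: loop back and re-check the clock
                    if (result != PacketCommunicatorReceiveResult.Ok)
                        break;                          // Eof or BreakLoop ends the run
                    dump.Dump(packet);
                }
            }
            finally
            {
                dump.Dispose();                         // flush and close the last file
            }
        }
    }
}
```

This is the answer to the buffering worry above: the swap happens in user space while the driver keeps queueing packets for the still-open communicator, so no special hardware is needed. The only way to lose packets here is for the capture buffer to overflow under sustained load, which is independent of rotating files; the clock check costs one comparison per read and no timer event, and a file is closed at most one read timeout after the hour changes.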

Dec 10, 2011 at 7:19 PM

Hi Boaz,

Thanks for your response. I can start this process in a timer event; however, I'm only concerned: if I change to another dump file after a certain time, does it affect the buffer, or will it not miss certain packets?

Thanks,

techguy

Dec 10, 2011 at 8:26 PM

When you dispose the dump file object, any buffer it has would be flushed.

Dec 10, 2011 at 9:37 PM

Hi Boaz,

Which means no buffering mechanism would take place as it changes the dump file to a new one, so the only solution in order not to lose any packets would be using special hardware that stores packets temporarily in its buffer?

Thanks again.

techguy

Dec 10, 2011 at 9:39 PM

I don't understand why you would lose packets?

If you switch a file once every hour I don't see a reason for losing any packets.

Dec 10, 2011 at 9:49 PM

Can you post sample code how to do it every hour by just switching the dump file?

Dec 13, 2011 at 9:40 AM

Hi Boaz,

I managed to take the chunks of packets (per file) for further analysis by counting the packets instead of using timer events.

Thanks anyway.

techguy