read a pcap file and write the packets into a database

Jun 15, 2012 at 2:31 PM

I have a strange (imo) requirement for a client:

I need to read pcap files and write the packets into a database (specifically a mongo collection).

The Packet type is not serializable so (obviously) there is no easy way to do this and I thought it was worth the time to ask if anyone else has done something similar?

What I am doing now is populating a simple DTO class from a Packet data:

    public class DTO
    {
        public Byte[] Data { get; set; }
        public DateTime TimeStamp { get; set; }
        public DataLinkKind DataLink { get; set; }
    }

like so:

    DTO dto = new DTO()
    {
        Data = packet.Buffer,
        TimeStamp = packet.Timestamp,
        DataLink = packet.DataLink.Kind
    };

I am not an expert with this particular domain (pcap) but the DTO allows me to serialize to disk w/o a non-trivial amount of custom serialization logic and later reconstitute via this code:

    Packet testPacket = new Packet(dto.Data, dto.TimeStamp, dto.DataLink);

Doing this seems to work as:

    Boolean result = packet.Equals(testPacket);

evaluates to true for my tests...

My primary concern at this point is if I am losing any data?

Thank you for your valuable time.

Chris

Coordinator
Jun 16, 2012 at 6:01 AM

Hi Chris,

No reason that any data would be lost this way.

This looks pretty straightforward to me, and it seems that it's good that you have the freedom to decide how to serialize the Packet instance.

Boaz.

Jun 16, 2012 at 7:02 AM

Outstanding. Thank you for the sanity check, I greatly appreciate it!

Chris

Jun 20, 2012 at 10:01 PM

Continuing the discussion.

I've got all of these packets in my database and the user is able to query for a specific time range so that I can build an 'extract' pcap file.

Is there a code sample that I'm not seeing that could help with this task?

Examining the documentation, am I wrong with the thought that I'd have to 'send' the packets again to be captured?

Fishing for ideas here...


Thx,


Chris

Coordinator
Jun 22, 2012 at 7:18 AM

Hi Chris,

I believe you can use the PacketDumpFile.Dump() static method.

I hope this helps,

Boaz.

Jun 22, 2012 at 10:02 AM

I completely missed that method... thank you! I kept looking for instance constructors on the PacketDumpFile class and then allowed myself to get tunnel vision with the samples using devices for dumps. Thank you again for your responsiveness, you've been a great help answering my questions.
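
The time-range extract discussed in this thread, shown at the file-format level as an added example (not code from the thread or from Pcap.Net). It goes beyond the thread by writing and re-reading the classic libpcap format directly instead of calling PacketDumpFile.Dump(); the record fields (`ts_us`, `linktype`, `data`), the function names and the sample rows are assumptions constructed for illustration.

```python
import struct

LINKTYPE_ETHERNET = 1      # libpcap link-layer type value for Ethernet
PCAP_MAGIC = 0xA1B2C3D4    # classic pcap, microsecond timestamps

def write_extract(records, start_us, end_us, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Build a classic pcap file (as bytes) from stored rows in [start_us, end_us]."""
    chosen = sorted((r for r in records if start_us <= r["ts_us"] <= end_us),
                    key=lambda r: r["ts_us"])
    # The global header declares a single link type for the whole file,
    # so rows of another link type cannot go into the same extract.
    if any(r["linktype"] != linktype for r in chosen):
        raise ValueError("row with a different link type inside the range")
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, network
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for r in chosen:
        sec, usec = divmod(r["ts_us"], 1_000_000)
        data = r["data"][:snaplen]
        # Record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", sec, usec, len(data), len(r["data"])))
        out.append(data)
    return b"".join(out)

def read_pcap(blob):
    """Parse a little-endian classic pcap blob back into rows."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    rows, offset = [], 24
    while offset < len(blob):
        sec, usec, caplen, _orig = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        if offset + caplen > len(blob):
            raise ValueError("truncated record")
        rows.append({"ts_us": sec * 1_000_000 + usec, "linktype": linktype,
                     "data": blob[offset:offset + caplen]})
        offset += caplen
    return rows

# Constructed sample rows standing in for the stored documents. Timestamps are
# integer microseconds since the epoch (an assumption): pcap records carry
# microseconds, while a BSON date holds whole milliseconds.
STORED = [
    {"ts_us": 1_339_770_660_123_456, "linktype": 1, "data": bytes(range(60))},
    {"ts_us": 1_339_770_661_000_001, "linktype": 1,
     "data": b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + bytes(46)},
    {"ts_us": 1_339_770_700_500_000, "linktype": 1, "data": bytes(64)},
]
```

Reading the extract back with `read_pcap` and comparing it to the selected rows is the file-level equivalent of the `packet.Equals(testPacket)` check earlier in the thread.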