Wireshark pcap file format analysis and parsing source code

Source: Internet
Author: User
The following describes the default *.pcap file storage format of Ethereal.

Description of each field in the 24-byte pcap file header:

Magic: 4B, 0x1a 2B 3C 4d, marks the start of the file
Major: 2B, 0x02 00, major version number of the file format
Minor: 2B, 0x04 00, minor version number of the file format
Thiszone: 4B, local standard time offset; all zero
Sigfigs: 4B, timestamp precision; all zero
Snaplen: 4B, maximum stored length of a packet
Linktype: 4B, link type. Common link types:
0 BSD loopback devices, except for later OpenBSD
1 Ethernet, and Linux loopback Devices
6 802.5 Token Ring
7 ARCNET
8 slip
9 PPP
10 FDDI
100 LLC/snap-encapsulated ATM
101 "raw IP", with no link
102 BSD/OS slip
103 BSD/OS PPP
104 Cisco HDLC
105 802.11
108 later OpenBSD loopback devices (with the af_value in network byte order)
113 special Linux "cooked" Capture
114 localtalk

 

    Packet header and packet data composition. Field description:
    Timestamp (high): the high part of the timestamp, in seconds
    Timestamp (low): the low part of the timestamp, in microseconds
    Caplen: the length of the current data area, i.e. the length of the captured frame; it gives the position of the next frame
    Len: the off-line data length, i.e. the length of the actual frame on the network, which is generally not greater than caplen and in most cases is equal to it
    Packet Data: the packet itself (usually the link-layer frame), of length caplen, immediately followed by the next packet header. The pcap file stores no separator between packets, so where the next packet starts in the file must be worked out from the caplen of the preceding packet header. The packet data itself is in standard network protocol format, which can be found in any networking textbook.

 

The following is my implementation, which parses custom UDP packet capture files.
// Decoded IPv4 header as filled in by the IP parser (_IP->parse, defined
// elsewhere in this project). Every field is a host-side int, so this is a
// decoded view and NOT the on-the-wire layout: it must never be memcpy'd
// over raw packet bytes.
typedef struct tagiphead Ip_head;
struct tagiphead
{
    int version;          // IP version field
    int headlength;       // header length field; unit (bytes vs 32-bit words) is set by the parser — confirm before using it as an offset
    int diffsever;        // differentiated services / TOS byte (field name kept as in the original)
    int totallength;      // total length field
    int identification;   // identification field
    int flag;             // flags
    int fragment;         // fragment offset
    int TTL;              // time to live
    int protocoltype;     // protocol number; 17 (UDP) is the only value the caller acts on
    int checksum;         // header checksum as read from the packet; not verified here
    unsigned long srcip;  // source address, compared against acip_list/portalip_list by the caller
    unsigned long dstip;  // destination address, compared the same way
};
// Decoded UDP header as filled in by the UDP parser (_UDP->parse, defined
// elsewhere in this project). Like Ip_head this is a host-side view, not the
// 8-byte wire layout, so it is not suitable for direct memcpy from a packet.
typedef struct tagudphead Udp_head;
struct tagudphead
{
    unsigned short srcport;   // source port
    unsigned short dstport;   // destination port
    int length;               // UDP length field as decoded by the parser (header + payload on the wire)
};

 

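// Fixed sizes of the pcap structures and of the encapsulation this parser
// understands (Ethernet / IPv4 without options / UDP).
enum
{
    PCAP_FILE_HDR_LEN = 24,        // magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
    PCAP_REC_HDR_LEN = 16,         // ts_sec(4) ts_usec(4) caplen(4) len(4)
    PCAP_LINKTYPE_ETHERNET = 1,    // the only link type the 14-byte frame offset below is valid for
    ETH_HDR_LEN = 14,
    IPV4_HDR_LEN = 20,             // assumes no IP options, as the original did
    UDP_HDR_LEN = 8,
    IP_PROTO_UDP = 17
};

// Upper bound on a single captured record. This is libpcap's own maximum
// snapshot length, so a caplen above it can only come from a corrupt or
// hostile file; refusing it keeps `new char[caplen]` from being driven by
// an arbitrary 32-bit value read from disk.
static const unsigned long PCAP_MAX_CAPLEN = 262144ul;

// libpcap magic of a microsecond-resolution capture whose fields are stored
// little-endian, which is how this parser reads them (see le32()). A file with
// the byte-swapped magic 0xd4c3b2a1 is rejected rather than mis-parsed; the
// original commented out its ntohl() and would have read such a file wrongly.
static const unsigned long PCAP_MAGIC_LE = 0xa1b2c3d4ul;

// Assembles a little-endian 32-bit value from 4 bytes into an unsigned long.
// The original memcpy'd 4 bytes into an unsigned long, which leaves the upper
// bytes unset wherever long is 64 bits; building the value explicitly avoids
// that and pins the byte order the file format is being read in.
static unsigned long le32(const unsigned char *p)
{
    return (unsigned long)p[0] |
           ((unsigned long)p[1] << 8) |
           ((unsigned long)p[2] << 16) |
           ((unsigned long)p[3] << 24);
}

// Reads up to n bytes into dst, looping because fread() may return fewer
// bytes than requested before EOF. Returns the number of bytes actually
// stored; the caller distinguishes a clean EOF (0) from a truncated record.
static size_t read_fully(FILE *f, void *dst, size_t n)
{
    unsigned char *out = static_cast<unsigned char *>(dst);
    size_t got = 0;
    while (got < n)
    {
        size_t r = fread(out + got, 1, n - got, f);
        if (r == 0)
        {
            break;   // EOF or I/O error; a zero return would otherwise spin forever
        }
        got += r;
    }
    return got;
}

// True when one endpoint of (src, dst) is an AC address AND one endpoint is a
// portal address. This reproduces the original test exactly: it does not
// require the AC and the portal to be *different* endpoints, so a packet
// between two addresses of which one is both AC and portal also matches.
// Tighten to (src is AC && dst is portal) || (src is portal && dst is AC) if
// that is what the sessions logic actually expects.
static bool endpoints_match(const std::list<unsigned long> &acips,
                            const std::list<unsigned long> &portalips,
                            unsigned long src, unsigned long dst)
{
    bool ac_hit = false;
    for (std::list<unsigned long>::const_iterator it = acips.begin(); it != acips.end(); ++it)
    {
        if (*it == src || *it == dst)
        {
            ac_hit = true;
            break;
        }
    }
    if (!ac_hit)
    {
        return false;
    }
    for (std::list<unsigned long>::const_iterator it = portalips.begin(); it != portalips.end(); ++it)
    {
        if (*it == src || *it == dst)
        {
            return true;
        }
    }
    return false;
}

// Parses a little-endian Ethernet pcap file and feeds every UDP packet that
// travels between a configured AC address and a configured portal address
// into _wass_session.
//
// filename   path of the capture file, opened read-only in binary mode.
// bthreadrun polled before every record; clearing it from another thread
//            stops the parse early (no synchronisation is added here — the
//            original relied on a plain bool as well).
// Returns 2 when the file cannot be opened, otherwise 0 — also for a file
// that is truncated, has an unsupported magic/link type, or stops early,
// exactly as the original did; those cases are now reported on stderr.
//
// Side effects: replaces _wass_session, appends to acip_list/acport_list/
// portalip_list/portalport_list (every call appends again, so repeated calls
// accumulate duplicate entries — presumably parse() is called once per run;
// confirm), and overwrites _portalpacket per matching packet.
unsigned long fileparse::parse(const char *filename, bool &bthreadrun)
{
    // Start a fresh session table for this file; delete on NULL is a no-op.
    delete _wass_session;
    _wass_session = new wasssessions();

    // Load the AC and portal addresses that packets are filtered on. The
    // configuration object lives on the stack so it is released even if
    // getipconfig() throws; radiusip is required by the call but unused here.
    {
        cconfigure config;
        char acip[30] = {0};
        char portalip[30] = {0};
        char radiusip[30] = {0};
        unsigned long iptmp = 0;
        unsigned short porttmp = 0;
        config.getipconfig(acip, portalip, radiusip);
        cut_ip(acip, iptmp, porttmp);
        acport_list.push_back(porttmp);
        acip_list.push_back(iptmp);
        cut_ip(portalip, iptmp, porttmp);
        portalip_list.push_back(iptmp);
        portalport_list.push_back(porttmp);
    }

    FILE *pfile = fopen(filename, "rb");
    if (!pfile)
    {
        fprintf(stderr, "open the file failed: %s", strerror(errno));
        return 2;   // same code the original returned for an unopenable file
    }

    unsigned char filehdr[PCAP_FILE_HDR_LEN];
    if (read_fully(pfile, filehdr, sizeof filehdr) != sizeof filehdr)
    {
        fprintf(stderr, "pcap file header truncated: %s\n", filename);
    }
    else if (le32(filehdr) != PCAP_MAGIC_LE)
    {
        // Big-endian and nanosecond-resolution variants are not handled.
        fprintf(stderr, "unsupported pcap magic 0x%08lx in %s\n", le32(filehdr), filename);
    }
    else if (le32(filehdr + 20) != PCAP_LINKTYPE_ETHERNET)
    {
        // ETH_HDR_LEN below is only valid for link type 1.
        fprintf(stderr, "unsupported pcap link type %lu in %s\n", le32(filehdr + 20), filename);
    }
    else
    {
        while (bthreadrun)
        {
            unsigned char rechdr[PCAP_REC_HDR_LEN];
            size_t got = read_fully(pfile, rechdr, sizeof rechdr);
            if (got != sizeof rechdr)
            {
                // Zero bytes at a record boundary is the normal end of file;
                // anything else means the file was cut mid-record.
                if (got != 0 || ferror(pfile))
                {
                    fprintf(stderr, "truncated pcap record header in %s\n", filename);
                }
                break;
            }
            unsigned long timestamp1 = le32(rechdr);       // ts_sec
            unsigned long timestamp2 = le32(rechdr + 4);   // ts_usec
            unsigned long npacketlen = le32(rechdr + 8);   // caplen: bytes actually stored
            if (npacketlen > PCAP_MAX_CAPLEN)
            {
                fprintf(stderr, "pcap record caplen %lu exceeds %lu in %s\n",
                        npacketlen, PCAP_MAX_CAPLEN, filename);
                break;
            }

            // Read the frame straight into its own buffer; the original
            // staged it through a fixed-size stack array sized independently
            // of caplen. new char[0] is legal and is never dereferenced below.
            char *pkt = new char[npacketlen];
            if (read_fully(pfile, pkt, npacketlen) != npacketlen)
            {
                fprintf(stderr, "truncated pcap packet data in %s\n", filename);
                delete[] pkt;
                break;
            }

            // Only hand the IP parser a frame that is long enough to hold an
            // IPv4 header and actually carries EtherType 0x0800; the original
            // parsed every frame as IPv4, so an ARP/IPv6/VLAN frame whose
            // byte 23 happened to be 17 was treated as UDP.
            const unsigned char *raw = reinterpret_cast<const unsigned char *>(pkt);
            bool is_ipv4 = npacketlen >= ETH_HDR_LEN + IPV4_HDR_LEN &&
                           raw[12] == 0x08 && raw[13] == 0x00;
            if (is_ipv4)
            {
                _IP->parse(pkt + ETH_HDR_LEN);
                // NOTE(review): IPV4_HDR_LEN assumes no IP options, as the
                // original did; wass_ip_head.headlength could replace it once
                // its unit is confirmed.
                if (_IP->wass_ip_head.protocoltype == IP_PROTO_UDP &&
                    npacketlen >= ETH_HDR_LEN + IPV4_HDR_LEN + UDP_HDR_LEN)
                {
                    _UDP->parse(pkt + ETH_HDR_LEN + IPV4_HDR_LEN);
                    const unsigned long payload_off = ETH_HDR_LEN + IPV4_HDR_LEN + UDP_HDR_LEN;
                    const unsigned long src = _IP->wass_ip_head.srcip;
                    const unsigned long dst = _IP->wass_ip_head.dstip;
                    if (endpoints_match(acip_list, portalip_list, src, dst))
                    {
                        // The packet is between an AC and a portal: decode it
                        // and hand it to the session table. _portalpacket is
                        // overwritten on every match and never deleted here,
                        // so addpacket() is presumed to take ownership — confirm.
                        _portalpacket = new cportalpacket();
                        _portalpacket->parse(pkt + payload_off, npacketlen - payload_off);
                        _portalpacket->setipandport(src, dst,
                                                    _UDP->wass_udp_head.srcport,
                                                    _UDP->wass_udp_head.dstport);
                        _portalpacket->setpackettime(timestamp1, timestamp2);
                        _wass_session->addpacket(_portalpacket, _sessions);
                    }
                }
            }
            delete[] pkt;
        }
    }

    fclose(pfile);
    return 0;
}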

 
