Limit size of reading pcap file?


Thiago

Oct 28, 2013, 7:26:14 AM
to libcr...@googlegroups.com
Hi Esteban!

I would like to know if there is a size limit for reading a PCAP file with the function "ReadPcap".

    list<packet_ptr> packets_read;
    ReadPcap(&packets_read,PCAP_Filename);

I have done some tests with a PCAP file of 40Mb and I have to split it before reading it :s

Thank you for your help.

Esteban Pellegrino

Oct 28, 2013, 7:32:57 AM
to libcr...@googlegroups.com

I don't think there is a limit, only the RAM memory...

For what reason did you split the file?


Thiago

Oct 28, 2013, 7:39:58 AM
to libcr...@googlegroups.com
For a PCAP file of <5MB that works properly, but when I used a PCAP file of 40Mb the program blocks in the ReadPcap function and does not provide a warning or error message.

More precisely, in the function Crafter::LoopPcap, at this line:

    if ((r = pcap_loop (handle, cnt, callback, user)) < 0)

I split the file in order to test whether it was the reason for the stall, and after splitting it works.

Is there another way to handle large pcap files?

Esteban Pellegrino

Oct 28, 2013, 7:44:34 AM
to libcr...@googlegroups.com

Maybe the library is still processing the packets?

What about the CPU and memory usage over that time?

Thiago

Oct 28, 2013, 8:21:42 AM
to libcr...@googlegroups.com
During this time:
100% CPU and 24.5% RAM
    25843 root      20   0  972m 949m 3604 R  100 24.7  38:14.96 U400_PCAP_decod

Still busy for 30+ min!

Quite confusing

Thiago

Oct 29, 2013, 11:20:47 AM
to libcr...@googlegroups.com
I have used a vector of packets instead of a list and the performance is better!

Is it possible to process a pcap file packet by packet with the library?

Esteban Pellegrino

Oct 29, 2013, 11:26:14 AM
to libcr...@googlegroups.com

What do you mean? To process packets without loading all of them to the RAM memory? Using an interface similar to the sniffer but with pcap files?

Let me check that out, I think it is not possible right now...

Esteban Pellegrino

Oct 29, 2013, 12:12:56 PM
to libcr...@googlegroups.com
Yes, there is a way to process packet by packet from a pcap file. If you have a huge pcap file this is the way to go. You need to provide a packet handler to the ReadPcap function:

    void ReadPcap(const std::string& filename, Packet::PacketHandler PacketHandlerFunction, void* user = 0, const std::string& filter = "");

Here is a simple example to see how to use that function. The third argument is a void* pointer that could be used to pass additional information to the packet handler, not too c++-ish :-(

    #include <iostream>
    #include <string>
    #include <crafter.h>

    /* Collapse namespaces */
    using namespace std;
    using namespace Crafter;

    /* Function for handling a packet */
    void PacketHandler(Packet* sniff_packet, void* user) {
        /* sniff_packet -> pointer to the packet captured */
        /* user -> void pointer to the data supplied by the user */

        /* Check if there is a payload */
        RawLayer* raw_payload = sniff_packet->GetLayer<RawLayer>();
        if(raw_payload) {
            /* Summarize some data */

            cout << "[+] ------- [+]" << endl;
            TCP* tcp_layer = sniff_packet->GetLayer<TCP>();
            /* Guard against a missing TCP layer before dereferencing */
            if(tcp_layer)
                cout << "[#] TCP packet from source port: " << dec << tcp_layer->GetSrcPort() << endl;

            cout << "[#] With Payload: " << endl;
            raw_payload->Print();
        }
    }

    int main(int argc, char* argv[]) {
        if(argc != 2) {
            cerr << "Usage : " << argv[0] << " <file.pcap>" << endl;
            return -1;
        }
        /* Read the capture packet by packet, keeping only TCP traffic */
        string filename(argv[1]);
        ReadPcap(filename, PacketHandler, 0, "tcp");
        return 0;
    }
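
Added example, not part of the original post and not libcrafter code: the same packet-by-packet idea with no library at all, as a standard-library C++ reader for the classic pcap file format that reuses one buffer and rejects record lengths above the snapshot length. `StreamPcap`, `RecordHandler`, `kMaxRecord` and the in-memory sample file are names and values constructed for this illustration.

```cpp
// Added example, not libcrafter code: stream a classic pcap file record by record.
#include <cstdint>
#include <functional>
#include <sstream>
#include <string>
#include <vector>

using RecordHandler = std::function<void(const std::vector<uint8_t>&, uint32_t)>;
const uint32_t kMaxRecord = 262144;  // assumed hard cap on one record's size

static uint32_t Rd32(const unsigned char* p, bool big) {  // read in file byte order
    return big ? (uint32_t(p[0]) << 24 | uint32_t(p[1]) << 16 | uint32_t(p[2]) << 8 | p[3])
               : (uint32_t(p[3]) << 24 | uint32_t(p[2]) << 16 | uint32_t(p[1]) << 8 | p[0]);
}

// Returns the number of records delivered, or -1 if the file is malformed.
long StreamPcap(std::istream& in, const RecordHandler& handler) {
    unsigned char gh[24], rh[16];                    // global and per-record headers
    if (!in.read(reinterpret_cast<char*>(gh), sizeof gh)) return -1;
    bool big = Rd32(gh, true) == 0xa1b2c3d4u;        // magic tells the byte order
    if (!big && Rd32(gh, false) != 0xa1b2c3d4u) return -1;
    uint32_t snaplen = Rd32(gh + 16, big);
    uint32_t limit = (snaplen && snaplen < kMaxRecord) ? snaplen : kMaxRecord;
    std::vector<uint8_t> buf;                        // one buffer, reused per record
    long count = 0;
    while (in.read(reinterpret_cast<char*>(rh), sizeof rh)) {
        uint32_t caplen = Rd32(rh + 8, big);         // bytes stored for this record
        if (caplen > limit) return -1;               // do not trust the length field
        buf.resize(caplen);
        if (caplen && !in.read(reinterpret_cast<char*>(buf.data()), caplen)) return -1;
        handler(buf, Rd32(rh, big));                 // payload bytes and ts_sec
        ++count;
    }
    return in.gcount() == 0 ? count : -1;            // partial header means truncation
}

// Constructed sample: little-endian header, snaplen 64, records of 3 and 4 bytes.
std::string BuildSamplePcap() {
    auto le32 = [](std::string& s, uint32_t v) {
        for (int i = 0; i < 4; ++i) s.push_back(char((v >> (8 * i)) & 0xff));
    };
    std::string f;
    le32(f, 0xa1b2c3d4u); le32(f, 0x00040002u); le32(f, 0); le32(f, 0);
    le32(f, 64); le32(f, 1);                         // snaplen, linktype (Ethernet)
    le32(f, 100); le32(f, 0); le32(f, 3); le32(f, 3); f += "abc";
    le32(f, 101); le32(f, 0); le32(f, 4); le32(f, 4); f += "defg";
    return f;
}
```

Memory use is bounded by the largest single record rather than by the file size, which is the property that matters for multi-gigabyte or untrusted captures.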

Thiago

Oct 30, 2013, 9:22:39 AM
to libcr...@googlegroups.com
Thank you for your answer, it's exactly what I want to do.

So I have to add to the library a new function ReadPcap (with the function pcap_next_ex) and a new type PacketHandler?

Esteban Pellegrino

Oct 30, 2013, 9:28:48 AM
to libcr...@googlegroups.com

Which version of the library are you using?

That function is already on libcrafter.

Thiago

Oct 30, 2013, 9:31:52 AM
to libcr...@googlegroups.com
I am working with the crafter-0.2

Thiago

Oct 30, 2013, 9:36:55 AM
to libcr...@googlegroups.com
I took a look on GitHub, and I see that I don't have the latest version of the library. I will try with the new one.

Esteban Pellegrino

Oct 30, 2013, 9:38:53 AM
to libcr...@googlegroups.com

The code in the example works on the latest libcrafter in the git repo, but that function is not in 0.2 :-(

I recommend you clone libcrafter from git and update your version. The latest has some new features too...

The current master branch is very stable and was tested in the last 5 months. I just need to add cmake, support for osx and windows, and some unit testing before release 0.3.

Just in case, execute make uninstall to get rid of the files of crafter 0.2

Thiago

Oct 30, 2013, 11:07:10 AM
to libcr...@googlegroups.com
Perfect !!

This works fine !

Thanks for your help