[opendpi:93] Using with Live PCAP


Nick Jost

Apr 20, 2010, 9:02:10 PM
to opendpi
I changed the demo so that the openPcap function read like (includes
linty bits):
static void openPcapFile(void)
{
pcap_t *handle; /* Session handle */
char *dev = "wlan0"; /* The device to sniff on */
char errbuf[PCAP_ERRBUF_SIZE]; /* Error string */
struct bpf_program fp; /* The compiled filter */
char filter_exp[] = "port 80"; /* The filter expression */
bpf_u_int32 mask; /* Our netmask */
bpf_u_int32 net; /* Our IP */

/* Define the device */
if (dev == NULL) {
fprintf(stderr, "Couldn't find default device: %s\n", errbuf);
return (2);
}
printf("Setting dev: %s\n", dev);

/* Find the properties for the device */
if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) {
fprintf(stderr, "Couldn't get netmask for device %s: %s\n", dev,
errbuf);
net = 0;
mask = 0;
}
printf("Net(%d) and Mask(%d)\n", net, mask);

/* Open the session in promiscuous mode */
_pcap_handle = pcap_open_live(dev, BUFSIZ, 1, -1, errbuf);
if (handle == NULL) {
fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
return (2);
}
printf("Opened session\n");

_pcap_datalink_type = pcap_datalink(_pcap_handle);

==============================================================

When I do this and run I get an error that I don't get with my non DPI
capture program (including linty file error):
ERROR: no pcap file path provided; use option -f with the path to a
valid pcap file
Setting dev: wlan0
Net(10372523) and Mask(16711679)
Couldn't open device wlan0: ��O

==============================================================

Normally when the device can't open this is because you aren't in su
mode. However I am. Is this a function of libtools (which I'm not at
all familiar with)? Am I doing something obviously wrong to get this
working in live mode?


Nick Jost

Apr 20, 2010, 9:03:12 PM
to opendpi
Should note I'm using 1.2 since that was the latest posted.

Jonathan Saint-Léger

Apr 21, 2010, 4:53:14 AM
to opendpi
Hi Nick,

If you change your openPcapFile() this way, then you should also change the
parseOptions function located in the same file.
Disable the //check parameters block, where they check whether
_pcap_file is NULL or not. Since you feed the program with a live
capture and don't use the _pcap_file variable any more, it's OK.

You can also modify your parseOptions function a bit deeper so that
you set the interface as a parameter when you run the demo and not
"hard-coded" as you did.

Regards

Nick Jost

Apr 21, 2010, 12:51:38 PM
to opendpi
I'm sorry, I thought it was evident that I did remove the early exit
as...it didn't exit and used the wlan0 dev name. The problem is the
device open fails per my code:
_pcap_handle = pcap_open_live(dev, BUFSIZ, 1, -1, errbuf);
if (handle == NULL) {
fprintf(stderr, "Couldn't open device %s: %s\n", dev,
errbuf);
return (2);
}
printf("Opened session\n");


returns:
Couldn't open device wlan0: ��O

All the options code does is set up the command line; it doesn't (at a quick
glance) make any pcap calls, right? So my error _should_, in theory,
exist elsewhere.

Nicholas Jost

Nick Jost

Apr 21, 2010, 6:29:36 PM
to opendpi
I now believe that I was being far too optimistic. The whole thing
(possibly DPI???) assumes post-processing when I _definitely don't_
want to do post-processing. Is there a live example I can turn to?

Jonathan Saint-Léger

Apr 22, 2010, 3:43:32 AM
to opendpi
My mistake!

I was tricked by the fact you kept the error message "ERROR: no pcap
file path provided; use option -f with the path to a valid pcap file".

I use the same thing to open pcap live, but re-reading your code, I
think you mixed up the two variables 'handle' and '_pcap_handle' (when
doing the check: if handle==NULL instead of if _pcap_handle==NULL)?

My piece of code is more like this:

_pcap_handle= pcap_open_live(interface, 1518, 1, -1,
pcap_error_buffer);

if (_pcap_handle == NULL){
printf ...
}

I run it live and it works fine, but I'm doing it on an Ethernet
interface though...

Nick Jost

Apr 22, 2010, 1:47:27 PM
to opendpi
ARGH! What a bonehead mistake. More questions to follow.

Nick Jost

Apr 22, 2010, 1:51:35 PM
to opendpi
Speaking of which as this attempts to total flows I'm still not sure a
live capture "works" right. I've got to try to modify it now to
return results as it has them. Thanks again for catching that though.

Harish Parchuri

Feb 23, 2012, 2:39:41 AM
to ope...@googlegroups.com
Hi,

I am capturing live traffic and sending it to Opendpi to detect the protocol. Just because I am calling Opendpi, I am not able to capture more than half of the packets going through the interface. To resolve this problem I have added threading to process the packets. In that case I am getting most of the protocols as unknown. Any help will be graceful...
