pcap-ng support


Jozef Zuzelka

Nov 2, 2016, 10:22:19 AM
to PcapPlusPlus support
Hello,
I'd like to ask if there is better support for pcap-ng in this library than what is mentioned on the Wireshark wiki page:
"Libpcap 1.1.0 and later have a limited ability to read them as well, although libpcap doesn't yet support writing them" (https://wiki.wireshark.org/Development/LibpcapFileFormat)

PcapPlusPlus Support

Nov 2, 2016, 5:07:31 PM
to PcapPlusPlus support
Unfortunately the answer is no. Currently only the pcap format is supported, as this is the only format supported by libpcap (Linux and Apple) and WinPcap.
In order to add the pcap-ng format I need to write the parser myself or use a C/C++ library that does that already (but it needs to support multiple platforms). If you know of such a library please let me know and I'll try to integrate it into PcapPlusPlus.

Jozef Zuzelka

Nov 2, 2016, 5:48:03 PM
to PcapPlusPlus support
I found this site with a list of applications and libraries which support pcap-ng, but most of them don't support writing to a file (and are implemented in other languages).

Some more implementations I have found so far:
wireshark module: Wiretap (it may be multi-platform):
apple's implementation (according to the wireshark wiki, it supports both read and write):
tcpdump github (does not support writing to a file? but looks multi-platform [at least windows<->linux + we can look at whether it differs radically from apple's implementation and extend it]):
nmap (differs from the file above, but I don't know how much; it also looks like it's for both windows & linux):

I haven't checked licences yet and I also don't know if some of them can be used in PcapPlusPlus (how much effort it would take to integrate them - C->C++).

PcapPlusPlus Support

Nov 2, 2016, 7:43:47 PM
to PcapPlusPlus support
Some of the libraries that you found are probably not cross-platform (like Apple's libpcap), others are really big and complicated and very hard to integrate with.
One possible solution can be to "tear off" the pcap-ng parsing code from one of these libraries, but I don't think their license will permit that.
Once I have a parser which is simple to integrate with, written in either C or C++ and is cross-platform, I think it can be quite easy to integrate it into PcapPlusPlus, I'd say maybe 1-3 weeks.

PcapPlusPlus Support

Nov 3, 2016, 8:10:49 PM
to PcapPlusPlus support
I think I found a library that might fit what you need: https://github.com/rvelea/LightPcapNg
I made some tests and this library seems to be compiling for Windows and Linux, as well as reading and writing pcapng files.
Please take a look and see if it's what you need.
I think I can embed it in PcapPlusPlus but it might take a few weeks.
Please tell me what you think.

Jozef Zuzelka

Nov 4, 2016, 10:02:30 AM
to PcapPlusPlus support
I tried to compile it on macOS => light_alloc.c:50:2: error: unknown type name 'ssize_t'; did you mean 'size_t'?  ~~>ssize_t<~~ block_body_size;
When I replaced ssize_t with int (the first Google results did not show the right file to include, so I did this just to see if there were any other errors and to try their tests) it seemed to be working on macOS as well, although there was an error in some tests:  (/test_histogram.test mpeg-ts.pcapng => ERROR at light_io.c::light_read_from_path::38: -930238288 <= 0, ...output omitted...)

I need to save captured traffic into a file and to either add a custom block with information about each packet or extend each block (packet) with custom options. It seems I will be able to do that with that library.

PcapPlusPlus Support

Nov 4, 2016, 6:03:00 PM
to PcapPlusPlus support
I'm not sure you can capture traffic with this library; it's mainly meant to read and write pcapng files.
If you still want me to integrate it into PcapPlusPlus please let me know.

Jozef Zuzelka

Nov 4, 2016, 6:11:14 PM
to PcapPlusPlus support
For capturing traffic I'd use your library, and if you integrate LightPcapNg into PcapPlusPlus I will not have to use both libraries (just PcapPlusPlus for both capturing traffic and writing to a pcapng file).

PcapPlusPlus Support

Nov 4, 2016, 6:33:28 PM
to PcapPlusPlus support
Ok, I'll try to integrate it into PcapPlusPlus. It'll probably take me a couple of weeks.
The first thing I'll do is fork this library and make sure it compiles on Linux, Windows and Mac. I'd appreciate your help with compiling on Mac OS X.

Jozef Zuzelka

Nov 4, 2016, 7:07:21 PM
to PcapPlusPlus support
Ok, thank you. I'll do what I can.

PcapPlusPlus Support

Nov 23, 2016, 8:15:46 AM
to PcapPlusPlus support
Hi, I've finished adding support for PCAPNG to PcapPlusPlus. You can get the latest code from the master branch.
You should be able to read and write PCAPNG files:
  • Read / write packets
  • Read / write file metadata (OS, capture app, hardware, file comment)
  • Read / write a comment for each packet
The relevant classes are PcapNgFileReaderDevice (for reading PCAPNG files) and PcapNgFileWriterDevice (for writing PCAPNG files).
You can see an example of using the code in Pcap++Test, in the TestPcapNgFileReadWrite test.
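
What "a comment for each packet" looks like at the file-format level, as an added example that is not part of this thread and is not PcapPlusPlus or LightPcapNg code: a stand-alone writer that emits a Section Header Block, an Interface Description Block and one Enhanced Packet Block carrying an opt_comment option, plus a reader that validates every length field before following it. The names `writeCapture` and `readFirstComment` are hypothetical, and the sketch assumes a single little-endian section.

```cpp
// Added example, not PcapPlusPlus/LightPcapNg code: little-endian pcapng only.
#include <cstdint>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
static void put16(Bytes& b, uint16_t v) { b.push_back(v & 0xff); b.push_back(v >> 8); }
static void put32(Bytes& b, uint32_t v) { put16(b, v & 0xffff); put16(b, v >> 16); }
static void pad4(Bytes& b) { while (b.size() % 4) b.push_back(0); }
static uint32_t get16(const Bytes& b, size_t o) { return b[o] | b[o + 1] << 8; }
static uint32_t get32(const Bytes& b, size_t o) { return get16(b, o) | get16(b, o + 2) << 16; }
// Generic framing: block type, total length, body, total length repeated.
static void block(Bytes& out, uint32_t type, const Bytes& body) {
    put32(out, type); put32(out, 12 + body.size());
    out.insert(out.end(), body.begin(), body.end());
    put32(out, 12 + body.size());
}
// Section Header, Interface Description, one Enhanced Packet Block with opt_comment.
Bytes writeCapture(const Bytes& pkt, const std::string& comment) {
    Bytes out, shb, idb, epb;
    put32(shb, 0x1A2B3C4D); put16(shb, 1); put16(shb, 0);  // byte-order magic, version 1.0
    put32(shb, 0xFFFFFFFF); put32(shb, 0xFFFFFFFF);        // section length -1 (unspecified)
    block(out, 0x0A0D0D0A, shb);
    put16(idb, 1); put16(idb, 0); put32(idb, 65535);       // LINKTYPE_ETHERNET, reserved, snaplen
    block(out, 0x00000001, idb);
    put32(epb, 0); put32(epb, 0); put32(epb, 0);           // interface 0, timestamp high/low
    put32(epb, pkt.size()); put32(epb, pkt.size());        // captured and original length
    epb.insert(epb.end(), pkt.begin(), pkt.end()); pad4(epb);
    put16(epb, 1); put16(epb, comment.size());             // option code 1 = opt_comment
    epb.insert(epb.end(), comment.begin(), comment.end()); pad4(epb);
    put32(epb, 0);                                         // opt_endofopt
    block(out, 0x00000006, epb); return out;
}
// First per-packet comment found; "" if there is none or a length field is invalid.
std::string readFirstComment(const Bytes& f) {
    for (size_t off = 0, total; off + 12 <= f.size(); off += total) {
        total = get32(f, off + 4);  // untrusted: validate before using it as an offset
        if (total < 12 || total % 4 || total > f.size() - off) return "";
        if (get32(f, off + total - 4) != total) return "";  // trailing length must match
        if (get32(f, off) != 6 || total < 32) continue;     // only Enhanced Packet Blocks
        size_t end = off + total - 4, o = off + 28 + ((size_t(get32(f, off + 20)) + 3) & ~size_t(3));
        while (o + 4 <= end) {
            size_t code = get16(f, o), len = get16(f, o + 2);
            if (code == 0 || len > end - o - 4) break;      // end of options or overrun
            if (code == 1) return std::string(f.begin() + o + 4, f.begin() + o + 4 + len);
            o += 4 + ((len + 3) & ~size_t(3));
        }
    }
    return "";
}
```

The reader returns an empty string instead of walking past the buffer when a block length is truncated, misaligned or inconsistent with its trailer, which is the check a capture-file parser needs before trusting files from unknown sources.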

Jozef Zuzelka

Nov 23, 2016, 9:25:20 AM
to PcapPlusPlus support
Thank you very much. 
Compiled successfully on macOS Sierra 10.12.1 (Apple LLVM version 8.0.0 (clang-800.0.38)). If you want, here is the makefile output: http://pastebin.com/aG7VJPD6.

PcapPlusPlus Support

Nov 23, 2016, 6:40:18 PM
to PcapPlusPlus support
Thanks for the info. If you run into trouble using or running the code please let me know.