Ask Your Question
0

How Can I Display as Much Pcapng Information As Possible?

asked 2020-03-12 23:32:31 +0000

trist gravatar image

Hello,

I'm looking to build a Pcapng parser. As such I need to programatically determine how large the Section Header Block, and in essence, reverse engineer my parser from raw data. Pcap files were easy, the general header was 24 bytes at the beginning of each file, and the file header was 16 bytes, that's it. It seems that, after reading the 40 page whitepaper on Pcapng, that it's going to be a little tougher.

How do I enable seeing as much information regarding Pcapng data on Wireshark? I'm looking at a Pcapng file right now, but can't tell anything Pcapng related about it.

image description

Would appreciate the help.

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
1

answered 2020-03-13 00:04:50 +0000

cmaynard gravatar image

updated 2020-03-13 00:21:51 +0000

It seems that, after reading the 40 page whitepaper on Pcapng ...

The current PCAP Next Generation (pcapng) Capture File Formatdraft document is 52 pages, so perhaps you're not looking at the most recent version? Other versions do exist, such as those at https://tools.ietf.org/html/draft-tue..., https://pcapng.github.io/pcapng/ or https://www.tcpdump.org/pcap/pcap.html and probably others, but they're all obsolete.

If you're looking for a pcapng parser to help you decipher the file, then look no further than Wireshark itself. If you've loaded a pcapng file into Wireshark, you can use "View -> Reload as File Format/Capture" (Ctrl+Shift+F) to cause Wireshark to load and display the raw file contents itself rather than to load and display the packets from the file. This should cause you to be able to see the various pcapng blocks and be able to drill down into them. For example:

Frame 1: 184 bytes on wire (1472 bits), 184 bytes captured (1472 bits)
MIME file
PCAPNG File Format
    Block: Section Header Block 1
    Block: Interface Description Block 0
    Block: Enhanced Packet Block 1

You can also have a look at the Wireshark source code, such as the epan/dissectors/file-pcapng.c and wiretap/pcapng.c files.

By the way, if you're looking to support all extensions, the Wireshark [PcapNg wiki page] (https://wiki.wireshark.org/Developmen...) has a link to Augmented PCAP Next Generation Dump File Format page that you might also want to take a look at. I don't know how many other extensions may have been implemented but not included in the main pcapng file format specification, but hopefully not many, as this could quickly become problematic with different projects possibly using the same block type for different blocks. That practice should be highly discouraged.

EDIT: Hmm, @guy-harris beat me to the answer ... but how come the askbot didn't warn me that the page was modified? Not sure if I should leave this answer here or delete it. I guess I'll leave it, but only because I included some links to the Wireshark source code, which might also be useful.

edit flag offensive delete link more

Comments

" I guess I'll leave it,"
Bits and bytes are cheap and I learned from both your answers. :-)

Chuckc gravatar imageChuckc ( 2020-03-13 00:55:20 +0000 )edit

Wow, this is EXACTLY what I was looking for. This really solidifies the 40+ page specification I read and I can now work on my parser with confidence. Thank you so much. I was sweating for 4 hours when my Techlead came and told me to write a parser for this. But now I feel in my comfort zone again. Cheers!

trist gravatar imagetrist ( 2020-03-13 01:17:17 +0000 )edit
0

answered 2020-03-12 23:57:55 +0000

Guy Harris gravatar image

If you want to see the pcapng file format data, rather than just the captured packet data, newer versions of Wireshark have a "Reload as File Format/Capture" menu item in the View menu - it causes the file to be dissected as a single entity by Wireshark's pcap file or pcapng file dissectors.

(Yes, this is sort of the beginning of Fileshark....)

I don't know what the "40 page white paper is", but the pcapng specification is probably the first place anybody writing a pcapng reader or writer should go; reverse engineering shouldn't be necessary (although I did reverse-engineer the Sun snoop reader in Wireshark because I didn't know about RFC 1761 at the time).

edit flag offensive delete link more

Comments

Wireshark-dev: [Wireshark-dev] Fileshark (AKA Dissecting Files with Wireshark)
https://www.wireshark.org/lists/wires...

Yes please! I've wanted to open syslog and other log files in the Wireshark GUI for years.

Chuckc gravatar imageChuckc ( 2020-03-13 01:00:07 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-03-12 23:32:31 +0000

Seen: 3,202 times

Last updated: Mar 13 '20