This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Save Ethernet packets in .pcap format

0

Hello, I am building an application to accept output messages (Ethernet packets) from an ECU (Electronic Control Unit) and display them on a GUI. The GUI is built using Qt Designer and Python, and the packets from the ECU will be displayed in a Tree Widget. I am using a socket program to bind with the ECU. I want to save this output in .pcap format. Is it possible to save directly in .pcap format? Is there any library to save the data directly? Is there already code implemented for this? If yes, then how should I proceed further?

asked 10 May '15, 15:19

Praju
accept rate: 0%


3 Answers:

1

> It should be no problem finding a library for your favorite language

If your favorite language is a straightforward C derivative (C itself, C++, Objective-C), the library is called libpcap on UN*X and WinPcap on Windows; just use that. The API for writing capture files is a bit clumsy: if you're not writing packets from a libpcap/WinPcap live capture or file you're reading with libpcap/WinPcap, you'd want to use pcap_open_dead() to specify a packet format of DLT_EN10MB (meaning "packets that begin with an Ethernet header"), and then use pcap_dump_open() to open the output file, pcap_dump() to write packets, and pcap_dump_close() to finish writing out the packets and close the file.

NOTE: if the output messages you receive do not have Ethernet headers, you can't use DLT_EN10MB. If they have only IP headers, use DLT_RAW. If they don't even have IP headers, you will need to, at minimum, put IP headers at the beginning, followed by headers for the transport protocols, e.g. TCP or UDP. I.e., do not assume that messages received at the application level can easily be put into pcap files without some additional work!

If your favorite language isn't a straightforward C derivative (C#, the "C" at the beginning of the name notwithstanding, is not a straightforward C derivative in the sense that I'm using it), see, for example, the "Wrapper libraries" section of the Wikipedia page for pcap for information about wrapper libraries for your language. With those languages, much of what I said above still applies, but the way you call those functions may be different than the way you do so from code written in straightforward C derivatives.

In the case of Python, the Wikipedia page section lists python-libpcap and pcapy. Neither of them appears to have good online documentation, so I don't know whether either of them does a good job of supporting writing pcap files.

answered 11 May '15, 14:06

Guy Harris ♦♦
accept rate: 19%

edited 11 May '15, 14:11

1

The PCAP file format is a rather simple file format. It should be no problem finding a library for your favorite language, and/or file output routines can easily be written by hand as well.

answered 11 May '15, 04:16

Jaap ♦
accept rate: 14%

@jaap Thanks. I will look into it

(11 May '15, 07:08) Praju

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(11 May '15, 08:40) Jaap ♦

> file output routines can easily be written by hand as well.

And incorrect file output routines can also be easily written by hand, so I'd suggest looking at using libpcap/WinPcap, or wrappers for them, unless there's a reason why you can't do that.

(11 May '15, 14:08) Guy Harris ♦♦
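
A hand-written writer of the kind discussed in this answer and its comments, as an added example (not code from any poster or from libpcap): it emits the classic pcap global header and per-packet record headers with Python's struct module, then reads the stream back to check it. The function names, sample frame and timestamps are constructed for illustration; link type 1 assumes every packet begins with an Ethernet header, and 101 is the file link type for packets that begin with an IP header.

```python
import io
import struct

LINKTYPE_ETHERNET = 1    # every record starts with a 14-byte Ethernet header
LINKTYPE_RAW = 101       # every record starts with an IPv4/IPv6 header
MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
SNAPLEN = 65535
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver 2.4, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, captured len, original len

def write_pcap(out, packets, linktype=LINKTYPE_ETHERNET):
    """Write (sec, usec, data) tuples to a binary stream; return the record count."""
    out.write(GLOBAL_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, SNAPLEN, linktype))
    count = 0
    for sec, usec, data in packets:
        if not 0 <= usec < 1_000_000:
            raise ValueError("ts_usec must be below one million")
        if linktype == LINKTYPE_ETHERNET and len(data) < 14:
            raise ValueError("data is shorter than an Ethernet header")
        captured = data[:SNAPLEN]  # never store more than the declared snaplen
        out.write(RECORD_HDR.pack(sec, usec, len(captured), len(data)))
        out.write(captured)
        count += 1
    return count

def read_pcap(src):
    """Parse what write_pcap produced; return (linktype, [(sec, usec, data), ...])."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack(src.read(GLOBAL_HDR.size))
    if magic != MAGIC_USEC:
        raise ValueError("not a little-endian microsecond pcap file")
    records = []
    while len(hdr := src.read(RECORD_HDR.size)) == RECORD_HDR.size:
        sec, usec, caplen, _ = RECORD_HDR.unpack(hdr)
        data = src.read(caplen)
        if len(data) != caplen:
            raise ValueError("truncated packet record")
        records.append((sec, usec, data))
    return linktype, records

# Constructed sample frame: broadcast destination, locally administered source,
# local-experimental EtherType 0x88B5, zero payload up to the 60-byte minimum.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "88b5") + b"\x00" * 46

if __name__ == "__main__":
    buf = io.BytesIO()
    write_pcap(buf, [(1431271140, 0, SAMPLE_FRAME)])
    print(len(buf.getvalue()), read_pcap(io.BytesIO(buf.getvalue()))[0])
```

To produce a file instead of an in-memory buffer, pass a file object opened with mode "wb"; opening it in text mode corrupts the binary headers.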

0

If you're using C/C++ and don't want to mess with libpcap/WinPcap API directly you can use a wrapper library that wraps that functionality and provides a more convenient multi-platform object-oriented C++ API. I wrote such a library: PcapPlusPlus

answered 07 Jun '15, 21:54

seladb
accept rate: 0%