This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Besides changing it to a hex dump and import, is there a faster way to convert C style array (exported from other PCAP) back to a PCAP file?

static unsigned char pkt[56] = {
0x45, 0x00, 0x00, 0x38, 0x00, 0xf2, 0x20, 0x00, /* E..8.. . */
0x40, 0x11, 0x14, 0x33, 0xc0, 0x00, 0x00, 0x02, /* @..3.... */
0x0a, 0x2a, 0x7b, 0x64, 0x7c, 0xab, 0x4e, 0xe5, /* .*{d|.N. */
0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* .$...... */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00        /* ....... */ 
};

asked 16 Jan '15, 12:10

Gallon

edited 16 Jan '15, 13:25

Lekensteyn

Looks like you are handling raw IP packets. Here is an example using the pcap API. Refer to the respective manual pages and the pcap(3pcap) overview for an explanation of the functions. Further error handling and cleanup is left as an exercise to the reader.

#include <stdio.h>
#include <pcap/pcap.h>

static u_char ip_pkt[] = {
    0x45, 0x00, 0x00, 0x38, 0x00, 0xf2, 0x20, 0x00, /* E..8.. . */
    0x40, 0x11, 0x14, 0x33, 0xc0, 0x00, 0x00, 0x02, /* @..3.... */
    0x0a, 0x2a, 0x7b, 0x64, 0x7c, 0xab, 0x4e, 0xe5, /* .*{d|.N. */
    0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* .$...... */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00        /* ....... */ 
};
static size_t ip_pkt_len = sizeof(ip_pkt)/sizeof(*ip_pkt);

int main(void)
{
    pcap_t *pcap;
    /* open pcap context for Raw IP (DLT_RAW), see
     * http://www.tcpdump.org/linktypes.html */
#define DLT_RAW 12
    pcap = pcap_open_dead(DLT_RAW, 65565);

    pcap_dumper_t *d;
    /* open output file (stdout) */
    d = pcap_dump_fopen(pcap, stdout);
    if (d == NULL) {
        pcap_perror(pcap, "pcap_dump_fopen");
        return 1;
    }

    /* prepare for writing */
    struct pcap_pkthdr hdr;
    hdr.ts.tv_sec = 0;  /* sec */
    hdr.ts.tv_usec = 0; /* microseconds */
    hdr.caplen = hdr.len = ip_pkt_len;
    /* write single IP packet */
    pcap_dump((u_char *)d, &hdr, ip_pkt);

    /* finish up */
    pcap_dump_close(d);
    return 0;
}

An alternative (easier) way is to use Scapy (in Python) to craft a capture file. Example with the data provided in the comments:

#!/usr/bin/env python2
# Import dependencies
from scapy.all import Dot11, wrpcap

# raw 802.11 contents
hex_data = 'C0 00 3A 01 00 11 22 33 44 55 FF FF FF FF FF FF 00 11 22 33 44 55 20 EF 06 00 00 00 00 00'

# Initialize a 802.11 structure from raw bytes
# (bytes() keeps this working on both Python 2 and Python 3)
packet = Dot11(bytes(bytearray.fromhex(hex_data)))

# Optional: use Scapy for data interpretation
print(packet.summary())
packet.show()  # show() prints the dissection itself

# Write the contents to file
wrpcap('your.pcap', packet)

answered 16 Jan '15, 14:05

Lekensteyn

edited 25 Feb '15, 15:23

Thanks a lot! Will try that. Yes, it is a RAW IP packet.

(16 Jan '15, 14:32) Gallon

There shouldn't be a need to do #define DLT_RAW 12; pcap_open_dead() takes the platform's value for DLT_RAW as an argument, and including <pcap.h> should cause that to be defined.

Also, older versions of libpcap generally had just <pcap.h>, so, for maximum portability, the program should include <pcap.h> rather than <pcap/pcap.h>.

(16 Jan '15, 19:18) Guy Harris ♦♦

In Visual Studio I was using this code. I was getting an error of unresolved symbols at pacp_dump_fopen

(15 Feb '15, 21:09) sathish308

I was getting an error of unresolved symbols at pacp_dump_fopen

(Presumably that's a typo for "pcap_dump_fopen()")

You have to link with libpcap (on UN*X) or WinPcap (on Windows).

(16 Feb '15, 01:05) Guy Harris ♦♦

It was working if I use pcap_dump_open().

Here we are using raw packet data. If I want to dump 802.11 packets such as data, management, control packets, what should I do?

I mean if I want to save a packet of hexa values like this-->C0 00 3A 01 00 11 22 33 44 55 FF FF FF FF FF FF 00 11 22 33 44 55 20 EF 06 00 00 00 00 00

(24 Feb '15, 21:40) sathish308

@sathish308 you need to use the DLT_IEEE802_11 link layer type, see http://www.tcpdump.org/linktypes.html. Alternatively, you can use Python and the Scapy library (see edit).

(25 Feb '15, 15:25) Lekensteyn
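
The conversion discussed in this thread, as an added example that is not part of the original posts: it parses the C array text from the question directly and writes the classic pcap file format with `struct`, without libpcap or Scapy. The names `parse_c_array` and `pcap_bytes` and the output file names are assumptions; note that a hand-written file carries the LINKTYPE_ value (101 for raw IP), which is what libpcap writes for DLT_RAW, and that the array is padded to its declared size of 56 as a C compiler would do.

```python
import re
import struct

LINKTYPE_RAW = 101         # file value libpcap writes for DLT_RAW (raw IPv4/IPv6)
LINKTYPE_IEEE802_11 = 105  # 802.11 frames without a radiotap header

# The array from the question, as exported (55 initializers, declared size 56).
C_ARRAY = r"""
static unsigned char pkt[56] = {
0x45, 0x00, 0x00, 0x38, 0x00, 0xf2, 0x20, 0x00, /* E..8.. . */
0x40, 0x11, 0x14, 0x33, 0xc0, 0x00, 0x00, 0x02, /* @..3.... */
0x0a, 0x2a, 0x7b, 0x64, 0x7c, 0xab, 0x4e, 0xe5, /* .*{d|.N. */
0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* .$...... */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00        /* ....... */
};
"""

def parse_c_array(text):
    """Return the bytes of one C array initializer."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # ASCII comments may hold '{'
    m = re.search(r"\[(\d*)\]\s*=\s*\{(.*?)\}", text, flags=re.S)
    if not m:
        raise ValueError("no array initializer found")
    data = bytearray(int(t, 16) for t in re.findall(r"0[xX][0-9a-fA-F]{1,2}\b", m.group(2)))
    declared = int(m.group(1)) if m.group(1) else len(data)
    if declared < len(data):
        raise ValueError("more initializers than the declared size")
    return bytes(data) + b"\x00" * (declared - len(data))  # C zero-fills the rest

def pcap_bytes(packets, linktype, snaplen=65535):
    """Build a classic pcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for pkt in packets:
        if len(pkt) > snaplen:
            raise ValueError("packet longer than snaplen")
        # ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    ip_pkt = parse_c_array(C_ARRAY)
    with open("raw_ip.pcap", "wb") as f:
        f.write(pcap_bytes([ip_pkt], LINKTYPE_RAW))
    dot11 = bytes.fromhex("C0 00 3A 01 00 11 22 33 44 55 FF FF FF FF FF FF "
                          "00 11 22 33 44 55 20 EF 06 00 00 00 00 00")
    with open("dot11.pcap", "wb") as f:
        f.write(pcap_bytes([dot11], LINKTYPE_IEEE802_11))
```

With the padding applied, the packet length matches the IPv4 total-length field (0x0038), so the dissector does not report a truncated packet.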