This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there a fast way to change C array into PCAP ?


Besides changing it to a hex dump and import, is there a faster way to convert C style array (exported from other PCAP) back to a PCAP file?

static unsigned char pkt[56] = {
0x45, 0x00, 0x00, 0x38, 0x00, 0xf2, 0x20, 0x00, /* E..8.. . */
0x40, 0x11, 0x14, 0x33, 0xc0, 0x00, 0x00, 0x02, /* @..3.... */
0x0a, 0x2a, 0x7b, 0x64, 0x7c, 0xab, 0x4e, 0xe5, /* .*{d|.N. */
0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* .$...... */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00        /* ....... */ 
};

asked 16 Jan '15, 12:10 by Gallon

edited 16 Jan '15, 13:25 by Lekensteyn


One Answer:


Looks like you are handling raw IP packets. Here is an example using the pcap API. Refer to the respective manual pages and the pcap(3pcap) overview for an explanation of the functions. Further error handling and cleanup is left as an exercise to the reader.

#include <stdio.h>
#include <pcap/pcap.h>

static u_char ip_pkt[] = {
    0x45, 0x00, 0x00, 0x38, 0x00, 0xf2, 0x20, 0x00, /* E..8.. . */
    0x40, 0x11, 0x14, 0x33, 0xc0, 0x00, 0x00, 0x02, /* @..3.... */
    0x0a, 0x2a, 0x7b, 0x64, 0x7c, 0xab, 0x4e, 0xe5, /* .*{d|.N. */
    0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* .$...... */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00        /* ....... */
};
static size_t ip_pkt_len = sizeof(ip_pkt)/sizeof(*ip_pkt);

int main(void) {
    pcap_t *pcap;
    /* open a pcap context for Raw IP (DLT_RAW), see
     * http://www.tcpdump.org/linktypes.html */
#define DLT_RAW 12
    pcap = pcap_open_dead(DLT_RAW, 65565);

    pcap_dumper_t *d;
    /* open the output file (stdout) */
    d = pcap_dump_fopen(pcap, stdout);
    if (d == NULL) {
        pcap_perror(pcap, "pcap_dump_fopen");
        return 1;
    }

    /* prepare the per-packet record header */
    struct pcap_pkthdr hdr;
    hdr.ts.tv_sec = 0;  /* seconds */
    hdr.ts.tv_usec = 0; /* microseconds */
    hdr.caplen = hdr.len = ip_pkt_len;
    /* write the single IP packet */
    pcap_dump((u_char *)d, &hdr, ip_pkt);

    /* finish up */
    pcap_dump_close(d);
    return 0;
}

An alternative (easier) way is to use Scapy (in Python) to craft a capture file. Example with the data provided in the comments:

#!/usr/bin/env python2

# Import dependencies
from scapy.all import Dot11, wrpcap

# raw 802.11 contents
hexstr = 'C0 00 3A 01 00 11 22 33 44 55 FF FF FF FF FF FF 00 11 22 33 44 55 20 EF 06 00 00 00 00 00'

# Initialize a 802.11 structure from raw bytes
# (bytes() gives str on Python 2 and bytes on Python 3, which Dot11 accepts)
packet = Dot11(bytes(bytearray.fromhex(hexstr)))

# Optional: use Scapy for data interpretation
print(packet.summary())
packet.show()

# Write the contents to file
wrpcap('your.pcap', packet)

answered 16 Jan '15, 14:05 by Lekensteyn

edited 25 Feb '15, 15:23

Thanks a lot! Will try that. Yes, it is a RAW IP packet.

(16 Jan ‘15, 14:32) Gallon

There shouldn’t be a need to do #define DLT_RAW 12; pcap_open_dead() takes the platform’s value for DLT_RAW as an argument, and including <pcap.h> should cause that to be defined.

Also, older versions of libpcap generally had just <pcap.h>, so, for maximum portability, the program should include <pcap.h> rather than <pcap/pcap.h>.

(16 Jan ‘15, 19:18) Guy Harris ♦♦

In Visual Studio I was using this code. I was getting an error of unresolved symbols at pacp_dump_fopen.

(15 Feb ‘15, 21:09) sathish308

I was getting an error of unresolved symbols at pacp_dump_fopen

(Presumably that's a typo for "pcap_dump_fopen()")

You have to link with libpcap (on UN*X) or WinPcap (on Windows).

(16 Feb ‘15, 01:05) Guy Harris ♦♦

It was working if I use pcap_dump_open().

Here we are using raw packet data. If I want to dump 802.11 packets such as data, management, control packets, what should I do?

I mean, if I want to save a packet of hex values like this -> C0 00 3A 01 00 11 22 33 44 55 FF FF FF FF FF FF 00 11 22 33 44 55 20 EF 06 00 00 00 00 00

(24 Feb ‘15, 21:40) sathish308

@sathish308 you need to use the DLT_IEEE802_11 link layer type, see http://www.tcpdump.org/linktypes.html. Alternatively, you can use Python and the Scapy library (see edit).

(25 Feb ‘15, 15:25) Lekensteyn
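A self-contained conversion script, added here as an illustration and not part of the original answer or of libpcap/Scapy: it parses a Wireshark-style C array (the one from the question) into bytes, pads to the declared array size the way a C compiler would, writes a classic pcap file with the chosen link type (the DLT values are those from tcpdump's linktypes page referenced above), and sanity-checks that data written as DLT_RAW really is an IPv4 packet. The output file name out.pcap is an assumption.

```python
#!/usr/bin/env python3
"""Turn a Wireshark-exported C byte array into a classic pcap file without libpcap or Scapy."""
import re
import struct

DLT_RAW = 12          # raw IP packets, as in the question
DLT_IEEE802_11 = 105  # 802.11 frames, as asked in the comments

# Constructed sample input: the array from the question (declared [56], 55 initializers).
C_ARRAY = """static unsigned char pkt[56] = {
0x45, 0x00, 0x00, 0x38, 0x00, 0xf2, 0x20, 0x00, /* E..8.. . */
0x40, 0x11, 0x14, 0x33, 0xc0, 0x00, 0x00, 0x02, /* @..3.... */
0x0a, 0x2a, 0x7b, 0x64, 0x7c, 0xab, 0x4e, 0xe5, /* .*{d|.N. */
0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* .$...... */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* ........ */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00        /* ....... */
};"""

def parse_c_array(text):
    """Return the initializer bytes; like a C compiler, pad to a declared size with zeros."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)        # strip /* ... */ comments first
    decl, body = text.split("{", 1)
    body = body[:body.rindex("}")]
    data = bytes(int(t, 16) for t in re.findall(r"0x([0-9a-fA-F]{1,2})\b", body))
    size = re.search(r"\[(\d+)\]", decl)
    if size and int(size.group(1)) < len(data):
        raise ValueError("more initializers than declared elements")
    return data.ljust(int(size.group(1)), b"\0") if size else data

def build_pcap(packets, linktype, snaplen=65535):
    """Classic pcap: 24-byte global header, then a 16-byte record header per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, pkt in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out

def looks_like_raw_ipv4(pkt):
    """DLT_RAW sanity check: IPv4 version nibble and a total-length field equal to the capture."""
    return len(pkt) >= 20 and pkt[0] >> 4 == 4 and struct.unpack("!H", pkt[2:4])[0] == len(pkt)

if __name__ == "__main__":
    pkt = parse_c_array(C_ARRAY)
    if not looks_like_raw_ipv4(pkt):
        raise SystemExit("not a raw IPv4 packet: pick another link type (e.g. DLT_IEEE802_11)")
    with open("out.pcap", "wb") as f:   # assumed output name
        f.write(build_pcap([(0, 0, pkt)], DLT_RAW))
```

The question's array declares 56 elements but lists 55 initializers, so the parser pads to 56 bytes, matching the IP total-length field (0x0038); an unsized copy of the same initializer yields 55 bytes, one short of what the header claims.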