I have a cap file with a lot of packets. I want to "replay" it for my server's basic performance test. So I need to get the content of application layer, above TCP layer, of each request packet and resend these contents one by one. I use command
to print the protocol tree in each packet, and I can see the application layer from this, which is my target to peel. I've tried to follow the "-V -r" code logic in tshark.c to reproduce one in my code. However, it's too hard for me. Then I tried to build tshark into libtshark.so by adding "-fPIC -shared" to the tshark linking line. After this, I linked libtshark.so to my program and got an "unrecognized file" error with libtshark.so. Do you know how to achieve my target with libwireshark.so? Please help me out of this, which has had me stuck for 1 week with no progress. I appreciate all your help in advance. Thank you. There is a share from Ramesh Natarajan (http://www.thegeekstuff.com/2014/12/libwireshark-library-c-example/) who gets exactly what I want, but I cannot make it happen because the share is not a complete description. Anyone can help on this? Thank you. Yours, David asked 11 Jun '15, 01:33 David Zhou edited 11 Jun '15, 05:45
One Answer:
Please take a look at pcap replay tools like the following ones
There are many other tools available. Please google them yourself. See also here:
Scapy might be interesting as well. Regards answered 11 Jun '15, 03:08 Kurt Knochner ♦ edited 11 Jun '15, 03:09
I appreciate your help and thank you for the information. However, the problem is still there. You see: "https://ask.wireshark.org/questions/4072/how-can-i-play-back-captured-data" I've installed tcpreplay and tried it with my .cap (tcpprep -a bridge -o login.cap) and I get a "Segmentation fault (core dumped)". "http://stackoverflow.com/questions/360889/is-there-a-windows-tool-for-capture-and-playback-of-modified-udp-packets " bittwist can only replay and just change IP and port. I want more than that. "http://www.lovemytool.com/blog/2009/12/playcap_playback_for_wireshark_capture_files_by_joke_snelders.html" this is an MFC tool. And I'm looking for a method to peel the application layer from .cap packets and do some stuff, then send it back. And this method shall be called in my Linux C/C++ program.
There is no definition of "application layer" in pcap files, just the link layer type and then the binary data. To get the TCP data you'll need to parse and handle the link-layer, IP and TCP headers to locate the data.
libwireshark does indeed do this, in conjunction with wiretap, but it isn't built as a general purpose shared library, i.e. it needs a lot of setup of state etc. which is what tshark, Wireshark etc. provide.
yes, with the tshark command I can print the packets' trees from the link layer to the TCP layer and above, with all of the packets' content well formatted. And this means that tshark can split the different layers' content, which is what I want. Can anybody tell me how I can do this like tshark does?
well, then take the source code of those tools and modify it as you need it. That would be WAY easier than using libwireshark from scratch and also writing the whole replay part (which is not easy) yourself!
Do you know that Wireshark/libwireshark does not contain any code to send packets?
yes. And this is part of my sentence. I want only the "peel" method. The other things, including sending, shall be done in my further code.
do you know any of these tools have the function to split different layers of a packet? If so, I could modify it.
Well, all of them have parts of that implemented.
I guess it would be easier if you could tell us more about your application and what exactly you want to replay. If it's TCP, and you want to do performance tests (as you said), you can't just replay the recorded payload, as you will have to handle the full TCP protocol (handshake, SEQ/ACK, etc.). Maybe there is a much simpler way to do performance tests, but then we would need many more details.
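An added example, not code from this thread and not Wireshark or libwireshark code, showing the parsing the comments above describe: walk a classic pcap file record by record, peel the Ethernet, IPv4 and TCP headers off each frame, and hand back only the segments that carry application data, together with the addresses and sequence number needed to order them per flow. The pcap bytes are constructed inline (a SYN, an HTTP request and its reply) purely as sample input; all function and type names are hypothetical. It assumes LINKTYPE_ETHERNET and IPv4, and skips IP fragments, IPv6 and pcapng rather than handling them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t src_ip, dst_ip, seq;       /* host byte order; seq orders segments within a flow */
    uint16_t src_port, dst_port;
    const uint8_t *payload;             /* points into the pcap buffer, not a copy */
    size_t payload_len;
} tcp_segment;
typedef void (*segment_cb)(const tcp_segment *seg, void *ctx);

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint32_t le32(const uint8_t *p) {
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Ethernet -> [802.1Q] -> IPv4 -> TCP. Returns 1 only for a segment that carries data. */
static int peel_frame(const uint8_t *f, size_t len, tcp_segment *out) {
    if (len < 14) return 0;
    size_t off = 14;
    uint16_t ethertype = be16(f + 12);
    if (ethertype == 0x8100) {                          /* VLAN tag adds 4 bytes */
        if (len < 18) return 0;
        ethertype = be16(f + 16); off = 18;
    }
    if (ethertype != 0x0800 || len < off + 20) return 0;    /* IPv4 only */
    const uint8_t *ip = f + off;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, total = be16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || total < ihl || total > len - off) return 0;
    if (be16(ip + 6) & 0x3fff) return 0;                /* fragment: no reassembly here */
    if (ip[9] != 6) return 0;                           /* not TCP */
    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = total - ihl, doff = tcp_len >= 20 ? (size_t)(tcp[12] >> 4) * 4 : 0;
    if (doff < 20 || doff > tcp_len) return 0;          /* bad data offset or truncated header */
    out->src_ip = be32(ip + 12); out->dst_ip = be32(ip + 16); out->seq = be32(tcp + 4);
    out->src_port = be16(tcp);   out->dst_port = be16(tcp + 2);
    out->payload = tcp + doff;   out->payload_len = tcp_len - doff;
    return out->payload_len > 0;
}

/* Walk every record of a classic pcap image (not pcapng). Returns the number of
 * data-carrying TCP segments, or -1 if it is not an Ethernet pcap or is truncated. */
int pcap_foreach_tcp_payload(const uint8_t *buf, size_t len, segment_cb cb, void *ctx) {
    if (len < 24) return -1;
    /* the global and record headers are in the writer's byte order; the magic tells which */
    uint32_t (*rd)(const uint8_t *) = le32(buf) == 0xa1b2c3d4 ? le32 : be32;
    if (rd(buf) != 0xa1b2c3d4 || rd(buf + 20) != 1) return -1;   /* magic, LINKTYPE_ETHERNET */
    size_t pos = 24; int n = 0;
    while (pos + 16 <= len) {
        uint32_t incl = rd(buf + pos + 8);              /* bytes actually captured (snaplen) */
        pos += 16;
        if (incl > len - pos) return -1;                /* record runs past end of file */
        tcp_segment seg;
        if (peel_frame(buf + pos, incl, &seg)) { n++; if (cb) cb(&seg, ctx); }
        pos += incl;
    }
    return n;
}

/* Collector callback used by the demo below. */
typedef struct { tcp_segment seg[16]; int count; } segment_list;
static void collect_cb(const tcp_segment *s, void *ctx) {
    segment_list *l = ctx;
    if (l->count < 16) l->seg[l->count++] = *s;
}

/* Constructed sample capture (little-endian pcap): SYN, HTTP request, HTTP reply. */
static void wr32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr32be(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }
static size_t put_frame(uint8_t *p, uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp,
                        uint8_t flags, const char *data) {
    size_t dlen = strlen(data), incl = 14 + 20 + 20 + dlen;
    memset(p, 0, 16 + incl);
    wr32le(p + 8, (uint32_t)incl); wr32le(p + 12, (uint32_t)incl);   /* incl_len, orig_len */
    p += 16; p[12] = 0x08; p += 14;                                   /* EtherType 0x0800 */
    p[0] = 0x45; p[2] = (uint8_t)((40 + dlen) >> 8); p[3] = (uint8_t)(40 + dlen); p[8] = 64; p[9] = 6;
    wr32be(p + 12, sip); wr32be(p + 16, dip); p += 20;
    p[0] = (uint8_t)(sp >> 8); p[1] = (uint8_t)sp; p[2] = (uint8_t)(dp >> 8); p[3] = (uint8_t)dp;
    wr32be(p + 4, 1); p[12] = 0x50; p[13] = flags; p[15] = 0xff;       /* seq 1, doff 5, window */
    memcpy(p + 20, data, dlen);
    return 16 + incl;
}
size_t build_sample_pcap(uint8_t *out) {                 /* caller provides >= 512 bytes */
    static const uint8_t ghdr[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0,
                                     0xff,0xff,0,0, 1,0,0,0};        /* magic, v2.4, snaplen, link 1 */
    memcpy(out, ghdr, 24);
    size_t n = 24;
    n += put_frame(out + n, 0x0a000001, 0x0a000002, 40000, 80, 0x02, "");                 /* SYN */
    n += put_frame(out + n, 0x0a000001, 0x0a000002, 40000, 80, 0x18, "GET / HTTP/1.0\r\n\r\n");
    n += put_frame(out + n, 0x0a000002, 0x0a000001, 80, 40000, 0x18, "HTTP/1.0 200 OK\r\n\r\n");
    return n;
}

int main(void) {
    uint8_t buf[512];
    segment_list l = { .count = 0 };
    int n = pcap_foreach_tcp_payload(buf, build_sample_pcap(buf), collect_cb, &l);
    for (int i = 0; i < l.count; i++)
        printf("%u -> %u: %zu bytes: %.*s\n", (unsigned)l.seg[i].src_port, (unsigned)l.seg[i].dst_port,
               l.seg[i].payload_len, (int)l.seg[i].payload_len, l.seg[i].payload);
    return n == 2 ? 0 : 1;
}
```

Reading a real file is just fread() of the whole .cap into the buffer. For the replay itself, keep only the segments whose dst_port is the server's port (the reply above must not be resent), concatenate them per flow in seq order, and write that byte stream to an ordinary connected socket: the kernel then performs the handshake and the SEQ/ACK bookkeeping that the last comment points out you cannot skip. The SYN in the sample yields no segment because it carries no data.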