Ethereal-dev: Re: [Ethereal-dev] Extracting IP packets from a PCAP file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 6 Jun 2006 18:00:46 -0700

On Jun 6, 2006, at 4:25 PM, Raghavendra .K.M wrote:

> I need to implement a parser which parses a pcap file, extracts IP packets out of it and dumps them into a txt file on the Windows platform

IP packets are binary, so you can't just dump them into a text file. Do you mean you want to dump the raw data in hex/text format, similar to the bottommost pane of the Ethereal window? Or do you want to dump out an analysis of the data in the packet, similar to the middle packet of the Ethereal window?

> Is there any source code available

Yes - they're called "tcpdump" (or "WinDump") and "Ethereal". :-)

> or should I have to understand the PCAP file format and write the parser from scratch?

Tcpdump/WinDump don't understand the pcap file format; they use libpcap/WinPcap to read it.

The only part of Ethereal that understands the pcap file format is the low-level file reading code, which exists because it has to support random access to the file, handle compressed files, and handle a lot of other file formats, none of which libpcap does.

However, the hard part isn't understanding the file format, the hard part is understanding the *packet* format. tcpdump is a relatively simple program to parse packets, and the current top of tree version is 72453 lines of C code. Ethereal has even more lines than that.
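As an added illustration of the "file format versus packet format" point in the reply above (not code from the thread, Ethereal, tcpdump or libpcap), the sketch below reads the classic pcap container by hand, bounds-checks every length field, and emits each IPv4 packet as hex text. It assumes a classic microsecond pcap file with an Ethernet link type; the function names and the sample capture are constructed for the example.

```python
import struct

def ip_packets(data):
    """Yield raw IPv4 packets from the bytes of a classic pcap file (Ethernet link type only)."""
    if len(data) < 24:
        raise ValueError("truncated pcap file header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"                      # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:                     # 1 = LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        # Per-record header: ts_sec, ts_usec, captured length, original length
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > len(data) - off:    # length field lies or file is cut short
            break
        frame, off = data[off:off + incl_len], off + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # need Ethernet + IPv4 header
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack("!H", ip[2:4])[0]
        if ip[0] >> 4 != 4 or ihl < 20 or total < ihl:
            continue                      # malformed IPv4 header
        yield ip[:total]                  # drops Ethernet padding

def hex_lines(pkt):
    """Format a packet as offset-prefixed hex text, 16 bytes per line."""
    return ["%04x  %s" % (i, pkt[i:i + 16].hex(" ")) for i in range(0, len(pkt), 16)]

def sample_capture():
    """Constructed capture: one padded IPv4 frame, one ARP frame, one cut-off record."""
    ip = bytes.fromhex("450000140000000040110000c0000201c0000202")
    eth = bytes(12)
    frames = [eth + b"\x08\x00" + ip + bytes(26), eth + b"\x08\x06" + bytes(46)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out + struct.pack("<IIII", 0, 0, 100, 100) + b"\x00" * 10

if __name__ == "__main__":
    for n, pkt in enumerate(ip_packets(sample_capture()), 1):
        print("IP packet %d, %d bytes" % (n, len(pkt)))
        print("\n".join(hex_lines(pkt)))
```

The container handling fits in a few dozen lines; everything above the IP header (TCP, UDP, application protocols) is where the size of tcpdump and Ethereal comes from.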