Ethereal-dev: Re: [Ethereal-dev] Extracting IP packets from a PCAP file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 7 Jun 2006 19:37:52 -0700

On Jun 7, 2006, at 4:31 PM, Raghavendra .K.M wrote:

I got an executable built using WinPcap which just parses all the captured packets in a pcap file and displays them as a hex dump along with time stamps.

Starting from here I want to strip out all the link-layer headers and get just the IP packets, and use them.

How do I do this?

1) Modify your executable to compile a filter string of "ip" (with pcap_compile()) and set that filter string on the open file (with pcap_setfilter()).

2) Find the link-layer header type of the packets in the file (with pcap_datalink()) and use that (and, for some protocols, the contents of the link-layer header) to determine the size of the link-layer header, and then skip past that to get to the beginning of the IP header.

Will WinDump solve this problem?

It might be worth looking at to see how to do 1) and 2), although you wouldn't be able to just cut and paste the code.

(BTW, this is probably more appropriate for tcpdump-workers@xxxxxxxxxxx or winpcap-users@xxxxxxxxxxx.)
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
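The header-skipping in step 2 of the reply, as an added example that is not part of the original message or of any project's code: given the value returned by pcap_datalink() and a packet's captured length, it returns where the IPv4 header starts, checking bounds so a truncated capture is rejected rather than read past. The function name `ip_offset` is hypothetical, only four link types are handled, and the DLT_ values are defined locally so the block builds without `<pcap.h>`.

```c
#include <stddef.h>
#include <stdint.h>

/* Link-layer type values as returned by pcap_datalink(), defined here so the
 * block builds on its own; remove these lines when including <pcap.h>. */
#define DLT_NULL      0    /* BSD loopback: 4-byte address family */
#define DLT_EN10MB    1    /* Ethernet */
#define DLT_RAW       12   /* raw IP, no link-layer header (14 on OpenBSD) */
#define DLT_LINUX_SLL 113  /* Linux "cooked" capture: 16-byte header */

/* Return the offset of the IPv4 header within pkt, or -1 if the link type is
 * not handled, the frame is not IPv4, or too few bytes were captured.
 * caplen is the captured length (pcap_pkthdr.caplen), not the wire length. */
long ip_offset(int dlt, const uint8_t *pkt, size_t caplen)
{
    size_t off;
    uint16_t ethertype;

    switch (dlt) {
    case DLT_RAW:  off = 0; break;
    case DLT_NULL: off = 4; break;
    case DLT_LINUX_SLL:
        if (caplen < 16) return -1;
        ethertype = (uint16_t)(pkt[14] << 8 | pkt[15]);
        if (ethertype != 0x0800) return -1;
        off = 16;
        break;
    case DLT_EN10MB:
        off = 12;  /* skip destination and source MAC addresses */
        for (;;) { /* header length depends on its contents: VLAN tags */
            if (caplen < off + 2) return -1;
            ethertype = (uint16_t)(pkt[off] << 8 | pkt[off + 1]);
            off += 2;
            if (ethertype != 0x8100 && ethertype != 0x88a8) break;
            off += 2;  /* skip the 2-byte tag control field */
        }
        if (ethertype != 0x0800) return -1;
        break;
    default:
        return -1;
    }
    /* Require a complete minimal IPv4 header whose version field is 4. */
    if (caplen < off + 20 || (pkt[off] >> 4) != 4) return -1;
    return (long)off;
}
```

In a pcap_loop() or pcap_next() handler, pass the packet pointer and `caplen` from the packet header, with the "ip" filter from step 1 already set on the handle.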