Ethereal-users: Re: [Ethereal-users] How to read an Ethereal file?
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 4 Jul 2002 14:23:50 -0700
On Tue, Jul 02, 2002 at 12:27:29AM -0500, José Luis de la Cerda Robles wrote:

> Hi there! You'll see, I'm trying to read Ethereal files to analyze them with
> a C/C++ program for a specific purpose (a school project, you know), but I
> found they're all in ASCII,

"Ethereal files", in the sense of a file written by doing a "Save" or "Save As" in Ethereal, are not in ASCII. They're libpcap-format files; that's the same format that tcpdump, for example, uses for capture files.

> and I was told there are some libraries to do it,

Yes, there's a library that can read libpcap-format files. It's called "libpcap". :-)

On UNIX, your machine may already have libpcap installed; try doing "man pcap". If it's not installed, see

http://www.tcpdump.org/

Your system might not have a "developer's" package installed for libpcap, however; some Linux distributions, for example, might have separate "end-user" and "developer" packages for libpcap - the "end-user" package is used to run programs that use libpcap, such as tcpdump and Ethereal; the "developer" package is used to compile programs written using libpcap - and you'd need to have the "developer's" package installed. I don't know what the details of that would be for various Linux distributions - you'd have to ask the supplier of the distribution.

The port of libpcap to Windows is WinPcap:

http://winpcap.polito.it/

In order to compile a program using libpcap/WinPcap, you'd again have to install the developer's pack; see the download page:

http://winpcap.polito.it/install/default.htm

> but I don't know how to use them in a C/C++ program (if they are for
> it).

Yes, libpcap is for use in C and C++. See the "pcap" man page; "man pcap" should do it on a UNIX system that has libpcap (including the developer's package) installed, and, on Windows, see

http://winpcap.polito.it/docs/pcapman.htm

(which, if you ignore the "Win32 specific functions" section, applies to UNIX as well).
You'd open the capture file with "pcap_open_offline()", and then use "pcap_loop()" to read the capture file. You'd have to write a "callback" routine, which "pcap_loop()" will call for each packet. The libpcap 0.7.1 man page gives a bit better description of the arguments to the callback routine than older versions of the libpcap man page; it says:

    callback specifies a routine to be called with three arguments:
    a u_char pointer which is passed in from pcap_dispatch(), a
    const struct pcap_pkthdr pointer to a structure with the
    following members:

        ts      a struct timeval containing the time when the
                packet was captured

        caplen  a bpf_u_int32 giving the number of bytes of the
                packet that are available from the capture

        len     a bpf_u_int32 giving the length of the packet, in
                bytes (which might be more than the number of
                bytes available from the capture, if the length
                of the packet is larger than the maximum number
                of bytes to capture)

    and a const u_char pointer to the packet data.

"The packet data" is raw packet data, starting with a link-layer header. You will have to write your own code to interpret that data; libpcap will *not* do it for you. You will have to write your own code to extract link-layer source and destination addresses, and to extract the packet type and use that to determine whether to analyze the rest of the packet as an IP packet, or an ARP packet, or.... You will also have to write your own code to interpret the IP header, and so on.
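Added example (not part of Guy's message, and not libpcap's own code): to show concretely what pcap_loop() hands the callback, this program parses the libpcap file format directly rather than linking against libpcap, and drives a callback of the same shape as libpcap's pcap_handler that decodes the Ethernet header by hand and, for IPv4, the IP header. The sample capture bytes, and the names pcap_walk, summarize and walk_ctx, are constructed for this example. It goes a little beyond the message in one respect: it shows the check a reader needs to be safe, namely that only caplen bytes of a record may be read (len is the on-the-wire size), and that a record whose caplen exceeds the remaining file must be rejected rather than read past the buffer.

```c
/* Added example (not from the original post or from libpcap): a minimal
 * reader for the libpcap file format that Ethereal "Save" produces, with a
 * pcap_loop-style callback that decodes the Ethernet header and, for IPv4,
 * the IP header. The sample capture bytes below are constructed by hand. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC     0xa1b2c3d4u   /* little-endian file, microsecond timestamps */
#define DLT_EN10MB     1             /* link-layer type: Ethernet */
#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_ARP  0x0806
#define MAX_PKTS       8

struct pkt_summary {
    uint32_t ts_sec, caplen, len;   /* the pcap_pkthdr fields the man page describes */
    int have_eth, have_ip;          /* which headers were actually decodable */
    uint8_t dst_mac[6], src_mac[6];
    uint16_t ethertype;
    uint8_t ip_proto, src_ip[4], dst_ip[4];
};

struct walk_ctx { struct pkt_summary out[MAX_PKTS]; int n; };

/* Same shape as libpcap's pcap_handler: user pointer, header info, packet bytes. */
typedef void (*handler_fn)(void *user, uint32_t ts_sec, uint32_t caplen,
                           uint32_t len, const uint8_t *data);

static uint32_t rd32le(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16be(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Walk an in-memory libpcap file (24-byte global header, then 16-byte record
 * headers each followed by caplen bytes). Returns the record count, or -1 if
 * the file is malformed: a record's caplen must never exceed what is left in
 * the file, or the callback would read past the buffer. */
int pcap_walk(const uint8_t *buf, size_t n, handler_fn cb, void *user)
{
    if (n < 24 || rd32le(buf) != PCAP_MAGIC) return -1;
    if (rd32le(buf + 20) != DLT_EN10MB) return -1;      /* only Ethernet handled here */
    size_t off = 24;
    int count = 0;
    while (off + 16 <= n) {
        uint32_t ts_sec = rd32le(buf + off);
        uint32_t caplen = rd32le(buf + off + 8);
        uint32_t len    = rd32le(buf + off + 12);
        off += 16;
        if (caplen > n - off) return -1;
        cb(user, ts_sec, caplen, len, buf + off);
        off += caplen;
        count++;
    }
    return off == n ? count : -1;                       /* trailing partial header */
}

/* The callback: libpcap hands over raw bytes starting at the link-layer header;
 * every field below is extracted by hand, and only caplen bytes may be touched
 * ('len' is the on-the-wire size, which may be larger). */
static void summarize(void *user, uint32_t ts_sec, uint32_t caplen,
                      uint32_t len, const uint8_t *d)
{
    struct walk_ctx *c = user;
    if (c->n >= MAX_PKTS) return;
    struct pkt_summary *s = &c->out[c->n++];
    memset(s, 0, sizeof *s);
    s->ts_sec = ts_sec; s->caplen = caplen; s->len = len;
    if (caplen < 14) return;                             /* Ethernet header incomplete */
    memcpy(s->dst_mac, d, 6);
    memcpy(s->src_mac, d + 6, 6);
    s->ethertype = rd16be(d + 12);
    s->have_eth = 1;
    if (s->ethertype == ETHERTYPE_IP) {
        /* need the fixed 20-byte IPv4 header, and a sane version/IHL nibble */
        if (caplen < 34 || (d[14] >> 4) != 4 || (d[14] & 0x0f) < 5) return;
        s->ip_proto = d[23];
        memcpy(s->src_ip, d + 26, 4);
        memcpy(s->dst_ip, d + 30, 4);
        s->have_ip = 1;
    }
    /* ARP (0x0806), IPv6 (0x86dd), ... would each need their own decoder here. */
}

/* Constructed sample capture: global header + three records. */
static const uint8_t SAMPLE_PCAP[] = {
    /* global header: magic, v2.4, zone 0, sigfigs 0, snaplen 65535, DLT 1 */
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00,0x04,0x00, 0,0,0,0, 0,0,0,0,
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,
    /* record 1: ts 1000000000, caplen 34, len 34: Ethernet + IPv4/TCP header */
    0x00,0xca,0x9a,0x3b, 0,0,0,0, 0x22,0,0,0, 0x22,0,0,0,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    192,168,1,10, 10,0,0,1,
    /* record 2: caplen 20 of len 42: ARP frame cut short by the snaplen */
    0x01,0xca,0x9a,0x3b, 0,0,0,0, 0x14,0,0,0, 0x2a,0,0,0,
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,
    0x00,0x01,0x08,0x00,0x06,0x04,
    /* record 3: caplen 10 of len 60: not even a full Ethernet header */
    0x02,0xca,0x9a,0x3b, 0,0,0,0, 0x0a,0,0,0, 0x3c,0,0,0,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,
};

int parse_sample(struct walk_ctx *c)
{
    memset(c, 0, sizeof *c);
    return pcap_walk(SAMPLE_PCAP, sizeof SAMPLE_PCAP, summarize, c);
}

int main(void)
{
    struct walk_ctx c;
    int n = parse_sample(&c);
    for (int i = 0; i < n; i++)
        printf("pkt %d: ts=%u caplen=%u len=%u ethertype=0x%04x eth=%d ip=%d proto=%u\n",
               i, c.out[i].ts_sec, c.out[i].caplen, c.out[i].len, c.out[i].ethertype,
               c.out[i].have_eth, c.out[i].have_ip, c.out[i].ip_proto);
    return n < 0;
}
```

With real libpcap the file walking disappears: pcap_open_offline() replaces the header parsing and pcap_loop() replaces the record loop, and summarize() becomes the pcap_handler callback (u_char *user, const struct pcap_pkthdr *h, const u_char *bytes), reading h->ts, h->caplen and h->len instead of the separate arguments. The bounds checks against caplen stay exactly as they are; a capture file is untrusted input, and a header-field read that ignores caplen is an out-of-bounds read waiting for a short snaplen or a crafted file.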