tcpdump mailing list archives

Writing pcap files with fake headers?


From: Roy Smith <roy () panix com>
Date: Tue, 6 Apr 2010 21:56:37 -0400

I've got an application which listens for UDP (SNMP) data. We want to add a logging feature where every UDP packet that's received is stored for future analysis. The obvious file format is pcap. It's simple and lets us take advantage of lots of existing pcap-aware tools. The problem is we don't have all the data to write out the normal packet contents that would be in a pcap file.

The UDP header is trivial to reconstruct (we'd probably set the UDP checksum to 0xFFFF for simplicity). We don't have enough information to properly reconstruct the IPv4 (or IPv6) header, but we could invent a plausible one (pretend nothing was ever fragmented, etc.).

The Ethernet header is another story. About the best we can do is generate a well-formed (if meaningless) DIX frame header with the destination and source MAC addresses all zeros, the EtherType 0x0800 or 0x0806, and either leave the CRC all zeros or go to the trouble to compute a real checksum. Of course, there's nothing that says the packet came in over Ethernet at all, but it's a convenient fiction.

Does this seem like a plausible strategy? Or am I heading off into the weeds?

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
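The approach the post describes, written out as an added example (this is not the poster's code, nor anything from the tcpdump project). It assumes the logger knows the IPv4 4-tuple of each datagram (source address and port from recvfrom(), destination from the listening socket), writes a classic pcap file with LINKTYPE_ETHERNET (1), and fabricates a DIX header with all-zero MACs and a plausible IPv4 header (IHL 5, not fragmented, TTL 64) in front of a real UDP header. Two caveats a practitioner would want: pcap files normally carry no Ethernet FCS, so none is appended; and per RFC 768 a UDP checksum of 0 means "no checksum" while a computed checksum of zero is sent as 0xFFFF, so the example computes the real checksum (over the IPv4 pseudo-header) rather than fixing it at 0xFFFF, which Wireshark and friends would flag as bad. If the Ethernet fiction is unwanted, LINKTYPE_IPV4 (228) or LINKTYPE_RAW (101) let the records start at the IP header instead. The SNMP payload below is a constructed SNMPv2c GetRequest for sysDescr.0, community "public".

```python
import os
import socket
import struct
import tempfile

LINKTYPE_ETHERNET = 1      # pcap link type for DIX / Ethernet II frames
LINKTYPE_IPV4 = 228        # alternative: records start at the IPv4 header
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
ZERO_MAC = b"\x00" * 6     # fabricated, as in the post

# Constructed sample payload: SNMPv2c GetRequest, community "public", sysDescr.0
SAMPLE_SNMP_GET = bytes.fromhex(
    "302602010104067075626c6963a019020101020100020100300e300c06082b060102010101000500"
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(payload, src_ip, dst_ip, src_port, dst_port) -> bytes:
    """Wrap a received UDP payload in a real UDP header and fabricated IPv4/Ethernet headers."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # UDP checksum covers the pseudo-header + UDP header + payload; a zero result is sent as 0xFFFF.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_UDP, udp_len)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    csum = inet_checksum(pseudo + udp_hdr + payload) or 0xFFFF
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, csum)
    # Plausible IPv4 header: version 4, IHL 5, DF set, no fragmentation, TTL 64, id 0.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, IPPROTO_UDP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    # DIX header with zero MACs.  No FCS: capture files normally do not include it.
    eth_hdr = ZERO_MAC + ZERO_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + payload


def pcap_file_header(linktype=LINKTYPE_ETHERNET, snaplen=65535) -> bytes:
    # magic 0xa1b2c3d4 = microsecond timestamps; version 2.4; thiszone 0; sigfigs 0.
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def write_pcap(path, packets):
    """packets: iterable of (timestamp, payload, src_ip, src_port, dst_ip, dst_port)."""
    with open(path, "wb") as f:
        f.write(pcap_file_header())
        for ts, payload, sip, sport, dip, dport in packets:
            f.write(pcap_record(build_udp_frame(payload, sip, dip, sport, dport), ts))


def read_udp_payloads(path):
    """Minimal checking reader: verifies both checksums and returns the 4-tuples and payloads."""
    with open(path, "rb") as f:
        data = f.read()
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unexpected pcap header")
    out, pos = [], 24
    while pos < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        ihl = (frame[14] & 0x0F) * 4
        ip, udp = frame[14:14 + ihl], frame[14 + ihl:]
        if inet_checksum(ip) != 0:
            raise ValueError("bad IPv4 header checksum")
        sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
        pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, IPPROTO_UDP, ulen)
        if inet_checksum(pseudo + udp[:ulen]) != 0:   # includes the checksum field, so must fold to 0
            raise ValueError("bad UDP checksum")
        out.append((socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, udp[8:ulen]))
    return out


def demo(path=None):
    """Log two constructed datagrams (one with an odd-length payload) and read them back."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "udp-log.pcap")
    pkts = [
        (1270604197.123456, SAMPLE_SNMP_GET, "192.0.2.10", 50123, "198.51.100.1", 161),
        (1270604197.25, b"\x01\x02\x03", "192.0.2.11", 40000, "198.51.100.1", 161),
    ]
    write_pcap(path, pkts)
    return read_udp_payloads(path)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The file this produces opens in tcpdump or Wireshark with both checksums reported good; the only giveaway of the fiction is the all-zero MAC addresses and the zero IP ID, which is fine for a log whose purpose is the UDP payloads.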