tcpdump mailing list archives
Re: Writing pcap files with fake headers?
From: Eloy Paris <peloy () chapus net>
Date: Wed, 7 Apr 2010 00:15:17 -0400
Hi Roy, On Tue, Apr 06, 2010 at 09:56:37PM -0400, Roy Smith wrote:
I've got an application which listens for UDP (SNMP) data. We want to add a logging feature where every UDP packet that's received is stored for future analysis. The obvious file format is pcap. It's simple and lets us take advantage of lots of existing pcap-aware tools. The problem is we don't have all the data to write out the normal packet contents that would be in a pcap file. The UDP header is trivial to reconstruct (we'd probably set the UDP checksum to 0xFFFF for simplicity). We don't have enough information to properly re-construct the IPv4 (or IPv6) header, but we could invent a plausible one (pretend nothing was ever fragmented, etc). The ethernet header is another story. About the best we can do is generate a well-formed (if meaningless) DIX frame header with the destination and source MAC addresses all zeros, the ether type 0x0800 or 0x0806, and either leave the CRC all zeros or go to the trouble to compute a real checksum. Of course, there's nothing that says the packet came in over ethernet at all, but it's a convenient fiction. Does this seem like a plausible strategy? Or am I heading off into the weeds?
If you don't have layer 2 information for the packets you wish to save then the easiest thing is probably to use DLT_RAW as the datalink type. DLT_RAW packets begin with an IP header, i.e. no layer 2 header. You do need to come up with a fake IP header, though. Here's a starting point:

    #include <pcap.h>

    pcap_t *pd;
    pcap_dumper_t *pdumper;
    struct pcap_pkthdr hdr;      /* ts, caplen and len of the fabricated packet */
    u_char pkt[65535];           /* fake IP header + UDP header + payload */

    pd = pcap_open_dead(DLT_RAW, 65535 /* snaplen */);

    /* Create the output file. */
    pdumper = pcap_dump_open(pd, "/tmp/capture.pcap");

    while (1) {
        /*
         * Create fake IP header and put UDP header
         * and payload in place in pkt, then fill in
         * hdr.ts, hdr.caplen and hdr.len.
         */
        ...

        /* write packet to savefile */
        pcap_dump((u_char *)pdumper, &hdr, pkt);
    }

    pcap_dump_close(pdumper);
    pcap_close(pd);

Hope this helps.

Cheers,

Eloy Paris.-
netexpect.org
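A fuller version of the DLT_RAW approach, added here as an example and not code from Eloy's reply or from libpcap: it fabricates the IPv4 and UDP headers with a correct IP header checksum, leaves the UDP checksum at 0 (which IPv4 defines as "not computed", so pcap tools will not flag it as bad, unlike an arbitrary 0xFFFF), and writes the savefile format directly so it runs without libpcap. Note the on-disk linktype value for DLT_RAW is 101; DLT_RAW's own number varies by OS, which is why a file written with raw fwrite must use 101. Addresses, ports and payload bytes in the comments and test are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINKTYPE_RAW 101  /* on-disk value pcap files use for DLT_RAW; DLT_RAW's own number differs by OS */

/* RFC 1071 ones-complement checksum; over a header that already carries its checksum it yields 0. */
uint16_t csum16(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static void be16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void be32(uint8_t *p, uint32_t v) { be16(p, v >> 16); be16(p + 2, v & 0xffff); }

/* Invented IPv4 and UDP headers in front of the received payload; out must hold 28 + plen bytes.
 * Returns the total length. UDP checksum is left 0, which IPv4 defines as "not computed". */
size_t build_raw_udp(uint8_t *out, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                     const uint8_t *payload, size_t plen) {
    size_t total = 28 + plen;
    memset(out, 0, 28);
    out[0] = 0x45;                     /* version 4, header length 5 words */
    be16(out + 2, (uint16_t)total);
    be16(out + 6, 0x4000);             /* DF set, offset 0: pretend nothing was ever fragmented */
    out[8] = 64;                       /* TTL */
    out[9] = 17;                       /* protocol = UDP */
    be32(out + 12, src);
    be32(out + 16, dst);
    be16(out + 10, csum16(out, 20));   /* real header checksum so analysis tools do not flag it */
    be16(out + 20, sport);
    be16(out + 22, dport);
    be16(out + 24, (uint16_t)(8 + plen));
    memcpy(out + 28, payload, plen);
    return total;
}

/* Write a one-record pcap savefile with linktype RAW, emitting the file format directly (no libpcap). */
int write_pcap_raw(const char *path, const uint8_t *pkt, size_t len, uint32_t sec, uint32_t usec) {
    struct { uint32_t magic; uint16_t major, minor; uint32_t tz, sigfigs, snaplen, linktype; }
        ghdr = {0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_RAW};   /* native-order magic, version 2.4 */
    uint32_t rhdr[4] = {sec, usec, (uint32_t)len, (uint32_t)len}; /* ts_sec, ts_usec, incl_len, orig_len */
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    int ok = fwrite(&ghdr, sizeof ghdr, 1, f) == 1 && fwrite(rhdr, sizeof rhdr, 1, f) == 1 &&
             fwrite(pkt, len, 1, f) == 1;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}
```

For a long-running logger, keep the file open and append one record header plus packet per received datagram rather than reopening per packet.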
Current thread:
- Writing pcap files with fake headers? Roy Smith (Apr 06)
- Re: Writing pcap files with fake headers? ronnie sahlberg (Apr 06)
- Re: Writing pcap files with fake headers? Guy Harris (Apr 06)
- Re: Writing pcap files with fake headers? Aaron Turner (Apr 06)
- Re: Writing pcap files with fake headers? Eloy Paris (Apr 06)
- Re: Writing pcap files with fake headers? Michael Richardson (Apr 07)
- Re: Writing pcap files with fake headers? ronnie sahlberg (Apr 06)