4 Replies - 1828 Views - Last Post: 05 October 2012 - 12:54 PM Rate Topic: -----

#1 KnitGnosis  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 2
  • Joined: 05-October 12

WinPcap printing packet data

Posted 05 October 2012 - 08:40 AM

Hello all. I've used this site a lot for reference but I am new to posting.

I'm trying to write a C++ program using the WinPcap libraries that will intake a pcap file and scan through each packet to extract IP addresses, port numbers, HTTP information and DNS information. Everything is working very well except for when I try to print out DNS or HTTP packet information.

If your familiar with the WinPcap libraries you should recognize this snippet:

 	// Use pcap_open_offline. Opens a saved pcap file for reading. Store this data in pointer object pcap_t.
    // http://www.winpcap.org/docs/docs_41b5/html/group__wpcapfunc.html#g91078168a13de8848df2b7b83d1f5b69
    pcap_t *pcap = pcap_open_offline(file.c_str(), errbuff);
 
	// Create a header object:
    // http://www.winpcap.org/docs/docs_40_2/html/structpcap__pkthdr.html
    struct pcap_pkthdr *header;

	// Create the u_char character array.
	const u_char *data;

	// Loop through the packets and print information about them.
    u_int packetCount = 0;
    while (int returnValue = pcap_next_ex(pcap, &header, &data) >= 0)
    {



This iterates through each packet and stores the packet header as a struct, and the packet data as a u_char.
This creates a problem. If I try to print an item from the data array say:

 	printf("DNS Response: ");
	for(unsigned int y=76; (y < header->caplen +1); y++)
		printf("%c", data[y-1]);
	printf("\n")



Position 76 of the data array of a UDP DNS response packet is where the IP address starts. Instead of printing out the IP address I get characters and smiling faces, asterixs, arrows, and other assorted garbage. I believe this is due to stdout reading the value as a character, since it's stored as a u_char, when its not and should be read as an integer or something.

If I use:
 printf("%.2x ", data[i-1]);



I can see the data as hex, and the hex values are correct. But I want to see it as 192.168.0.1 or something that looks like a legitimate IP address and is human readable. Anyone have any suggestions as to how I can print this stuff out without seeing all the garbage characters? It's very annoying when every 01 or 02 is printed out as a smiley face so you have www :bigsmile: msn :bigsmile: com.

Is This A Good Question/Topic? 0
  • +

Replies To: WinPcap printing packet data

#2 Skydiver  Icon User is offline

  • Code herder
  • member icon

Reputation: 3589
  • View blog
  • Posts: 11,157
  • Joined: 05-May 12

Re: WinPcap printing packet data

Posted 05 October 2012 - 11:51 AM

"%c" tells printf() to treat the data as a character and print out the actual ASCII character. "%.2x" tells printf() to treat the data as integers and print it out as a 2 digit hexadecimal number. I think that you are looking to use plain of "%d", but you can find what option(s) you want by reading the printf() documentation yourself:
http://en.cppreferen...pp/io/c/fprintf
Was This Post Helpful? 0
  • +
  • -

#3 KnitGnosis  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 2
  • Joined: 05-October 12

Re: WinPcap printing packet data

Posted 05 October 2012 - 12:02 PM

%d throws an error because of invalid type, I read the documentation on printf but none of the options that should work, do work, because it cannot convert them from the u_char it is stored as. I found a rather long work around by using if statements:

 	if (data[y-1] == 02){
		printf(".");
	}
	else if (data[y-1] == 01){
		printf("");
	}
	else if (data[y-1] == 03){
		printf(".");
	}
	else
	        printf("%c",data[y-1]);



and for any IP addresses I want to extract I have to pull them out into a variable then feed that to a conversion function to store them as int then use printf %d to print them out, but I have another complicated loop to iterate through every other one in order to insert the periods where data[y-1] is 02, or 03. It works, but seems inefficient, and has the potential to break. There has to be an easier way to interpret the data and print it out in readable form.
Was This Post Helpful? 0
  • +
  • -

#4 Skydiver  Icon User is offline

  • Code herder
  • member icon

Reputation: 3589
  • View blog
  • Posts: 11,157
  • Joined: 05-May 12

Re: WinPcap printing packet data

Posted 05 October 2012 - 12:09 PM

That is a simple switch statement:
switch(data[y-1])
{
case 1:
    break;
case 2:
case 3:
    putchar('.');
    break;
default:
    putchar(data[y-1]);
    break;
}


Was This Post Helpful? 0
  • +
  • -

#5 jimblumberg  Icon User is offline

  • member icon


Reputation: 4096
  • View blog
  • Posts: 12,673
  • Joined: 25-December 09

Re: WinPcap printing packet data

Posted 05 October 2012 - 12:54 PM

Have you thought about using the inet_ntop() and inet_pton() functions to convert IP addresses to human-readable form and back?

See this link: Beej's guide to network programming, see section 9.14 for a description of these functions.

Jim

This post has been edited by jimblumberg: 05 October 2012 - 01:27 PM
Reason for edit:: Typo

Was This Post Helpful? 1
  • +
  • -

Page 1 of 1