[KnitGnosis]

Hello all. I've used this site a lot for reference but I am new to posting.

I'm trying to write a C++ program using the WinPcap libraries that will intake a pcap file and scan through each packet to extract IP addresses, port numbers, HTTP information and DNS information. Everything is working very well except for when I try to print out DNS or HTTP packet information.

If your familiar with the WinPcap libraries you should recognize this snippet:

 	// Use pcap_open_offline. Opens a saved pcap file for reading. Store this data in pointer object pcap_t.
    // http://www.winpcap.org/docs/docs_41b5/html/group__wpcapfunc.html#g91078168a13de8848df2b7b83d1f5b69
    pcap_t *pcap = pcap_open_offline(file.c_str(), errbuff);
 
	// Create a header object:
    // http://www.winpcap.org/docs/docs_40_2/html/structpcap__pkthdr.html
    struct pcap_pkthdr *header;

	// Create the u_char character array.
	const u_char *data;

	// Loop through the packets and print information about them.
    u_int packetCount = 0;
    while (int returnValue = pcap_next_ex(pcap, &header, &data) >= 0)
    {

This iterates through each packet and stores the packet header as a struct, and the packet data as a u_char.
This creates a problem. If I try to print an item from the data array say:

 	printf("DNS Response: ");
	for(unsigned int y=76; (y < header->caplen +1); y++)
		printf("%c", data[y-1]);
	printf("\n")

Position 76 of the data array of a UDP DNS response packet is where the IP address starts. Instead of printing out the IP address I get characters and smiling faces, asterixs, arrows, and other assorted garbage. I believe this is due to stdout reading the value as a character, since it's stored as a u_char, when its not and should be read as an integer or something.

If I use:

 printf("%.2x ", data[i-1]);

I can see the data as hex, and the hex values are correct. But I want to see it as 192.168.0.1 or something that looks like a legitimate IP address and is human readable. Anyone have any suggestions as to how I can print this stuff out without seeing all the garbage characters? It's very annoying when every 01 or 02 is printed out as a smiley face so you have www msn com.

[Skydiver]

"%c" tells printf() to treat the data as a character and print out the actual ASCII character. "%.2x" tells printf() to treat the data as integers and print it out as a 2 digit hexadecimal number. I think that you are looking to use plain of "%d", but you can find what option(s) you want by reading the printf() documentation yourself:
http://en.cppreferen...pp/io/c/fprintf

[KnitGnosis]

%d throws an error because of invalid type, I read the documentation on printf but none of the options that should work, do work, because it cannot convert them from the u_char it is stored as. I found a rather long work around by using if statements:

 	if (data[y-1] == 02){
		printf(".");
	}
	else if (data[y-1] == 01){
		printf("");
	}
	else if (data[y-1] == 03){
		printf(".");
	}
	else
	        printf("%c",data[y-1]);

and for any IP addresses I want to extract I have to pull them out into a variable then feed that to a conversion function to store them as int then use printf %d to print them out, but I have another complicated loop to iterate through every other one in order to insert the periods where data[y-1] is 02, or 03. It works, but seems inefficient, and has the potential to break. There has to be an easier way to interpret the data and print it out in readable form.

[Skydiver]

That is a simple switch statement:

switch(data[y-1])
{
case 1:
    break;
case 2:
case 3:
    putchar('.');
    break;
default:
    putchar(data[y-1]);
    break;
}

[jimblumberg]

Have you thought about using the inet_ntop() and inet_pton() functions to convert IP addresses to human-readable form and back?

See this link: Beej's guide to network programming, see section 9.14 for a description of these functions.

Jim

This post has been edited by jimblumberg: 05 October 2012 - 01:27 PM
Reason for edit:: Typo