Need help opening PCap file

I'm trying to read the contents of a pcap file. Here is the code I have:

#include <cstdio>
#include <iostream>
#include <string>
#include <pcap.h>

using namespace std;

int main()
{
    int num, inum, i = 0;
    pcap_if_t *alldevs = NULL;  // never filled by pcap_findalldevs in this program
    pcap_t *adhandle;
    struct bpf_program fcode;
    bpf_u_int32 net, mask;
    char *dev;
    string file = "C:\\Users\\kloud135\\Desktop\\dataset.pcap";
    char errbuff[PCAP_ERRBUF_SIZE];
    // Open the capture file for offline reading
    pcap_t * pcap = pcap_open_offline(file.c_str(), errbuff);
    struct pcap_pkthdr *header;
    const u_char *data;
    // Look up a default capture device and its network/netmask
    dev = pcap_lookupdev(errbuff);

    if (pcap_lookupnet( dev, &net, &mask, errbuff ) == -1)
    {
        fprintf(stderr, "Can't get netmask for device %s\n", dev);
        net = 0;
        mask = 0;
    }

    u_int packetCount = 0;
    // Read packets from the file one at a time
    while( int returnValue = pcap_next_ex( pcap , &header, &data) >= 0)
    {
        cout << "test";
        // Compile and apply the "ip and tcp" filter
        if (pcap_compile(pcap , &fcode, "ip and tcp", 1, net) < 0)
        {
            fprintf( stderr, "\nC++ is unable to compile the packet filter. Please check the syntax\n");
            pcap_freealldevs(alldevs);
            return -1;
        }

        if ( pcap_setfilter( pcap, &fcode) < 0)
        {
            fprintf(stderr, "\nThere is an error in setting the filter.\n");
            pcap_freealldevs(alldevs);
            return -1;
        }

        // header->len and header->caplen are unsigned 32-bit values
        printf("Packet number %u\n", ++packetCount);
        printf("Packet size: %u bytes\n", header->len);
        if ( header->len != header->caplen)
            printf("Warning! Packet size different from capture size: %u bytes\n", header->len);

        printf("Epoch time: %ld:%ld seconds\n\n\n", (long)header->ts.tv_sec, (long)header->ts.tv_usec);
    }
    // Wait for input so the console window stays open
    cin >> num;

    return 0;
}

To be honest, I got most of this code from YouTube and don't understand everything that it's doing. I have been looking at http://www.tcpdump.org/manpages/pcap.3pcap.html for help on the pcap functions. Here's what I've found in troubleshooting:

The program works perfectly when I use a small sample pcap file downloaded from the internet, and also when I generate my own pcap file with Wireshark.

When running the above code as is, I receive a runtime error which I have determined is caused by the while loop condition:

pcap_next_ex( pcap , &header, &data)

The file dataset.pcap that I'm trying to read is about 8GB, as opposed to the <1MB files I tested that the program works on. This size difference is the only thing I might guess is the problem, but again I don't know much about how the pcap library works. I need to do some analysis on dataset.pcap for a class I'm taking, but I can't figure out how to even open the file to see the packets inside. Thanks in advance for any assistance.

Sounds interesting.

I don't have pcap.h and know nothing about it but googled "c++ open file size limit" and found where someone said "The maximum file sizes are determined by the compiler and the OS" which I agree with.

The only thing I see that might not be formatted correctly is the last if doesn't have {} but I can't see how a printf could cause any problems.

Assuming you're using a new compiler and OS, the one thing I would investigate looks like a 32 bit value and I'm thinking you want 64 bit.
bpf_u_int32 net, mask;

Thanks for the tips. I'll check the braces (pretty sure they're ok) and the compiler options and the 32/64 bit when I get to work in the morning.

I'd try a 1.5Gb and 3.5Gb file just to confirm we're on the right track.

Might also get some output
std::cout << "size of : " << sizeof net << '\n';

Put some cout statements before and in your while loop and if statements to see if you can narrow down the line when it dies. For example if it loops a thousand times or fails on the first loop.

Unfortunately I don't have any other pcap files that large. The biggest sample file I can find on the internet is about 350 mb, and generating my own takes far too long (~3 minutes gave ~500 kb of data).

I tested with cout's and determined it's crashing upon evaluating the condition in the while loop (the very first time). I tried putting the line

pcap_next_ex( pcap , &header, &data)

directly before the while loop, and it then crashed on this line. I believe pcap_next_ex is supposed to read the next packet in the dataset, and so this makes me think something isn't set right for it to begin reading. I get plenty of output from the printf's when using smaller files.

I didn't see anything in the compiler options for maximum file size.

I failed to mention, it could also be a problem with the file.

Is it like text where you could delete 1/2 of it?

Perhaps you could tell me where to get the pcap.h and the file you're working with.

I found
https://www.winpcap.org/docs/docs_41b5/html/group__wpcap.html

which states "This compatibility means that one can develop portable network tools that will run on the Win32 OS family".

Then I went to http://windowsitpro.com/systems-management/what-are-maximum-volume-sizes-and-maximum-file-sizes-various-windows-file-systems

which says the max file size for FAT and FAT32 is 4GB. NTFS, which you probably have, should be ok, but if it's an older computer check the disk drive formatting.
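
The thread leaves open whether the file itself is at fault and whether 32-bit quantities matter. The following is an added example, not code from any poster here and not using libpcap: it reads the capture's magic number and walks classic pcap record headers with a 64-bit offset, reporting whether the file is classic pcap, pcapng, or cut short. The names `triage_capture`, `Triage` and `sample_capture`, the constructed sample bytes and the 262144-byte record bound are assumptions of this example.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
enum class CapKind { Unknown, ClassicPcap, PcapNg };
struct Triage {
    CapKind kind = CapKind::Unknown;
    std::uint64_t packets = 0;     // complete records walked
    bool damaged = false;          // header or record cut short or implausible
    std::uint64_t bad_offset = 0;  // where it happened; 64-bit, as an 8 GB file needs
};

static std::uint32_t rd32(const unsigned char *p, bool big) {  // big: byte-swapped file
    const std::uint32_t a = p[0], b = p[1], c = p[2], d = p[3];
    return big ? (a << 24 | b << 16 | c << 8 | d) : (d << 24 | c << 16 | b << 8 | a);
}

Triage triage_capture(std::istream &in) {
    Triage t;
    unsigned char h[24], r[16];
    if (!in.read(reinterpret_cast<char *>(h), 4)) return t;
    const std::uint32_t magic = rd32(h, false);
    if (magic == 0x0A0D0D0Au) { t.kind = CapKind::PcapNg; return t; }
    const bool big = magic == 0xD4C3B2A1u || magic == 0x4D3CB2A1u;
    if (!big && magic != 0xA1B2C3D4u && magic != 0xA1B23C4Du) return t;
    t.kind = CapKind::ClassicPcap;
    t.damaged = true;  // cleared only by reaching a clean end of file
    if (!in.read(reinterpret_cast<char *>(h + 4), 20)) return t;
    for (t.bad_offset = 24;;) {  // records start after the 24-byte global header
        in.read(reinterpret_cast<char *>(r), 16);
        if (in.gcount() == 0) { t.damaged = false; t.bad_offset = 0; return t; }
        if (in.gcount() != 16) return t;              // partial record header
        const std::uint32_t incl = rd32(r + 8, big);  // captured length, untrusted
        if (incl > 262144u) return t;                 // sanity bound assumed here
        in.ignore(incl);
        if (in.gcount() != static_cast<std::streamsize>(incl)) return t;  // data cut short
        ++t.packets;
        t.bad_offset += 16 + static_cast<std::uint64_t>(incl);
    }
}

std::string sample_capture() {  // constructed: LE global header + one 4-byte record
    const char b[] = "\xd4\xc3\xb2\xa1\x02\0\x04\0" "\0\0\0\0\0\0\0\0" "\xff\xff\0\0\x01\0\0\0"
                     "\0\0\0\0\0\0\0\0" "\x04\0\0\0\x04\0\0\0" "abcd";
    return std::string(b, sizeof b - 1);
}

int main() {
    std::istringstream in(sample_capture());
    std::cout << "packets=" << triage_capture(in).packets << '\n';
}
```

To check a real capture, pass `triage_capture` a `std::ifstream` opened with `std::ios::binary`.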

