I'm trying to read the contents of a pcap file. Here is the code I have:
#include <iostream>
#include <pcap.h>
using namespace std;
int main()
{
int num, inum,i = 0;
pcap_if_t *alldevs;
pcap_t *adhandle;
struct bpf_program fcode;
bpf_u_int32 net, mask;
char *dev;
string file = "C:\\Users\\kloud135\\Desktop\\dataset.pcap";
char errbuff[PCAP_ERRBUF_SIZE];
pcap_t * pcap = pcap_open_offline(file.c_str(), errbuff);
struct pcap_pkthdr *header;
const u_char *data;
dev = pcap_lookupdev(errbuff);
if (pcap_lookupnet( dev, &net, &mask, errbuff ) == -1)
{
fprintf(stderr, "Can't get netmask for device %s\n", dev);
net = 0;
mask = 0;
}
u_int packetCount = 0;
while( int returnValue = pcap_next_ex( pcap , &header, &data) >= 0)
{
cout << "test";
if (pcap_compile(pcap , &fcode, "ip and tcp", 1, net) < 0)
{
fprintf( stderr, "\nC++ is unable to compile the packet filter. Please check the syntax\n");
pcap_freealldevs(alldevs);
return -1;
}
if ( pcap_setfilter( pcap, &fcode) < 0)
{
fprintf(stderr, "\nThere is an error in setting the filter.\n");
pcap_freealldevs(alldevs);
return -1;
}
printf("Packet number %i\n", ++packetCount);
printf("Packet size: %d bytes\n", header->len);
if ( header->len != header->caplen)
printf("Warning! Packet size different from capture size: %ld bytes\n", header->len);
printf("Epoch time: %d:%d seconds\n\n\n", header->ts.tv_sec, header->ts.tv_usec);
}
cin >> num;
return 0;
}
To be honest, I got most of this code from YouTube and don't understand everything that it's doing. I have been looking at
http://www.tcpdump.org/manpages/pcap.3pcap.html for help on the pcap functions. Here's what I've found in troubleshooting:
The program works perfectly when I use a small sample pcap file downloaded from the internet, and also when I generate my own pcap file with Wireshark.
When running the above code as is, I receive a runtime error which I have determined is caused by the while loop condition:
pcap_next_ex( pcap , &header, &data)
The file dataset.pcap that I'm trying to read is about 8GB, as opposed to the <1MB files I tested that the program works on. This size difference is the only thing I might guess is the problem, but again I don't know much about how the pcap library works. I need to do some analysis on dataset.pcap for a class I'm taking, but I can't figure out how to even open the file to see the packets inside. Thanks in advance for any assistance.