ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

How to save specific application packets as a new pcap file. #1850

Closed Yzy-zzz closed 1 year ago

Yzy-zzz commented 1 year ago

After we execute ndpiReader (ndpiReader.c), we know there will be some detected results on the screen. As for some specific application protocols (such as YOUTUBE or WHATSAPP ...), I want to know how to save these special packets into a new pcap file. Thanks for the help! :)

IvanNardi commented 1 year ago

There is no easy way. As a partial workaround, you can change ndpiReader and write something like this (take a look at the pcap_dump_* functions in libpcap):

--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1913,6 +1913,10 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept
       malloc_size_stats = 0;

       if(enable_protocol_guess) ndpi_thread_info[thread_id].workflow->stats.guessed_flow_protocols++;
+
+      if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_WHATSAPP) {
+        pcap_dump(...);
+      }
     }
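Review bot: `pcap_dump()` takes a `struct pcap_pkthdr *` and the packet bytes, and neither is in scope at this point: `node_proto_guess_walker` is a per-flow tree walker (its `node`/`ndpi_VISIT` signature is visible in the hunk header) that runs over already-processed flows, so the `pcap_dump(...)` placeholder cannot be filled in here. The dump belongs in the per-packet path, at the point where `flow->detected_protocol` has just been set, with the `pcap_dumper_t` created once via `pcap_dump_open()` on the capture handle and closed with `pcap_dump_close()` at exit so the file is flushed. The test `flow->detected_protocol.app_protocol == NDPI_PROTOCOL_WHATSAPP` also ignores `master_protocol`; if the intent is "WhatsApp at either layer", check both fields.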

This way you save only the interesting packets after the classification. The previous ones (for example, the TCP handshake) are obviously "gone" and you can't save them anymore.

Generally speaking, dumping the entire flow is definitely a hard task (especially if you want an "automatic" system).

If you want to dump them manually (for example, you are interested in only a few flows), you can open the trace with Wireshark and export the interesting flows from it (selecting them one by one by hand).
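The "handshake is already gone" caveat above comes from dumping at the moment of classification. The usual way around it, shown here as an added example that is not part of the issue thread or of nDPI, is to buffer each flow's packets until the classifier returns a verdict and then write the whole flow (handshake included) or discard it. Assumptions: the classifier is a toy stand-in for nDPI that only looks at the first payload bytes, the pcap file is written by hand with `struct` (LINKTYPE_RAW, IPv4 packets with no link-layer header) instead of `pcap_dump_*`, and the input packets are constructed inline with zeroed checksums.

```python
import struct
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set, Tuple

PCAP_MAGIC, LINKTYPE_RAW = 0xA1B2C3D4, 101       # LINKTYPE_RAW: records start at the IP header
FlowKey = Tuple[int, bytes, int, bytes, int]      # (ip proto, addr A, port A, addr B, port B), direction-neutral


def flow_key(pkt: bytes) -> Optional[FlowKey]:
    """5-tuple of an IPv4 TCP/UDP packet, endpoints ordered so both directions share one key."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto not in (6, 17) or len(pkt) < ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    a, b = (pkt[12:16], sport), (pkt[16:20], dport)
    if a > b:
        a, b = b, a
    return (proto, a[0], a[1], b[0], b[1])


def payload(pkt: bytes) -> bytes:
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == 6:                                   # TCP: data offset is the high nibble of byte 12
        return pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]
    return pkt[ihl + 8:]                              # UDP: fixed 8-byte header


def stand_in_classifier(key: FlowKey, pkts: List[bytes]) -> Optional[str]:
    """Toy stand-in for nDPI (assumption). None = undecided; a label once payload is seen."""
    data = next((payload(p) for p in pkts if payload(p)), b"")
    if not data:
        return None
    if key[0] == 6 and data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "HTTP"
    if key[0] == 6 and data[:2] == b"\x16\x03":
        return "TLS"
    if key[0] == 17 and 53 in (key[2], key[4]):
        return "DNS"
    return "Unknown"


class FlowDumper:
    """Hold each flow's packets until the classifier rules, then write the whole flow or drop it."""

    def __init__(self, interesting: Set[str],
                 classify: Callable[[FlowKey, List[bytes]], Optional[str]] = stand_in_classifier,
                 max_pending: int = 16):
        self.interesting, self.classify, self.max_pending = interesting, classify, max_pending
        self.pending: Dict[FlowKey, List[Tuple[float, bytes]]] = defaultdict(list)
        self.verdict: Dict[FlowKey, bool] = {}        # True = dump, False = discard
        self.out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW))

    def _write(self, ts: float, pkt: bytes) -> None:
        sec = int(ts)
        self.out += struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(pkt), len(pkt)) + pkt

    def packet(self, ts: float, pkt: bytes) -> None:
        key = flow_key(pkt)
        if key is None:
            return
        if key in self.verdict:                       # flow already judged: stream it or drop it
            if self.verdict[key]:
                self._write(ts, pkt)
            return
        buf = self.pending[key]
        buf.append((ts, pkt))
        label = self.classify(key, [p for _, p in buf])
        if label is None and len(buf) < self.max_pending:
            return                                    # still undecided: keep buffering
        self.verdict[key] = label in self.interesting  # giving up after max_pending = not interesting
        if self.verdict[key]:
            for t, p in buf:                          # flush the handshake and everything buffered
                self._write(t, p)
        del self.pending[key]

    def pcap_bytes(self) -> bytes:
        return bytes(self.out)


# Constructed sample traffic (not captured data): checksums left at zero.
def ipv4(proto, src, dst, transport):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64, proto, 0, src, dst) + transport

def tcp(sport, dport, flags, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + data

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

A, B, C = b"\x0a\x00\x00\x01", b"\x5d\xb8\xd8\x22", b"\x0a\x00\x00\x35"
SAMPLE = [                                            # one HTTP flow with handshake, one TLS flow, one DNS query
    (1.0, ipv4(6, A, B, tcp(40000, 80, 0x02))),       # SYN
    (1.1, ipv4(6, B, A, tcp(80, 40000, 0x12))),       # SYN/ACK
    (1.2, ipv4(6, A, B, tcp(40000, 80, 0x10))),       # ACK
    (1.3, ipv4(6, A, B, tcp(40000, 80, 0x18, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))),
    (2.0, ipv4(6, A, B, tcp(40001, 443, 0x02))),
    (2.1, ipv4(6, A, B, tcp(40001, 443, 0x18, b"\x16\x03\x01\x00\x05hello"))),
    (3.0, ipv4(17, A, C, udp(5353, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),
]

def dump_protocols(packets, interesting: Set[str]) -> bytes:
    d = FlowDumper(interesting)
    for ts, pkt in packets:
        d.packet(ts, pkt)
    return d.pcap_bytes()

def read_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Minimal reader for the file written above, so the result can be checked without libpcap."""
    out, off = [], 24
    while off < len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        out.append((sec + usec / 1e6, data[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return out
```

With `interesting={"HTTP"}` the output file contains all four packets of the HTTP flow, SYN first, while the TLS and DNS flows never reach the file. The cost of the approach is memory: `max_pending` bounds how many packets an undecided flow may hold, and a flow that hits the bound without a verdict is treated as not interesting, which is the same trade-off any "automatic" dumper has to make.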

Yzy-zzz commented 1 year ago

Thanks for the advice! I'm going to have a try.