How to parse epb.data from PcapBlockOwned::NG(Block::EnhancedPacket(epb))?

[xudesheng]

I guess this needs to parse a IP packet data but I'm new to this domain. I want to grasp source ip, destination IP, port and protocol from there. Is it possible to enhance it?

Thanks and appreciate your great work.

[chifflier]

Hi, The pcap format can make it difficult to access data. The realformat of the EPB data depends on the linktype of the interface associated to this packet. So, you have to store interface description blocks (IDB) in the order they are seen (this is the index), and get link type for each EPB.

Once you have the linktype, using the data feature of pcap-parser will provide you the get_packetdata function. This function tries to parse the content: not all linktypes are supported, but the most common ones are, and it is quite easy to add one if required. It will return a PacketData structure, describing the network data (layer 2, 3, or 4) or if unsupported.

For a complete (and maybe more complex) example, see https://github.com/rusticata/pcap-analyzer/blob/master/libpcap-tools/src/data_engine.rs#L82-L207 BTW, if you only want to extract data from pcap, maybe using libpcap-tools is a better abstraction for you. Using pcap-parser is more useful when you want to deal with low-level pcap structures.