seladb / PcapPlusPlus

PcapPlusPlus is a multiplatform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use. It provides C++ wrappers for the most popular packet processing engines such as libpcap, Npcap, WinPcap, DPDK, AF_XDP and PF_RING.
https://pcapplusplus.github.io/
The Unlicense

How to access file header info? #906

Closed GilbertoTheMighty closed 4 months ago

GilbertoTheMighty commented 2 years ago

Hello. I'm using pcpp::PcapFileReaderDevice reader(filename); I would like to read the Magic Number from the file header, which represents the time format. I could not find anything that allows access to the header struct. How can I do this?

seladb commented 2 years ago

Do you know if libpcap provides an API to read this magic number? PcapPlusPlus relies on libpcap/WinPcap/Npcap to read .pcap files so if there's no such API there's no way for PcapPlusPlus to fetch this information.

We did add the PCAP_TSTAMP_PRECISION_NANO compilation flag to open files in nanosec precision, but that assumes you know the file's precision...

GilbertoTheMighty commented 2 years ago

I've compiled pcap++ with PCAP_TSTAMP_PRECISION_NANO. Read pcap file, update timespec, write to another file => produces rounded timestamp. 1601234567.000051234 (written time) becomes 1601234567.000051000 in the output file according to Wireshark

GilbertoTheMighty commented 2 years ago

Seems like writePacket does not use this flag

I think this is supposed to be pcap_open_dead_with_tstamp_precision

GilbertoTheMighty commented 2 years ago

```cpp
#if defined(PCAP_TSTAMP_PRECISION_NANO)
    m_PcapDescriptor = pcap_open_dead_with_tstamp_precision(m_PcapLinkLayerType, PCPP_MAX_PACKET_SIZE, PCAP_TSTAMP_PRECISION_NANO);
#else
    m_PcapDescriptor = pcap_open_dead(m_PcapLinkLayerType, PCPP_MAX_PACKET_SIZE);
#endif
```

GilbertoTheMighty commented 2 years ago

I've also commented out *1000 and /1000 in Common++\header\TimespecTimeval.h

After these changes I was able to produce a pcap file with nanoseconds, which are seen in Wireshark

seladb commented 2 years ago

Thanks for debugging the issue! Can you please open a PR with the fix?

seladb commented 2 years ago

@GilbertoTheMighty will you consider opening a PR with the fix?

seladb commented 2 years ago

> @GilbertoTheMighty will you consider opening a PR with the fix?

@GilbertoTheMighty I'm not sure if you saw my previous comment. Please let me know if you can open a PR with the fix

egecetin commented 4 months ago

Fixed with #1368.

As a side note, it is possible to read the pcap file header directly, but since libpcap doesn't provide an API for it, it requires manual binary reading and parsing of the desired offsets, which is currently a bit off-topic for this repo. If anyone requires this type of access in the future, they can check the file header in the standard, which is described here
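
The manual header read mentioned in the last comment, as an added example that is not part of this thread or of PcapPlusPlus. It parses the 24-byte classic pcap global header from a buffer and reports the timestamp precision from the magic number (0xA1B2C3D4 for microseconds, 0xA1B23C4D for nanoseconds, either byte order). The names `PcapFileHeader`, `TsPrecision` and `parsePcapFileHeader` are hypothetical and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Timestamp resolution signalled by the magic number of a classic .pcap file.
enum class TsPrecision { Micro, Nano };

struct PcapFileHeader {          // hypothetical name, not a PcapPlusPlus type
    TsPrecision precision;
    bool bigEndian;              // byte order the file was written in
    uint16_t versionMajor, versionMinor;
    uint32_t snapLen, linkType;  // linkType is the raw 32-bit field
};

static uint32_t rd32(const uint8_t* p, bool be) {
    return be ? (uint32_t(p[0]) << 24 | uint32_t(p[1]) << 16 | uint32_t(p[2]) << 8 | p[3])
              : (uint32_t(p[3]) << 24 | uint32_t(p[2]) << 16 | uint32_t(p[1]) << 8 | p[0]);
}
static uint16_t rd16(const uint8_t* p, bool be) {
    return be ? uint16_t(p[0] << 8 | p[1]) : uint16_t(p[1] << 8 | p[0]);
}

// Parses the 24-byte global header; returns false for short, pcapng or corrupt input.
bool parsePcapFileHeader(const uint8_t* buf, std::size_t len, PcapFileHeader& out) {
    if (buf == nullptr || len < 24) return false;
    switch (rd32(buf, true)) {   // read the magic as big-endian to classify byte order
        case 0xA1B2C3D4u: out.bigEndian = true;  out.precision = TsPrecision::Micro; break;
        case 0xA1B23C4Du: out.bigEndian = true;  out.precision = TsPrecision::Nano;  break;
        case 0xD4C3B2A1u: out.bigEndian = false; out.precision = TsPrecision::Micro; break;
        case 0x4D3CB2A1u: out.bigEndian = false; out.precision = TsPrecision::Nano;  break;
        default: return false;   // unknown magic: do not guess a precision
    }
    out.versionMajor = rd16(buf + 4, out.bigEndian);
    out.versionMinor = rd16(buf + 6, out.bigEndian);
    out.snapLen      = rd32(buf + 16, out.bigEndian);  // offsets 8..15: thiszone, sigfigs
    out.linkType     = rd32(buf + 20, out.bigEndian);
    return true;
}

// Constructed sample: little-endian, nanosecond magic, v2.4, snaplen 262144, Ethernet (1).
static const uint8_t kSampleNanoLE[24] = {
    0x4D, 0x3C, 0xB2, 0xA1, 0x02, 0x00, 0x04, 0x00, 0, 0, 0, 0,
    0, 0, 0, 0, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00};

int main() {
    PcapFileHeader h{};
    if (!parsePcapFileHeader(kSampleNanoLE, sizeof kSampleNanoLE, h)) return 1;
    std::printf("pcap %u.%u, %s-endian, %s timestamps, snaplen %u, linktype %u\n",
                unsigned(h.versionMajor), unsigned(h.versionMinor), h.bigEndian ? "big" : "little",
                h.precision == TsPrecision::Nano ? "nanosecond" : "microsecond",
                unsigned(h.snapLen), unsigned(h.linkType));
    return 0;
}
```

To use it on a real capture, read the first 24 bytes of the file into a buffer and pass that buffer to `parsePcapFileHeader` before deciding which precision to open the file with.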