pcap-parser
pcap-parser copied to clipboard
rusticata
Examples of printing out payload of a packet?
Hi,
Can you provide an example of how to print the payload of a packet when reading in a pcap file? For instance, if wanted to print the DNS or HTTP payload of a packet, how would I go about doing this using pcap-parser?
First, you have to write a loop to read packets from the file. One example is given in the docs, "streaming parser".
Now, in the above example, when you have a block, you need to match it for the type, and depending on the type, call pcap_parser::data::get_packetdata.
A complete example (doing much more than you probably need) of block handling can be found here
Note the pcap format is in fact not easy because of the many possible encapsulations and link-layers, the endianness, etc. This is why I am also working on pcap-analyzer.
I tried writing a quick example, if your file is a legacy pcap file:
let path = "assets/le-nflog.pcap";
let content = fs::read(path).expect("could not read pcap file");
let (rem, header) = parse_pcap_header(&content).expect("parsing failed");
let mut i = rem;
let mut num_blocks = 0;
loop {
match parse_pcap_frame(i) {
Ok((rem, block)) => {
// read block data (linktype is NFLOG)
let res = get_packetdata(block.data, header.network, block.caplen as usize);
let packetdata = res.expect("parsing data failed");
match packetdata {
PacketData::L2(data) => todo!(),
PacketData::L3(ethertype, data) => todo!(),
PacketData::L4(datatype, data) => todo!(),
PacketData::Unsupported(_) => todo!(),
}
num_blocks += 1;
i = rem;
}
Err(ErrMode::Incomplete(_)) => break,
// Err(ErrMode(PcapError::Incomplete(_)) => break,
Err(e) => panic!("Unexpected error: {:?}", e),
}
}
In the match arms, data is what you want. You might simplify some cases if you know you have only layer 3 data.
If your file is using format pcap-ng, you will need to adapt that code. The code in pcap-analyzer show how to abstract this and handle all cases.