load a .pcap file

SeanJ · ‎04-07-2015

Hi All,

I want to load a wireshark trace, process it and dump out the required details. I was using wireshark to do this but since I discovered sequencing issues that wireshark cannot handle, I though the easiest way to do this would be to use labVIEW.

I was looking through the example on winpcap but it doesn't show how to load a file.

Rather than reinvent the wheel, does anyone know if there is a way to load pcap files into LabVIEW?

Ciao,

Seán

R.Peters · ‎04-07-2015

Basically you will have to edit the CPP source code and add a new function lvwpcap_open_capturefile() or something similar which works similar to lvwpcap_open_interface() but instead of calling in there pcap_open_live() it would call pcap_open_offline() from the pcap library. Then create a new DLL from that and write a wrapper VI to call this new function.

SeanJ · ‎04-07-2015

Thanks RPE,

However, as far as I can see, the source files are not included:

http://www.ni.com/example/27660/en/

Rgds,

S

R.Peters · ‎04-07-2015

Well, the lvwpcap.cpp is. That is the important one. You'll have to decide what C compiler you're gonna use and create the according DLL project for it.

SeanJ · ‎04-07-2015

Oops! Just found lvwpcap.cpp

I'll try your recommendation later when I get a chance.

In the meantime, I was trying to parse a pcap file

The first 46bytes apepars similar to that shown below:

AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA 1231 3C0A ABCD

I have blanked the first 40 bytes, (time stamp ?). Following this, (bytes 41-43), what I expected to be the MAC address :

Actual MAC address: 1231 3C0D ABCD

(ABCD inserted for security)

However, the Actual MAC address is 1231 3C0D ABCD which is strange and something I cannot explain. I didn't glean much from the manual either.

The good news is the data payload matches, (at least on the first packet I tried). This means I should be able to strip out the interesting packets and create a new pcap file.

Still don't understand why the MAC addresses do not match but this is probably a winpcap question...

rolfk · ‎04-07-2015

If you read a binary file you shouldn't use the Read Text File node but rather the Read Binary File node. And if you use the Read Text File node anyways you should at least disable "convert end of line" mode on it!

Rolf Kalbermatter My Blog

DEMO, Electronic and Mechanical Support department, room 36.LB00.390

SeanJ · ‎04-07-2015

Doh!

Thanks rolfk, mystery solved. Now reading 1231 3C0D ABCD

Rgds,

Seán

D.Taylor92 · ‎03-28-2016

Did you have any success at all loading a .pcap file into Labview using the .cpp method ? I'm currently looking at doing the same using recorded LIDAR data in .pcap format but haven't had any luck myself.

mikeporter · ‎03-28-2016

You migth want to check this out:

http://www.kroosec.com/2012/10/a-look-at-pcap-file-format.html

It appears to be pretty much step-by-step instructions on how to parse these files.

Mike...

Certified Professional Instructor
Certified LabVIEW Architect
LabVIEW Champion

"... after all, He's not a tame lion..."

For help with grief and grieving.

Muniraju · ‎06-06-2016

Dear sir,

If Have Edited lvwpcap.cpp file for offline data capure..plz attach to us so that it will be great help to us...

Thanks & regargs,

Muniraju

LabVIEW

load a .pcap file

load a .pcap file

Re: load a .pcap file

Re: load a .pcap file

Re: load a .pcap file

Re: load a .pcap file

Re: load a .pcap file

Re: load a .pcap file

Re: load a .pcap file

Re: load a .pcap file

Re: load a .pcap file