WinPCap - Packet.dll UDF

[f1iqf]

@ptrex and all,

Please note that my UDF is not actualy an ethereal/wireshark UDF but a Winpcap UDF. It does NOT do any protocol analysis by itself, it just captures and sends raw packets on your network according to some filters. You have to perform the analysis (source/destination/protocol... etc) by yourself. I included a basic demo script which is doing so partialy (for the example) but does only support some basics for protocols IP, ICMP, UDP, TCP and ARP.

In the latest versions I included some utility function to extract (or set) a value from/into the binary string and compute Checksums for the most commons protocols. You can always convert to a regular string the binary data by using a StringToBinary() call.

Hope that helps.

Best regards,

Nicolas

@f1iqf

I tested some of your examples posted on your website.

I was able to :

- List the devices

- Capture some HTTP packets

- Create a PCAP file

- Read a PCAP file

The data coming out of the PCAP file doesn't tell me a lot ?

When I open the PCAP file using Ethereal I does read it well !!

But can I find the data structure I see in here compared to what I see in the read PCAP function.

The Ethereal output is Time - Source - Destination - Protocol - Info Data

Output if the Function is Time - Lenght - Packet - Data ?

Can you give an example on how to read the output comparable to what I see in Etherial ?

PS : Good UDF so far !!

Edit : nevermind my question. I figured out how to read the data.

Thanks again.

Thanks

ptrex

[ptrex]

@f1iqf

You have to perform the analysis (source/destination/protocol... etc) by yourself.

That is what I had figured out myself !!

Thanks for sharing this wonderfull UDF

Regards,

ptrex

[boomingranny]

Hi,

your Winpcap.au3 is amazing, i have been using it for several days now.

I appriciate the time you have put into this, and that you have shared it.

I have one problem however,

I am recieving and processing tcp packets,

sometimes (i suspect when there is heavy traffic) i will get only the first 60 bytes of a TCP packet. Its alwas the first 60 bytes, and i know its incomplete because it doesn't end in a null. (all the complete packets end with a null from my analysis so far)

i suspect the problem might be somewhere in _PcapGetPacket but my debugging for the last day has found nothing. the project i am using this for relys on all packets being parsed, so this has brought it to a halt. thanks for taking the time to read this.

My TCP/IP knowledge is ok, but i am no expert. could this be packet fragmentation? I have had much larger packets, up to 1514 before they have been fragmented.

I know that the end application is recieving these packets, because it is making use of the data in them.

When the packet is cut short it is always the first 60 bytes (which is mostly header + 6 ascii characters/bytes of useful data)

edit:

ok ignore this post, i am getting the exact same data in Wireshark... prooving its nothing to do with Winpcap.au3

Edited May 28, 2010 by boomingranny

[lsakizada]

Hi,

I know this thread is quiet old, but is it possible to open an existing ".pcap" file for read and replaying it?

Thanks

Edited May 2, 2011 by lsakizada