How to analysis a pcap/pcapng file
I use tcpdump and download the pcap file, but don't know how to analyze the data, I want to filter it by IP address and see how many time the connection is established and the port number? Is there any tool you recommended? I use python mostly, I tried pcapkit,dpkt,pcaper. Can dpkt extract specific information? Thanks
See also questions close to this topic
TCP Server sends [ACK] followed by [PSH,ACK]
I am working on a high-performance TCP server, and I see the server not processing fast enough on and off when I pump high traffic using a TCP client. Upon close inspection, I see spikes in "delta time" on the TCP server. And, I see the server sending an ACK and 0.8 seconds later sending PSH,ACK for the same seqno. I am seeing this pattern multiple times in the pcap. Can experts comment on why the server is sending an ACK followed by a PSH,ACK with a delay in between?
decrypting pcapplusplus SSLApplicationDataLayer with OpenSSL
I have a C++ application that connects to an external TCP server. Single TCP message could have multiple TLS records. I am interesting in analysing the content of a TCP packet as a whole for live debugging purposes. (This is quite easy to do with a recorded PCAP file & Wireshark but the point of this exercise is to do it live).
I have a thread that creates and maintains the TLS/TCP connection with the server using OpenSSL. I have access to
SSL * sslobject that created the connection as well as the client random and session master key. In another thread I am setting up
pcapplusplusdevice that filters on TLS packets. PCAP++ makes it easy to retrieve the encrypted payload. However I can't figure out what OpenSSL API could help me decrypt individual ApplicationDataLayer record.
Cypher here is fixed:
AES 128 bit
There is a test in OpenSSL code base that looked promising but it is still coupled to internal
ssl3_record_stobject which makes it a non-trivial example. Is there OpenSSL api method or an example that just takes a pointer to the buffer with master key as an argument and decrypts the message?
Also one another thing that I am not sure about is the relationship between the session master key and AES key/IV. Session master key is 48 bytes while the IV is 16 and AES key is 32. Is there OpenSSL api given the SSL session can give me the derived key & iv that I could use do decrypt the payload directly?
Any advise on the approach itself or other direction I could take would be very useful
Printing HTTP header on terminal
I am currently creating a packet sniffer using python and pcap. After following this code: https://www.binarytides.com/code-a-packet-sniffer-in-python-with-pcapy-extension/
I am able to parse IP and TCP header to get the values such as source address, port number, etc. I only need HTTP request/response so I filtered out to only keep the ones that have the port number 80.
However, I am really confused on how to print out the actual values of HTTP header. Where and how am I supposed to get the image below to appear on my MacOS terminal?
Thanks in advance.
Is there a way to create a custom Boost.Asio async operation?
Currently I'm working on a packet sniffer using
libpcaplibrary, and I want it to work under Boost.Asio
io_contextand to sniff on packets asynchronously.
So is there a way to create a custom function (like
async_sniff(...)) that waits for a packet and launches an assigned handler to process a packet?
Run libpcap without sudo/root
I am using libpcap to sniff packets and also to create raw packets in C++ in Ubuntu 18.04. These features require admin(sudo) permission. I am checking for a way to remove the dependency.
When I run my code without sudo, I get the following error:
pcap_open_live(): You don't have permission to capture on that device (socket: Operation not permitted)
I build my application using cmake and make and I have the executable
test, which I run as
I have tried
setcap cap_net_raw,cap_net_admin=eip ./test, but without sudo, I am unable to capture packets, with the same permission error as above.
Please help on this issue.
Find out RTP maximum size
How can I find out what is the max size of rtp/rtsp? is that depend only on MTU ? there is no way that rtp/rtsp will be bigger than MTU ?
I have change the MTU with
ifconfig eth1 mtu 1000 upbut still I got RTSP packet with 1440 length