Hi,
I am new at UNIX and programing in general and only have a basic knowledge of C++. I am helping out with some research at a college and was given the task to sort through captured packets via IP addresses. I was wondering if anyone could help me with writing a code which filters through pcap files by ip addresses and then records the timestamps. I know a few programs that do this type of thing such as WireShark but they take up too much memory when analyzing gigabytes of data and that is why I am looking to write a relatively simple code which just gets my task done and gathers data for me.
To best assist you, info on:
a) directory structure to begin searching [i.e. /usr/smile]
b) template of filename(s) to review [i.e. abcd????.*]
c) sample of data within files to retrieve
[i.e. 12.10.77.112 blah-blah 06/10/2008
19.5.79.141 hurrah 05/11/2007]
and so on.
If you just want a lean interface to read the pcap files you can take a look at libpcap's
pcap_open_offline() and some related packet analysis: libpcap packet capture tutorial, or you can
simply use tcpdump -r for the most part.
HTH
I was thinking something more along the lines of using a separate text file for the IP addresses and some how use the 'tcpdump -r myfile.pco -w out.pcap ip src "1.2.3.4"' command to make it so that it matches the IPs with the text file. Also I am only interested in the time stamps and don't require the rest of the details of the packets, so it would be helpful if I wrote a code which filters through the clutter and gives me only the time stamps.
Thank You
Hershey,
The bpf language obviates the need for a text file with separate addressing.
You can use the tcpdump -r filename 'bpf expression here' -tttt for your purposes
and excise the packet dump data via sed, awk, etc...