Home page logo
/

tcpdump mailing list archives

Re: Writing pcap files with fake headers?
From: Eloy Paris <peloy () chapus net>
Date: Wed, 7 Apr 2010 00:15:17 -0400

Hi Roy,

On Tue, Apr 06, 2010 at 09:56:37PM -0400, Roy Smith wrote:

I've got an application which listens for UDP (SNMP) data.  We want
to add a logging feature where every UDP packet that's received is
stored for future analysis.  The obvious file format is pcap.  It's
simple and lets us take advantage of lots of existing pcap-aware
tools.  The problem is we don't have all the data to write out the
normal packet contents that would be in a pcap file.

The UDP header is trivial to reconstruct (we'd probably set the UDP
checksum to 0xFFFF for simplicity).  We don't have enough
information to properly re-construct the IPv4 (or IPv6) header, but
we could invent a plausible one (pretend nothing was ever
fragmented, etc).

The ethernet header is another story.  About the best we can do is
generate a well-formed (if meaningless) DIX frame header with the
destination and source MAC addresses all zeros, the ether type
0x0800 or 0x0806, and either leave the CRC all zeros or go to the
trouble to compute a real checksum.  Of course, there's nothing that
says the packet came in over ethernet at all, but it's a convenient
fiction.

Does this seem like a plausible strategy?  Or am I heading off into
the weeds?

If you don't have layer 2 information for the packets you wish to save
then the easiest thing is probably to use DLT_RAW as the datalink type.
DLT_RAW packets begin with an IP header, i.e. no layer 2 header. You do
need to come up with a fake IP header, though.

Here's a starting point:

    pcap_t *pd;
    pcap_dumper_t *pdumper;

    pd = pcap_open_dead(DLT_RAW, 65535 /* snaplen */);

    /* Create the output file. */
    pdumper = pcap_dump_open(pd, "/tmp/capture.pcap");

    while (1) {
        /*
         * Create fake IP header and put UDP header
         * and payload in place
         */
        ...

        /* write packet to savefile */
        pcap_dump(pdumper, xxxx, yyyy);
    }

    pcap_close(pd);
    pcap_dump_close(pdumper);

Hope this helps.

Cheers,

Eloy Paris.-
netexpect.org
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault