Packet is stored wrong in .pcap file

1
votes

I am trying to save sample packet to .pcap file, using pcap_dump() and other functions from pcap.h library. When I open it in Wireshark, the numbers are just different from those I'm saving in program. Here is my code:

void create_pcap_file() {

string udp = "ff ff ff ff ff ff 00 21 85 11 29 1b 08 00 45 00 00 1c 0c 12 40 00 80 11 00 00 93 af 6a 8d ff ff ff ff 44 5c 44 5c 00 08 78 e9 ";
u_char* packet = (u_char*)malloc(udp.size() * sizeof(u_char*));
for (int i = 0; i < udp.size(); i++) {
    packet[i] = (u_char) udp[i];
}

pcap_dumper_t * file = pcap_dump_open(pcap_open_dead(DLT_EN10MB, 65535), "dumper_item1.pcap");
pcap_pkthdr header;
header.caplen = (bpf_u_int32)42; //size of an UDP/IP packet without any data
header.len = (bpf_u_int32)42;
header.ts.tv_sec = time(NULL);
header.ts.tv_usec = 0;
pcap_dump((u_char*)file, &header, packet);
}

Wireshark shows this: enter image description here

Does anyone know why this happen?

1
c++wiresharkpcap
You gave it a string containing hex digits (0x66 is the code for 'f'). You probably meant to give it the sequence of bytes the string represents. You need to convert each pair of hex digits to one unsigned char.Alan Stokes

1 Answers

3
votes

As Alan Stokes notes in his answer (which he should have given as an answer, not just a comment), pcap files are binary files, not text files, so the contents should be raw hex data, not a string of text that looks like a hex data dump.

What you want is:

void create_pcap_file() {

u_char packet[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  // Ethernet destination address
    0x00, 0x21, 0x85, 0x11, 0x29, 0x1b,  // Ethernet source address
    0x08, 0x00,                          // Ethernet type (0x0800 = IPv4)
    0x45,                                // IPv4 version/IHL
    0x00,                                // IPv4 Type of Service
    0x00, 0x1c,                          // IPv4 total length (0x001c = 28)
    0x0c, 0x12,                          // IPv4 identification (0x0c12)
    0x40, 0x00,                          // IPv4 flags and fragment offset
    0x80,                                // IPv4 time-to-live (0x80 = 128)
    0x11,                                // IPv4 protocol (0x11 = 17 = UDP)
    0x00, 0x00,                          // IPv4 header checksum (not valid)
    0x93, 0xaf, 0x6a, 0x8d,              // IPv4 source address (147.175.106.141)
    0xff, 0xff, 0xff, 0xff,              // IPv4 destination address (255.255.255.255)
    0x44, 0x5c,                          // UDP source port (0x445C = 17500)
    0x44, 0x5c,                          // UDP destination port (0x445C = 17500)
    0x00, 0x08,                          // UDP length (0x0008 = 8)
    0x78, 0xe9                           // UDP checksum (0x78e9)
};

pcap_dumper_t * file = pcap_dump_open(pcap_open_dead(DLT_EN10MB, 65535), "dumper_item1.pcap");
pcap_pkthdr header;
header.caplen = (bpf_u_int32)sizeof packet; //size of an UDP/IP packet without any data
header.len = (bpf_u_int32)sizeof packet;
header.ts.tv_sec = time(NULL);
header.ts.tv_usec = 0;
pcap_dump((u_char*)file, &header, packet);
}