0
votes

I am a newbie at pcap parsing and I would like to ask you for some help with this task (I am using Debian 9):

  • A.pcap is a pcap file that contains the network packet to parse, along with other packets to discard

  • B.so is a library file that contains the binary to parse the packets the task cares about. There are no header files, so I need to use binary inspection

Both files can be downloaded at this link: https://www.dropbox.com/s/ustehbd8lmejddv/task.zip?dl=0

First thing, I try to check and dig inside both files using:

nm -gC B.so
tcpick -C -yP -r A.pcap
tcpdump -qns 0 -A -r A.pcap

Now I should parse only the inbound OrderField packets and retrieve the following fields: 1. OrderStatus 2. OrderLocalID 3. LimitPrice 4. Direction 5. InstrumentID

I believe I am having trouble with tcpick and tcpdump because I can't access any of that information; I can only see a long list of MAC/IP addresses plus some "random" chars.

Do you have any suggestions? Thank you in advance.

1
tshark allows extracting the information about packets (by filters) to JSON format (including a hex dump of each field). I would think writing a parser for JSON would be a lot easier, since tshark will do most of the work for you. - Artemy Vysotsky
Do you have the protocol specs (C structures) for the OrderField packets' payloads? If not you'll have to reverse engineer the library. You could also try to reverse the protocol from the pcap using something like Netzob. - pchaigno
Thank you for your replies. Unfortunately I don't have any further information (I posted and attached everything I have in my hands, including the files), so I believe I will have to go for reverse engineering. I will try to have a look at Netzob and tshark but, since I am really new to this field, can you please provide some examples or tips on how I should do it? Thank you so much again. - Rizz
tshark returns a bunch of IPs but not any chars. I am trying Netzob but I am stuck with the installation doc.netzob.org/en/latest/installation/debian.html # dpkg -i netzob_0.3.0-1_i386.deb file doesn't exist - Rizz
Netzob installed - Rizz

1 Answer

0
votes

I'm not interviewing with the company and have nothing to do with them, but am just having fun reverse engineering this stuff. I'll just give some ideas and hints found from the problem and the internet.

  1. You can use libpcap to retrieve every TCP packet from the file, and reconstruct the related inbound transaction to fulfill the requirement of the problem.
  2. The OrderField packet might be related to this: https://github.com/fakechris/femas_api/blob/master/traderapidemo/TraderApi4LNX64/USTPFtdcUserApiStruct.h
  3. The compression method is ZeroCompress. Therefore you can directly call the shared library's CompressUtil::Zerodecompress to unpack the TCP packet payload.
  4. Use the data structure typedefs found on GitHub to extract these 4 necessary fields.

Disclaimer: I might be wrong because I am not able to verify the result.
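As an added illustration of step 1 of the answer (not code from the question, the answer or the task files): a minimal pure-Python reader for the classic libpcap file format that walks Ethernet/IPv4/TCP frames and concatenates the payloads of segments addressed to a chosen local host, per 4-tuple, which is the "inbound" stream the later Zerodecompress step would consume. The pcap builder, the addresses and the payloads are constructed sample data; segments are joined in capture order, so retransmissions and reordering are not handled.

```python
import struct
from collections import defaultdict

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (no checksums) carrying payload."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Constructed classic pcap file: global header (linktype 1 = Ethernet) + records."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def tcp_payloads(pcap_bytes):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every TCP segment with data."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"        # byte order of the file writer
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                   # protocol 6 = TCP
            continue
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]               # data offset in 32-bit words
        if payload:
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            yield src, sport, dst, dport, payload

def inbound_streams(pcap_bytes, local_ip):
    """Concatenate payloads of segments destined to local_ip, keyed by 4-tuple."""
    streams = defaultdict(bytes)
    for src, sport, dst, dport, payload in tcp_payloads(pcap_bytes):
        if dst == local_ip:
            streams[(src, sport, dst, dport)] += payload
    return dict(streams)
```

For A.pcap, pass the file's bytes to inbound_streams with the capturing host's address as local_ip; the resulting byte strings are what the decompression and struct-decoding steps would then be applied to.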