Filtering packets in pcap dump file

0
votes

I'm writing network analyzer and I need to filter packets saved in file, I have written some code to filter http packets but I'm not sure if it work as it should because when I use my code on a pcap dump the result is 5 packets but in wireshark writing http in filter gives me 2 packets and if I use: 

tcpdump port http -r trace-1.pcap

it gives me 11 packets.

Well, 3 different results, that's a little confusing.

The filter and the packet processing in me code is:

...
if (pcap_compile(handle, &fcode, "tcp port 80", 1, netmask) < 0)
...
while ((packet = pcap_next(handle,&header))) {
    u_char *pkt_ptr = (u_char *)packet; 

    //parse the first (ethernet) header, grabbing the type field
    int ether_type = ((int)(pkt_ptr[12]) << 8) | (int)pkt_ptr[13];
    int ether_offset = 0;

    if (ether_type == ETHER_TYPE_IP) // ethernet II
        ether_offset = 14;
    else if (ether_type == ETHER_TYPE_8021Q) // 802
        ether_offset = 18;
    else
        fprintf(stderr, "Unknown ethernet type, %04X, skipping...\n", ether_type);

    //parse the IP header
    pkt_ptr += ether_offset;  //skip past the Ethernet II header
    struct ip_header *ip_hdr = (struct ip_header *)pkt_ptr; 
    int packet_length = ntohs(ip_hdr->tlen);

    printf("\n%d - packet length: %d, and the capture lenght: %d\n", cnt++,packet_length, header.caplen);

}

My question is why there are 3 different result when filtering the http? And/Or if I'm filtering it wrong then how can I do it right, also is there a way to filter http(or ssh, ftp, telnet ...) packets using something else than the port numbers?

Thanks

1
cpcap
Did you compare the difference or the result? Or could you attach the pcap file link, or it's hard to tell the cause. - Sam Liao

1 Answers

0
votes

So I have figured it out. It took a little search and understanding but I did it.

Wireshark filter set to http filter packets that have set in tcp port 80 and also flags set to PSH, ACK. After realizing this, the tcpdump command parameters which result in the same numbers of packets was easy to write.

So now the wireshark and tcpdump gives the same results

What about my code? well I figured that I actually had an error in my question, the filter

if (pcap_compile(handle, &fcode, "tcp port 80", 1, netmask) < 0)

indeed gives 11 packets (src and dst port set to 80 no matter what tcp flags are)

Now to filter the desired packets is a question of good understanding the filter syntax or setting to filter only port 80 (21,22, ...) and then in callback function or in while loop get the tcp header and from there get the flags and use mask to see if it is the correct packet (PSH, ACK, SYN ...) the flags number are for example here