Hi Roy,
On Tue, Apr 06, 2010 at 09:56:37PM -0400, Roy Smith wrote:
> I've got an application which listens for UDP (SNMP) data. We want
> to add a logging feature where every UDP packet that's received is
> stored for future analysis. The obvious file format is pcap. It's
> simple and lets us take advantage of lots of existing pcap-aware
> tools. The problem is we don't have all the data to write out the
> normal packet contents that would be in a pcap file.
>
> The UDP header is trivial to reconstruct (we'd probably set the UDP
> checksum to 0xFFFF for simplicity). We don't have enough
> information to properly re-construct the IPv4 (or IPv6) header, but
> we could invent a plausible one (pretend nothing was ever
> fragmented, etc).
>
> The ethernet header is another story. About the best we can do is
> generate a well-formed (if meaningless) DIX frame header with the
> destination and source MAC addresses all zeros, the ether type
> 0x0800 or 0x0806, and either leave the CRC all zeros or go to the
> trouble to compute a real checksum. Of course, there's nothing that
> says the packet came in over ethernet at all, but it's a convenient
> fiction.
>
> Does this seem like a plausible strategy? Or am I heading off into
> the weeds?
If you don't have layer 2 information for the packets you wish to save
then the easiest thing is probably to use DLT_RAW as the datalink type.
DLT_RAW packets begin with an IP header, i.e. no layer 2 header. You do
need to come up with a fake IP header, though.
Here's a starting point:
#include <pcap.h>

pcap_t *pd;
pcap_dumper_t *pdumper;
struct pcap_pkthdr hdr;     /* timestamp, caplen and len of each packet */
u_char pkt[65535];          /* fake IP header + UDP header + payload */

pd = pcap_open_dead(DLT_RAW, 65535 /* snaplen */);
/* Create the output file. */
pdumper = pcap_dump_open(pd, "/tmp/capture.pcap");
while (1) {
    /*
     * Create fake IP header and put UDP header
     * and payload in place (into pkt), then set
     * hdr.ts and hdr.caplen = hdr.len = total length
     */
    ...
    /* write packet to savefile; the dumper handle is passed as the u_char * "user" argument */
    pcap_dump((u_char *)pdumper, &hdr, pkt);
}
/* close the dumper first so the savefile is flushed, then the dead handle */
pcap_dump_close(pdumper);
pcap_close(pd);
Hope this helps.
Cheers,
Eloy Paris.-
netexpect.org
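To show what the "fake IP header" step and the resulting DLT_RAW savefile actually contain, here is an added, self-contained C example (not Eloy's code and not libpcap's) that builds a plausible IPv4+UDP header around a datagram and writes the pcap file directly, so it runs without libpcap. Source/destination addresses, ports and the payload are constructed placeholders; note that the on-disk link type for raw IP is 101 (LINKTYPE_RAW), which is what libpcap writes when you pass DLT_RAW, whose numeric value varies by OS.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define LINKTYPE_RAW 101  /* on-disk link type for raw IP; not the OS-specific DLT_RAW value */

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xFF; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xFFFF); }

/* RFC 1071 checksum over len bytes: one's complement of the one's-complement sum. */
static uint16_t ip_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Puts a fake IPv4 + UDP header in front of the datagram; returns total length, 0 if it does not fit. */
size_t build_raw_ip_udp(uint8_t *out, size_t cap, uint32_t src, uint32_t dst,
                        uint16_t sport, uint16_t dport, const uint8_t *payload, size_t plen) {
    size_t total = 20 + 8 + plen;
    if (total > cap || total > 65535) return 0;
    memset(out, 0, 28);
    out[0] = 0x45;                         /* version 4, IHL 5 (no options) */
    put16(out + 2, (uint16_t)total);       /* total length */
    put16(out + 6, 0x4000);                /* DF set, offset 0: pretend nothing was fragmented */
    out[8] = 64;                           /* TTL */
    out[9] = 17;                           /* protocol = UDP */
    put32(out + 12, src);
    put32(out + 16, dst);
    put16(out + 10, ip_checksum(out, 20)); /* computed while the checksum field is still zero */
    put16(out + 20, sport);
    put16(out + 22, dport);
    put16(out + 24, (uint16_t)(plen + 8)); /* UDP length */
    /* out[26..27] stay 0: for UDP over IPv4 a zero checksum means "not computed" (RFC 768) */
    memcpy(out + 28, payload, plen);
    return total;
}

static int w32(FILE *f, uint32_t v) { return fwrite(&v, 4, 1, f) == 1; }
static int w16(FILE *f, uint16_t v) { return fwrite(&v, 2, 1, f) == 1; }

/* pcap global header, host byte order (readers detect endianness from the magic number). */
int pcap_write_file_header(FILE *f) {
    return w32(f, 0xa1b2c3d4) && w16(f, 2) && w16(f, 4) && w32(f, 0) && w32(f, 0)
        && w32(f, 65535) && w32(f, LINKTYPE_RAW);
}

/* One record: ts_sec, ts_usec, captured length, original length, then the packet bytes. */
int pcap_write_record(FILE *f, uint32_t sec, uint32_t usec, const uint8_t *pkt, uint32_t len) {
    return w32(f, sec) && w32(f, usec) && w32(f, len) && w32(f, len) && fwrite(pkt, 1, len, f) == len;
}
```

The header produced for 192.168.0.1 -> 192.168.0.199 with an 87-byte payload is byte-for-byte the classic IPv4 checksum worked example (checksum 0xb861), so a reader such as tcpdump will not report it as corrupt.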
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.