Hi folks,
I have been writing an application using MFC in Visual Studio 2005. The
application uses WinPcap to open a pcap file and modify the protocol headers so
that the packets can be streamed locally on a test network and received by
other applications/devices.
I have been borrowing heavily from the sample code in the WinPcap 4.0.2
Developer’s Pack, and successfully porting that basic functionality from C to
MFC/C++. For example, my GUI currently allows the user to open a pcap file,
change the MAC addresses in the packets, and save the packets to a new file.
I ran into a problem recently. I have been creating pcap files by exporting
proprietary files from a 3rd party application into pcap format. However, it
appears that the 3rd-party app, let’s call it “MrSniffer”, changes the caplen
in the packet header to 116 bytes, no matter what it was in the original
(MrSniffer-formatted) file, or what the actual length of the packet is. I am
able to use Wireshark to successfully read and display all packets in their
entirety from the newly-exported pcap file. Also, I am able to use the
command-line executable “readfile” from the 4.0.2 Developer’s Pack to read and
display each packet from the MrSniffer-exported pcap file in its entirety.
It’s when I try to read the file into my MFC application that I run into a
problem. I use the same basic code in the “readfile” executable for my MFC
application to open the file and read the packets, i.e. I am using
pcap_open_offline() to open the file, and pcap_loop() to call a
dispatcher_handler with the following parameters…
dispatcher_handler(u_char *temp1, const struct pcap_pkthdr *header, const
u_char *pkt_data)
…which reads in each packet. The trouble arises when the packets are read into
my application, and it appears that the pcap library functions I am using are
reading the packets based on the caplen of 116 bytes – so any packets larger
than 116 bytes are truncated, and I lose the rest of that data!
What is so strange about this is that I am using the same library as the
Developer’s Pack sample “readfile”, and essentially the same code, but my
application seems to read the caplen, while “readfile” uses the actual packet
length.
Unfortunately, I can’t change “MrSniffer” so that it does not modify the
caplen; my only option appears to be to read the actual packet length from each
packet when dealing with these exported pcaps. I have not been able to find a
way to do this using the exported functions – probably because I am quite new
to WinPcap.
If anyone has any suggestions, I’d greatly appreciate it!
Thanks and Regards –
TimG
_______________________________________________
Winpcap-users mailing list
https://www.winpcap.org/mailman/listinfo/winpcap-users
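
The caplen and packet length discussed in the post above correspond to the two length fields in each record header of a classic pcap file: the callback's struct pcap_pkthdr reports the number of bytes stored in the file as caplen and the original on-the-wire length as len. The following added example (not from the original post or the WinPcap Developer's Pack; count_short_records and build_sample are names made up here, and the sample file is constructed) walks the records of an in-memory file with bounds checks and counts those stored with fewer bytes than their wire length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t thiszone;
                  uint32_t sigfigs, snaplen, network; };    /* file header, 24 bytes */
struct rec_hdr  { uint32_t ts_sec, ts_usec, incl_len, orig_len; }; /* per record, 16 bytes */
/* Hypothetical helper: number of records whose stored length (incl_len = caplen)
 * is below the wire length (orig_len = len), or -1 if malformed. Native byte order only. */
int count_short_records(const uint8_t *buf, size_t size)
{
    struct file_hdr g;
    size_t off = sizeof g;
    int n_short = 0;
    if (size < sizeof g) return -1;
    memcpy(&g, buf, sizeof g);
    if (g.magic != 0xa1b2c3d4u) return -1;       /* other pcap variants not handled */
    while (off < size) {
        struct rec_hdr h;
        if (size - off < sizeof h) return -1;    /* truncated record header */
        memcpy(&h, buf + off, sizeof h);
        off += sizeof h;
        if (h.incl_len > size - off) return -1;  /* data would run past the end */
        if (h.incl_len < h.orig_len) n_short++;
        off += h.incl_len;                       /* only incl_len bytes are stored */
    }
    return n_short;
}

/* Constructed sample: record 1 stored whole (60/60), record 2 as 116 of 200 bytes. */
size_t build_sample(uint8_t *out)
{
    struct file_hdr g = { 0xa1b2c3d4u, 2, 4, 0, 0, 65535, 1 };
    struct rec_hdr r[2] = { { 0, 0, 60, 60 }, { 1, 0, 116, 200 } };
    size_t off = sizeof g;
    memcpy(out, &g, sizeof g);
    for (int i = 0; i < 2; off += sizeof r[i] + r[i].incl_len, i++) {
        memcpy(out + off, &r[i], sizeof r[i]);
        memset(out + off + sizeof r[i], 0xAA, r[i].incl_len);
    }
    return off;
}

int main(void)
{
    uint8_t file[256];
    printf("records stored short: %d\n", count_short_records(file, build_sample(file)));
    return 0;
}
```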