Saturday, September 23, 2006

Pcapper: cool non-C based PCAP

In response to a question on my work blog, Jeff Dell from Activeworx pointed out that Pcapper is a great cross-platform way to decode captures from tcpdump and friends.

franz-g4:~/dev/scada-nasl/dnp3 mdfranz$ -v dnp.1

asctime 2006-09-19 11:53:36.711335
caplen 54
destination 00:c0:4f:0c:7b:1d
ether_type 8
pktlen 54
source 00:0c:29:cf:38:82
tv_sec 1158684816
tv_usec 711335
IP datagram:
checksum 0
flags 2
fragment_offset 0
header_length 5
id 18544
protocol 6
tos 0
total_len 40
ttl 128
version 4
TCP datagram:
ack 1
ack_number 3660227963
checksum 54275
data_offset 5
destination_port 20000
fin 0
flags 16
psh 0
rst 0
sequence_number 2451677669
source_port 3016
syn 0
unused 320
urg 0
urgent_pointer 0
window 17469
Dump source has length: 0

Run time 0.903 seconds
Processed 108 packets
Processed 10376 bytes
Processing speed 119 packets per second
Processing speed 11 kbytes per second

End of program

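The decode above comes down to reading the pcap record headers and then the fixed Ethernet, IPv4 and TCP header layouts. The following Python is an added example, not Pcapper's code or anything from this post, that does the same for a constructed one-record pcap carrying the frame shown above (the IP addresses 192.0.2.10 and 192.0.2.20 are made up, since the decode above does not list them). Every length field is checked before it is trusted, which is the check any capture parser fed untrusted files needs, and the IP header checksum is verified; here it fails because the capture recorded 0, as in the output above, which is what a capture taken on a host with checksum offload typically shows. It also reports the TCP reserved bits on their own: for this frame they are 0, whereas the `unused 320` above equals 0x5010 >> 6, the data-offset nibble shifted down together with the reserved bits.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4  # standard microsecond-resolution pcap magic


def build_sample_pcap() -> bytes:
    """Constructed pcap: global header plus one record holding the 54-byte TCP ACK frame
    from the post (MACs, id 18544, ttl 128, ports 3016 -> 20000, seq/ack, window 17469,
    IP checksum 0). The IP addresses are made up (RFC 5737 documentation range)."""
    eth = bytes.fromhex("00c04f0c7b1d") + bytes.fromhex("000c29cf3882") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 18544,   # version 4/ihl 5, tos, total_len, id
                     0x4000, 128, 6, 0,    # flags 2 (DF)/offset 0, ttl, TCP, checksum 0
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIHHHH", 3016, 20000, 2451677669, 3660227963,
                      0x5010, 17469, 54275, 0)  # data_offset 5, flags 16 (ACK), window, csum, urg
    frame = eth + ip + tcp
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    record_hdr = struct.pack("<IIII", 1158684816, 711335, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_checksum_ok(header: bytes) -> bool:
    """RFC 1071: the ones'-complement sum of a valid header, checksum field included, is 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers; each length is validated before it is used."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ether_type = struct.unpack("!6s6sH", frame[:14])
    out = {"destination": _mac(dst), "source": _mac(src), "ether_type": ether_type}
    if ether_type != 0x0800:
        return out  # not IPv4: leave the payload undecoded rather than guess
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = ver_ihl & 0x0F
    if ver_ihl >> 4 != 4 or ihl < 5 or len(ip) < ihl * 4:
        raise ValueError("bad IPv4 header length")
    out["IP"] = {"version": ver_ihl >> 4, "header_length": ihl, "tos": tos, "total_len": total_len,
                 "id": ident, "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
                 "ttl": ttl, "protocol": proto, "checksum": csum,
                 "checksum_ok": ip_checksum_ok(ip[:ihl * 4]),
                 "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    if proto != 6:
        return out
    tcp = ip[ihl * 4:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, tcsum, urg_ptr = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = off_flags >> 12
    if data_offset < 5 or len(tcp) < data_offset * 4:
        raise ValueError("bad TCP data offset")
    # RFC 793 layout to match the post's field set: 6 reserved bits, then 6 flag bits
    # (RFC 3168 later reassigned the two low reserved bits to CWR/ECE).
    flags = off_flags & 0x3F
    out["TCP"] = {"source_port": sport, "destination_port": dport,
                  "sequence_number": seq, "ack_number": ack, "data_offset": data_offset,
                  "reserved": (off_flags >> 6) & 0x3F, "flags": flags,
                  "fin": flags & 1, "syn": (flags >> 1) & 1, "rst": (flags >> 2) & 1,
                  "psh": (flags >> 3) & 1, "ack": (flags >> 4) & 1, "urg": (flags >> 5) & 1,
                  "window": window, "checksum": tcsum, "urgent_pointer": urg_ptr,
                  "payload_len": len(tcp) - data_offset * 4}
    return out


def parse_pcap(data: bytes) -> list:
    """Walk a pcap file and decode each record; unknown magic and truncated records are rejected."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"  # same magic written by a big-endian host
    else:
        raise ValueError("unrecognised pcap magic 0x%08x" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    records, pos = [], 24
    while pos + 16 <= len(data):
        tv_sec, tv_usec, caplen, pktlen = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if caplen > snaplen or caplen > pktlen or pos + caplen > len(data):
            raise ValueError("record at offset %d has an impossible caplen %d" % (pos - 16, caplen))
        frame = data[pos:pos + caplen]
        pos += caplen
        rec = {"tv_sec": tv_sec, "tv_usec": tv_usec, "caplen": caplen, "pktlen": pktlen,
               "asctime": datetime.fromtimestamp(tv_sec, tz=timezone.utc)
               .replace(microsecond=tv_usec).isoformat()}  # UTC; the post's tool printed local time
        rec.update(decode_frame(frame))
        records.append(rec)
    return records


if __name__ == "__main__":
    for record in parse_pcap(build_sample_pcap()):
        print(record)
```

Feeding it a real capture is a matter of `parse_pcap(open(path, "rb").read())`; a file whose record header promises more bytes than the file holds raises instead of reading past the buffer, and a linktype other than Ethernet is refused rather than misdecoded.
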
It works on OS X; I haven't tried it on anything else. Next is to use the library in a new protocol reverse-engineering tool I started just today.

Stay tuned.

1 comment:

Anonymous said...

If you are interested in having a C# based PCAP parser I suggest you take a look at Network Miner. It is an open source tool which can analyse network traffic based on either PCAP file parsing or passive sniffing (through WinPcap or Raw Sockets). It also uses OS fingerprint databases from p0f and Ettercap to guess hosts' operating systems.