Using Pcap capture files (Read 955 times)
sprayGenius
YaBB Newbies
Posts: 10
Using Pcap capture files
04/27/10 at 14:36:45
As the topic mentions I would like to use a pcap capture file as the source log file instead of the capture format the library currently uses. I can't find a way to do this in the source as of now, but I think it would be possible with some modifications.
For example, using the jpcap library to parse the file could be a possible way of doing this.
Is there a point in the code I can "hook into" and instead of displaying packets from the carnivore capture interface I instead inject my packets from the pcap?
I have extensive java experience so any advice or directions would be great. And if there is a way of "dumping" what carnivore captures that would also be great to learn about.
RSG
YaBB Administrator
Posts: 26
Re: Using Pcap capture files
Reply #1 -
04/27/10 at 23:49:02
greetings. some options for you.
option 1) you could make something that converts pcap capture files to carnivore capture files. but come to think of it, that's probably too complicated and a bad idea. (plus since java is very finicky about deserialization i think carnivore might reject your newly converted file when it tries to load it.) if you want to try this route, basically you need to instantiate a bunch of CarnivorePacket objects using the relevant values from your packets in your pcap file, wrap each one as a TimestampedObject, then put them all into a Stack. then serialize this Stack<TimestampedObject> using the normal java method for serializing to disk. but yeah, that's messy. and as i said it probably will be impossible for carnivore to deserialize (i forget exactly why, but it's something about how java always checks to make sure something is deserialized *only* by the exact class that serialized it. something like that..).
option 2) just hook into the carnivore playback thread, injecting your own packets from your own capture file. You'll want to look at OfflineCache, which extends java.util.Stack<TimestampedObject>. so if you build your own custom Stack<TimestampedObject> object as mentioned in option 1, i don't see any reason why you can't just call OfflineCache.addAll(myCustomStackOfTimestampedObjects). you could hook in via OfflineCache.startPlayback() or perhaps OfflineCache.load().
option 3) alternately you could just skip the OfflineCache entirely and call PacketCacheThread.addPacket(CarnivorePacket p) directly, which flushes the packets directly out. however the disadvantage here is that you'd have to custom build a timer thread that injects your packets at the right time based on their timestamp. that's what the OfflineCache does.
hope that helps. and yes, it was dumb of me to make the carnivore files serialized objects. :) but sometimes you gotta cut corners. in a perfect world they would be xml or something.
sprayGenius
YaBB Newbies
Posts: 10
Re: Using Pcap capture files
Reply #2 -
04/28/10 at 06:59:22
I see you use the jpcap library from sourceforge. I'm trying to use this to extract the header in bytes and parse each field. I thought that instead of reading the carnivore logfile I would just add a pcap parser there instead.
Source so far:
import java.io.UnsupportedEncodingException;
import net.sourceforge.jpcap.*;
import net.sourceforge.jpcap.capture.*;
import net.sourceforge.jpcap.net.*;
import net.sourceforge.jpcap.util.FileUtility;
import net.sourceforge.jpcap.util.HexHelper;
import org.rsg.carnivore.*;
import processing.opengl.*;

private static final int INFINITE = -1;
private static final int PACKET_COUNT = INFINITE;
// BPF filter for capturing any packet
private static final String FILTER = "";

boolean isOnline = false; // false = read packets from the pcap file
private PacketCapture pcap;
PacketHandler ph;
RawPacketHandler rph;
String fileName = "testDump.pcap";

void setup() {
  size(300, 300, OPENGL);
  background(255);
  if (isOnline) { // online mode
    CarnivoreP5 c = new CarnivoreP5(this);
    c.setShouldSkipUDP(true); // Skip UDP packets
  } else { // offline mode
    //packets = loadStrings(log_file); // Need CarnivorePE "minivore" log file in "data" folder
    pcap = new PacketCapture();
    try {
      // open the pcap file from the sketch's "data" folder
      // (dataPath(fileName) inserts the path separator that dataPath("") + fileName can drop)
      String filepath = dataPath(fileName);
      pcap.openOffline(filepath); // pcap filename
      // add a BPF filter (see tcpdump documentation)
      pcap.setFilter(FILTER, true);
      // create a handler for parsed packets
      ph = new PacketHandler("offline");
      pcap.addPacketListener(ph);
      // raw packets
      //rph = new RawPacketHandler("offline");
      //pcap.addRawPacketListener(rph);
      // read packets from the file until it is exhausted
      pcap.capture(PACKET_COUNT);
    } catch (Exception e) {
      // TODO Auto-generated catch block
      e.printStackTrace();
    }
  }
}

// Prints every raw packet as it is read
class RawPacketHandler implements RawPacketListener {
  private int counter = 0;
  String name;

  public RawPacketHandler(String name) {
    this.name = name;
  }

  public void rawPacketArrived(RawPacket rawPacket) {
    counter++;
    System.err.println(rawPacket);
  }
}

// Prints the type and hex dump of every packet, plus the payload of TCP packets
class PacketHandler implements PacketListener {
  private int counter = 0;
  String name;

  public PacketHandler(String name) {
    this.name = name;
  }

  public void packetArrived(Packet packet) {
    counter++;
    String type = packet.getClass().getName();
    System.out.println(name + ": Packet(" + counter +
      ") is of type " + type + ".");
    // System.out.println("Packet data: " + packet.toColoredString(true));
    //IPPacket ip = new IPPacket();
    //TCPPacket tcp = new TCPPacket(packet.getHeader().length, packet.getHeader());
    // System.out.println("IPPacket data: destination: " + ip.getDestinationAddress() + ", source: "+ip.getSourceAddress());
    //System.out.println("IPPacket data: destination: " + tcp.getDestinationAddress() + ", source: "+tcp.getSourceAddress());
    System.err.println(HexHelper.toString(packet.getData()));
    if (packet instanceof TCPPacket) {
      TCPPacket tcpPacket = (TCPPacket) packet;
      byte[] data = tcpPacket.getTCPData();
      String srcHost = tcpPacket.getSourceAddress();
      String dstHost = tcpPacket.getDestinationAddress();
      String isoData = null;
      try {
        // ISO-8859-1 maps every byte to one character, so binary payloads survive
        isoData = new String(data, "ISO-8859-1");
      } catch (UnsupportedEncodingException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
      }
      System.out.println(srcHost + " -> " + dstHost + ": " + isoData);
    }
  }
}
sprayGenius
YaBB Newbies
Posts: 10
Re: Using Pcap capture files
Reply #3 -
04/28/10 at 07:02:48
A few more notes. I used the example 3 on your page for normal setup.
This should print all the packets and the byte headers and source and destination ip. I do think there can be problems displaying it in a timely manner, but this might be what you meant. I'm not sure how I can hook into the carnivore thread though. Is there any custom delay for displaying packets when you load from the carnivore log file?
RSG
YaBB Administrator
Posts: 26
Re: Using Pcap capture files
Reply #4 -
04/28/10 at 08:05:45
can you describe *exactly* what your goal is, because i think we're talking across purposes. the code you posted makes it appear like you are trying to launch your own pcap sniffer instance within carnivore??
is your ultimate goal to parse packet headers at the byte level? or is your ultimate goal to playback a pcap log file?
sprayGenius
YaBB Newbies
Posts: 10
Re: Using Pcap capture files
Reply #5 -
04/28/10 at 08:23:50
I may not have described my goal well enough.
I want to do a pcap capture externally with the libpcap file format. Then I want to use carnivore methods of displaying network data with my external pcap file.
The reason I want to use an external file is
1) I can't see a way of saving packets captured from carnivore
2) I need to be sure how many packets are lost and I need to be able to manually analyze the packets. I don't know enough of how carnivore processes the packets and how they are handled.
3) I need access to Sequence Numbers, Acknowledgement numbers, Flags, ID and other fields within the tcp header and ip header. I have manually extracted the flags from the byte headers by using the methods within jpcap. I tried to call the library from Processing, but I got errors telling me it conflicted with carnivore packet library. I assume you have extended the jpcap library in some way?
I'm also going to add other data sources and include it with the processing nodes. I want to make the nodes to be selectable so I can display more network information.
Hope this is a better explanation. :)
RSG
YaBB Administrator
Posts: 26
Re: Using Pcap capture files
Reply #6 -
04/28/10 at 09:27:32
gotcha. okay a few different answers
for question 1: you can capture and save packets using the standalone CarnivorePE application (not the carnivore processing library). start recording, stop recording, save a .cpe file. should be pretty easy. then you can load that .cpe file into processing.
question 2 there have been some questions about this. as far as i know the lost packet problem was fixed: setting carnivore to unlimited packets per second really *does* mean unlimited. it's only when you put it at 19 or fewer packets per second that you will/might be losing packets. although i might need to roll out a new release with this fix. can't remember.
question 3. ah-ha! yes, the new development version of the carnivore core already does all this. so yer one step ahead of us. sounds like yer building an interesting project. btw, there's a new super secret app under development here codenamed iLAN which sounds like might be similar to yours. iLAN has a lot of nice features like being able to reassemble tcp packet sessions into the original files. i'll need to get off my butt and roll it out :)
so yeah my previous suggestions are probably not applicable to what you're trying to do, sorry.
remember the CarnivorePacket currently provides you with a byte[] called data. you can parse this byte by byte if you feel like rolling yer own IP and TCP header parser. it's a bit tricky but definitely doable.
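The byte-by-byte header parsing suggested in Reply #6, as an added example that is not part of the original thread or of the Carnivore code base. It assumes the byte[] holds an IPv4 header at ipOffset (0 if the buffer starts at the IP header, 14 if an Ethernet header precedes it); the class, method and field names are hypothetical.

```java
import java.nio.ByteBuffer;

public class HeaderParser {
    // Hypothetical holder for the fields asked about in Reply #5.
    public static final class TcpIpHeader {
        public String src, dst;
        public int ipId, srcPort, dstPort, flags;
        public long seq, ack;                  // unsigned 32-bit values kept in a long
        public boolean syn() { return (flags & 0x02) != 0; }
        public boolean fin() { return (flags & 0x01) != 0; }
    }

    // Returns null for anything that is not a complete, unfragmented IPv4/TCP header.
    public static TcpIpHeader parse(byte[] data, int ipOffset) {
        if (data == null || ipOffset < 0 || data.length - ipOffset < 20) return null;
        ByteBuffer b = ByteBuffer.wrap(data);  // big-endian by default = network order
        int verIhl = b.get(ipOffset) & 0xFF;
        int ihl = (verIhl & 0x0F) * 4;         // IP header length in bytes
        if ((verIhl >> 4) != 4 || ihl < 20) return null;
        if ((b.get(ipOffset + 9) & 0xFF) != 6) return null;          // protocol 6 = TCP
        if ((b.getShort(ipOffset + 6) & 0x1FFF) != 0) return null;   // later fragment: no TCP header
        int tcp = ipOffset + ihl;
        if (data.length - tcp < 20) return null;                     // truncated capture
        int dataOffset = ((b.get(tcp + 12) & 0xF0) >> 4) * 4;        // TCP header length in bytes
        if (dataOffset < 20 || data.length - tcp < dataOffset) return null;
        TcpIpHeader h = new TcpIpHeader();
        h.ipId = b.getShort(ipOffset + 4) & 0xFFFF;
        h.src = dotted(data, ipOffset + 12);
        h.dst = dotted(data, ipOffset + 16);
        h.srcPort = b.getShort(tcp) & 0xFFFF;
        h.dstPort = b.getShort(tcp + 2) & 0xFFFF;
        h.seq = b.getInt(tcp + 4) & 0xFFFFFFFFL;
        h.ack = b.getInt(tcp + 8) & 0xFFFFFFFFL;
        h.flags = b.get(tcp + 13) & 0xFF;      // CWR ECE URG ACK PSH RST SYN FIN
        return h;
    }

    private static String dotted(byte[] d, int o) {
        return (d[o] & 0xFF) + "." + (d[o + 1] & 0xFF) + "." + (d[o + 2] & 0xFF) + "." + (d[o + 3] & 0xFF);
    }

    public static void main(String[] args) {
        // Constructed sample: a 40-byte IPv4 + TCP SYN, checksums left at zero.
        int[] raw = {0x45,0,0,0x28, 0x1c,0x46,0x40,0, 0x40,6,0,0, 192,168,0,2, 192,168,0,1,
                     0x04,0xd2,0,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0};
        byte[] pkt = new byte[raw.length];
        for (int i = 0; i < raw.length; i++) pkt[i] = (byte) raw[i];
        TcpIpHeader h = parse(pkt, 0);
        System.out.println(h.src + ":" + h.srcPort + " -> " + h.dst + ":" + h.dstPort
            + " id=" + h.ipId + " seq=" + h.seq + " ack=" + h.ack + " syn=" + h.syn());
    }
}
```

The length checks matter because captured packets can be truncated or malformed, and an unchecked IHL or data-offset field would otherwise index past the end of the buffer.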