riveropk.blogg.se

Time stamp wireshark pcap

A while back I needed to update a pcap file with about 20,000 packets in it. Each packet needed to have its timestamp essentially one millisecond after the other. My initial thought was to just get a hex editor and modify the packets, until I realized there were 20,000 packets in this pcap file, and the pcap was over 60 megabytes of packet data.

Luckily I found the pcap API, which provides a set of functions to modify the pcap in an offline mode. During compilation you simply have to refer to the library which allows this modification of pcaps in "offline" mode. What happens behind the scenes is the reading of the pcap file using some wrapper function that simply does a file open and read based on certain offsets, which happens to work great!

Thanks to some great wiki articles and references that I used: With these articles I was able to piece together a solution to modifying the time stamps and rebuild a valid PCAP file viewable in Wireshark. It's not my best work but it did the trick, and hopefully can help anyone in the future who needs to modify a PCAP file.

    /* Per-packet record header of a pcap file */
    typedef struct {
        u_int32_t ts_sec;   /* timestamp seconds */
        u_int32_t ts_usec;  /* timestamp microseconds */
        u_int32_t capt_len; /* number of octets of packet saved in file */
        u_int32_t orig_len; /* actual length of packet */
    } __attribute__((packed)) pcap_packet_hdr_t;

    fprintf(stderr, "Error occurred writing pcap_header.\n");

    typedef struct pcap_packet_s pcap_packet_t;
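The retiming described in the post, as an added example that is not the author's code: it works directly on the classic pcap file layout (24-byte global header, 16-byte record headers) rather than through libpcap, and it bounds-checks every record so a truncated or malformed capture is rejected instead of being read past the end of the buffer. The names `retime_pcap`, `rd32` and `wr32` are hypothetical, the sample image in `main` is constructed, and only microsecond-resolution classic pcap (not pcapng) is assumed.

```c
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC     0xa1b2c3d4u /* classic pcap, microsecond timestamps */
#define GLOBAL_HDR_LEN 24u
#define REC_HDR_LEN    16u         /* ts_sec, ts_usec, capt_len, orig_len */

/* Read/write a 32-bit field in the file's byte order (be = big-endian). */
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? ((uint32_t)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]
              : ((uint32_t)p[3] << 24) | (p[2] << 16) | (p[1] << 8) | p[0];
}
static void wr32(uint8_t *p, uint32_t v, int be) {
    for (int i = 0; i < 4; i++)
        p[be ? 3 - i : i] = (uint8_t)(v >> (8 * i));
}

/* Stamp packet i of an in-memory pcap image with start + i * step_usec.
 * Returns the packet count, or -1 for a non-pcap image or a record that
 * runs past the buffer; on -1 earlier records are already rewritten, so
 * work on a copy. */
long retime_pcap(uint8_t *buf, size_t len, uint32_t start_sec,
                 uint32_t start_usec, uint32_t step_usec) {
    if (len < GLOBAL_HDR_LEN) return -1;
    int be = (rd32(buf, 1) == PCAP_MAGIC);
    if (!be && rd32(buf, 0) != PCAP_MAGIC) return -1;
    uint64_t usec = (uint64_t)start_sec * 1000000u + start_usec;
    size_t off = GLOBAL_HDR_LEN;
    long count = 0;
    while (off < len) {
        if (len - off < REC_HDR_LEN) return -1;             /* cut header */
        uint32_t capt_len = rd32(buf + off + 8, be);
        if (capt_len > len - off - REC_HDR_LEN) return -1;  /* cut payload */
        wr32(buf + off, (uint32_t)(usec / 1000000u), be);      /* ts_sec */
        wr32(buf + off + 4, (uint32_t)(usec % 1000000u), be);  /* ts_usec */
        usec += step_usec;
        off += (size_t)REC_HDR_LEN + capt_len;
        count++;
    }
    return count;
}

int main(void) {
    uint8_t img[24 + 2 * 20] = {0}; /* constructed sample: two 4-byte packets */
    wr32(img, PCAP_MAGIC, 0);
    wr32(img + 24 + 8, 4, 0);       /* capt_len of packet 0 */
    wr32(img + 44 + 8, 4, 0);       /* capt_len of packet 1 */
    printf("%ld packets retimed\n", retime_pcap(img, sizeof img, 0, 0, 1000));
    return 0;
}
```

A `step_usec` of 1000 gives the one-millisecond spacing the post needed; the microsecond field carries into the seconds field when it passes 999999.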










