tcpdump mailing list archives
Re: Protocol headers-only capture?
From: Guy Harris <guy () alum mit edu>
Date: Wed, 17 Dec 2008 11:53:37 -0800
On Dec 17, 2008, at 11:10 AM, Dustin Spicuzza wrote:
Is there currently a way to save protocol headers (and by this, I mean ARP/IP/TCP/UDP/ICMP headers) to a file *without* the remaining payload?
There's no way to do *exactly* that. You can, however, specify a snapshot length with "-s" that would save an amount of packet data that would include the headers and only a limited amount of remaining payload (assuming packets don't have a large number of IP or TCP options).
If not, I could be motivated to write a patch to do this (it doesn't seem like it would be that hard?) if someone just points me to the right area of code where it should go. :)
You'd set "callback" to your packet-writing routine in main(), and then have your callback routine:
look at the link-layer header, if any, and determine whether the packet is ARP, IPv4, IPv6, or other;
for ARP, just write out the headers (whatever qualifies as "header" rather than "payload");
for IPv4, parse the IPv4 header and options and determine whether the packet is TCP, UDP, ICMP, or other;
for IPv6, parse the IPv6 header and extension headers and determine whether the packet is TCP, UDP, ICMP, or other;
for TCP, parse the TCP header and options and write out the data up to the end of the options;
for UDP, write out the data up to the end of the UDP header;
for ICMP, write out the data up to the end of the ICMP header;
for other-atop-IP, just write out the data up to the end of the IP header;
for other-atop-the-link-layer, write out whatever would be appropriate.

When you do that, set the "caplen" member of the pcap_pkthdr to the total amount of packet data you write out before dumping the packet with pcap_dump().
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
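The routine Guy outlines above, written out as an added example; it is not code from tcpdump or libpcap and not from anyone on this thread. It assumes Ethernet (DLT_EN10MB) link-layer framing, and goes slightly beyond the outline by skipping 802.1Q tags, walking IPv6 extension headers, and keeping only the IP header for non-first fragments (which carry no transport header). The function name headers_only_len and the frames at the bottom are chosen here; the frames are constructed for the demonstration, not real captures.

```c
/* Headers-only trimming for a pcap callback, assuming DLT_EN10MB (Ethernet).
 * headers_only_len() returns how many leading bytes of the frame cover the
 * link, network and transport headers; the callback sets caplen to that. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN 14
#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_ARP  0x0806
#define ETHERTYPE_VLAN 0x8100
#define ETHERTYPE_IPV6 0x86DD

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static size_t at_most(size_t want, size_t caplen) { return want < caplen ? want : caplen; }

/* End of the transport header that starts at off; unknown protocols keep only the IP header. */
static size_t l4_end(const uint8_t *pkt, size_t caplen, size_t off, uint8_t proto)
{
    switch (proto) {
    case 6: {                                        /* TCP: 20 bytes plus options (data offset) */
        if (caplen < off + 20) return caplen;        /* already truncated by -s: keep what we have */
        size_t doff = (size_t)(pkt[off + 12] >> 4) * 4;
        return at_most(off + (doff < 20 ? 20 : doff), caplen);
    }
    case 17: return at_most(off + 8, caplen);        /* UDP: fixed 8-byte header */
    case 1: case 58: return at_most(off + 8, caplen); /* ICMP/ICMPv6: type, code, checksum, 4 bytes rest */
    default: return off;
    }
}

size_t headers_only_len(const uint8_t *pkt, size_t caplen)
{
    if (caplen < ETH_HLEN) return caplen;
    size_t off = ETH_HLEN;
    uint16_t type = rd16(pkt + 12);
    while (type == ETHERTYPE_VLAN && caplen >= off + 4) {   /* skip 802.1Q tags */
        type = rd16(pkt + off + 2);
        off += 4;
    }
    switch (type) {
    case ETHERTYPE_ARP:                                   /* the whole ARP message is header */
        if (caplen < off + 8) return caplen;
        return at_most(off + 8 + 2 * ((size_t)pkt[off + 4] + pkt[off + 5]), caplen);
    case ETHERTYPE_IP: {
        if (caplen < off + 20) return caplen;
        size_t ihl = (size_t)(pkt[off] & 0x0f) * 4;      /* header length including options */
        if (ihl < 20 || caplen < off + ihl) return caplen;
        uint8_t proto = pkt[off + 9];
        int first = (rd16(pkt + off + 6) & 0x1fff) == 0;  /* non-first fragments have no L4 header */
        off += ihl;
        return first ? l4_end(pkt, caplen, off, proto) : off;
    }
    case ETHERTYPE_IPV6: {
        if (caplen < off + 40) return caplen;
        uint8_t nh = pkt[off + 6];
        off += 40;
        for (;;) {                                        /* walk extension headers to the L4 header */
            size_t ext;
            if (caplen < off + 8) return caplen;
            switch (nh) {
            case 0: case 43: case 60: ext = ((size_t)pkt[off + 1] + 1) * 8; break; /* HBH, routing, dst opts */
            case 51:                  ext = ((size_t)pkt[off + 1] + 2) * 4; break; /* AH */
            case 44:                                                               /* fragment header */
                if ((rd16(pkt + off + 2) & 0xfff8) != 0) return off + 8;          /* non-first fragment */
                ext = 8; break;
            default: return l4_end(pkt, caplen, off, nh);
            }
            nh = pkt[off];
            off += ext;
            if (off > caplen) return caplen;
        }
    }
    default: return off;                                  /* other atop the link layer: keep Ethernet only */
    }
}

/* Constructed sample frames for the demonstration (not real captures; addresses are placeholders). */
#define ETH(t1, t2) 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, t1, t2
static const uint8_t sample_tcp[] = {      /* IPv4 + TCP SYN with 12 bytes of options, 10-byte payload */
    ETH(0x08,0x00), 0x45,0x00,0x00,0x3e, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0xc0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x80,0x02, 0xff,0xff, 0,0, 0,0,
    0x02,0x04,0x05,0xb4, 0x04,0x02, 0x01, 0x03,0x03,0x07, 0x01,0x01, 'G','E','T',' ','/',' ','H','T','T','P' };
static const uint8_t sample_v6_udp[] = {   /* IPv6 + hop-by-hop extension header + UDP, 5-byte payload */
    ETH(0x86,0xdd), 0x60,0,0,0, 0x00,0x15, 0x00, 0x40,
    0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,1, 0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,2,
    0x11,0x00, 0x01,0x04,0,0,0,0, 0xd0,0x00, 0x00,0x35, 0x00,0x0d, 0,0, 'h','e','l','l','o' };
static const uint8_t sample_arp[] = {      /* ARP request, padded to the 60-byte minimum frame */
    ETH(0x08,0x06), 0,1, 0x08,0x00, 6,4, 0,1, 0x66,0x77,0x88,0x99,0xaa,0xbb, 10,0,0,2,
    0,0,0,0,0,0, 10,0,0,1, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t sample_icmp[] = {     /* IPv4 + ICMP echo request with 16-byte payload */
    ETH(0x08,0x00), 0x45,0x00,0x00,0x2c, 0xab,0xcd,0x00,0x00, 0x40,0x01,0x00,0x00, 10,0,0,1, 10,0,0,2,
    8,0, 0,0, 0x12,0x34, 0,1, 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 };
static const uint8_t sample_lldp[] = { ETH(0x88,0xcc), 0x02,0x07,0x04, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0,0 };

int main(void)
{
    printf("tcp:  keep %zu of %zu\n", headers_only_len(sample_tcp, sizeof sample_tcp), sizeof sample_tcp);
    printf("v6:   keep %zu of %zu\n", headers_only_len(sample_v6_udp, sizeof sample_v6_udp), sizeof sample_v6_udp);
    printf("arp:  keep %zu of %zu\n", headers_only_len(sample_arp, sizeof sample_arp), sizeof sample_arp);
    printf("icmp: keep %zu of %zu\n", headers_only_len(sample_icmp, sizeof sample_icmp), sizeof sample_icmp);
    printf("lldp: keep %zu of %zu\n", headers_only_len(sample_lldp, sizeof sample_lldp), sizeof sample_lldp);
    return 0;
}
```

In a pcap callback the struct pcap_pkthdr arrives as const, so copy it, set the copy's caplen to the value returned here, and pass the copy to pcap_dump(); leave len alone so the file still records the original wire size. The function never returns more than the captured length, so a packet already cut short by "-s" is written out as it was captured, and anything it does not recognise is kept only up to the last header it did parse rather than being dropped.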
Current thread:
- Protocol headers-only capture? Dustin Spicuzza (Dec 17)
- Re: Protocol headers-only capture? Guy Harris (Dec 17)
- Re: Protocol headers-only capture? Matthew Luckie (Dec 17)
- Re: Protocol headers-only capture? Dustin Spicuzza (Dec 17)
- Re: Protocol headers-only capture? Guy Harris (Dec 17)
- Re: Protocol headers-only capture? Dustin Spicuzza (Dec 17)
- Re: Protocol headers-only capture? Matthew Luckie (Dec 17)
- Re: Protocol headers-only capture? Guy Harris (Dec 17)
- Re: Protocol headers-only capture? Dustin Spicuzza (Dec 17)
- Re: Protocol headers-only capture? Guy Harris (Dec 17)
- Re: Protocol headers-only capture? Dustin Spicuzza (Dec 17)
- Re: Protocol headers-only capture? Dustin Spicuzza (Dec 22)
- Re: Protocol headers-only capture? Dustin Spicuzza (Dec 22)
- Re: Protocol headers-only capture? Guy Harris (Dec 17)