tcpdump mailing list archives

Re: Writing pcap files with fake headers?


From: Aaron Turner <synfinatic () gmail com>
Date: Tue, 6 Apr 2010 20:03:11 -0700

On Tue, Apr 6, 2010 at 6:56 PM, Roy Smith <roy () panix com> wrote:
> I've got an application which listens for UDP (SNMP) data.  We want to add a
> logging feature where every UDP packet that's received is stored for future
> analysis.  The obvious file format is pcap.  It's simple and lets us take
> advantage of lots of existing pcap-aware tools.  The problem is we don't
> have all the data to write out the normal packet contents that would be in a
> pcap file.
>
> The UDP header is trivial to reconstruct (we'd probably set the UDP checksum
> to 0xFFFF for simplicity).  We don't have enough information to properly
> re-construct the IPv4 (or IPv6) header, but we could invent a plausible one
> (pretend nothing was ever fragmented, etc).
>
> The ethernet header is another story.  About the best we can do is generate
> a well-formed (if meaningless) DIX frame header with the destination and
> source MAC addresses all zeros, the ether type 0x0800 or 0x0806, and either
> leave the CRC all zeros or go to the trouble to compute a real checksum.  Of
> course, there's nothing that says the packet came in over ethernet at all,
> but it's a convenient fiction.
>
> Does this seem like a plausible strategy?  Or am I heading off into the
> weeds?

Totally reasonable.  And easier than you think.  You don't need to do
the ethernet CRC and you should set the UDP checksum to 0x0 which is
always valid.


-- 
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
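The approach discussed in this exchange, as an added example that is not part of the thread and is not Roy's application or Aaron's tcpreplay code: Python that wraps received UDP payloads in invented Ethernet/IPv4/UDP headers and writes a classic pcap file (LINKTYPE_ETHERNET, all-zero MACs, EtherType 0x0800, UDP checksum 0, no Ethernet FCS). The IPv4 header checksum is computed for real, because decoders validate that one even when they ignore a zero UDP checksum. The 192.0.2.x addresses, the ports and the SNMPv1 GetRequest payload are constructed sample data, and `frame_is_consistent` is a hypothetical self-check, not a tool the thread mentions.

```python
"""Log received UDP datagrams to a pcap file with synthesized lower-layer
headers.  Added example for this thread; not code from the original post."""
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1        # DLT_EN10MB
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                payload: bytes, ident: int = 0) -> bytes:
    """Wrap a UDP payload in invented Ethernet/IPv4/UDP headers.

    Ethernet: zero MACs, EtherType 0x0800, no trailing FCS (pcap frames for
    link type 1 normally omit it).  IPv4: no options, DF set, not fragmented,
    TTL 64, real header checksum.  UDP: checksum 0 ("none" under IPv4).
    """
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload

    total_len = 20 + udp_len
    ip_fields = struct.pack("!BBHHHBBH4s4s",
                            0x45,          # version 4, IHL 5 (20 bytes)
                            0,             # DSCP/ECN
                            total_len,
                            ident,
                            0x4000,        # flags = DF, fragment offset 0
                            64,            # TTL
                            IPPROTO_UDP,
                            0,             # checksum placeholder
                            _ipv4(src_ip), _ipv4(dst_ip))
    cksum = inet_checksum(ip_fields)
    ip = ip_fields[:10] + struct.pack("!H", cksum) + ip_fields[12:]

    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def pcap_global_header(snaplen: int = 65535,
                       linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """24-byte pcap file header: magic, version 2.4, tz 0, sigfigs 0."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    """16-byte per-packet header (sec, usec, incl_len, orig_len) + frame."""
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def frame_is_consistent(frame: bytes) -> bool:
    """Check a practitioner would run on the output: EtherType, IPv4 header
    checksum and the length fields must all agree (valid header sums to 0)."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return False
    ip = frame[14:34]
    if ip[0] != 0x45 or ip[9] != IPPROTO_UDP or inet_checksum(ip) != 0:
        return False
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp_len = struct.unpack("!H", frame[38:40])[0]
    return total_len == len(frame) - 14 and udp_len == total_len - 20


def build_pcap_bytes(datagrams) -> bytes:
    """datagrams: iterable of (src_ip, src_port, dst_ip, dst_port, payload, ts)."""
    out = [pcap_global_header()]
    for i, (sip, sport, dip, dport, payload, ts) in enumerate(datagrams):
        out.append(pcap_record(build_frame(sip, dip, sport, dport, payload,
                                           i & 0xFFFF), ts))
    return b"".join(out)


# Constructed sample: an SNMPv1 GetRequest for sysDescr.0, community "public".
SAMPLE_SNMP = bytes.fromhex(
    "3026" "020100" "0406" "7075626c6963" "a019" "020101" "020100" "020100"
    "300e" "300c" "0608" "2b06010201010100" "0500")

if __name__ == "__main__":
    # Assumed addresses/ports: the agent at 192.0.2.10 -> our listener :161.
    log = [("192.0.2.10", 50000, "192.0.2.1", 161, SAMPLE_SNMP, time.time())]
    with open("udp-log.pcap", "wb") as f:
        f.write(build_pcap_bytes(log))
```

The file written above opens in tcpdump and Wireshark as ordinary Ethernet/IPv4/UDP traffic. Two things worth knowing when you adopt the fiction: a zero UDP checksum means "not computed" only under IPv4 (RFC 768); IPv6 mandates the UDP checksum (RFC 2460), so an IPv6 variant of this writer should compute it. And if you would rather not invent an Ethernet header at all, pcap also defines LINKTYPE_RAW (101) and LINKTYPE_IPV4 (228), whose frames begin directly at the IP header; just swap the `linktype` argument and drop the 14-byte prefix.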

