
create pcap file "per flow" #10

Open
mikewalshchicago opened this issue Apr 6, 2020 · 1 comment
Labels
enhancement New feature or request question Further information is requested

Comments

@mikewalshchicago

I would like to have a pcap file created for each src-ip:port/dst-ip:port combination, or just IP address at a minimum, for all TCP and UDP packets. I am not a C++ developer, but I was able to make this work in principle with a test program. Here's the relevant part of the code:

```cpp
// Context assumed from the surrounding program (not shown in the post): `ip` points at the
// IPv4 header, `fp` is the live pcap_t*, `odest` is the output directory, `header`/`pkt_data`
// come from the pcap callback, `map` is a std::map<std::string, int>, and GetFileSize() is
// the poster's own helper that returns a negative value when the file does not exist.
// pcap_dump_open_append() needs libpcap >= 1.7.2.
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <pcap/pcap.h>

// The original had two identical branches for TCP (6) and UDP (17), the second one cut off;
// one branch handles both protocols the same way.
if (ip->ip_p == IPPROTO_TCP /* 6 */ || ip->ip_p == IPPROTO_UDP /* 17 */) {
    // inet_ntoa() returns a static buffer, so copy the text out before calling it again.
    std::string srcname = inet_ntoa(ip->ip_src);   // not used in the file name below
    std::string dstname = inet_ntoa(ip->ip_dst);

    // Per-destination counter; operator[] value-initialises it to 0 on first sight,
    // and nothing increments it, so every file is named "<dst>-0.pcap".
    int &stored_val = map[dstname];

    // A fresh stream per packet: reusing one `oss` without clearing it appends every
    // previous file name onto the next one.
    std::ostringstream oss;
    oss << "/" << odest << "/" << dstname << "-" << stored_val << ".pcap";
    std::string pfile = oss.str();

    pcap_dumper_t *dumpfile;
    if (GetFileSize(pfile) >= 0) {
        dumpfile = pcap_dump_open_append(fp, pfile.c_str());
    } else {
        dumpfile = pcap_dump_open(fp, pfile.c_str());
    }
    if (dumpfile == NULL) {
        fprintf(stderr, "cannot open %s: %s\n", pfile.c_str(), pcap_geterr(fp));
        return;   // assumes this runs inside a void pcap callback
    }
    pcap_dump((unsigned char *) dumpfile, header, pkt_data);
    // The original never closed the dumper, so every packet leaked a file descriptor and
    // buffered data was never flushed. Opening and closing a file per packet is also the
    // main reason packets get dropped under load.
    pcap_dump_close(dumpfile);
}
```

My program loses a lot of packets under load, however, which is why I looked to yours for some inspiration on how to optimize. This is all still quite a bit over my head though. Do you think it would be possible to add a feature that would write to a file based on the ip:port information it receives in the header?
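The per-flow writer the post asks for, as an added example that is not code from the issue or from the project it was filed against: one file per src-ip:port/dst-ip:port/protocol key, with the file handle kept open in a map instead of being opened, appended and closed for every packet, which is the per-packet cost that drops packets under load. It writes the classic pcap format itself so it runs without libpcap; the frames in `run_demo()` are constructed, not captured traffic, and every name below (`FlowKey`, `parse_flow`, `PerFlowPcapWriter`, `run_demo`, `count_records`) is mine, not the project's.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <map>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

struct FlowKey {   // direction-sensitive 5-tuple identifying one flow
    uint8_t proto; uint32_t src, dst; uint16_t sport, dport;
    bool operator<(const FlowKey& o) const {
        return std::tie(proto, src, dst, sport, dport) < std::tie(o.proto, o.src, o.dst, o.sport, o.dport);
    }
};
struct PcapGlobalHeader { uint32_t magic; uint16_t major, minor; int32_t thiszone; uint32_t sigfigs, snaplen, linktype; };
struct PcapRecordHeader { uint32_t ts_sec, ts_usec, incl_len, orig_len; };

static uint16_t be16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t* p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static std::string ip_str(uint32_t a) {
    char b[16];
    std::snprintf(b, sizeof b, "%u.%u.%u.%u", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
    return b;
}

// Extracts the 5-tuple from an Ethernet/IPv4 frame. Returns false for anything it cannot key
// safely: non-IPv4, non-TCP/UDP, non-first fragments (no L4 header), truncated headers.
bool parse_flow(const uint8_t* pkt, size_t len, FlowKey& k) {
    if (len < 14 + 20 || be16(pkt + 12) != 0x0800) return false;
    const uint8_t* ip = pkt + 14;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 4) return false;
    if ((be16(ip + 6) & 0x1fff) != 0) return false;
    k.proto = ip[9];
    if (k.proto != 6 && k.proto != 17) return false;
    k.src = be32(ip + 12); k.dst = be32(ip + 16);
    k.sport = be16(ip + ihl); k.dport = be16(ip + ihl + 2);
    return true;
}

std::string flow_filename(const FlowKey& k) {
    return ip_str(k.src) + "_" + std::to_string(k.sport) + "-" + ip_str(k.dst) + "_" +
           std::to_string(k.dport) + (k.proto == 6 ? "_tcp.pcap" : "_udp.pcap");
}

class PerFlowPcapWriter {
public:
    explicit PerFlowPcapWriter(std::string dir) : dir_(std::move(dir)) {}
    // Appends one frame to its flow's file, creating the file (with global header) on first sight.
    bool write(uint32_t ts_sec, uint32_t ts_usec, const uint8_t* pkt, uint32_t len) {
        FlowKey k;
        if (!parse_flow(pkt, len, k)) return false;
        auto it = files_.find(k);
        if (it == files_.end()) {
            std::ofstream f(dir_ + "/" + flow_filename(k), std::ios::binary);
            if (!f) return false;
            PcapGlobalHeader gh = {0xa1b2c3d4u, 2, 4, 0, 0, 65535u, 1u};   // v2.4, snaplen 65535, LINKTYPE_ETHERNET
            f.write(reinterpret_cast<const char*>(&gh), sizeof gh);
            it = files_.emplace(k, std::move(f)).first;
        }
        PcapRecordHeader rh = {ts_sec, ts_usec, len, len};   // nothing snapped, so incl_len == orig_len
        it->second.write(reinterpret_cast<const char*>(&rh), sizeof rh);
        it->second.write(reinterpret_cast<const char*>(pkt), len);
        return true;
    }
    size_t flow_count() const { return files_.size(); }
private:
    std::string dir_;
    std::map<FlowKey, std::ofstream> files_;   // one open handle per flow; all closed by the destructor
};

// Constructed Ethernet/IPv4 frame with a minimal TCP or UDP header (checksums left zero).
std::vector<uint8_t> make_frame(uint8_t proto, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport) {
    size_t l4len = proto == 6 ? 20 : 8;
    std::vector<uint8_t> f(14 + 20 + l4len, 0);
    f[12] = 0x08; f[13] = 0x00;   // EtherType IPv4
    uint8_t* ip = &f[14];
    ip[0] = 0x45; ip[2] = uint8_t((20 + l4len) >> 8); ip[3] = uint8_t(20 + l4len); ip[8] = 64; ip[9] = proto;
    for (int i = 0; i < 4; ++i) { ip[12 + i] = uint8_t(src >> (24 - 8 * i)); ip[16 + i] = uint8_t(dst >> (24 - 8 * i)); }
    uint8_t* l4 = ip + 20;
    l4[0] = uint8_t(sport >> 8); l4[1] = uint8_t(sport); l4[2] = uint8_t(dport >> 8); l4[3] = uint8_t(dport);
    if (proto == 6) l4[12] = 0x50; else l4[5] = uint8_t(l4len);   // TCP data offset 5 / UDP length 8
    return f;
}

// Reads a written file back and counts its complete records (used to check the demo output).
size_t count_records(const std::string& path) {
    std::ifstream f(path, std::ios::binary);
    PcapGlobalHeader gh;
    if (!f.read(reinterpret_cast<char*>(&gh), sizeof gh) || gh.magic != 0xa1b2c3d4u) return 0;
    size_t n = 0;
    PcapRecordHeader rh;
    while (f.read(reinterpret_cast<char*>(&rh), sizeof rh)) {
        std::vector<char> body(rh.incl_len);
        if (!f.read(body.data(), rh.incl_len)) break;
        ++n;
    }
    return n;
}

// Demo traffic: three frames of one TCP flow, two of one UDP flow and one ARP frame, which is
// skipped. Returns the number of frames written (5); two flow files land in `dir`.
size_t run_demo(const std::string& dir) {
    PerFlowPcapWriter w(dir);
    const uint32_t a = 0x0a000001u, b = 0x0a000002u;   // 10.0.0.1 -> 10.0.0.2
    std::vector<uint8_t> tcp = make_frame(6, a, b, 40000, 443), udp = make_frame(17, a, b, 50000, 53), arp(42, 0);
    arp[12] = 0x08; arp[13] = 0x06;
    size_t written = 0;
    for (int i = 0; i < 3; ++i) written += w.write(1586131200u + i, 0, tcp.data(), uint32_t(tcp.size()));
    for (int i = 0; i < 2; ++i) written += w.write(1586131203u + i, 0, udp.data(), uint32_t(udp.size()));
    written += w.write(1586131205u, 0, arp.data(), uint32_t(arp.size()));
    return written;
}
```

In a real capture loop `write()` is called from the pcap callback with the header timestamp and the frame bytes; the map bounds the number of open descriptors to the number of live flows, so a long run still needs an idle-timeout eviction (close and erase flows not seen for a while), which is left out here.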

@jmakov jmakov added the enhancement New feature or request label Apr 6, 2020
@jmakov
Owner

jmakov commented Apr 6, 2020

A couple of quick ideas:

  1. use linux pipes to filter to multiple ngrep commands - each for src-ip:port/dst-ip:port combination
  2. perhaps you can first check out a free solution that works for the majority - https://www.ntop.org/products/traffic-recording-replay/n2disk/

Other than this I would have to investigate. Please close the issue if that answers your question.

@jmakov jmakov added the question Further information is requested label Apr 6, 2020