I assume that you have at least libpcap installed, since Wireshark works with it. You might use pcap_open_offline() and pcap_dispatch() in a small C program that dumps the packages one by one to stdout (and use BCD coding so you can read that line by line from Perl).
Information about the pcap library can be found on Wikipedia (http://en.wikipedia.org/wiki/Pcap) and from there at http://www.tcpdump.org/pcap3_man.html
Just a guess: if you download the libpcap sources, you might also find information about the data format of the pcap files there.
I don't know whether this will be applicable to your case, but I've just been analysing some pcap files, and I found the easiest method to be to use Wireshark to export the files as PDML (XML packet detail) and use an XML module to read these. This has the benefit of including all the packet analysis data that Wireshark generates, although PSML may be better if you don't need this.
--
"Any sufficiently analyzed magic is indistinguishable from science" - Agatha Heterodyne
Hi guys, thanks for the replies.
I will try your suggestions, but I am guessing raw inspection of a pcap file by just pure Perl is not recommended (hard to do? stupid to do? impossible to do? counterproductive to do? all of the above?)
None of the above. It is just more convenient to either use a library (that is already nice, shiny and debugged) or some already preprocessed data (which the PDML mykl talked about probably is; it might also be safer to parse because of the added redundancy, and there are lots of XML parsers ready to use).
Parsing binary data is not really hard, but the program tends to be a bit more unreadable and cryptic than a text parser because you have to use constants like '\x02'.
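To show what "parsing binary data is not really hard" looks like in practice, here is an added example of a pure-Perl reader for the classic pcap file format (the global header and the per-packet record headers), written for this page and not posted by anyone in the thread. It dumps one packet per line to stdout, which is the same shape of output the first reply suggested getting from a C program. The two embedded sample captures are constructed inline (one little-endian microsecond file, one big-endian nanosecond file); the field layout and magic numbers are the documented pcap format, and the only assumptions are the sample bytes and the function names parse_pcap and dump_packets.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse a classic pcap file held in memory. Returns a hashref with the
# global header fields and a list of packet records.
# Every length is checked against the data actually present before a
# substr is taken, so a truncated or hostile file dies with a clear
# message instead of yielding short packets or silently looping.
sub parse_pcap {
    my ($data) = @_;
    die "truncated global header\n" if length($data) < 24;

    # Read the magic as little-endian and decide byte order + timestamp
    # resolution from which of the four documented values we see.
    my $magic = unpack('V', substr($data, 0, 4));
    my ($e, $frac_div);                 # $e: 32-bit template, V=LE, N=BE
    if    ($magic == 0xa1b2c3d4) { ($e, $frac_div) = ('V', 1e6); }  # LE, usec
    elsif ($magic == 0xd4c3b2a1) { ($e, $frac_div) = ('N', 1e6); }  # BE, usec
    elsif ($magic == 0xa1b23c4d) { ($e, $frac_div) = ('V', 1e9); }  # LE, nsec
    elsif ($magic == 0x4d3cb2a1) { ($e, $frac_div) = ('N', 1e9); }  # BE, nsec
    else  { die sprintf("not a pcap file (magic 0x%08x)\n", $magic); }
    my $s = $e eq 'V' ? 'v' : 'n';      # matching 16-bit template

    # Global header: magic, version_major, version_minor, thiszone,
    # sigfigs, snaplen, linktype.
    my (undef, $vmaj, $vmin, undef, undef, $snaplen, $linktype) =
        unpack("$e $s $s $e $e $e $e", substr($data, 0, 24));

    my @packets;
    my $off = 24;
    while ($off < length $data) {
        die "truncated record header at offset $off\n"
            if length($data) - $off < 16;
        # Record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len.
        my ($sec, $frac, $incl, $orig) = unpack("$e $e $e $e", substr($data, $off, 16));
        $off += 16;
        die "incl_len $incl exceeds snaplen $snaplen at offset $off\n"
            if $incl > $snaplen;
        die "incl_len $incl exceeds orig_len $orig at offset $off\n"
            if $incl > $orig;
        die "truncated packet data at offset $off\n"
            if length($data) - $off < $incl;
        push @packets, {
            ts       => $sec + $frac / $frac_div,
            incl_len => $incl,
            orig_len => $orig,
            data     => substr($data, $off, $incl),
        };
        $off += $incl;
    }
    return {
        version  => "$vmaj.$vmin",
        linktype => $linktype,
        snaplen  => $snaplen,
        packets  => \@packets,
    };
}

# One line per packet: timestamp, saved/original length, payload as hex.
sub dump_packets {
    my ($cap) = @_;
    printf "# pcap v%s linktype=%d snaplen=%d packets=%d\n",
        $cap->{version}, $cap->{linktype}, $cap->{snaplen}, scalar @{ $cap->{packets} };
    for my $p (@{ $cap->{packets} }) {
        printf "%.6f %d/%d %s\n", $p->{ts}, $p->{incl_len}, $p->{orig_len},
            unpack('H*', $p->{data});
    }
}

# Constructed samples (not real captures): a little-endian microsecond
# file with one 4-byte packet, and a big-endian nanosecond file with one
# 2-byte packet. Both use linktype 1 (Ethernet) and snaplen 65535.
my $sample_le = pack('V v v V V V V', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
              . pack('V V V V', 1, 2, 4, 4) . "\xde\xad\xbe\xef";
my $sample_be = pack('N n n N N N N', 0xa1b23c4d, 2, 4, 0, 0, 65535, 1)
              . pack('N N N N', 1, 500, 2, 2) . "\x08\x00";

if (@ARGV) {
    # Real file given on the command line: read it in binary mode.
    open my $fh, '<:raw', $ARGV[0] or die "open $ARGV[0]: $!\n";
    my $raw = do { local $/; <$fh> };
    close $fh;
    dump_packets(parse_pcap($raw));
} else {
    dump_packets(parse_pcap($sample_le));
    dump_packets(parse_pcap($sample_be));
}
```

Run it as `perl pcapdump.pl capture.pcap` to dump a real file, or with no arguments to see the two constructed samples. The endianness switch on the magic is the part people most often skip; the incl_len checks are the part that matters when the capture came from someone you do not trust, since a forged length field is the obvious way to make a naive reader misbehave. Note that this reads only the classic pcap format, not pcapng, which Wireshark writes by default in newer versions.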