in reply to yet another pcap question

I don't know whether this will be applicable to your case, but I've just been analysing some pcap files, and I found the easiest method to be to use Wireshark to export the files as PDML (XML packet detail) and use an XML module to read these. This has the benefit of including all the packet analysis data that Wireshark generates, although PSML may be better if you don't need this.

--

"Any sufficiently analyzed magic is indistinguishable from science" - Agatha Heterodyne

Re^2: yet another pcap question
by Anonymous Monk on Feb 09, 2010 at 15:46 UTC
    hi guys, thanks for the replies
    I will try your suggestions, but I am guessing raw inspection of a pcap file with just pure Perl is not recommended (hard to do? stupid to do? impossible to do? counterproductive to do? all of the above?)

      None of the above. It is just more convenient to either use a library (that is already nice, shiny and debugged) or some already preprocessed data (which the PDML mykl talked about probably is; it may also be safer to parse because of the added redundancy, and there are lots of XML parsers ready to use).

      Parsing binary data is not really hard, but the program tends to be a bit more unreadable and cryptic than a text parser because you have to use constants like '\x02'.
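To show what the "pure Perl" route actually looks like (and why it reads as cryptic), here is an added example, not code posted by anyone in this thread: a minimal libpcap reader built on unpack() that handles the global header, picks the byte order from the magic number, walks the per-record headers, and decodes Ethernet/IPv4. The sample capture is constructed inline (one UDP frame, IP checksum deliberately left at zero since the reader does not verify it) so the script runs offline; point `open` at a real file instead of the in-memory handle to use it on your own pcap. The length checks are the part worth copying: unpack() silently returns short or undefined fields when the string is shorter than the template, and a record whose incl_len exceeds snaplen is a corrupt or hostile file, so neither should be trusted without a check.

```perl
#!/usr/bin/perl
# Minimal pure-Perl libpcap reader (added example, not from the thread).
use strict;
use warnings;

# Parse the 24-byte global header. The magic number fixes the byte order and
# the timestamp resolution, so the unpack templates for the rest are chosen here.
sub read_pcap_header {
    my ($fh) = @_;
    read($fh, my $buf, 24) == 24 or die "short pcap global header\n";
    my $magic = unpack('N', $buf);                  # read provisionally as big-endian
    my %byteorder = (
        0xa1b2c3d4 => ['N', 'n', 1_000_000],        # big-endian, microseconds
        0xa1b23c4d => ['N', 'n', 1_000_000_000],    # big-endian, nanoseconds
        0xd4c3b2a1 => ['V', 'v', 1_000_000],        # little-endian, microseconds (common)
        0x4d3cb2a1 => ['V', 'v', 1_000_000_000],    # little-endian, nanoseconds
    );
    my $bo = $byteorder{$magic}
        or die sprintf("not a pcap file (magic 0x%08x)\n", $magic);
    my ($u32, $u16, $ts_div) = @$bo;
    my ($maj, $min, $zone, $sigfigs, $snaplen, $linktype)
        = unpack("x4 $u16 $u16 $u32 $u32 $u32 $u32", $buf);
    return { u32 => $u32, u16 => $u16, ts_div => $ts_div,
             version => "$maj.$min", snaplen => $snaplen, linktype => $linktype };
}

# Read one record: 16-byte header followed by incl_len captured bytes.
# Returns undef at a clean EOF; dies on truncation or an incl_len > snaplen.
sub read_pcap_record {
    my ($fh, $hdr) = @_;
    my $n = read($fh, my $rec, 16);
    defined $n or die "read error: $!\n";
    return if $n == 0;
    $n == 16 or die "truncated record header\n";
    my ($sec, $frac, $incl, $orig) = unpack($hdr->{u32} x 4, $rec);
    $incl <= $hdr->{snaplen}
        or die "record claims $incl bytes but snaplen is $hdr->{snaplen}\n";
    read($fh, my $data, $incl) == $incl or die "truncated packet data\n";
    return { ts => $sec + $frac / $hdr->{ts_div}, caplen => $incl,
             len => $orig, data => $data };
}

# Decode Ethernet II + IPv4 (linktype 1). Length is checked before every
# unpack because unpack does not complain about a too-short string.
sub decode_ethernet_ipv4 {
    my ($data) = @_;
    return if length($data) < 14;
    my ($dst_mac, $src_mac, $ethertype) = unpack('H12 H12 n', $data);
    my %pkt = (dst_mac => $dst_mac, src_mac => $src_mac, ethertype => $ethertype);
    return \%pkt unless $ethertype == 0x0800 && length($data) >= 34;
    # IPv4: ver/ihl, (tos), total length, (id, flags/frag), ttl, proto, (cksum), src, dst
    my ($vhl, $total_len, $ttl, $proto, $src, $dst)
        = unpack('x14 C x n x4 C C x2 a4 a4', $data);
    my $ihl = ($vhl & 0x0f) * 4;
    return \%pkt unless ($vhl >> 4) == 4 && $ihl >= 20
                     && $total_len >= $ihl && length($data) >= 14 + $ihl;
    @pkt{qw(ttl proto src dst)} = ($ttl, $proto,
        join('.', unpack('C4', $src)), join('.', unpack('C4', $dst)));
    $pkt{l4} = substr($data, 14 + $ihl, $total_len - $ihl);   # transport header + payload
    return \%pkt;
}

# Constructed sample capture: a single UDP frame 192.168.1.10 -> 10.0.0.1:53,
# written as a little-endian pcap with snaplen 65535 and linktype 1 (Ethernet).
my $ip = pack('C C n n n C C n a4 a4',
    0x45, 0, 28, 0x1234, 0x4000, 64, 17, 0,     # IP checksum left at 0 (not verified here)
    pack('C4', 192, 168, 1, 10), pack('C4', 10, 0, 0, 1));
my $udp   = pack('n n n n', 40000, 53, 8, 0);
my $frame = pack('H12 H12 n', '001122334455', '66778899aabb', 0x0800) . $ip . $udp;
my $file  = pack('V v v V V V V', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
          . pack('V V V V', 1265730000, 0, length($frame), length($frame)) . $frame;

open(my $fh, '<', \$file) or die "open: $!";    # swap \$file for a real path to read a capture
binmode $fh;
my $hdr = read_pcap_header($fh);
printf "pcap v%s, linktype %d, snaplen %d\n", $hdr->{version}, $hdr->{linktype}, $hdr->{snaplen};
while (my $rec = read_pcap_record($fh, $hdr)) {
    my $pkt = $hdr->{linktype} == 1 ? decode_ethernet_ipv4($rec->{data}) : undef;
    if ($pkt && defined $pkt->{src}) {
        printf "%.6f %s -> %s proto %d ttl %d (%d of %d bytes captured)\n",
            $rec->{ts}, $pkt->{src}, $pkt->{dst}, $pkt->{proto}, $pkt->{ttl},
            $rec->{caplen}, $rec->{len};
    } else {
        printf "%.6f non-IPv4 record, %d bytes\n", $rec->{ts}, $rec->{caplen};
    }
}
```

The `'x14 C x n x4 C C x2 a4 a4'` template is exactly the kind of constant-laden line the reply above has in mind: it is correct, but nothing about it tells a reader which byte is the TTL without the comment. Note also that `caplen` and `len` differ when the capture was truncated by snaplen, so anything that decodes beyond the IP header should compare against `caplen`, not the length the packet claims.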