Anyone had any experience with *.pcap manipulation libs?

Posted by zxcvbnm on Stack Overflow See other posts from Stack Overflow or by zxcvbnm
Published on 2010-04-03T00:16:57Z Indexed on 2010/04/03 0:23 UTC
Read the original article Hit count: 782

Filed under:

trace

|

wireshark

|

pcap

|

bugs

I'm using the SharpPcap + PacketDotNet libraries to process some .pcap files and came across a bug in the way the timestamps are calculated.

Take this Timeval property, which is something along these lines:

PosixTimeval Timeval
{
    DateTime Date;
    ulong Seconds;
    ulong MicroSeconds;
}

The problem is as follows: Suppose you have a trace open in Wireshark with one of the packets with a timestamp of "0.002". Once you open it within one of your programs, it retrieves the packet and its Timeval is setup such that Seconds = 0 and MicroSeconds = 002 = 2. This is done under the hood, so there is no way to avoid it as far as I can tell.

My question is if that problem is common to other libraries (and maybe all of them?) who manipulate the pcap file format, which I think are built around the same collection of c/c++ functions, or if this is a problem only with the ones I'm using.

© Stack Overflow or respective owner

Related posts about trace

Learn Who Started that Trace with the Default Trace

as seen on SQL Blog - Search for 'SQL Blog'
This is not Extended Event related but it came from a question on Twitter about how to tell who and from what machine a server side trace was created, and there is no way to explain this in 140 characters so here’s a blog post. This information is tracked in the Default Trace and can be found… >>> More
Autoconf/Automake "configure.ac:2: option `-Wall' not recognized"

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello I'm trying to start with autoconf / automake for a new project. To get started, I'm reading "Using GNU Autotools" and trying to build the Hello-World-Tutorial. The required files from page 96 (real Page=105 because it's a LaTeX-Presentation) configure.ac, Makefile.am and src/Makefile.am look… >>> More
How can I filter the WCF Trace?

as seen on Stack Overflow - Search for 'Stack Overflow'
I need to get the following information during tracing: 1. I need to know how long an operation was executed. 2. I need to know if the operation(method in the service) is executed successfully. 3. I need to know if there's an error. I know that we can see all of that using the Service Trace Viewer… >>> More
OpenGL FrameBuffer Objects weird behavior

as seen on Stack Overflow - Search for 'Stack Overflow'
My algorithm is this: Render the scene to a FBO with shadow mapping from multiple locations Render the scene to the screen with shadow mapping ...black magic that I still have to imlement... Combine the samples from step 1 with the image from step 2 I'm trying to debug steps 1 and 2 and am coming… >>> More
Ubuntu 9.10 RSA authentication: ssh fails, filezilla runs fine

as seen on Server Fault - Search for 'Server Fault'
This is quite a mistery for me. I usually use passwordless RSA authentication to login into my remote *nix servers with ssh and sftp. Never had any problem until now. I cannot connect to an Ubuntu 9.10 machine: user@myclient$ ssh -i .ssh/Ganymede_key [email protected] [...] debug1: Host… >>> More

Related posts about wireshark

wireshark http POST

as seen on Server Fault - Search for 'Server Fault'
Hi I would like to have a http POST request method CAPTURE filter I know it is easy to do it by display filter http.request.method==POST but I need tcpdump compatible I wrote tcp dst port 80 and (tcp[13] = 0x18) But it is not perfect... tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) 2):4] =… >>> More
How to filter http traffic in Wireshark?

as seen on Server Fault - Search for 'Server Fault'
I suspect my server has a huge load of http requests from its clients. I want to measure the volume of http traffic. How can I do it with Wireshark? Or probably there is an alternative solution using another tool? This is how a single http request/response traffic looks in Wireshark. The ping is… >>> More
Wireshark is not capturing traffic through http://localhost:8888

as seen on Super User - Search for 'Super User'
Currently, my wireshark can capture traffic from http://localhost (traffic that is on port 80) but it won't capture traffic on localhost:8888 Is there any extra configuration/software that I need for wireshark to capture traffic of localhost on this port? I'm running Ubuntu 9.10 >>> More
Multi language support in wireshark

as seen on Super User - Search for 'Super User'
Do we have multiple language support with Wireshark. We are using Windows Xp SP2 and Ubuntu Linux environment. Actually we have a plugin which is UDP based and we have a requirement to Analyse the Information in Packet List Pane and Packet Details Pane to be viewed in other languages like French… >>> More
Saving Wireshark capture settings for future use

as seen on Server Fault - Search for 'Server Fault'
Is there any way to save Wireshark capture options? So it can be reuse after restart Wireshark. Also, if the saved file is in plain text, it's possible to use scripts generating bunch of capture settings, such with different filter setting. Does anyone know? Thanks. >>> More