20101220

SavageLook.com » Offline packet capture analysis with C/C++ & libpcap: December 20, 2010 at 10:40 am

While a good exercise in programmatically using libpcap and the Linux packet handling functions, the same can be accomplished with existing CLI tools:

tcpdump -n -s 0 -w http.pcap tcp and port 80

The file can then be read with any pcap-compatible tool, including Wireshark or tcpdump itself again:

tcpdump -r http.pcap

While we’re at it, I’ve combined tcpdump with netcat to be able to capture packets on a device without much storage space and forward them in real time to a better-equipped host:

On the remote host:
nc -l -p 9988 > http.pcap

And on the host to sniff:
tcpdump -n -s 0 -w - tcp and port 80 | nc remotehost 9988
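The file that `tcpdump -w` produces (and that arrives at the netcat listener above) is a plain pcap file, which is the same format the original post reads with libpcap. The following is an added example, not code from the post or from SavageLook.com: a small dependency-free C reader that walks that format directly, handling both byte orders and both the microsecond and nanosecond magic numbers, checking that no record runs past the end of the buffer or past the file's snaplen, and counting records that were cut short by a snaplen smaller than the packet (which is what `-s 0` avoids). The embedded `SAMPLE_PCAP` bytes are constructed for the example; the struct and function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* pcap file layout (what `tcpdump -w` writes): a 24-byte global header
 * (magic, version, tz offset, sigfigs, snaplen, linktype) followed by
 * records, each with a 16-byte header (ts_sec, ts_usec, caplen, origlen)
 * and caplen bytes of packet data. */
#define PCAP_MAGIC_US   0xa1b2c3d4u   /* microsecond timestamps */
#define PCAP_MAGIC_NS   0xa1b23c4du   /* nanosecond timestamps */
#define PCAP_GLOBAL_HDR 24
#define PCAP_RECORD_HDR 16

struct pcap_summary {
    int swapped;        /* file byte order differs from this host's */
    int nanosecond;     /* timestamps are nanoseconds rather than microseconds */
    uint32_t snaplen;   /* per-packet capture limit set by tcpdump -s */
    uint32_t linktype;  /* DLT value; 1 = Ethernet */
    uint32_t packets;   /* records parsed */
    uint32_t truncated; /* records whose caplen < original length */
    uint64_t bytes;     /* total captured bytes */
};

static uint32_t bswap32(uint32_t v) {
    return (v << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24);
}

/* Read a 32-bit field in the file's byte order; memcpy avoids unaligned access. */
static uint32_t rd32(const unsigned char *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    return swap ? bswap32(v) : v;
}

/* Parse an in-memory pcap file. Returns the record count, or -1 when the
 * file is malformed (unknown magic, short header, record past end of buffer
 * or larger than the declared snaplen). Every length is checked before use. */
int parse_pcap(const unsigned char *buf, size_t len, struct pcap_summary *out) {
    memset(out, 0, sizeof *out);
    if (len < PCAP_GLOBAL_HDR) return -1;
    uint32_t magic = rd32(buf, 0);
    if (magic == bswap32(PCAP_MAGIC_US) || magic == bswap32(PCAP_MAGIC_NS)) {
        out->swapped = 1;
        magic = bswap32(magic);
    } else if (magic != PCAP_MAGIC_US && magic != PCAP_MAGIC_NS) {
        return -1;
    }
    out->nanosecond = (magic == PCAP_MAGIC_NS);
    out->snaplen  = rd32(buf + 16, out->swapped);
    out->linktype = rd32(buf + 20, out->swapped);
    size_t off = PCAP_GLOBAL_HDR;
    while (off < len) {
        if (len - off < PCAP_RECORD_HDR) return -1;
        uint32_t caplen  = rd32(buf + off + 8, out->swapped);
        uint32_t origlen = rd32(buf + off + 12, out->swapped);
        off += PCAP_RECORD_HDR;
        if (caplen > out->snaplen || caplen > len - off) return -1;
        if (caplen < origlen) out->truncated++;
        out->bytes += caplen;
        out->packets++;
        off += caplen;
    }
    return (int)out->packets;
}

/* Constructed little-endian sample: snaplen 65535, linktype 1 (Ethernet),
 * two records: one complete 4-byte packet and one 60-byte packet cut to 2 bytes. */
static const unsigned char SAMPLE_PCAP[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 0x01,0,0,0,
    0x20,0x7c,0x0f,0x4d, 0,0,0,0, 0x04,0,0,0, 0x04,0,0,0, 0xde,0xad,0xbe,0xef,
    0x20,0x7c,0x0f,0x4d, 0x01,0,0,0, 0x02,0,0,0, 0x3c,0,0,0, 0xca,0xfe
};

int demo_count_packets(struct pcap_summary *s) {          /* 2 packets, 1 truncated */
    return parse_pcap(SAMPLE_PCAP, sizeof SAMPLE_PCAP, s);
}
int demo_cut_off_file(struct pcap_summary *s) {           /* last byte missing: -1 */
    return parse_pcap(SAMPLE_PCAP, sizeof SAMPLE_PCAP - 1, s);
}

/* Usage: ./pcapsum http.pcap  (no argument parses the embedded sample) */
int main(int argc, char **argv) {
    const unsigned char *data = SAMPLE_PCAP;
    size_t len = sizeof SAMPLE_PCAP;
    unsigned char *filebuf = NULL;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
        if (sz < 0) sz = 0;
        filebuf = malloc((size_t)sz + 1);
        len = fread(filebuf, 1, (size_t)sz, f);
        fclose(f);
        data = filebuf;
    }
    struct pcap_summary s;
    int n = parse_pcap(data, len, &s);
    if (n < 0) printf("malformed pcap\n");
    else printf("%d packets, %llu bytes, %u truncated, snaplen %u, linktype %u%s%s\n",
                n, (unsigned long long)s.bytes, s.truncated, s.snaplen, s.linktype,
                s.nanosecond ? ", ns timestamps" : "", s.swapped ? ", byte-swapped" : "");
    free(filebuf);
    return n < 0;
}
```

The `truncated` counter is the practical check behind `-s 0`: a non-zero value means the capture was taken with a snaplen smaller than some packets, so payload-level analysis of those records will be incomplete. The byte-order handling matters for the netcat relay in particular, since the file is written by the sniffing device's tcpdump and may be read on a host of a different endianness.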