Libpcap can be used to parse pcapng file, but only provides features compatible to pcap file (Please refer pcapng wiki).
PcapPlusPlus is a better choice and it can parse more information about the file and packet (e.g., the comment field of every packet). The following is a simple program which prints the metadata of pcapng file and the first 10 packets’ comments:
#include <iostream>
#include <PcapFileDevice.h>
int
main()
{
std::cout << pcap_lib_version() << '\n';
pcpp::PcapNgFileReaderDevice input_file("/Users/nanxiao/Downloads/capture.pcapng");
if (input_file.open()) {
std::cout << "Open successfully\n";
} else {
std::cerr << "Open failed\n";
return 1;
}
std::cout << input_file.getOS() << '\n';
std::cout << input_file.getHardware() << '\n';
std::cout << input_file.getCaptureApplication() << '\n';
std::cout << input_file.getCaptureFileComment() << '\n';
pcpp::RawPacket packet;
std::string comment;
for (size_t i = 1; i < 10; i++)
{
if (input_file.getNextPacket(packet, comment)) {
std::cout << i << ":" << comment << '\n';
} else {
std::cerr << "Get packet failed\n";
return 1;
}
}
}
P.S., the code can be downloaded here.
Hi,
Please point me to an example that uses libpcap to parse a pcapng file. I am not able to find such an example.
Thank you.
libpcap doesn’t differentiate pcapng or pcap, so you just operate on pcapng like pcap: pcap_open_offline, pcap_next_ex, … etc.