tcpdump « apocryph.org

28Jan/070

MungeCap, a quick and dirty capture file merging/filtering tool

Lately I’ve been playing with wireless network monitoring, using kismet. Kismet produces dumps of all wireless traffic in libpcap-compatible packet captures, which is the same format used by Wireshark, tcpdump, and any other packet capture tool worth its salt.

The problem is that after a week of capturing, I have several gigabytes of capture files, though most of the captured packets are 802.11 beacons that have no information in them. Wireshark eats shit and dies on a 500MB capture file, so a 2GB one is out of the question. What to do?

Wireshark ships with some capture file munging tools, editcap and mergecap, but neither of them do exactly what I want, which is to take as input one or more capture files, apply an optional filter, and write the results to an output capture file, preserving the chronological order of the input packets.

mergecap merges files, but doesn’t let you apply a filter.

Thus, I give you mungecap, my lovingly hand-crafted solution to the problem. It uses libpcap (which is to say, winpcap if you’re on Windows), and is written in ANSI C++, so it should work fine on any platform for which there’s a sane C++ compiler and a libpcap port available.

Pull the latest from my SVN repository. There’s a Visual C++ 2005 project there, but you’ll have to tweak the include and lib paths to reflect the location of the WinPcap dev pack on your machine. Obviously UNIX users are on their own; have fun fucking with a makefile, trying to remember if you have to use spaces or tabs.

Remember, kids, intercepting the wireless traffic of others, though entertaining in a dysfunctional power-trip sort of way, is probably a violation of federal wiretap law, and thus you really shouldn’t be caught doing it.

UPDATE: I forgot to mention, due to the viral nature of the GPL, this software is released subject to the terms of the GPL, blah blah blah, no warranty including merchantability or suitability to a particular purpose, blah blah blah, will fuck up your computer and its not my fault, blah blah.

Tagged as: libpcap, Migrated from Drupal, mungecap, projects, tcpdump, tech diary, winpcap, wireshark No Comments

Recent twitter activity

only good thing about turning 30: all my family here to help console me.
Attention Census workers: GET OFF MY LAWN! That is all.
The libertarian movement has no greater recruiting tool than the Virginia DMV
5 of 9 supremes think 2A is incorporated against the states. yay! Dick Daley, go fuck yourself.
Pizza and whiskey have never tasted so good as they will tonight...
discovering just what happens when you consume too much sorbitol. hint: nothing good
I'm at Clyde's of Reston (11905 Market St, Reston). http://4sq.com/65fETG
software engineering: designing awesome software, discovering your tools won't let you build it, then building mediocre new software instead
reg-free COM with .net com interop: such a pain in the ass, you'll probably give up and use the registry instead http://bit.ly/9Y4NDS
Yay, I found a bug in the Visual C++ 2010 compiler http://bit.ly/cXtK9p

apocryph.org Notes to my future self

MungeCap, a quick and dirty capture file merging/filtering tool

Recent twitter activity

Delicious Bookmarks

Recent Posts

Meta

Current Location