Packet capture is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is stored temporarily so that it can be analyzed. The packet is inspected to help diagnose and solve network problems and to determine whether network security policies are being followed.
How can it be used
Development: testing and validating an application, and reverse engineering how an app talks to its API.
Network administration: seeing what traffic goes on in the background and looking for malicious traffic on the network. Data capturing is used to identify security flaws and breaches by determining the point of intrusion.
Troubleshooting: managed through data capturing, troubleshooting detects the occurrence of undesired events over a network and helps solve them. If the network administrator has full access to a network resource, he can access it remotely and troubleshoot any issues.
Security: the DEF CON Wall of Sheep, which displays credentials sniffed from cleartext protocols on the conference network. Hackers can also use packet capturing techniques to steal data that is being transmitted over a network, such as credentials. When data is stolen, the network administrator can retrieve the stolen or lost information easily using data capturing techniques.
Forensics: packet captures support forensics for crime investigations. Whenever viruses, worms or other intrusions are detected in computers, the network administrator determines the extent of the problem. After initial analysis, she may block some segments and network traffic in order to save historical information and network data.
What is libpcap
libpcap is the packet capture library used by tcpdump and similar tools; its capture flow involves copying packet data from the kernel to user space. The program below opens a device, captures a single packet and prints its lengths.
#include <stdio.h>
#include <time.h>
#include <pcap.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>

void print_packet_info(const u_char *packet, struct pcap_pkthdr packet_header);

int main(int argc, char *argv[]) {
    char *device;
    char error_buffer[PCAP_ERRBUF_SIZE];
    pcap_t *handle;
    const u_char *packet;
    struct pcap_pkthdr packet_header;
    int promiscuous = 1;        /* third argument of pcap_open_live() is the promiscuous flag, not a packet count */
    int timeout_limit = 10000;  /* read timeout, in milliseconds */

    /* Pick a default capture device (deprecated in newer libpcap; pcap_findalldevs() is the replacement) */
    device = pcap_lookupdev(error_buffer);
    if (device == NULL) {
        printf("Error finding device: %s\n", error_buffer);
        return 1;
    }

    /* Open device for live capture; BUFSIZ is the snapshot length (bytes kept per packet) */
    handle = pcap_open_live(
        device,
        BUFSIZ,
        promiscuous,
        timeout_limit,
        error_buffer
    );
    if (handle == NULL) {
        printf("Error opening device %s: %s\n", device, error_buffer);
        return 1;
    }

    /* Attempt to capture one packet. If there is no network traffic
       and the timeout is reached, it will return NULL */
    packet = pcap_next(handle, &packet_header);
    if (packet == NULL) {
        printf("No packet found.\n");
        pcap_close(handle);
        return 2;
    }

    /* Our function to output some info */
    print_packet_info(packet, packet_header);
    pcap_close(handle);
    return 0;
}

void print_packet_info(const u_char *packet, struct pcap_pkthdr packet_header) {
    /* caplen is what was actually saved; len is the size on the wire. caplen < len means the snaplen truncated it */
    printf("Packet capture length: %u\n", packet_header.caplen);
    printf("Packet total length: %u\n", packet_header.len);
}
Debug Tools
# Older versions of tcpdump truncate packets to 68 or 96 bytes.
# If this is the case, use -s to capture full-sized packets:
$ tcpdump -i <interface> -s 65535 -w <some-file>

# A packet capturing tool similar to tcpdump for Solaris:
$ snoop -r -o arp11.snoop -q -d nxge0 -c 150000
snoop uses both the network packet filter and streams buffer modules to provide efficient capture of packets from the network. Captured packets can be displayed as they are received, or saved to a file for later inspection.
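As an added example, not code from the original notes or from libpcap, here is the decoding step that follows the capture shown above: it reads the Ethernet and IPv4 headers of one captured frame, flags a frame whose caplen is smaller than len (the truncation the tcpdump -s note is about), and never reads past caplen. The cap_hdr struct, summarize_ipv4 function and the sample frame are constructed for this example and are not libpcap APIs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
/* The two pcap_pkthdr fields the libpcap program above prints (no libpcap needed here). */
struct cap_hdr { uint32_t caplen; uint32_t len; };

struct ipv4_summary {
    int truncated;              /* caplen < len: the snaplen cut the packet short */
    int is_ipv4;
    uint8_t protocol;           /* 6 = TCP, 17 = UDP, 1 = ICMP */
    char src[INET_ADDRSTRLEN];
    char dst[INET_ADDRSTRLEN];
};

/* Decode the Ethernet and IPv4 headers of one captured frame. Returns 0 on success,
 * -1 if the captured bytes cannot hold the headers they claim, so a short capture
 * is reported instead of being read past its end. */
int summarize_ipv4(const uint8_t *pkt, struct cap_hdr hdr, struct ipv4_summary *out) {
    memset(out, 0, sizeof *out);
    out->truncated = hdr.caplen < hdr.len;
    if (hdr.caplen < 14) return -1;                       /* incomplete Ethernet header */
    uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype != 0x0800) return 0;                    /* not IPv4: is_ipv4 stays 0 */
    const uint8_t *ip = pkt + 14;
    if (hdr.caplen < 14 + 20 || (ip[0] >> 4) != 4) return -1;
    uint32_t ihl = (ip[0] & 0x0f) * 4;                    /* header length incl. options */
    if (ihl < 20 || hdr.caplen < 14 + ihl) return -1;
    out->is_ipv4 = 1;
    out->protocol = ip[9];
    inet_ntop(AF_INET, ip + 12, out->src, sizeof out->src);
    inet_ntop(AF_INET, ip + 16, out->dst, sizeof out->dst);
    return 0;
}

/* Constructed sample frame (not a real capture): Ethernet + 20-byte IPv4 header of a
 * TCP packet 10.0.0.1 -> 10.0.0.2; the TCP header itself was cut off by the snaplen. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,          /* IPv4, TCP */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02                                /* src, dst */
};

int main(void) {
    struct ipv4_summary s;
    struct cap_hdr hdr = { sizeof sample_frame, 54 };     /* 54 bytes on the wire, 34 captured */
    if (summarize_ipv4(sample_frame, hdr, &s) == 0 && s.is_ipv4)
        printf("%s -> %s proto %u%s\n", s.src, s.dst, s.protocol, s.truncated ? " (truncated: raise the snaplen)" : "");
    return 0;
}
```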