What is pcap format?

Girish Venkatachalam
Aug 4, 2023


An evaluation of tcpdump, wireshark and packet capture

My Spanish telemedicine project

I had to construct a VP8 format video of two streams corresponding to a video call between two people some 6 years ago.

I had the network capture of the video call, and it was my job to reconstruct the video. I ran the capture through Wireshark and could find the VP8 packets, but getting the video out of it was a really big challenge, which I eventually solved using GStreamer plugins.

Getting GStreamer to compile with all the right plugins for the pipeline was difficult and boring, but it led to a beautiful end result: being able to watch the video from the capture. This project took some 4 months, but all's well that ends well in tech.

What is pcap?

I was given a network capture file, or a pcap file. A pcap file holds an offline network capture: packets saved to disk so they can be read back later. You invoke tcpdump on it like this:

# tcpdump -r foo.pcap

instead of

# tcpdump -ni eth0

What happens is that packets from some other network, far away and from some other point in time, are frozen in the capture file, and we can read them in the present as though we had a time machine.
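As an added example, not code from the original post, here is a small Python parser for the classic pcap container format that tcpdump -r reads: a 24-byte global header (magic number, version, snaplen, link type) followed by one 16-byte record header plus the captured bytes for each packet. The sample capture bytes are constructed inline, and the EtherType helper assumes link type 1 (Ethernet).

```python
import struct
from typing import NamedTuple

# Magic number as read little-endian from the first 4 bytes -> (byte order, timestamp divisor)
MAGIC = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanosecond timestamps
}

class Record(NamedTuple):
    ts: float       # capture time, seconds since the epoch
    incl_len: int   # bytes saved in the file (capped by snaplen)
    orig_len: int   # bytes that were actually on the wire
    data: bytes

def parse_pcap(buf: bytes):
    """Parse an in-memory classic pcap file into (global header dict, list of Record)."""
    if len(buf) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", buf[:4])[0]
    if magic not in MAGIC:
        raise ValueError(f"not a pcap file: magic {magic:#010x}")
    endian, ts_div = MAGIC[magic]
    _, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", buf[:24])
    records, off = [], 24
    while off + 16 <= len(buf):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", buf[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(buf):  # record lies about its length
            raise ValueError(f"bad record header at offset {off - 16}: incl_len={incl_len}")
        records.append(Record(ts_sec + ts_frac / ts_div, incl_len, orig_len, buf[off:off + incl_len]))
        off += incl_len
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing bytes after the last record")
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}, records

def ethertype(frame: bytes) -> int:
    """EtherType of a linktype-1 (Ethernet) frame, or 0 if the frame is too short."""
    return struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else 0

def build_sample_pcap() -> bytes:
    """Constructed two-frame capture (not a real trace): little-endian, snaplen 42, Ethernet."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 42, 1)
    ipv4 = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x45" + b"\x00" * 19  # 34 B
    arp = bytes.fromhex("ffffffffffff" "020000000002" "0806") + b"\x00" * 28            # 42 B
    rec1 = struct.pack("<IIII", 1691107200, 123456, len(ipv4), len(ipv4)) + ipv4
    rec2 = struct.pack("<IIII", 1691107201, 500, len(arp), 60) + arp  # 60 on the wire, 42 saved
    return hdr + rec1 + rec2
```

The second record shows why incl_len and orig_len are separate fields: a snaplen shorter than the frame means the file keeps only the first bytes, and the parser refuses files whose records claim more bytes than the file actually contains.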

How does tcpdump work?

Basically Wireshark, tcpdump, tshark and friends all work on top of the underlying pcap, or libpcap, capture facility that the Linux kernel exports. In case you are wondering, Wireshark is graphical and also works really well on Windows machines for capturing network packets.

This facility is also known as BPF, the Berkeley Packet Filter. The idea is that we can read network packets just as we read poetry or English text.

The tools help us filter out unwanted noise and let us focus on the particular traffic, protocol or endpoints we care about.

Filtering is used to narrow down to only the traffic we are interested in. The network is a very busy place with all sorts of conversations going on, and we pick out the conversations that interest us.

In order to do that, the BPF syntax defines a very detailed grammar that helps us zero in on what we need and ignore the rest.

How to use it?

libpcap on Linux is pretty comprehensive and you can use it in various ways. I prefer to simply run tcpdump, and that will take care of the traffic we care about. We could be scanning for any protocol of our choice:

  • sdp
  • https
  • rtp
  • dns
  • cifs

We could be looking for any network protocol whose headers are known. Wireshark and tcpdump already print the headers out for us when given the appropriate switches.

It is in these situations that a graphical interface goes a really long way, even on Linux.

With the packet details collapsed, we can click the + sign to expand each header's fields, and it becomes trivial to figure out what is going on in your network.

Even as a tool for surveillance and intrusion detection, this is a solid approach to figuring out who is using our network and for what purpose.

Grammar

The filter syntax used by pcap is very simple. It is documented in the pcap-filter(7) man page.

Some samples:

# tcpdump -r cap.txt host 2.3.4.5
# tcpdump -i wlan0 icmp
# tcpdump -i eth0 tcp port 80
# tcpdump ah

You can combine primitives with and, or and not to narrow down to the traffic of interest and block out the rest.

Wireshark and tshark

The tool I use is tcpdump. It has no graphics. tshark is similar. Wireshark is what you use on a graphical display, but Wireshark also expects you to come up with a filter expression.

If you look at a handful of Wireshark captures of your network, you will never look at Linux the same way again. You will get a rich overview of what is going on under the hood of the Internet, the network of networks.

Conclusion

The ability to figure out networking is key for Linux survival. Yesterday we saw editing with Vim. You need to be a master of networking, editing and command-line tools if you are to survive on Linux for long and become a guru.


Author of Photoveda image editor Chrome plugin, SDK, API. Vim fanatic. Solopreneur for 19 years. Love coding in Python (Jupyter notebook). Linux fanatic.