
Parsing PCAPs in LabVIEW

Not too long ago I wrote a very simple parser to read the data packets out of a PCAP created by Wireshark.  It was simple, but it worked.  But then someone gave me a PCAP created by TShark and my parser couldn't do anything with it.  I searched the internet for the TShark data structure and it's not that different from Wireshark; however, there's a decent amount of PC metadata in the header which is not specified in any document I've read, and I can't find any common values in the header that would suggest it knows the next X characters are metadata.  And I also realized that I was just parsing and assuming the PCAPs given to me were all UDP, but what if there's other traffic in that PCAP?  So my simple parser suddenly felt very lacking.  Instead of sinking a ton of work into something created in other languages, I was wondering if anyone had a DLL suggestion that can parse PCAPs, can be instructed to just spit out UDP, and spits out ALL the data packets as either a string or a U8 array.  Really hoping here.  Would be extremely helpful.

Message 1 of 6

Have you tried accessing the TShark files in Wireshark? Any difference?

What is the data parsing method you have tried for reading Wireshark PCAP files?

Also, can you share the TShark PCAP files here?

----------------------------------------------------------------------------------------------------------------
Palanivel Thiruvenkadam | பழனிவேல் திருவெங்கடம்
LabVIEW™ Champion |Certified LabVIEW™ Architect |Certified TestStand Developer

Kidlin's Law - If you can write the problem down clearly then the matter is half solved.
-----------------------------------------------------------------------------------------------------------------
Message 2 of 6

@PalanivelThiruvenkadam wrote:

Have you tried accessing the TShark files in Wireshark? Any difference?

Yes.  Looks exactly the same in terms of viewing in Wireshark.

@PalanivelThiruvenkadam wrote:

What is the data parsing method you have tried for reading Wireshark PCAP files?

It was a custom one I made.  Following the Wireshark PCAP header guidelines that you can find on the internet, I made a parser that was pretty accurate when it came to UDP packets (I only read UDP).

@PalanivelThiruvenkadam wrote:

Also, can you share the TShark PCAP files here?

I've posted a couple of images and I'll detail what's going on.

Circled in red is the "magic phrase" that describes some details about the header and the endianness of the data.  According to the internet, this should be the very first thing in the header for both TShark and Wireshark.  As you can see, it is not.  But Wireshark is still able to pull in the TShark PCAP and read it just fine.

[Image: DailyDose_0-1688406978692.png]

You will also notice in the following image, circled in red, the network/PC metadata (this data is within the header).  You'll notice this data is not present in the Wireshark PCAP.  I've looked through the internet for a TShark explanation and I am coming up dry.  So, at this point... just give me a pre-existing PCAP reader.

[Image: DailyDose_0-1688407161833.png]

Message 3 of 6
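An added example, not code from this thread or from NI: a small pure-Python reader for the classic libpcap format that detects the magic number (both byte orders plus the nanosecond variant), validates record lengths, keeps only IPv4/UDP payloads as the original post asked, and refuses files that start with the pcapng Section Header Block instead of a pcap magic. That last case is my assumption about the TShark file: tshark writes pcapng by default, whose header blocks carry exactly the kind of host metadata shown in the second screenshot, and Wireshark's own editcap can convert it (editcap -F pcap in.pcapng out.pcap). The sample capture, addresses, ports and "hello" payload are constructed inline for the demonstration.

```python
import socket, struct
PCAP_MAGICS = {  # magic -> (struct byte order, timestamp-fraction ticks per second)
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # first four bytes of a pcapng file (Section Header Block type)

def pcap_records(data):
    """Yield (timestamp, frame_bytes) from a classic libpcap blob of either endianness."""
    magic = data[:4]
    if magic not in PCAP_MAGICS:  # pcapng (tshark's default) starts with the SHB type instead
        raise ValueError("not classic pcap; magic " + magic.hex() + (" = pcapng" if magic == PCAPNG_SHB else ""))
    order, tick = PCAP_MAGICS[magic]
    snaplen, linktype = struct.unpack(order + "II", data[16:24])  # last two fields of the 24-byte header
    if linktype != 1:  # LINKTYPE_ETHERNET; other link types need a different frame decoder
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):  # never trust file-supplied lengths
            raise ValueError("corrupt or truncated record at offset %d" % off)
        yield ts_sec + ts_frac / tick, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def udp_payloads(data):
    """Return [(src_ip, sport, dst_ip, dport, payload)] for IPv4/UDP frames; other traffic is skipped."""
    out = []
    for _ts, frame in pcap_records(data):
        ip = frame[14:]  # strip the 14-byte Ethernet header
        ihl = (ip[0] & 0x0F) * 4 if ip else 0  # IPv4 header length in bytes
        # keep only EtherType 0x0800 (IPv4) carrying protocol 17 (UDP) with a full 8-byte UDP header
        if frame[12:14] != b"\x08\x00" or ihl < 20 or len(ip) < ihl + 8 or ip[9] != 17:
            continue
        sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
        if ulen < 8 or ihl + ulen > len(ip):
            continue  # bogus UDP length field
        out.append((socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport,
                    bytes(ip[ihl + 8:ihl + ulen])))
    return out

def build_sample_pcap():  # constructed input: little-endian pcap, one UDP frame and one TCP frame
    def frame(proto, l4):  # Ethernet + IPv4 header (checksums left zero) + transport segment
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4
        return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
    udp = struct.pack("!HHHH", 5000, 5001, 8 + 5, 0) + b"hello"
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame(17, udp), frame(6, b"\x00" * 20)):
        data += struct.pack("<IIII", 1688406978, 0, len(f), len(f)) + f
    return data
```

Calling udp_payloads(open("capture.pcap", "rb").read()) gives the same (src, sport, dst, dport, payload) tuples for a real classic pcap; the payload bytes map directly onto a LabVIEW U8 array.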

Do you think anything in this link could be of use to you?

Bill
CLD
(Mid-Level minion.)
My support system ensures that I don't look totally incompetent.
Proud to say that I've progressed beyond knowing just enough to be dangerous. I now know enough to know that I have no clue about anything at all.
Humble author of the CLAD Nugget.
Message 4 of 6

I had been using those commands to do the TShark stuff... but while I was reading, I noticed the -R/-r commands and the details it gave about that.  Which prompted me to go to Wireshark forums and ask them.  So we'll see what they say about those commands and if they can be helpful.

Message 5 of 6

@DailyDose wrote:

I had been using those commands to do the TShark stuff... but while I was reading, I noticed the -R/-r commands and the details it gave about that.  Which prompted me to go to Wireshark forums and ask them.  So we'll see what they say about those commands and if they can be helpful.

Unfortunately I don't know very much about tshark.  Good luck!  🙂

Message 6 of 6