[Haskell-cafe] Reading pcap

Neil Davies semanticphilosopher at gmail.com
Wed Oct 12 17:49:35 CEST 2011


There is a pcap library - it is a bit of overkill if all you are trying to do is read pcap files.

I have an (internal - could be made external to the company) library that does this sort of thing: it reads the pcap file using Binary and does the appropriate re-ordering of the bytes within the words depending on the pcap endianness.

Neil

On 12 Oct 2011, at 16:38, mukesh tiwari wrote:

> Hello all 
> I was going through Wireshark and read this pcap file in Wireshark. I wrote a simple Haskell file which reads the pcap file and displays its contents; however, it looks completely different from Wireshark. When I run this program, it does not produce anything, and when I press ^C (Ctrl-C) it produces output.
> 
> output for given file 
> ^C0xd4 0xc3 0xb2 0xa1 0x02 0x00 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xff 0x00 0x00 0x01 0x00 0x00 0x00 0x0b 0xd4 0x9e 0x43 0x41 0x38 0x01 0x00 0x3c 0x00 0x00 0x00 0x3c 0x00 0x00 0x00 0x00 0x04 0x76 0xdd 0xbb 0x3a 0x00 0x04 0x75 0xc7 0x87 0x49 0x08 0x00 0x45 0x00 0x00 0x28 0x1a 0x6a 0x40 0x00 0x40 0x88 0x6f 0x71 0x8b 0x85 0xcc 0xb0 0x8b 0x85 0xcc 0xb7 0x80 0x00 0x04 0xd2 0x00 0x00 0x38 0x45 0x68 0x65 0x6c 0x6c 0x6f 0x20 0x77 0x6f 0x72 0x6c 0x64 0x00 0x00 0x00 0x00 0x00 0x00 
> 
> The values displayed in wireshark 
> 0000  00 04 76 dd bb 3a 00 04  75 c7 87 49 08 00 45 00   ..v..:.. u..I..E.
> 0010  00 28 1a 6a 40 00 40 88  6f 71 8b 85 cc b0 8b 85   .(.j@.@. oq......
> 0020  cc b7 80 00 04 d2 00 00  38 45 68 65 6c 6c 6f 20   ........ 8Ehello 
> 0030  77 6f 72 6c 64 0a 00 00  00 00 00 00               world... ....    
> 
> 
> 
> import Data.Char
> import Data.List
> import System.IO
> import Text.Printf
> import Control.Monad
> 
> 
> 
> fileReader :: Handle -> IO ()
> fileReader h = do
>         t <- hIsEOF h
>         if t  then return ()
>          else do
>                 tmp <- hGetLine h
>                 forM_  tmp (  printf "0x%02x " )         
>         fileReader h    
> 
> main = do 
>         l <- openBinaryFile "udp_lite_full_coverage_0.pcap" ReadMode
>         fileReader l 
>         print "end"
> 
> I am simply trying to write a Haskell script which produces the same interpretation of a pcap packet as Wireshark (at least for UDP packets). Could someone please give me a road map for approaching this? A general guideline for this project: what to read that could be helpful, which Haskell library to use, or anything else you think is useful.
> 
> Regards 
> Mukesh Tiwari
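
The approach described in the reply (read the file with Binary and pick the byte order from the pcap magic), as an added example that is not part of the original thread and is not the internal library mentioned there. All names are hypothetical; it assumes the classic microsecond pcap format and the `binary` and `bytestring` packages, and it uses the bytes posted in the question as sample input.

```haskell
import Control.Monad (forM_, replicateM, when)
import Data.Binary.Get
import qualified Data.ByteString as B
import qualified Data.ByteString.Lazy as BL
import Data.Word (Word32)
import Text.Printf (printf)

-- 24-byte global header: the magic number selects the 32-bit reader.
globalHeader :: Get (Get Word32, Word32)
globalHeader = do
  magic <- getWord32be
  w32 <- case magic of
    0xa1b2c3d4 -> return getWord32be
    0xd4c3b2a1 -> return getWord32le   -- byte-swapped magic: little-endian writer
    _          -> fail (printf "unsupported magic 0x%08x" magic)
  skip 12                              -- version (2+2 bytes), thiszone, sigfigs
  snaplen <- w32 <* skip 4             -- snaplen, then skip linktype
  return (w32, snaplen)

-- 16-byte record header; incl_len comes from the file, so bound it before reading.
record :: Get Word32 -> Word32 -> Get (Word32, Word32, B.ByteString)
record w32 snaplen = do
  [sec, usec, incl, _origLen] <- replicateM 4 w32
  when (incl > snaplen) $ fail "incl_len exceeds snaplen"
  pkt <- getByteString (fromIntegral incl)
  return (sec, usec, pkt)

pcap :: Get [(Word32, Word32, B.ByteString)]
pcap = do
  (w32, snaplen) <- globalHeader
  let loop = isEmpty >>= \done ->
        if done then return [] else (:) <$> record w32 snaplen <*> loop
  loop

-- Sample input: headers from the post's program output, packet from its Wireshark dump.
sample :: BL.ByteString
sample = BL.pack
  [ 0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0
  , 0x0b,0xd4,0x9e,0x43, 0x41,0x38,1,0, 0x3c,0,0,0, 0x3c,0,0,0
  , 0x00,0x04,0x76,0xdd,0xbb,0x3a,0x00,0x04,0x75,0xc7,0x87,0x49,0x08,0x00,0x45,0x00
  , 0x00,0x28,0x1a,0x6a,0x40,0x00,0x40,0x88,0x6f,0x71,0x8b,0x85,0xcc,0xb0,0x8b,0x85
  , 0xcc,0xb7,0x80,0x00,0x04,0xd2,0x00,0x00,0x38,0x45,0x68,0x65,0x6c,0x6c,0x6f,0x20
  , 0x77,0x6f,0x72,0x6c,0x64,0x0a,0x00,0x00,0x00,0x00,0x00,0x00 ]

main :: IO ()
main = case runGetOrFail pcap sample of
  Left (_, off, err) -> printf "parse error at byte %d: %s\n" off err
  Right (_, _, ps) -> forM_ ps $ \(sec, usec, pkt) ->
    printf "%d.%06d %s\n" sec usec (concatMap (printf "%02x ") (B.unpack pkt) :: String)
```

A truncated file or a record whose `incl_len` exceeds the header's snaplen ends in the `Left` branch with the byte offset, instead of a partial read being treated as a packet.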
