
> I mentioned really briefly that tcpdump lets you save pcap files. This is awesome because literally every network analysis tool in the universe understands pcap files. pcap files are like freshly baked chocolate chip cookies. Everybody loves them.

OMG, yes, very well put. When I get a bug report with a pcap file I'm happy because I know I'll be able to see exactly what happened.

Speaking of which: for one of my libraries, I want to make a diagnostic tool that replays an interaction. My library mostly operates at the TCP level (also some UDP), so I need to reconstruct the TCP flows in my tool to feed to my library. Either I need an easy-to-use Rust library to do that directly from pcap files [1] or some format that represents bytes moving over the flow (like sets of lines with a timestamp, flow id, and pretty hexdump of the bytes) with a tool that produces it from pcap. This seems like something that should exist? Wireshark's "Analyze > Follow > TCP Stream"’s "Save As…", "entire stream", "hex dump" is kind of what I want, but it doesn't have timestamps, and it doesn't have a way to put everything (multiple flows, UDP packets also) in one file. Seems like there should be something under "Export Packet Dissections" [2] but I haven't found quite the right thing there either.

[1] https://crates.io/crates/pnet looks promising but it wasn't as obvious as I hoped how to plug it in for what I want.

[2] https://www.wireshark.org/docs/wsug_html_chunked/ChIOExportS...



Now I know that some people get pcap files with bug reports and I'm jealous



Does that help? I don't want to replay the packets on a network. Instead, I want to feed them to my library without having to deal with reconstructing the TCP stream from the packets myself. I don't see anything for that in that suite.

tcpflow (mentioned in another thread here) seems much closer in that it does reconstruct TCP flows from pcap, but it doesn't timestamp stuff (it'd be nice to have an idea if some client->server data or some server->client data came first as well as just relate to timeouts), and I'd prefer to put everything in one file (both directions of TCP data, UDP packets).

Maybe I "just" need to figure out that Rust library I mentioned in the grandparent, and maybe create my own intermediate format that has just the data I want for my library. (I can discard TCP retransmissiony stuff, MACs, etc. to focus on what a library sees through the kernel socket interfaces.)
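What the two comments above are asking for (timestamped, flow-tagged application bytes for both TCP directions in one place, with retransmissions and link-layer detail stripped away, in Rust) is small enough to write without pnet or a pcap crate. The following is an added example, not code from this thread, from pnet, tcpflow or Wireshark: it parses the classic pcap container directly, reassembles TCP payload per direction by sequence number, and emits one record per delivered chunk. Everything in it is an assumption of the example: little-endian classic pcap rather than pcapng, Ethernet link type, IPv4 with no VLAN tags or fragments, no sequence-number wraparound, and the constructed frames used as input, which are not a real capture.

```rust
// Added example (not code from the HN thread, pnet, tcpflow or Wireshark): a
// dependency-free pcap reader that emits timestamped, flow-tagged TCP payload in
// delivery order, roughly what a socket hands the application. Assumptions:
// classic little-endian pcap (not pcapng), Ethernet, IPv4 without VLAN tags or
// fragments, no TCP sequence-number wraparound.
use std::collections::{BTreeMap, HashMap};

type Endpoint = ([u8; 4], u16);

/// One chunk of TCP payload. `ts` is the capture time of the packet that made the
/// bytes deliverable; `flow` is shared by both directions of one conversation.
#[derive(Debug, Clone, PartialEq)]
pub struct Record { pub ts: f64, pub flow: usize, pub src: Endpoint, pub dst: Endpoint, pub data: Vec<u8> }

#[derive(Default)]
struct Dir { next_seq: Option<u32>, pending: BTreeMap<u32, Vec<u8>> } // state of one TCP direction
#[derive(Default)]
pub struct Reassembler { flows: HashMap<(Endpoint, Endpoint), usize>, dirs: HashMap<(Endpoint, Endpoint), Dir> }

fn u16be(b: &[u8]) -> u16 { u16::from_be_bytes([b[0], b[1]]) }
fn u32be(b: &[u8]) -> u32 { u32::from_be_bytes([b[0], b[1], b[2], b[3]]) }
fn u32le(b: &[u8]) -> u32 { u32::from_le_bytes([b[0], b[1], b[2], b[3]]) }

impl Reassembler {
    fn flow_id(&mut self, a: Endpoint, b: Endpoint) -> usize { // same id for both directions
        let (key, n) = (if a <= b { (a, b) } else { (b, a) }, self.flows.len());
        *self.flows.entry(key).or_insert(n)
    }

    fn feed(&mut self, ts: f64, frame: &[u8], out: &mut Vec<Record>) {
        if frame.len() < 34 || u16be(&frame[12..14]) != 0x0800 { return; } // IPv4 over Ethernet II only
        let ip = &frame[14..];
        let (ihl, total) = ((ip[0] & 0x0f) as usize * 4, u16be(&ip[2..4]) as usize);
        if ip[0] >> 4 != 4 || ihl < 20 || total < ihl + 20 || total > ip.len() || ip[9] != 6 { return; }
        let tcp = &ip[ihl..total];
        let src = ([ip[12], ip[13], ip[14], ip[15]], u16be(&tcp[0..2]));
        let dst = ([ip[16], ip[17], ip[18], ip[19]], u16be(&tcp[2..4]));
        let (seq, doff, flags) = (u32be(&tcp[4..8]), (tcp[12] >> 4) as usize * 4, tcp[13]);
        if doff < 20 || doff > tcp.len() { return; }
        let flow = self.flow_id(src, dst);
        let dir = self.dirs.entry((src, dst)).or_default();
        if flags & 0x02 != 0 { // SYN consumes one sequence number and (re)starts the direction
            *dir = Dir { next_seq: Some(seq.wrapping_add(1)), pending: BTreeMap::new() };
            return;
        }
        if doff == tcp.len() { return; } // pure ACK, nothing to deliver
        if dir.next_seq.is_none() { dir.next_seq = Some(seq); } // capture started mid-stream
        let slot = dir.pending.entry(seq).or_default();
        if tcp.len() - doff > slot.len() { *slot = tcp[doff..].to_vec(); }
        loop { // deliver every buffered segment that is now contiguous with the expected seq
            let exp = dir.next_seq.unwrap();
            let s = match dir.pending.range(..=exp).next() { Some((&s, _)) => s, None => break };
            let seg = dir.pending.remove(&s).unwrap();
            let skip = (exp - s) as usize; // bytes below `exp` were delivered already: retransmission
            if skip >= seg.len() { continue; } // whole segment is a duplicate
            dir.next_seq = Some(exp + (seg.len() - skip) as u32);
            out.push(Record { ts, flow, src, dst, data: seg[skip..].to_vec() });
        }
    }
}

/// Parse a classic pcap file: 24-byte global header, then 16-byte record headers.
pub fn records_from_pcap(pcap: &[u8]) -> Result<Vec<Record>, String> {
    if pcap.len() < 24 { return Err("short pcap header".into()); }
    let ts_div = match u32le(&pcap[0..4]) { 0xa1b2c3d4 => 1e6, 0xa1b23c4d => 1e9, m => return Err(format!("unsupported magic {:#x}", m)) };
    if u32le(&pcap[20..24]) != 1 { return Err("only DLT_EN10MB (Ethernet) handled".into()); }
    let (mut ra, mut out, mut pos) = (Reassembler::default(), Vec::new(), 24);
    while let Some(h) = pcap.get(pos..pos + 16) {
        let (ts, len) = (u32le(&h[0..4]) as f64 + u32le(&h[4..8]) as f64 / ts_div, u32le(&h[8..12]) as usize);
        ra.feed(ts, pcap.get(pos + 16..pos + 16 + len).ok_or("truncated packet record")?, &mut out);
        pos += 16 + len;
    }
    Ok(out)
}

/// Constructed test input (not a real capture): Ethernet/IPv4/TCP frame, no options, checksums zero.
pub fn tcp_frame(src: Endpoint, dst: Endpoint, seq: u32, flags: u8, payload: &[u8]) -> Vec<u8> {
    let total = (40 + payload.len()) as u16;
    let mut f = vec![0u8; 12]; // dummy MAC addresses, then EtherType and the IPv4 header
    f.extend_from_slice(&[0x08, 0x00, 0x45, 0, (total >> 8) as u8, total as u8, 0, 0, 0, 0, 64, 6, 0, 0]);
    f.extend_from_slice(&src.0); f.extend_from_slice(&dst.0); f.extend_from_slice(&src.1.to_be_bytes());
    f.extend_from_slice(&dst.1.to_be_bytes()); f.extend_from_slice(&seq.to_be_bytes());
    f.extend_from_slice(&[0, 0, 0, 0, 0x50, flags, 0xff, 0xff, 0, 0, 0, 0]); // ack, data offset 5, flags, window
    f.extend_from_slice(payload); f
}

/// Constructed test input: wrap frames in a classic little-endian pcap with microsecond timestamps.
pub fn pcap_file(frames: &[(f64, Vec<u8>)]) -> Vec<u8> {
    let mut p = 0xa1b2c3d4u32.to_le_bytes().to_vec(); // then v2.4, tz 0, sigfigs 0, snaplen 65535, DLT_EN10MB
    p.extend_from_slice(&[2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0, 1, 0, 0, 0]);
    for (ts, f) in frames {
        let (sec, usec) = (ts.floor() as u32, ((ts - ts.floor()) * 1e6).round() as u32);
        for v in [sec, usec, f.len() as u32, f.len() as u32].iter() { p.extend_from_slice(&v.to_le_bytes()); }
        p.extend_from_slice(f);
    }
    p
}

/// Constructed scenario: handshake, early and retransmitted segments, and a second conversation.
pub fn sample_records() -> Vec<Record> {
    let (c, s, s2) = (([10, 0, 0, 1], 40000), ([10, 0, 0, 2], 443), ([10, 0, 0, 3], 8080));
    records_from_pcap(&pcap_file(&[
        (10.0, tcp_frame(c, s, 1000, 0x02, b"")),       // SYN: next expected seq is 1001
        (10.25, tcp_frame(c, s, 1001, 0x18, b"GET /")), // in order
        (10.5, tcp_frame(s, c, 5001, 0x18, b"OK")),     // reply direction, no SYN-ACK captured: mid-stream
        (11.0, tcp_frame(c, s, 1009, 0x18, b"DEF")),    // arrives before ABC: held back
        (11.5, tcp_frame(c, s, 1006, 0x18, b"ABC")),    // fills the gap, releases DEF too
        (12.0, tcp_frame(c, s, 1006, 0x18, b"ABC")),    // full retransmission: dropped
        (12.5, tcp_frame(c, s, 1010, 0x18, b"EFGH")),   // overlaps delivered bytes: only GH is new
        (13.0, tcp_frame(c, s2, 777, 0x18, b"hi")),     // different conversation: new flow id
    ])).expect("constructed pcap is well-formed")
}
```

Two design points worth noting. A segment that arrived early is stamped with the time of the packet that finally made it deliverable, which is when a socket would have handed it over and therefore the ordering a library actually observed; if you want wire arrival times instead, keep the original packet time alongside. And if you only need per-packet output rather than reassembled streams, Wireshark's CLI already produces the "timestamp, flow id, hex bytes" shape: `tshark -r capture.pcap -T fields -e frame.time_epoch -e tcp.stream -e tcp.payload` (with `udp.stream` and `udp.payload` for datagrams), with the caveat that retransmitted and out-of-order segments show up as-is.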


   tcpflow stores all captured data in files that have names of the form:

   [timestampT]sourceip.sourceport-destip.destport[--VLAN][cNNNN]
   where: timestamp is an optional timestamp of the time that the first packet was seen
https://github.com/simsong/tcpflow/blob/master/doc/tcpflow.1...

   .B t
   Prepends each filename with a Unix timestamp (seconds since epoch).
   .B T
   Prepends each filename with an ISO-8601 timestamp.



