[Haskell-cafe] Reading pcap
mukesh tiwari
mukeshtiwari.iiitm at gmail.com
Wed Oct 12 17:38:07 CEST 2011
Hello all
I was going through Wireshark and read this
pcap <http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=udp_lite_full_coverage_0.pcap> file
in Wireshark. I wrote a simple Haskell file which reads the pcap file and
displays its contents; however, it looks completely different from Wireshark.
When I run this program, it does not produce anything, and when I press ^C
(CTRL-C) it produces output.
Output for the given file:
^C*0xd4 0xc3 0xb2 0xa1 0x02 0x00 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0xff 0xff 0x00 0x00 0x01 0x00 0x00 0x00 0x0b 0xd4 0x9e 0x43 0x41
0x38 0x01 0x00 0x3c 0x00 0x00 0x00 0x3c 0x00 0x00 0x00 *0x00* *0x04 0x76
0xdd 0xbb 0x3a 0x00 0x04 0x75 0xc7 0x87 0x49 0x08 0x00 0x45 0x00 0x00 0x28
0x1a 0x6a 0x40 0x00 0x40 0x88 0x6f 0x71 0x8b 0x85 0xcc 0xb0 0x8b 0x85 0xcc
0xb7 0x80 0x00 0x04 0xd2 0x00 0x00 0x38 0x45 0x68 0x65 0x6c 0x6c 0x6f 0x20
0x77 0x6f 0x72 0x6c 0x64 0x00 0x00 0x00 0x00 0x00 0x00
The values displayed in wireshark
0000 00 04 76 dd bb 3a 00 04 75 c7 87 49 08 00 45 00 ..v..:.. u..I..E.
0010 00 28 1a 6a 40 00 40 88 6f 71 8b 85 cc b0 8b 85 .(.j@.@. oq......
0020 cc b7 80 00 04 d2 00 00 38 45 68 65 6c 6c 6f 20 ........ 8Ehello
0030 77 6f 72 6c 64 0a 00 00 00 00 00 00 world... ....
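import Data.Char
import Data.List
import Text.Printf
import Control.Monad
import System.IO  -- Handle, hIsEOF, hGetLine, openBinaryFile, ReadMode

fileReader :: Handle -> IO ()
fileReader h = do
  t <- hIsEOF h
  if t then return ()
    else do
      -- hGetLine returns everything up to the next '\n' and drops the '\n'
      -- itself, so 0x0a bytes never appear in the printed output
      tmp <- hGetLine h
      forM_ tmp ( printf "0x%02x " )
      fileReader h

main = do
  l <- openBinaryFile "udp_lite_full_coverage_0.pcap" ReadMode
  fileReader l
  print "end"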
I am simply trying to write a Haskell script which produces an interpretation
of a pcap packet the same as Wireshark (at least for UDP packets). Could
someone please give me a guide map for approaching this? A general guideline
for this project, like what to read that could be helpful for this project,
which Haskell library, or anything which you think is useful.
Regards
Mukesh Tiwari
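
The pcap layout visible in the two dumps above, parsed in Haskell as an added example that is not part of the original post: a 24-byte global header, then per packet a 16-byte record header followed by the captured frame. It handles only the little-endian magic `d4 c3 b2 a1` seen here; the names `sample`, `le32`, `records` and `parsePcap` are made up for this example, and `sample` is constructed from the bytes shown in the post.

```haskell
import Data.Bits (shiftL, (.|.))
import qualified Data.ByteString as B
import Data.Word (Word32)
import Text.Printf (printf)

-- Constructed sample: global header, record header and frame bytes
-- copied from the two dumps in the post (including the 0x0a byte).
sample :: B.ByteString
sample = B.pack
  [ 0xd4,0xc3,0xb2,0xa1,0x02,0x00,0x04,0x00,0x00,0x00,0x00,0x00
  , 0x00,0x00,0x00,0x00,0xff,0xff,0x00,0x00,0x01,0x00,0x00,0x00
  , 0x0b,0xd4,0x9e,0x43,0x41,0x38,0x01,0x00,0x3c,0x00,0x00,0x00,0x3c,0x00,0x00,0x00
  , 0x00,0x04,0x76,0xdd,0xbb,0x3a,0x00,0x04,0x75,0xc7,0x87,0x49,0x08,0x00,0x45
  , 0x00,0x00,0x28,0x1a,0x6a,0x40,0x00,0x40,0x88,0x6f,0x71,0x8b,0x85,0xcc,0xb0
  , 0x8b,0x85,0xcc,0xb7,0x80,0x00,0x04,0xd2,0x00,0x00,0x38,0x45,0x68,0x65,0x6c
  , 0x6c,0x6f,0x20,0x77,0x6f,0x72,0x6c,0x64,0x0a,0x00,0x00,0x00,0x00,0x00,0x00
  ]

-- Little-endian 32-bit field at byte offset o.
le32 :: Int -> B.ByteString -> Word32
le32 o = B.foldr (\b acc -> acc `shiftL` 8 .|. fromIntegral b) 0 . B.take 4 . B.drop o

-- Walk the record stream: 16-byte header (ts_sec, ts_usec, incl_len, orig_len),
-- then incl_len bytes of frame. Stops at a record that claims more than remains.
records :: B.ByteString -> [(Word32, B.ByteString)]
records bs
  | B.length bs < 16  = []
  | B.length body < n = []
  | otherwise         = (le32 0 bs, B.take n body) : records (B.drop n body)
  where n    = fromIntegral (le32 8 bs)
        body = B.drop 16 bs

-- Check the 24-byte global header, then return (ts_sec, frame) per packet.
parsePcap :: B.ByteString -> Either String [(Word32, B.ByteString)]
parsePcap bs
  | B.length bs < 24        = Left "short global header"
  | le32 0 bs /= 0xa1b2c3d4 = Left "not a little-endian pcap file"
  | otherwise               = Right (records (B.drop 24 bs))

main :: IO ()
main = case parsePcap sample of
  Left err -> putStrLn err
  Right ps -> mapM_ dump ps
  where dump (ts, pkt) = do
          printf "ts=%d len=%d\n" ts (B.length pkt)
          mapM_ (printf "%02x ") (B.unpack pkt) >> putStrLn ""
```

To run it against the capture itself, replace `sample` with the result of `B.readFile`, which reads the file as raw bytes without any line handling.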