Parse PCAP files in Java

This article is for those who have spent hours like me to find a good library that can parse raw PCAP files in Java. There are plenty of open source libraries already available for Java but most of them are acting as a wrapper to the libpcap library which makes them hard to use for simple use cases. The library I came across: pkts is a pure Java library which can be easily imported into your project as a Maven dependency. This article introduces the pkts library using a HelloWorld application to parse a PCAP output.

Requirements:
  • Java IDE with Maven support (Eclipse IDE for Java EE is used here)
  • The PCAP file you want to parse
Step 1:
Open the IDE and create  a new Maven project with the following proerties.
Group Id: com.javahelps
Artifact Id: PCAP-Parser

Parse PCAP file in Java

Step 2:
Add the following dependencies to the pom.xml.
<dependency>
    <groupId>io.pkts</groupId>
    <artifactId>pkts-core</artifactId>
    <version>3.0.0</version>
    <type>jar</type>
</dependency>

<dependency>
    <groupId>io.pkts</groupId>
    <artifactId>pkts-streams</artifactId>
    <version>3.0.0</version>
    <type>jar</type>
</dependency>
After the changes, the pom.xml should look like the following. Note that I have also defined the Java version in the pom.xml.
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.javahelps</groupId>
    <artifactId>PCAP-Parser</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>

    <dependencies>
        <dependency>
            <groupId>io.pkts</groupId>
            <artifactId>pkts-core</artifactId>
            <version>3.0.0</version>
            <type>jar</type>
        </dependency>

        <dependency>
            <groupId>io.pkts</groupId>
            <artifactId>pkts-streams</artifactId>
            <version>3.0.0</version>
            <type>jar</type>
        </dependency>
    </dependencies>
</project>
Eclipse users, right click on your project and select Maven → Update Project and click OK in the appeared dialog to import the dependencies.

Step 3:
Create a new package com.javahelps.pcapparser in the src/main/java directory.

Step 4:
Create a new class Main.java inside the package created in Step 3.

Step 5:
Create a new Pcap object with the input filename as the argument and call the loop method with a PacketHandler. The PacketHandler object will be called with the packets from the PCAP file and if you want to stop parsing the file, return false in the nextPacket method.
package com.javahelps.pcapparser;

import io.pkts.PacketHandler;
import io.pkts.Pcap;
import io.pkts.buffer.Buffer;
import io.pkts.packet.Packet;
import io.pkts.packet.TCPPacket;
import io.pkts.packet.UDPPacket;
import io.pkts.protocol.Protocol;

import java.io.IOException;

public class Main {

    public static void main(String[] args) throws IOException {

        final Pcap pcap = Pcap.openStream("tcpdump.pcap");

        pcap.loop(new PacketHandler() {
            @Override
            public boolean nextPacket(Packet packet) throws IOException {

                if (packet.hasProtocol(Protocol.TCP)) {

                    TCPPacket tcpPacket = (TCPPacket) packet.getPacket(Protocol.TCP);
                    Buffer buffer = tcpPacket.getPayload();
                    if (buffer != null) {
                        System.out.println("TCP: " + buffer);
                    }
                } else if (packet.hasProtocol(Protocol.UDP)) {

                    UDPPacket udpPacket = (UDPPacket) packet.getPacket(Protocol.UDP);
                    Buffer buffer = udpPacket.getPayload();
                    if (buffer != null) {
                        System.out.println("UDP: " + buffer);
                    }
                }
                return true;
            }
        });
    }
}

That's it. Save all the changes and run the Main.java. According to the above code, it should print the payload of the packets with a prefix TCP or UDP, but you can do more with the received packet depending on your requirement.

Parse PCAP file in Java

The GitHub page of this library says that if you are seeking for more advanced features, you need to have a look at the jPcap or jNetPcap. Therefore, I would recommend you to ensure that this library satisfies all your requirements before using this. If you simply want to parse a PCAP file and then process the packets using your own logic, this is a nifty library that you should give a try.

Find the project @ GitHub.
Previous
Next Post »

Contact Form

Name

Email *

Message *