This article is for those who have spent hours like me to find a good library that can parse raw PCAP files in Java. There are plenty of open source libraries already available for Java but most of them are acting as a wrapper to the libpcap library which makes them hard to use for simple use cases. The library I came across: pkts is a pure Java library which can be easily imported into your project as a Maven dependency. This article introduces the pkts library using a HelloWorld application to parse a PCAP output.
Requirements:
Step 1:
Open the IDE and create a new Maven project with the following proerties.
Group Id: com.javahelps
Artifact Id: PCAP-Parser
Add the following dependencies to the pom.xml.
<dependency>
<groupId>io.pkts</groupId>
<artifactId>pkts-core</artifactId>
<version>3.0.0</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>io.pkts</groupId>
<artifactId>pkts-streams</artifactId>
<version>3.0.0</version>
<type>jar</type>
</dependency>After the changes, the pom.xml should look like the following. Note that I have also defined the Java version in the pom.xml.
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.javahelps</groupId>
<artifactId>PCAP-Parser</artifactId>
<version>0.0.1-SNAPSHOT</version>
<properties>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>io.pkts</groupId>
<artifactId>pkts-core</artifactId>
<version>3.0.0</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>io.pkts</groupId>
<artifactId>pkts-streams</artifactId>
<version>3.0.0</version>
<type>jar</type>
</dependency>
</dependencies>
</project>Eclipse users, right click on your project and select Maven → Update Project and click OK in the appeared dialog to import the dependencies.
Step 3:
Create a new package com.javahelps.pcapparser in the src/main/java directory.
Step 4:
Create a new class Main.java inside the package created in Step 3.
Step 5:
Create a new Pcap object with the input filename as the argument and call the loop method with a PacketHandler. The PacketHandler object will be called with the packets from the PCAP file and if you want to stop parsing the file, return false in the nextPacket method.
package com.javahelps.pcapparser;
import io.pkts.PacketHandler;
import io.pkts.Pcap;
import io.pkts.buffer.Buffer;
import io.pkts.packet.Packet;
import io.pkts.packet.TCPPacket;
import io.pkts.packet.UDPPacket;
import io.pkts.protocol.Protocol;
import java.io.IOException;
public class Main {
public static void main(String[] args) throws IOException {
final Pcap pcap = Pcap.openStream("tcpdump.pcap");
pcap.loop(new PacketHandler() {
@Override
public boolean nextPacket(Packet packet) throws IOException {
if (packet.hasProtocol(Protocol.TCP)) {
TCPPacket tcpPacket = (TCPPacket) packet.getPacket(Protocol.TCP);
Buffer buffer = tcpPacket.getPayload();
if (buffer != null) {
System.out.println("TCP: " + buffer);
}
} else if (packet.hasProtocol(Protocol.UDP)) {
UDPPacket udpPacket = (UDPPacket) packet.getPacket(Protocol.UDP);
Buffer buffer = udpPacket.getPayload();
if (buffer != null) {
System.out.println("UDP: " + buffer);
}
}
return true;
}
});
}
}That's it. Save all the changes and run the Main.java. According to the above code, it should print the payload of the packets with a prefix TCP or UDP, but you can do more with the received packet depending on your requirement.
The GitHub page of this library says that if you are seeking for more advanced features, you need to have a look at the jPcap or jNetPcap. Therefore, I would recommend you to ensure that this library satisfies all your requirements before using this. If you simply want to parse a PCAP file and then process the packets using your own logic, this is a nifty library that you should give a try.
Find the project @ GitHub.
3 comments
Write commentsRespect! It really helps.
ReplyThis is printing garbage values. Please help.
ReplyHi,
ReplyCan you try this using the pcap file available at https://github.com/slgobinath/pcap-processor/raw/master/samples/cicids_2017.pcap?
EmoticonEmoticon