Packet Capture (PCAP) files are a great way to capture and analyze network packets. There are well-known tools like tcpdump or Wireshark to analyze PCAP files. However, things get tricky when it comes to analyzing PCAP files using a programming language: in our case Java. This article introduces a promising library to parse and analyze PCAP files in Java and shows you how to parse PCAP files in Java.

Requirements


Create a New Project

Step 1:
Create a new Maven project in IntelliJ Idea with the group id: com.javahelps.parser and artifact id: pcap-parser.


Step 2:
Add the following dependencies to the pom.xml file.

<dependency>
    <groupId>io.pkts</groupId>
    <artifactId>pkts-core</artifactId>
    <version>${pkts.version}</version>
</dependency>

<dependency>
    <groupId>io.pkts</groupId>
    <artifactId>pkts-streams</artifactId>
    <version>${pkts.version}</version>
</dependency>

After adding the dependencies, the pom.xml should look like this:

Not all newer versions of libraries guarantee backward compatibility with previous versions. Therefore, I recommend using the same version of the library as in the following pom.xml for your first run. Once you get the code working, search for the artifact ids in the public Maven Repository and use the latest version of the dependencies in your production code. Please note that older versions may have unpatched vulnerabilities and make your code vulnerable to attacks. I will try my best to keep the articles up to date but it is impossible for me to keep track of all libraries used in Java Helps. If you find any breaking changes in newer versions, please comment below.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.javahelps.parser</groupId>
    <artifactId>pcap-parser</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
        <pkts.version>3.0.10</pkts.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>io.pkts</groupId>
            <artifactId>pkts-core</artifactId>
            <version>${pkts.version}</version>
        </dependency>

        <dependency>
            <groupId>io.pkts</groupId>
            <artifactId>pkts-streams</artifactId>
            <version>${pkts.version}</version>
        </dependency>
    </dependencies>
</project>
pom.xml

Download the Sample PCAP File

Step 3:
Download the fuzz-2007-03-14-24230.pcap file from our GitHub repository and place it in the src/main/resources/ folder. The fuzz-2007-03-14-24230.pcap file was originally downloaded from Wireshark Automated Captures and added to our GitHub project.


Implement the PCAP Parser

Step 4:
Add a new class named TcpUdpPacketHandler in the com.javahelps.parser.pcap package with the following code.

package com.javahelps.parser.pcap;

import io.pkts.PacketHandler;
import io.pkts.buffer.Buffer;
import io.pkts.packet.Packet;
import io.pkts.packet.TCPPacket;
import io.pkts.packet.UDPPacket;
import io.pkts.protocol.Protocol;

import java.io.IOException;

public class TcpUdpPacketHandler implements PacketHandler {

    @Override
    public boolean nextPacket(Packet packet) throws IOException {
        // Check the packet protocol
        if (packet.hasProtocol(Protocol.TCP)) {
            // Cast the packet to the TCP subclass
            TCPPacket tcpPacket = (TCPPacket) packet.getPacket(Protocol.TCP);

            // Explore the available methods.
            // This sample code prints the payload, but you can get other attributes as well.
            // The payload is null for segments that carry no data (e.g. a bare SYN or ACK).
            Buffer buffer = tcpPacket.getPayload();
            if (buffer != null) {
                System.out.println("TCP: " + buffer);
            }
        } else if (packet.hasProtocol(Protocol.UDP)) {
            // Cast the packet to the UDP subclass
            UDPPacket udpPacket = (UDPPacket) packet.getPacket(Protocol.UDP);

            // Explore the available methods.
            // This sample code prints the payload, but you can get other attributes as well.
            Buffer buffer = udpPacket.getPayload();
            if (buffer != null) {
                System.out.println("UDP: " + buffer);
            }
        }

        // Return true if you want to keep receiving the next packet.
        // Return false if you want to stop the traversal.
        return true;
    }

}
TcpUdpPacketHandler.java

Step 5:
Modify the Main class as shown below. The PCAP file added to resources in Step 3 is used in the sample code as the input file to parse.

package com.javahelps.parser.pcap;

import io.pkts.Pcap;

import java.io.IOException;
import java.util.Objects;

public class Main {

    // getResource(...).getFile() yields a usable filesystem path only while the resource
    // is on disk (e.g. under target/classes); it does not work for a file packed into a jar,
    // and the returned path is URL-encoded (a space becomes %20).
    private static final String SAMPLE_FILE = Objects.requireNonNull(Main.class.getResource("/fuzz-2007-03-14-24230.pcap")).getFile();

    public static void main(String[] args) throws IOException {
        // TODO: Replace SAMPLE_FILE by the actual file you want to parse
        Pcap pcap = Pcap.openStream(SAMPLE_FILE);
        // loop() calls the handler once per packet until it returns false or the file ends
        pcap.loop(new TcpUdpPacketHandler());
        pcap.close();
    }

}
Main.java

Step 6:
After making all the changes, save them and run the Main class. The payload of each TCP and UDP packet will be printed to the console. Now feel free to replace the input file with the actual file you want to parse and explore the APIs of the pkts library.
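Printing raw payloads is a good first run, but in practice a handler usually aggregates what it sees. The following class is an added example, not code from the article or from the pkts project: it counts packets per transport protocol, records which destination ports each source address opened new TCP connections to (SYN without ACK) so that sources touching unusually many ports can be reported, and counts frames that fail to decode instead of letting one bad frame abort the whole traversal, which matters for a fuzzed capture like the one used above. It assumes the pkts 3.x methods TCPPacket.isSYN(), TCPPacket.isACK(), IPPacket.getSourceIP(), TransportPacket.getDestinationPort() and the Protocol.IPv4 constant; the class name, the threshold of 10 ports and the default file path are illustrative choices of this example.

```java
package com.javahelps.parser.pcap;

import io.pkts.PacketHandler;
import io.pkts.Pcap;
import io.pkts.packet.IPPacket;
import io.pkts.packet.Packet;
import io.pkts.packet.TCPPacket;
import io.pkts.protocol.Protocol;

import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical handler (not from the article): summarises a capture instead of
// printing raw payloads, and keeps going when a frame cannot be decoded.
public class FlowSummaryHandler implements PacketHandler {

    // Sources whose SYNs reached more than this many distinct ports are reported.
    private final int portThreshold;

    private long tcpPackets;
    private long udpPackets;
    private long otherPackets;
    private long undecodablePackets;

    // Source IP -> destination ports seen in SYN-only (no ACK) segments from it.
    private final Map<String, Set<Integer>> synTargets = new HashMap<>();

    public FlowSummaryHandler(int portThreshold) {
        this.portThreshold = portThreshold;
    }

    @Override
    public boolean nextPacket(Packet packet) throws IOException {
        try {
            if (packet.hasProtocol(Protocol.TCP)) {
                tcpPackets++;
                TCPPacket tcp = (TCPPacket) packet.getPacket(Protocol.TCP);
                // A SYN without ACK is a new connection attempt; note where it went.
                if (tcp.isSYN() && !tcp.isACK() && packet.hasProtocol(Protocol.IPv4)) {
                    IPPacket ip = (IPPacket) packet.getPacket(Protocol.IPv4);
                    synTargets.computeIfAbsent(ip.getSourceIP(), k -> new HashSet<>())
                              .add(tcp.getDestinationPort());
                }
            } else if (packet.hasProtocol(Protocol.UDP)) {
                udpPackets++;
            } else {
                otherPackets++;
            }
        } catch (RuntimeException e) {
            // pkts decodes lazily, so a truncated or fuzzed frame can fail here.
            // Count it and continue rather than letting one bad frame end the run.
            undecodablePackets++;
        }
        return true; // keep receiving packets until the file is exhausted
    }

    // Sources that sent SYNs to more distinct ports than the threshold allows.
    public Map<String, Set<Integer>> busySources() {
        Map<String, Set<Integer>> result = new HashMap<>();
        synTargets.forEach((src, ports) -> {
            if (ports.size() > portThreshold) {
                result.put(src, ports);
            }
        });
        return result;
    }

    public String report() {
        StringBuilder sb = new StringBuilder();
        sb.append("TCP=").append(tcpPackets).append(" UDP=").append(udpPackets)
          .append(" other=").append(otherPackets)
          .append(" undecodable=").append(undecodablePackets).append('\n');
        busySources().forEach((src, ports) -> sb.append(src).append(" -> ")
                .append(ports.size()).append(" distinct ports via SYN\n"));
        return sb.toString();
    }

    // Parse the whole file with a fresh handler and return it for inspection.
    public static FlowSummaryHandler summarize(String pcapPath, int portThreshold) throws IOException {
        FlowSummaryHandler handler = new FlowSummaryHandler(portThreshold);
        Pcap pcap = Pcap.openStream(pcapPath);
        try {
            pcap.loop(handler);
        } finally {
            pcap.close();
        }
        return handler;
    }

    public static void main(String[] args) throws IOException {
        // Path to any capture; defaults to the sample file from Step 3 (illustrative path).
        String path = args.length > 0 ? args[0] : "src/main/resources/fuzz-2007-03-14-24230.pcap";
        System.out.print(summarize(path, 10).report());
    }
}
```

The try/catch only covers exceptions raised while the handler decodes a packet; a frame so damaged that Pcap.loop() itself cannot frame it still propagates out of summarize(), so callers that must process every readable packet of a corrupt file should expect that and handle it at the call site.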

You can download the complete source code of this project along with all the resources from our GitHub repository.

If you find this article useful, please let me know in the comments. Your comments motivate me to write more quality content. You can also comment on any questions or issues you have related to this article and I will try my best to help you fix them. It is also a chance for our readers with the domain expertise to help fix others' issues.
