pcap-parser User manual¶
Revision date: Apr 03, 2020
Throughout this manual the '/' character means "over", as a layering specification: TCP/IPv4 means "TCP over IPv4", and DNS/UDP/IPv4 means DNS over UDP over IPv4.
pcap-parser.exe is a command-line program. We are planning a GUI frontend for the future.
Program Invocation¶
pcap-parser.exe <pcapfile> [<pcapfile>]
<pcapfile>
is a relative or absolute path (a bare file name in the current directory works as well) to a capture file in pcap or pcapng format. Not all variants of the pcap format are currently supported.
All results are written to stdout. The output is long, so redirecting stdout to a file is recommended, e.g. pcap-parser.exe capture.pcapng > report.txt
List of extracted values¶
PCAPNG¶
These statistics are specific to the PCAPNG input file format.
EPB Blocks
Number of Enhanced Packet Blocks (block type 6) encountered.
SPB Blocks
Number of Simple Packet Blocks (block type 3) encountered. Unlike an EPB, an SPB carries no interface ID, timestamp or captured length; its data length follows from the original packet length and the snaplen of the first interface.
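As an added example (not code from pcap-parser), the following Python walks a pcapng file and produces the EPB/SPB counts described above. Every block length is validated before use: a capture file is untrusted input, and a parser that trusts a zero or oversized block length can loop forever or read outside the buffer. The constructed sample file, the helper names and the count keys are this example's own.

```python
import struct

# pcapng block types; the SHB type is the same byte sequence in either byte order
SHB, IDB, SPB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000003, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def _pad4(n):
    return (n + 3) & ~3


def pcapng_block(btype, body, endian="<"):
    """Encode one block: type, total length, 32-bit padded body, total length again."""
    body += b"\x00" * (_pad4(len(body)) - len(body))
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


def walk_pcapng(data):
    """Walk a pcapng file. Returns (block counts, list of captured frames).

    Frames come from EPB and SPB blocks. Each length field is checked before it
    is used so that a malformed or hostile file raises ValueError instead of
    making the loop spin or reading past the end of the buffer.
    """
    counts = {"SHB": 0, "IDB": 0, "EPB": 0, "SPB": 0, "other": 0}
    frames, snaplens, endian, off = [], [], "<", 0
    while off + 12 <= len(data):
        btype = struct.unpack_from(endian + "I", data, off)[0]
        if btype == SHB:
            # The SHB's byte-order magic decides the endianness of the section.
            bom = data[off + 8:off + 12]
            if bom == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif bom == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic at offset %d" % off)
            snaplens = []                      # interface IDs restart per section
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length %d at offset %d" % (total, off))
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        body = data[off + 8:off + total - 4]
        if btype == SHB:
            counts["SHB"] += 1
        elif btype == IDB:
            counts["IDB"] += 1
            if len(body) < 8:
                raise ValueError("short IDB at offset %d" % off)
            snaplens.append(struct.unpack_from(endian + "I", body, 4)[0])
        elif btype == EPB:
            counts["EPB"] += 1
            if len(body) < 20:
                raise ValueError("short EPB at offset %d" % off)
            iface, _, _, caplen, _ = struct.unpack_from(endian + "5I", body, 0)
            if iface >= len(snaplens) or 20 + caplen > len(body):
                raise ValueError("EPB at offset %d: unknown interface or overlong data" % off)
            frames.append(bytes(body[20:20 + caplen]))
        elif btype == SPB:
            # An SPB belongs to interface 0 and has no captured length field:
            # its data is min(original length, that interface's snaplen).
            counts["SPB"] += 1
            if not snaplens or len(body) < 4:
                raise ValueError("SPB at offset %d before any IDB, or short" % off)
            origlen = struct.unpack_from(endian + "I", body, 0)[0]
            caplen = min(origlen, snaplens[0]) if snaplens[0] else origlen
            if 4 + caplen > len(body):
                raise ValueError("SPB at offset %d: overlong data" % off)
            frames.append(bytes(body[4:4 + caplen]))
        else:
            counts["other"] += 1
        off += total
    return counts, frames


def is_malformed(data):
    """True if walk_pcapng rejects the file."""
    try:
        walk_pcapng(data)
        return False
    except ValueError:
        return True


def sample_pcapng():
    """Constructed file: SHB, one Ethernet IDB, then an EPB and an SPB with the same 42-byte frame."""
    frame = bytes.fromhex("ffffffffffff 001122334455 0806") + b"\x00" * 28
    return (pcapng_block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
            + pcapng_block(IDB, struct.pack("<HHI", 1, 0, 65535))   # LINKTYPE_ETHERNET, snaplen
            + pcapng_block(EPB, struct.pack("<5I", 0, 0, 0, len(frame), len(frame)) + frame)
            + pcapng_block(SPB, struct.pack("<I", len(frame)) + frame))


if __name__ == "__main__":
    print(walk_pcapng(sample_pcapng())[0])
```

Blocks of unknown type are counted but skipped by their declared length, which is what lets a reader survive option blocks it does not understand; the trailing-length check is what catches a file whose length fields have been corrupted or tampered with.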
Eth frames¶
min frame sz
The minimum size (smallest) Ethernet frame encountered.
max frame sz
The maximum size (largest) Ethernet frame encountered.
STP frames
Number of STP frames encountered.
untagged
Number of untagged (no VLAN) Ethernet frames encountered.
single-tagged
Number of single-tagged (VLAN) Ethernet frames encountered.
double-tagged
Number of double-tagged (VLAN) Ethernet frames encountered.
ARP packets
Number of Address Resolution Protocol packets encountered.
RARP packets
Number of Reverse Address Resolution Protocol packets encountered.
IPv4 packets
Number of IPv4 packets encountered.
wrong checks
Number of IPv4 packets encountered whose IPv4 header checksum does not verify. This is not necessarily a problem: many network cards offload the checksum calculation, and when capturing on the sending host (e.g. directly from the Linux kernel) the packet is recorded before the card fills the field in, so the captured checksum is zero or stale. Wrong checksums on packets received from the network are a different matter and point to corruption or deliberate manipulation.
w/ dont frag
Number of IPv4 packets with the Don’t Fragment flag set encountered.
frags
Number of IPv4 packets encountered which are fragments.
w/ IP opt
Number of IPv4 packets with IPv4 options encountered.
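The Ethernet and IPv4 counters above can be reproduced with the following Python, an added example and not pcap-parser's code. It peels up to two VLAN tags (802.1Q, EtherType 0x8100, and the 802.1ad service tag 0x88A8), and for IPv4 verifies the header checksum (RFC 1071: the one's-complement sum of a header whose checksum field is correct gives 0 after complementing) and reads the DF flag, fragment and options indicators. The three frames, MAC addresses and 10.0.0.x addresses are constructed here; the third frame imitates a checksum-offloaded capture by leaving the checksum field at zero.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_ARP, ETH_8021Q, ETH_8021AD = 0x0800, 0x0806, 0x8100, 0x88A8


def ipv4_checksum(header):
    """RFC 1071 checksum over an IPv4 header. Over a header that already carries
    a correct checksum field the result is 0, which is the verification test."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def classify_frame(frame):
    """Peel up to two VLAN tags, then decode the IPv4 header fields the manual
    counts (checksum, DF, fragment, options). Returns a dict of findings."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off, tags = 12, 0
    ethertype = struct.unpack_from("!H", frame, off)[0]
    # Each 802.1Q or 802.1ad tag pushes the real EtherType 4 bytes further in.
    while ethertype in (ETH_8021Q, ETH_8021AD) and tags < 2:
        tags += 1
        off += 4
        if off + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack_from("!H", frame, off)[0]
    info = {"tags": tags, "ethertype": ethertype}
    payload = frame[off + 2:]
    if ethertype == ETH_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        if ihl < 20 or len(payload) < ihl:
            raise ValueError("bad IHL")
        flags_frag = struct.unpack_from("!H", payload, 6)[0]
        info.update({
            "checksum_ok": ipv4_checksum(payload[:ihl]) == 0,
            "dont_fragment": bool(flags_frag & 0x4000),
            "fragment": bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0,
            "options": ihl > 20,
        })
    return info


def frame_stats(frames):
    """The counters of the 'Eth frames' section, computed over a list of frames."""
    c = Counter()
    for frame in frames:
        i = classify_frame(frame)
        c[("untagged", "single-tagged", "double-tagged")[i["tags"]]] += 1
        if i["ethertype"] == ETH_ARP:
            c["ARP packets"] += 1
        elif i["ethertype"] == ETH_IPV4 and "checksum_ok" in i:
            c["IPv4 packets"] += 1
            c["wrong checks"] += not i["checksum_ok"]
            c["w/ dont frag"] += i["dont_fragment"]
            c["frags"] += i["fragment"]
            c["w/ IP opt"] += i["options"]
    return c


def ipv4_header(src, dst, proto, flags_frag=0, options=b"", offload=False):
    """Constructed IPv4 header. With offload=True the checksum field stays zero,
    as in a capture taken on a sending host whose NIC computes the checksum."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0x1234, flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + options
    if offload:
        return hdr
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


SRC, DST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MACs
SAMPLE_FRAMES = [
    # untagged IPv4 with DF set and a correct checksum
    DST + SRC + struct.pack("!H", ETH_IPV4) + ipv4_header("10.0.0.1", "10.0.0.2", 6, 0x4000),
    # one 802.1Q tag (VLAN 100) carrying ARP
    DST + SRC + struct.pack("!HHH", ETH_8021Q, 100, ETH_ARP) + b"\x00" * 28,
    # 802.1ad S-tag + 802.1Q C-tag; IPv4 first fragment (MF set) with options, checksum offloaded
    DST + SRC + struct.pack("!HHHHH", ETH_8021AD, 200, ETH_8021Q, 100, ETH_IPV4)
    + ipv4_header("10.0.0.2", "10.0.0.1", 17, 0x2000, b"\x01\x01\x01\x01", offload=True),
]

if __name__ == "__main__":
    for key, value in sorted(frame_stats(SAMPLE_FRAMES).items()):
        print("%-14s %d" % (key, value))
```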
Linux cooked mode¶
min frame sz
The minimum size (smallest) Linux cooked mode frame encountered. The word "frame" does not imply Ethernet here: frames captured in Linux cooked mode carry a pseudo link-layer header and are not necessarily Ethernet frames. We have seen this on VPS systems where the guest kernel captured no Ethernet frames at all.
max frame sz
The maximum size (largest) frame encountered.
IPv6 packets
Number of IPv6 packets encountered.
ICMPv4 packets
Number of ICMPv4 packets encountered, i.e. ICMP carried in IPv4. Also broken down by ICMP message type.
ICMPv6 packets
Number of ICMPv6 packets encountered.
IGMP packets
Number of IGMP packets encountered.
IPv6 encap packets
Number of IPv6 packets encountered which are encapsulated in IPv4 (IP protocol number 41, as used by 6in4 tunnels).
AH packets
Number of IPsec Authentication Header packets encountered. Not implemented yet.
OSPF packets
Number of OSPF packets encountered. Not implemented yet.
L2TP packets
Number of L2TP packets encountered. Not implemented yet.
SCTP packets
Number of SCTP packets encountered. Not implemented yet.
FC packets
Number of Fibre Channel packets encountered. Not implemented yet.
UDPLite packets
Number of UDP-Lite packets encountered. Not implemented yet.
ROHC packets
Number of ROHC (Robust Header Compression) packets encountered. Not implemented yet.
TCP/IPv4 packets
Number of TCP packets encountered which were layered on top of IPv4.
UDP/IPv4 packets
Number of UDP packets encountered which were layered on top of IPv4.
TCP/IPv6 packets
Number of TCP packets encountered which were layered on top of IPv6.
UDP/IPv6 packets
Number of UDP packets encountered which were layered on top of IPv6.
MAC addresses seen:¶
source:
List of MAC addresses encountered as source addresses in Ethernet frames.
dest:
List of MAC addresses encountered as destination addresses in Ethernet frames.
ARP statistics:¶
ARP request packets
Number of ARP packets which are address resolution requests.
ARP reply packets
Number of ARP packets which are address resolution replies.
ARP MAC addr <-> IPv4 addr mappings¶
MAC addr | IPv4 addr
------------------+----------------
8c-3a-e3-15-d3-17 | 192.168.178.69
...
All ARP address resolution requests and their corresponding replies are analysed. The resulting MAC address to IPv4 address mappings are shown in this table.
If the need arises we may later add a history, so that IPv4 addresses changing for a MAC address (and vice versa) can serve as a basis for diagnostics or similar goals.
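The table above can be built from the sender fields of ARP requests and replies. The following Python is an added example, not pcap-parser's implementation; beyond the plain mapping table it also records the case the history idea is about, namely one IPv4 address claimed by more than one MAC (or one MAC claiming several addresses), which is what ARP spoofing looks like in a capture. The packets, MAC addresses, 192.168.178.x addresses and the 'conflicts' output are constructed for this example.

```python
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2


def fmt_mac(b):
    return "-".join("%02x" % x for x in b)          # same style as the manual's table


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Constructed Ethernet/IPv4 ARP body (28 bytes, no Ethernet header)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sha), bytes(map(int, spa.split("."))),
                       bytes.fromhex(tha), bytes(map(int, tpa.split("."))))


def parse_arp(body):
    """Decode an Ethernet/IPv4 ARP body; None for other hardware/protocol pairs."""
    if len(body) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", body, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack_from("!6s4s6s4s", body, 8)
    return {"op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


def arp_stats(bodies):
    """Request/reply counts, sorted (MAC, IPv4) mappings, and conflicting claims."""
    stats = {"ARP request packets": 0, "ARP reply packets": 0}
    mac_to_ip, ip_to_mac = defaultdict(set), defaultdict(set)
    for body in bodies:
        a = parse_arp(body)
        if a is None:
            continue
        if a["op"] == ARP_REQUEST:
            stats["ARP request packets"] += 1
        elif a["op"] == ARP_REPLY:
            stats["ARP reply packets"] += 1
        else:
            continue
        # The sender fields of both requests and replies assert a MAC <-> IPv4
        # binding. The target fields of a request do not (its target MAC is the
        # unknown being asked for), and an ARP probe (sender IP 0.0.0.0, RFC 5227)
        # asserts nothing either.
        if a["spa"] != "0.0.0.0":
            mac_to_ip[a["sha"]].add(a["spa"])
            ip_to_mac[a["spa"]].add(a["sha"])
    mappings = sorted((mac, ip) for mac, ips in mac_to_ip.items() for ip in ips)
    conflicts = {ip: sorted(macs) for ip, macs in ip_to_mac.items() if len(macs) > 1}
    conflicts.update({mac: sorted(ips) for mac, ips in mac_to_ip.items() if len(ips) > 1})
    return stats, mappings, conflicts


def render_table(mappings):
    """The manual's table layout."""
    rows = ["%-17s | %s" % ("MAC addr", "IPv4 addr"), "-" * 18 + "+" + "-" * 16]
    rows += ["%-17s | %s" % (mac, ip) for mac, ip in mappings]
    return "\n".join(rows)


# Constructed traffic: a host asks for its gateway, the gateway answers, then a
# second station answers for the same IP with another MAC, then the host probes.
SAMPLE_ARP = [
    build_arp(ARP_REQUEST, "8c3ae315d317", "192.168.178.69", "000000000000", "192.168.178.1"),
    build_arp(ARP_REPLY, "001122334455", "192.168.178.1", "8c3ae315d317", "192.168.178.69"),
    build_arp(ARP_REPLY, "66778899aabb", "192.168.178.1", "8c3ae315d317", "192.168.178.69"),
    build_arp(ARP_REQUEST, "8c3ae315d317", "0.0.0.0", "000000000000", "192.168.178.69"),
]

if __name__ == "__main__":
    stats, mappings, conflicts = arp_stats(SAMPLE_ARP)
    print(stats)
    print(render_table(mappings))
    print("conflicts:", conflicts)
```

Gratuitous replies (a reply nobody asked for) are counted like any other reply here; a stricter version would pair each reply with a preceding request for the same target address and report the unpaired ones separately, since those are the ones an ARP poisoning tool sends.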
Source IPv4 addresses seen:¶
This is a list of IPv4 addresses encountered as source addresses of IPv4 packets.
Dest IPv4 addresses seen:¶
This is a list of IPv4 addresses encountered as destination addresses of IPv4 packets.
Source IPv4 addresses, only source:¶
This is a list of IPv4 addresses encountered as source addresses of IPv4 packets, but only as source address, never as a destination address.
Dest IPv4 addresses, only dest:¶
This is a list of IPv4 addresses encountered as destination addresses of IPv4 packets, but only as destination address, never as a source address.
Source IPv4 addresses, multicast:¶
This is a list of multicast IPv4 addresses (224.0.0.0/4) encountered as source addresses. A multicast address is never valid as a source address, so entries here point to malformed or spoofed packets.
Dest IPv4 addresses, multicast:¶
This is a list of multicast IPv4 addresses encountered as destination addresses, e.g.
224.0.0.1
224.0.0.22
...
link-local IPv4 addresses:¶
This is a list of all link-local IPv4 addresses (169.254.0.0/16) encountered, either as source or as destination address.
UDP/IPv4 gross traffic¶
This is the gross UDP over IPv4 traffic in bytes, counted from the start of the IPv4 header, so the IPv4 and UDP headers are included.
UDP/IPv6 gross traffic¶
This is the gross UDP over IPv6 traffic in bytes, counted from the start of the IPv6 header, so the IPv6 and UDP headers are included.
TCP/IPv4 gross traffic¶
This is the gross TCP over IPv4 traffic in bytes, counted from the start of the IPv4 header, so the IPv4 and TCP headers are included.
TCP/IPv6 gross traffic¶
This is the gross TCP over IPv6 traffic in bytes, counted from the start of the IPv6 header, so the IPv6 and TCP headers are included.
TCP source ports:¶
This is a list of TCP ports encountered as source port of TCP packets. Each list element is either a single port number or a range, written as two numbers separated by '-', both ends inclusive.
TCP dest ports:¶
This is a list of TCP ports encountered as destination port of TCP packets, in the same format.
UDP source ports:¶
This is a list of UDP ports encountered as source port of UDP packets, in the same format.
UDP dest ports:¶
This is a list of UDP ports encountered as destination port of UDP packets, in the same format.
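The "single number or inclusive range" port lists are the run-length form of a sorted set of ports. The following Python, an added example rather than pcap-parser's code, extracts source and destination ports from IPv4 packets (the ports sit at the same offset in TCP and UDP headers; non-first fragments carry no transport header and are skipped), compresses them into that form and parses it back, which is useful when a printed list is to become a filter. The packets, the 10.0.0.x addresses and the helper names are constructed for the example.

```python
import struct

TCP, UDP = 6, 17


def l4_ports(packet):
    """(protocol, source port, destination port) of an IPv4 packet, or None when it
    is not TCP/UDP, is a non-first fragment (no transport header) or is truncated."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    if proto not in (TCP, UDP) or frag_offset or ihl < 20 or len(packet) < ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", packet, ihl)   # same offsets in TCP and UDP
    return proto, sport, dport


def compress_ports(ports):
    """Sorted ports as the manual prints them: '443' or '49152-49154' (both ends inclusive)."""
    runs = []
    for p in sorted(set(ports)):
        if not 0 <= p <= 65535:
            raise ValueError("port out of range: %r" % (p,))
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p                 # extend the current run
        else:
            runs.append([p, p])             # start a new run
    return ["%d" % a if a == b else "%d-%d" % (a, b) for a, b in runs]


def expand_ports(items):
    """Inverse of compress_ports, e.g. for turning a printed list into a filter set."""
    ports = set()
    for item in items:
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port item: %r" % item)
        ports.update(range(lo, hi + 1))
    return ports


def port_lists(packets):
    """The four port lists of the manual over a sequence of IPv4 packets."""
    seen = {"TCP source ports": set(), "TCP dest ports": set(),
            "UDP source ports": set(), "UDP dest ports": set()}
    for packet in packets:
        found = l4_ports(packet)
        if found is None:
            continue
        proto, sport, dport = found
        name = "TCP" if proto == TCP else "UDP"
        seen[name + " source ports"].add(sport)
        seen[name + " dest ports"].add(dport)
    return {k: compress_ports(v) for k, v in seen.items()}


def ipv4_packet(proto, sport, dport, frag_offset=0):
    """Constructed IPv4 packet (checksum left zero) whose transport header holds only the ports."""
    l4 = struct.pack("!HH", sport, dport)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_offset, 64, proto, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + l4


# Constructed traffic: four client connections to 443, one server packet back,
# DNS both ways, NTP, and one non-first fragment that carries no ports.
SAMPLE_PACKETS = [ipv4_packet(TCP, p, 443) for p in (49152, 49153, 49154, 49160)] + [
    ipv4_packet(TCP, 443, 49152),
    ipv4_packet(UDP, 53, 33000), ipv4_packet(UDP, 33001, 53), ipv4_packet(UDP, 33002, 123),
    ipv4_packet(UDP, 33003, 123, frag_offset=185),
]

if __name__ == "__main__":
    for name, items in port_lists(SAMPLE_PACKETS).items():
        print(name + ":", ", ".join(items))
```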
TCP/IPv4 per address stats:¶
This section contains several tables. For each IPv4 address they give the number of TCP packets sent and received, the gross traffic in each direction, and the percentage of all TCP packets encountered in the respective direction. The tables are given in two orderings:
sorted by TCPPktsSent
sorted by TCPPktsRecv
UDP/IPv4 per address stats:¶
Statistics about UDP packets, per IPv4 address.
ICMPv4 per address stats:¶
Statistics about ICMP packets, per IPv4 address.
IPv4 inter host/address stats:¶
This table shows traffic figures between encountered IPv4 addresses, separately for TCP, UDP and ICMP.
TCP statistics¶
This section should currently be ignored.
Eth frame size histogram¶
frame size | count
===========+========
...
This table contains the number of Ethernet frames encountered for each Ethernet frame size that occurred, sorted by size in ascending order.
Frame sizes which did not occur are omitted from the table.
Note that some capturing setups merge frames: we have seen frame sizes well beyond even Ethernet jumbo frame sizes. This typically happens when capturing on a host whose network card does segmentation or receive offload (TSO, GRO, LRO), so the capture point sees one large buffer instead of the wire-sized frames. So even outside of LANs, where jumbo frames are not frequently encountered, capture files can contain very large frames.
ICMPv4 stats:¶
This section contains various outputs of the ICMPv4 analysis.
ICMPv6 stats:¶
This section contains various outputs of the ICMPv6 analysis.
DNS stats:¶
DNS/UDP/IPv4 packets:
This entry contains the number of DNS packets using UDP on the transport layer over IPv4. Additional counters are given for the various DNS message types.
DNS/UDP/IPv6 packets:
This entry contains the number of DNS packets using UDP on the transport layer over IPv6.
DNS: queried names:¶
name | count
------------------------------------------------------+---------
...
This table lists the names queried via DNS, with the number of queries for each name.
DNS: queried names: TLDs:¶
name | count
---------+-------
...
This table contains the Top Level Domains of the queried names listed above, with their counts.
DNS: queried names: SLDs:¶
name | count
------------------------------------------------------+---------
...
This table contains the Second Level Domains of the queried names listed above, with their counts.
DNS: unresolved names:¶
name | count
------------------------------------------------------+---------
...
This table contains names queried via DNS which could not be resolved, i.e. for which no successful answer was seen.
DNS: IPv4 resolved names:¶
name | addr
------------------------------------------------------+----------------
...
This table contains all pairings of queried names and the IPv4 addresses they resolved to.
DNS: IPv4 queried record types:¶
type | count
-----+------
...
This table contains the record types queried via DNS and their counts. The record types are currently shown as the numeric QTYPE values (e.g. 1 for A, 28 for AAAA); the table will be made more convenient in the future.
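The DNS tables above all start from the question and answer sections of each DNS message. The following Python is an added example, not pcap-parser's parser: it decodes the wire format including RFC 1035 name compression (with the backwards-pointer check that keeps a crafted pointer loop in a captured message from hanging the parser) and derives the queried-name, TLD, SLD, record-type, resolved and unresolved counters. The SLD is taken as the last two labels, which is wrong for multi-label public suffixes such as co.uk; the public suffix list is the remedy if that matters. Messages, names (example.com, example.org) and TEST-NET-1 addresses are constructed for this example, and "unresolved" here means the response carried RCODE 3 (NXDOMAIN).

```python
import struct
from collections import Counter

QTYPE_NAMES = {1: "A", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
NXDOMAIN = 3


def read_name(msg, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers; returns
    (name, offset after the name). A pointer must point backwards, so a crafted
    pointer loop in a captured message cannot hang the parser."""
    labels, end = [], None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("compression pointer does not point backwards")
            end = off + 2 if end is None else end  # caller resumes after the first pointer
            off = ptr
            continue
        if n & 0xC0 or off + 1 + n > len(msg):
            raise ValueError("bad label")
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), off if end is None else end


def parse_dns(msg):
    """Header, question section and A-record answers (authority/additional skipped)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    tid, flags, qd, an = struct.unpack_from("!4H", msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        questions.append((name, struct.unpack_from("!H", msg, off)[0]))   # (QNAME, QTYPE)
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return {"id": tid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def rejects(msg):
    """True when parse_dns refuses a message (used to show the pointer guard)."""
    try:
        parse_dns(msg)
        return False
    except ValueError:
        return True


def dns_stats(messages):
    """Counters behind the manual's DNS tables."""
    counts = {"queries": 0, "responses": 0}
    names, tlds, slds, qtypes, unresolved = (Counter() for _ in range(5))
    resolved = []
    for msg in messages:
        d = parse_dns(msg)
        if d["response"]:
            counts["responses"] += 1
            resolved.extend(d["answers"])
            if d["rcode"] == NXDOMAIN:
                unresolved.update(name for name, _ in d["questions"])
            continue
        counts["queries"] += 1
        for name, qtype in d["questions"]:
            labels = name.split(".")
            names[name] += 1
            tlds[labels[-1]] += 1
            slds[".".join(labels[-2:])] += 1      # naive: co.uk would count as an SLD
            qtypes[QTYPE_NAMES.get(qtype, str(qtype))] += 1
    return {"counts": counts, "names": names, "tlds": tlds, "slds": slds,
            "qtypes": qtypes, "resolved": resolved, "unresolved": unresolved}


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(tid, name, qtype):
    return struct.pack("!6H", tid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(tid, name, qtype, addrs, rcode=0):
    """Answer RRs name the question via a compression pointer to offset 12 (0xC00C)."""
    hdr = struct.pack("!6H", tid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes(map(int, a.split("."))))
                   for a in addrs)
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1) + rrs


# Constructed exchange: two A lookups that succeed, one AAAA lookup that gets NXDOMAIN.
SAMPLE_DNS = [
    build_query(1, "www.example.com", 1), build_response(1, "www.example.com", 1, ["192.0.2.10", "192.0.2.11"]),
    build_query(2, "example.org", 28), build_response(2, "example.org", 28, [], rcode=NXDOMAIN),
    build_query(3, "mail.example.com", 1), build_response(3, "mail.example.com", 1, ["192.0.2.25"]),
]
```

The resolved pairs use the owner name of each A record; when a CNAME chain is involved that is the canonical name, not the name that was queried, so a table keyed strictly by queried name needs to follow the CNAME records in the same answer section.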
mDNS stats:¶
This section contains information about multicast DNS (mDNS).
SSH stats:¶
Not implemented yet.
Telnet stats:¶
Not implemented yet.
SMTP stats:¶
This section contains extracted information from SMTP connections.
SMTP connections are recognized only on the standard TCP port 25; submission on port 587 or SMTP over TLS on port 465 is not detected.
Not completely implemented yet.
DHCP stats:¶
This section contains various information about extracted DHCPv4 sessions.
TFTP stats:¶
This section contains various extracted information from TFTP traffic.
HTTP stats:¶
This section contains various extracted information from HTTP traffic.
RIP stats:¶
This section contains various extracted information from RIPv1 and RIPv2 traffic.
SNMPv1 stats:¶
This section contains various extracted information from SNMPv1 and SNMPv2(c) traffic.
NTP stats:¶
This section contains various extracted information from NTP traffic.
skipped frames/packets stats¶
This section should currently be ignored.