gu1trh2ro/PCAP-Programming

PCAP Programming: TCP Packet Sniffer

A small packet-analysis project written in C with libpcap. It captures Ethernet/IPv4/TCP traffic on a selected interface, parses protocol header fields, and prints readable payload snippets for plain HTTP traffic.

This repository documents hands-on practice with network visibility, protocol parsing, and the boundary between observable traffic and encrypted traffic.

Features

  • Applies a BPF tcp capture filter through libpcap.
  • Parses source and destination MAC addresses, IPv4 addresses, and TCP ports.
  • Calculates IPv4 and TCP header lengths before locating payload data.
  • Recognizes common plain HTTP request methods and HTTP responses.
  • Bounds output by the captured packet length to avoid reading truncated data.

Environment

  • Linux with a network interface available for capture
  • GCC or Clang
  • libpcap-dev on Debian/Ubuntu systems

Install the dependency and build:

sudo apt-get install libpcap-dev
gcc -Wall -Wextra -std=c11 -o sniff_improved sniff_improved.c -lpcap

Run

Capture only traffic from a network/interface you are authorized to observe.

sudo ./sniff_improved enp0s3

For a plain HTTP test in a lab environment:

curl http://neverssl.com/

Example output fields:

====== TCP Packet ======
Src MAC: ...
Dst MAC: ...
Src IP: ...
Dst IP: ...
Src Port: ...
Dst Port: ...
[HTTP REQUEST]
GET / HTTP/1.1

Parsing Flow

Ethernet header
  -> IPv4 header (IHL determines header length)
    -> TCP header (data offset determines header length)
      -> Captured application payload
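The flow above, and the feature list's points about computing IHL and data offset before touching the payload and bounding every read by the captured length, can be shown in a small self-contained parser. The code below is an added example written for this README, not the repository's sniff_improved.c. It takes a frame and its capture length the way a libpcap callback receives them (h->caplen, bytes), but it runs without libpcap against a constructed sample frame so the truncation handling can be exercised offline. The struct name tcp_pkt_t, the helper names and the sample addresses are all assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define IPPROTO_TCP_NUM 6

/* Hypothetical result type: fields the sniffer prints, plus the payload view. */
typedef struct {
    uint8_t  src_mac[6], dst_mac[6];
    uint32_t src_ip, dst_ip;        /* host byte order */
    uint16_t src_port, dst_port;    /* host byte order */
    size_t   ip_hdr_len, tcp_hdr_len;
    const uint8_t *payload;
    size_t   payload_len;           /* bytes actually captured, may be < IP total length */
} tcp_pkt_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, a negative code for non-TCP or truncated frames.
 * Each header length is validated against caplen before it is dereferenced. */
int parse_tcp_frame(const uint8_t *data, size_t caplen, tcp_pkt_t *out)
{
    if (caplen < ETH_HDR_LEN) return -1;
    if (rd16(data + 12) != ETHERTYPE_IPV4) return -2;        /* not IPv4 */
    memcpy(out->dst_mac, data, 6);
    memcpy(out->src_mac, data + 6, 6);

    const uint8_t *ip = data + ETH_HDR_LEN;
    size_t remaining = caplen - ETH_HDR_LEN;
    if (remaining < 20 || (ip[0] >> 4) != 4) return -3;      /* need a full minimum IPv4 header */
    out->ip_hdr_len = (size_t)(ip[0] & 0x0F) * 4;           /* IHL is in 32-bit words */
    if (out->ip_hdr_len < 20 || out->ip_hdr_len > remaining) return -3;
    if (ip[9] != IPPROTO_TCP_NUM) return -4;                /* not TCP */
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);

    /* Never trust the IP total length beyond what was captured (snaplen cut-off). */
    size_t ip_total = rd16(ip + 2);
    if (ip_total > remaining) ip_total = remaining;
    if (ip_total < out->ip_hdr_len) return -3;

    const uint8_t *tcp = ip + out->ip_hdr_len;
    remaining = ip_total - out->ip_hdr_len;
    if (remaining < 20) return -5;                          /* need a full minimum TCP header */
    out->tcp_hdr_len = (size_t)(tcp[12] >> 4) * 4;          /* data offset is in 32-bit words */
    if (out->tcp_hdr_len < 20 || out->tcp_hdr_len > remaining) return -5;
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);

    out->payload = tcp + out->tcp_hdr_len;
    out->payload_len = remaining - out->tcp_hdr_len;        /* bounded by captured bytes */
    return 0;
}

/* 1 = plaintext HTTP request, 2 = HTTP response, 0 = neither. Only captured bytes are
 * compared, so a method split across segments is not recognised (no reassembly). */
int classify_http(const uint8_t *payload, size_t len)
{
    static const char *methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t m = strlen(methods[i]);
        if (len >= m && memcmp(payload, methods[i], m) == 0) return 1;
    }
    if (len >= 5 && memcmp(payload, "HTTP/", 5) == 0) return 2;
    return 0;
}

/* Constructed sample frame: Ethernet + 20-byte IPv4 + 20-byte TCP + "GET / HTTP/1.1\r\n". */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet */
    0x45,0x00, 0x00,0x38, 0x12,0x34, 0x40,0x00, 0x40, 0x06, 0x00,0x00,         /* IPv4, len 56, proto TCP */
    10,0,0,2, 93,184,216,34,                                                   /* src 10.0.0.2, dst 93.184.216.34 */
    0x9c,0x40, 0x00,0x50, 0,0,0,1, 0,0,0,1, 0x50, 0x18, 0xff,0xff, 0,0, 0,0,   /* TCP 40000 -> 80, doff 5, PSH|ACK */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','1','\r','\n'
};
const size_t sample_frame_len = sizeof sample_frame;

int main(void)
{
    tcp_pkt_t p;
    if (parse_tcp_frame(sample_frame, sample_frame_len, &p) != 0) return 1;
    printf("Src Port: %u  Dst Port: %u  payload bytes: %zu  http class: %d\n",
           p.src_port, p.dst_port, p.payload_len, classify_http(p.payload, p.payload_len));
    return 0;
}
```

Passing a smaller caplen than the frame actually holds simulates a snaplen cut-off: a capture that ends inside the TCP header is rejected rather than read past the buffer, and one that ends inside the payload yields a shorter payload_len, which is exactly what "bounds output by the captured packet length" means in the feature list.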

Scope And Limitations

  • This project inspects Ethernet, IPv4, and TCP packets only.
  • HTTP classification works on plaintext payload data; it does not decrypt TLS.
  • TCP stream reassembly is not implemented, so requests split across segments may not be classified as HTTP.
  • The tool is intended for learning and authorized security testing.

Security Relevance

Packet parsing is a foundation for traffic triage and network-based threat analysis. This implementation focuses on verifying header boundaries before examining payload data and on documenting what cannot be inferred once traffic is encrypted.

Next Steps

  • Save captures to .pcap for offline investigation.
  • Add DNS and TLS ClientHello metadata parsing.
  • Implement flow tracking and basic TCP stream reassembly.

About

TCP packet sniffer for Ethernet, IPv4, TCP and plaintext HTTP analysis using C and libpcap