java network-protocols pcap arp jnetpcap

jNetPcap - Analysing ARP packets from a PCAP file


I'm trying to obtain information on ARP packets within a PCAP file using the jNetPcap library for Java. What I'm really after is reading the Source and Destination addresses within the Ethernet frame, as well as the Sender MAC and Target MAC within the ARP packet.

So far I've been able to load a PCAP file, loop through all the packets in the packet capture, and display the packet numbers (Frame Number) for those packets which are indeed of the ARP protocol.

How do I obtain the additional information I'm after?

Here's my code so far:

package firstjavapcaptest;

import org.jnetpcap.Pcap;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;
import org.jnetpcap.protocol.lan.Ethernet;
import org.jnetpcap.protocol.network.Arp;
import org.jnetpcap.protocol.tcpip.Tcp;

public class FirstJavaPcapTest {

    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        // TODO code application logic here

        final StringBuilder errbuf = new StringBuilder(); // for any error messages
        final String file = "Z:\\test_pcap.pcap";
        Tcp tcp = new Tcp(); // Preallocate a TCP header
        final Arp arp = new Arp(); // Preallocate an ARP header; final so the anonymous handler below can use it
        System.out.printf("Opening file for reading: %s%n", file);

        Pcap pcap = Pcap.openOffline(file, errbuf);
        if (pcap == null) {
            // Pass the message as an argument so a '%' in it is not treated as a format specifier
            System.err.printf("Error while opening device for capture: %s%n", errbuf);
            return;  
        }  

        PcapPacketHandler<String> jphArp = new PcapPacketHandler<String>() { 
            public void nextPacket(PcapPacket packet, String user) {
                Ethernet ethh  = new Ethernet();
                if (packet.hasHeader(arp)) {
                    System.out.println("[" + packet.getFrameNumber() + "]");
                }
            }
        };

        try {  
            pcap.loop(-1, jphArp, "");
        } finally {  
            pcap.close();  
        }
    }

}

Solution

  • Which version of jnetpcap are you using? I presume 1.3. The following is from the Wikipedia article for the offsets in the ARP protocol:

    ...
    8   Sender hardware address (SHA) (first 2 bytes)
    10  (next 2 bytes)
    12  (last 2 bytes)
    14  Sender protocol address (SPA) (first 2 bytes)
    16  (last 2 bytes)
    18  Target hardware address (THA) (first 2 bytes)
    20  (next 2 bytes)
    22  (last 2 bytes)
    24  Target protocol address (TPA) (first 2 bytes)
    26  (last 2 bytes)

    And the following are the Arp class functions from the jnetpcap javadocs:

    byte[]  sha()            Sha.
    int     shaLength()      Sha length.
    byte[]  spa()            Spa.
    int     spaLength()      Spa length.
    int     spaOffset()      Spa offset.
    byte[]  tha()            Tha.
    int     thaLength()      Tha length.
    int     thaOffset()      Tha offset.
    byte[]  tpa()            Tpa.
    int     tpaLength()      Tpa length.
    int     tpaOffset()      Tpa offset.
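An added example (not code from the question, the answer, or the jNetPcap project) showing how the accessors listed above can be used to print the Ethernet source and destination together with the ARP sender and target addresses. The class name `ArpFieldDump` and the default file name `capture.pcap` are placeholders, and the formatting relies on jNetPcap's `FormatUtils` helper class, which the page does not mention.

```java
import org.jnetpcap.Pcap;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;
import org.jnetpcap.packet.format.FormatUtils;
import org.jnetpcap.protocol.lan.Ethernet;
import org.jnetpcap.protocol.network.Arp;

public class ArpFieldDump { // hypothetical class name
    public static void main(String[] args) {
        // Assumption: capture path is the first argument; the default is a placeholder.
        final String file = args.length > 0 ? args[0] : "capture.pcap";
        final StringBuilder errbuf = new StringBuilder();
        final Pcap pcap = Pcap.openOffline(file, errbuf);
        if (pcap == null) {
            System.err.printf("Cannot open %s: %s%n", file, errbuf);
            return;
        }
        // Header objects are allocated once; hasHeader() re-binds them to each packet.
        final Ethernet eth = new Ethernet();
        final Arp arp = new Arp();

        PcapPacketHandler<String> handler = new PcapPacketHandler<String>() {
            public void nextPacket(PcapPacket packet, String user) {
                // Skip anything that is not an ARP message inside an Ethernet frame.
                if (!packet.hasHeader(eth) || !packet.hasHeader(arp)) {
                    return;
                }
                // Only Ethernet/IPv4 ARP carries 6-byte hardware and 4-byte protocol addresses.
                if (arp.shaLength() != 6 || arp.spaLength() != 4) {
                    System.out.printf("[%d] ARP with other address sizes, skipped%n",
                            packet.getFrameNumber());
                    return;
                }
                System.out.printf("[%d] eth %s -> %s | sender %s (%s) | target %s (%s)%n",
                        packet.getFrameNumber(),
                        FormatUtils.mac(eth.source()), FormatUtils.mac(eth.destination()),
                        FormatUtils.mac(arp.sha()), FormatUtils.ip(arp.spa()),
                        FormatUtils.mac(arp.tha()), FormatUtils.ip(arp.tpa()));
            }
        };
        try {
            pcap.loop(-1, handler, ""); // -1 = read until end of file
        } finally {
            pcap.close();
        }
    }
}
```

In an ARP request the target hardware address is normally all zeros, since it is the value being asked for.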