WinPCap - Packet.dll UDF


@ptrex and all,

Please note that my UDF is not actually an ethereal/wireshark UDF but a Winpcap UDF. It does NOT do any protocol analysis by itself, it just captures and sends raw packets on your network according to some filters. You have to perform the analysis (source/destination/protocol... etc) by yourself. I included a basic demo script which is doing so partially (for the example) but does only support some basics for protocols IP, ICMP, UDP, TCP and ARP.

In the latest versions I included some utility functions to extract (or set) a value from/into the binary string and compute checksums for the most common protocols. You can always convert to a regular string the binary data by using a StringToBinary() call.

Hope that helps.

Best regards,



I tested some of your examples posted on your website.

I was able to :

- List the devices

- Capture some HTTP packets

- Create a PCAP file

- Read a PCAP file

The data coming out of the PCAP file doesn't tell me a lot ?

When I open the PCAP file using Ethereal it does read it well !!

But can I find the data structure I see in here compared to what I see in the read PCAP function.

The Ethereal output is Time - Source - Destination - Protocol - Info Data

Output of the function is Time - Length - Packet - Data ?

Can you give an example on how to read the output comparable to what I see in Ethereal ?

PS : Good UDF so far !! ^_^

Edit : never mind my question. I figured out how to read the data.

Thanks again.



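The decoding asked about in the post above, as an added example that is not part of the original posts or of the Winpcap UDF: it reads classic (microsecond) pcap records and derives the Source / Destination / Protocol columns from each raw Ethernet frame. Python is used here instead of AutoIt, and the sample capture, addresses and function names are constructed for illustration.

```python
import socket
import struct

PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_sample_pcap():
    """Constructed sample: a pcap file holding one 60-byte TCP SYN frame."""
    eth = bytes.fromhex("aabbccddeeff" "112233445566" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
    frame = (eth + ip + tcp).ljust(60, b"\x00")  # padded to the Ethernet minimum
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rhdr = struct.pack("<IIII", 1200000000, 250000, len(frame), len(frame))
    return ghdr + rhdr + frame

def summarize(frame):
    """Return (source, destination, protocol, info) for one Ethernet frame."""
    if len(frame) < 34:
        return ("", "", "short", "")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:  # ARP: sender IP at bytes 28..32, target IP at 38..42
        return (socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42]), "ARP", "")
    if ethertype != 0x0800:  # anything but IPv4 is reported by EtherType only
        return ("", "", "0x%04x" % ethertype, "")
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    total_len, proto = struct.unpack("!H", frame[16:18])[0], frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    info = ""
    if proto in (6, 17) and len(frame) >= 18 + ihl:  # TCP/UDP ports follow the IP header
        info = "%d > %d" % struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    # The IP total length says how much of the frame is data; the rest is padding.
    info += " ip_len=%d padding=%d" % (total_len, len(frame) - 14 - total_len)
    return (src, dst, PROTOS.get(proto, str(proto)), info.strip())

def read_pcap(data):
    """Yield (time, captured_len, src, dst, proto, info) for each record."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # byte order of the writing host
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + caplen]
        yield (sec + usec / 1e6, caplen) + summarize(frame)
        offset += 16 + caplen

if __name__ == "__main__":
    for row in read_pcap(build_sample_pcap()):
        print(row)
```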


Your Winpcap.au3 is amazing, I have been using it for several days now.

I appreciate the time you have put into this, and that you have shared it.

I have one problem however,

I am receiving and processing TCP packets,

sometimes (I suspect when there is heavy traffic) I will get only the first 60 bytes of a TCP packet. It's always the first 60 bytes, and I know it's incomplete because it doesn't end in a null. (all the complete packets end with a null from my analysis so far)

I suspect the problem might be somewhere in _PcapGetPacket but my debugging for the last day has found nothing. The project I am using this for relies on all packets being parsed, so this has brought it to a halt. Thanks for taking the time to read this.

My TCP/IP knowledge is ok, but I am no expert. Could this be packet fragmentation? I have had much larger packets, up to 1514 before they have been fragmented.

I know that the end application is receiving these packets, because it is making use of the data in them.

When the packet is cut short it is always the first 60 bytes (which is mostly header + 6 ascii characters/bytes of useful data)


Ok, ignore this post, I am getting the exact same data in Wireshark... proving it's nothing to do with Winpcap.au3 :mellow:

Edited by boomingranny



I know this thread is quite old, but is it possible to open an existing ".pcap" file for reading and replaying it?


Edited by lsakizada

Be Green Now or Never (BGNN)!
