Libpcap to read pcap file

Following is a simple C program that allows you to read a pcap file using the libpcap library. The pcap is generated using Wireshark.

I tried this code in Visual studio. Don’t forget to add WPCAP in Property->Preprocessor->Preprocessor Definitions  and also wpcap.lib in Properties->Linker->Input-> Additional dependencies.

#include <stdio.h>
#include <pcap.h>

#define LINE_LEN 16

/* 4 bytes IP address */
typedef struct ip_address {
u_char byte1;
u_char byte2;
u_char byte3;
u_char byte4;

/* IPv4 header */
typedef struct ip_header {
u_char    ver_ihl;        // Version (4 bits) + Internet header length (4 bits)
u_char    tos;            // Type of service
u_short tlen;            // Total length
u_short identification; // Identification
u_short flags_fo;        // Flags (3 bits) + Fragment offset (13 bits)
u_char    ttl;            // Time to live
u_char    proto;            // Protocol
u_short crc;            // Header checksum
ip_address    saddr;        // Source address
ip_address    daddr;        // Destination address
u_int    op_pad;            // Option + Padding

/* UDP header*/
typedef struct udp_header {
u_short sport;            // Source port
u_short dport;            // Destination port
u_short len;            // Datagram length
u_short crc;            // Checksum

void packet_handler(u_char *, const struct pcap_pkthdr *, const u_char *);

int main(int argc, char **argv)
pcap_t *fp;
char errbuf[PCAP_ERRBUF_SIZE];
char source[PCAP_BUF_SIZE];

if(argc != 2) {

printf("usage: %s filename", argv[0]);
return -1;


/* Create the source string according to the new WinPcap syntax */
if ( pcap_createsrcstr(    source,            // variable that will keep the source string
PCAP_SRC_FILE,    // we want to open a file
NULL,            // remote host
NULL,            // port on the remote host
argv[1],        // name of the file we want to open
errbuf            // error buffer
) != 0) {

fprintf(stderr,"\nError creating a source string\n");
return -1;

/* Open the capture file */
if ( (fp= pcap_open(source,            // name of the device
65536,            // portion of the packet to capture
// 65536 guarantees that the whole packet will be captured on all the link layers
PCAP_OPENFLAG_PROMISCUOUS,     // promiscuous mode
1000,                // read timeout
NULL,                // authentication on the remote machine
errbuf            // error buffer
) ) == NULL) {
fprintf(stderr,"\nUnable to open the file %s.\n", source);
return -1;

// read and dispatch packets until EOF is reached
pcap_loop(fp, 0, packet_handler, NULL);

return 0;

void packet_handler(u_char *temp1,
const struct pcap_pkthdr *header, const u_char *pkt_data) {
struct tm ltime;
char timestr[16];
ip_header *ih;
udp_header *uh;
u_int ip_len;
u_short sport, dport;
time_t local_tv_sec;


/* convert the timestamp to readable format */
local_tv_sec = header->ts.tv_sec;
localtime_s(&ltime, &local_tv_sec);
strftime(timestr, sizeof timestr, "%H:%M:%S", &ltime);

/* print timestamp and length of the packet */
printf("%s.%.6d len:%d ", timestr, header->ts.tv_usec, header->len);

/* retireve the position of the ip header */
ih = (ip_header *)(pkt_data +
14); //length of ethernet header

/* retireve the position of the udp header */
ip_len = (ih->ver_ihl & 0xf) * 4;
uh = (udp_header *)((u_char*)ih + ip_len);

sport = uh->sport;
dport = uh->dport;

/* print ip addresses and udp ports */
printf("%d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n",




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s