jlamprou / pcapmonitor

Pcap Monitor

This project is a packet sniffer and analyzer that uses the pcap library to capture packets from a network interface or read packets from a pcap file. It provides detailed information about the Ethernet, IP, TCP, and UDP headers, as well as the payload of each packet. It also keeps track of TCP and UDP flows and identifies TCP retransmissions.

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.

Building

To build the project, use the provided Makefile. In the project directory, run:

make

This will compile the source code and produce an executable named pcap_ex.

Usage

You can run the program with the following command:

sudo ./pcap_ex -i interface_name -f filter_exp

or

./pcap_ex -r file_name -f filter_exp

Here, interface_name is the name of the network interface from which to capture packets, file_name is the name of a pcap file from which to read packets, and filter_exp is a filter expression that specifies which packets to capture or read.

The -i and -r options are mutually exclusive. If you provide both, the program will print a help message and exit. If you do not provide either, the program will also print a help message and exit.

The filter expression is optional. If you do not provide it, the program will capture or read all packets.

Filter Expressions

The program supports the following filter expressions: (You can find more information about filter expressions here.)

  • dst host ip_address
  • src host ip_address
  • host ip_address
  • ether dst mac_address
  • ether src mac_address
  • ether host mac_address
  • gateway ip_address
  • dst net network
  • src net network
  • net network
  • dst port port_number
  • src port port_number
  • port port_number
  • tcp
  • udp
  • icmp
  • less size
  • greater size

Implementation Details

The program uses a hash map to keep track of TCP and UDP flows and to identify TCP retransmissions. Each entry in the hash map represents a flow and contains a key and a value. The key is a string that consists of the source IP address, destination IP address, source port number, destination port number, and sequence number, separated by colons. The value is an integer that represents the number of packets in the flow.

When the program captures or reads a packet, it constructs the key from the packet's header fields and checks if the key is in the hash map. If the key is in the hash map, the program increments the value associated with the key. If the key is not in the hash map, the program adds a new entry to the hash map with the key and a value of 1.
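
The bookkeeping described above, as an added example in C (not the project's own code): `record_segment`, `retransmission_count`, the djb2 hash, the chained table and the `occupies_seq` flag are assumptions of this sketch. The flag exists because a pure ACK repeats the sender's sequence number, so counting it under this key would inflate the retransmission total.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUCKETS 1024
#define KEYLEN  128   /* room for two textual IPv6 addresses, ports and seq */

struct entry { char key[KEYLEN]; int count; struct entry *next; };
static struct entry *table[BUCKETS];
static int retransmissions;

static unsigned long hash_key(const char *s) {  /* djb2, an arbitrary choice */
    unsigned long h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h % BUCKETS;
}

/* Count one TCP segment under "src:dst:sport:dport:seq". Returns how often the
 * key has been seen, 0 if skipped, -1 on allocation failure. occupies_seq is 0
 * for a pure ACK (no payload, no SYN/FIN); skipping it is this example's choice. */
int record_segment(const char *src, const char *dst, uint16_t sport,
                   uint16_t dport, uint32_t seq, int occupies_seq) {
    char key[KEYLEN];
    struct entry *e; unsigned long b;
    if (!occupies_seq) return 0;
    snprintf(key, sizeof key, "%s:%s:%u:%u:%lu", src, dst,
             (unsigned)sport, (unsigned)dport, (unsigned long)seq);
    b = hash_key(key);
    for (e = table[b]; e; e = e->next)
        if (strcmp(e->key, key) == 0) {  /* same flow and seq seen before */
            retransmissions++;
            return ++e->count;
        }
    if (!(e = calloc(1, sizeof *e))) return -1;
    strcpy(e->key, key);
    e->count = 1; e->next = table[b];
    table[b] = e;
    return 1;
}
int retransmission_count(void) { return retransmissions; }

int main(void) {  /* constructed input: a segment sent twice, then a pure ACK */
    record_segment("10.0.0.1", "10.0.0.2", 40000, 80, 1000, 1);
    record_segment("10.0.0.1", "10.0.0.2", 40000, 80, 1000, 1);
    record_segment("10.0.0.2", "10.0.0.1", 80, 40000, 5000, 0);
    printf("retransmissions: %d\n", retransmission_count());
    return 0;
}
```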

The program uses the pcap library to capture packets from a network interface or read packets from a pcap file. It uses the pcap_next_ex function to get the next packet, and then it processes the packet's headers and payload.

The program prints detailed information about each packet, including the Ethernet, IP, TCP, and UDP headers, as well as the payload. It also prints statistics about the total number of packets, the total number of TCP and UDP packets, the total number of TCP and UDP bytes, the total number of TCP retransmissions, and the total number of TCP and UDP flows.
