Pcap Recorder

Pcap Recorder is a tool designed to record traffic.
It can record either the whole traffic or just a part of it, based on start/stop conditions.
Some of its features are:
  • Multiple conditions can be set to start/stop recording.

  • Combining these conditions using the "AND"/"OR" operators.

  • Going back a few packets or a few seconds in the past and capturing those packets too.

The Pcap Recorder main window contains the following items:

../_images/pcap_recorder_items.png
  • 1 Parameters: sets the recording parameters.

  • 2 WinPcap: sets the parameters of the hardware filter and the gateway port range.

  • 3 Start Condition: sets the start conditions.

  • 4 Prestart Collection: sets the parameters for recording packets received in the past.

  • 5 Stop Condition: sets the stop conditions.

  • 6 Statistics: statistics for the current recording.

  • 7 Status: the recorder state.

Parameters

Before recording a pcap file, these parameters need to be set:

  • Adapter: selected from the adapters drop-down menu.

  • Log file: either a PCAP or a PCAPNG file.

  • Log File Creation Option:
    • Create unique file every time logging starts.

    • Overwrite file every time logging starts.

    • Append to log file every time logging starts: this option is useful when all recordings must be stored in the same file; newly received packets are added to the end of the log file.

  • Start Option:
    • Start Automatically: recording starts immediately when the Start button is clicked.

    • Start on Condition: after the Start button is clicked, the tool receives packets but does not log them to the file until the conditions in the Start Condition section are satisfied.

  • Restart Option:
    • Stop when Complete: the default option. When the Stop Condition is satisfied, the recording stops and does not resume until the Start button is clicked again.

    • Automatically Restart when Complete: when the Stop Condition is satisfied, the tool restarts recording automatically.

WinPcap

This enables filtering packets before playing them via the adapter.

Packets Filter

The filter has three parts:

Capture Filter

  • The WinPcap Capture Filter configuration allows you to specify complex filter criteria: it keeps the frames you are interested in and discards uninteresting ones.

Important

Filter syntax is accessible in PCAP_Filter.

Vlan Support

  • You can specify whether you need packets with VLAN tags or not by choosing TRUE or FALSE in the Vlan Support field.

Gateway Port Filter

  • Gateway Port Filter allows the specification of port ranges that are used while filtering packets.

  • When filtering a packet, if its gateway port value does not match the filtered ports, the packet is discarded.

Important

Gateway Port Filter syntax is as follows:
  • Port Filter items are separated by commas. Example: 1, 2

  • Items can be single port numbers or ranges (a range is two numbers separated by a dash). Example: 1, 2, 5-9

  • Port filtering supports reception ports (Rx) and transmission ports (Tx).

  • Values can be either decimal or hexadecimal. Example: 1, 0x05, 5-0x09

  • Spaces are allowed between an item and a comma, or between an item and a dash. For example, 1, 2, 4 - 5 is correct but 1,4 5 is wrong.
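To make the syntax rules above concrete, here is an added Python example (not part of the Pcap Recorder tool) that parses a Gateway Port Filter string into the set of accepted ports and rejects malformed input such as 1,4 5. It assumes that port numbers are non-negative integers, that a range a-b is inclusive and requires a <= b, and that a packet passes the filter when its gateway port is in the parsed set; the function names are this example's own.

```python
import re

# Added example, not part of the Pcap Recorder tool: a parser for the
# Gateway Port Filter syntax. Assumptions: port numbers are non-negative
# integers, a range a-b is inclusive and requires a <= b, and a packet passes
# the filter when its gateway port is in the parsed set.

_NUMBER = r"(?:0[xX][0-9a-fA-F]+|[0-9]+)"
# One item: a number, optionally followed by a dash and a second number.
# Whitespace is allowed only around the item and around the dash, so a
# space-separated pair such as "4 5" does not match.
_ITEM_RE = re.compile(rf"^\s*({_NUMBER})\s*(?:-\s*({_NUMBER})\s*)?$")


def _to_int(token):
    """Decimal or 0x-prefixed hexadecimal number."""
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def parse_port_filter(text):
    """Return the set of gateway ports accepted by a Gateway Port Filter string.

    Raises ValueError for an empty filter, an item that is neither a number
    nor a range (e.g. "4 5" in "1,4 5"), or a reversed range such as 9-5.
    """
    if not text.strip():
        raise ValueError("empty port filter")
    ports = set()
    for item in text.split(","):
        match = _ITEM_RE.match(item)
        if match is None:
            raise ValueError(f"invalid port filter item: {item.strip()!r}")
        low = _to_int(match.group(1))
        high = _to_int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"reversed range: {item.strip()!r}")
        ports.update(range(low, high + 1))
    return ports


def is_valid_port_filter(text):
    """True when the string follows the Gateway Port Filter syntax."""
    try:
        parse_port_filter(text)
        return True
    except ValueError:
        return False


def port_passes_filter(text, port):
    """True when a packet with this gateway port is kept; otherwise it is discarded."""
    return port in parse_port_filter(text)


if __name__ == "__main__":
    # The examples from the syntax description, plus the invalid one.
    for sample in ("1, 2", "1, 2, 5-9", "1, 0x05, 5-0x09", "1, 2, 4 - 5", "1,4 5"):
        result = sorted(parse_port_filter(sample)) if is_valid_port_filter(sample) else "invalid"
        print(f"{sample!r:>20} -> {result}")
```

Rejecting the whole filter on the first bad item, rather than silently skipping it, is deliberate: a filter that quietly accepts fewer ports than the user typed would discard traffic without any indication.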

Note

When working with gateways (BRSpy or Capture Module, for example), if a gateway wrapper is present, the filter handles the encapsulated Ethernet packet and not the raw packet.

Note

The supported gateways and their ether types are:
  • BR-SPY ETH Wrapper (0x2082)

  • BR-SPY ETH Mini Wrapper (0x2182)

  • BR-SPY ETH Mini Wrapper Legacy (0x2183)

  • BR-SPY ETH 1000T Mini Wrapper (0x2282)

  • BR-SPY CAN Wrapper (0x2085)

Only the packets that match the chosen filter are sent.

Start Condition

  • This part is only visible when Start Option is Start on Condition.

  • The recording starts only when any/all conditions (depending on the Or/And operator) are met.

  • The user can set multiple conditions:
    • Signal Raw Value: the user selects a specific signal and sets a value. When a packet containing that signal with the specified raw value is received, this condition is marked as satisfied.

    • Signal Physical Value: same as Signal Raw Value but the check is done on the physical value instead of the raw value.

    • Packets Count: number of received packets since Start button is clicked.

    • Keyboard Shortcut: takes the form CTRL + ALT + any character. The recording starts when the user presses the specified keys simultaneously.

  • The user can set the operator:
    • And: The recording starts when ALL conditions are met.

    • Or: The first condition met starts the recording.

Note

Signal Raw Value and Signal Physical Value conditions can be set multiple times with different signals and values.

../_images/multiple_signals_conditions.png

Important

  1. Different conditions can be satisfied by different packets.
    • Consider the following example for Start Condition:
      • First condition: database.speed_signal.Physical = 70.

      • Second condition: database.speed_signal.Physical = 100.

      • The second received packet contains the speed signal with physical value = 70 → the first condition is then satisfied.

      • The fifth received packet contains the speed signal with physical value = 100 → the second condition is then satisfied, and since the first condition is already marked as satisfied, the recording starts.

  2. Once the start conditions are satisfied, all subsequent packets are recorded, not only the ones that satisfy the conditions.
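The latching behaviour in the example above (each condition stays satisfied once met, so different packets can satisfy different conditions) is easy to get wrong if conditions are re-evaluated only against the current packet. The following Python code is an added example, not part of the Pcap Recorder tool, that implements Signal Raw Value, Signal Physical Value and Packets Count conditions with that latching and combines them with the And/Or operator. Packets are constructed dicts mapping a signal name to a (raw, physical) value pair, and the signal names are assumed for illustration; it reproduces the speed = 70 / speed = 100 example and also shows the Or operator and the raw-value variant.

```python
# Added example, not part of the Pcap Recorder tool: a start-condition
# evaluator in which every condition is checked on every packet and stays
# satisfied (latched) once met, so different conditions can be satisfied by
# different packets; the And/Or operator decides when recording starts.
# Packets are constructed dicts mapping a signal name to a (raw, physical)
# value pair; the signal names are assumed for illustration.


class SignalCondition:
    """Signal Raw Value / Signal Physical Value condition."""

    def __init__(self, signal, value, physical=True):
        self.signal = signal
        self.value = value
        self.physical = physical      # False -> compare the raw value instead
        self.satisfied = False        # latched once met

    def feed(self, packet):
        pair = packet.get(self.signal)
        if pair is not None:
            raw, phys = pair
            if (phys if self.physical else raw) == self.value:
                self.satisfied = True
        return self.satisfied


class PacketsCountCondition:
    """Packets Count condition: met once `count` packets have been received."""

    def __init__(self, count):
        self.count = count
        self.received = 0
        self.satisfied = False

    def feed(self, packet):
        self.received += 1
        if self.received >= self.count:
            self.satisfied = True
        return self.satisfied


class StartCondition:
    """Combines several conditions with the And/Or operator."""

    def __init__(self, conditions, operator="And"):
        if operator not in ("And", "Or"):
            raise ValueError("operator must be 'And' or 'Or'")
        self.conditions = conditions
        self.operator = operator

    def feed(self, packet):
        # Feed every condition so each one can latch, then combine the states.
        states = [c.feed(packet) for c in self.conditions]
        return all(states) if self.operator == "And" else any(states)


def first_start_index(packets, conditions, operator="And"):
    """Return the 1-based index of the packet on which recording starts, or None."""
    start = StartCondition(conditions, operator)
    for index, packet in enumerate(packets, 1):
        if start.feed(packet):
            return index
    return None


# Constructed traffic reproducing the example: the 2nd packet carries
# speed = 70 and the 5th carries speed = 100.
SAMPLE_PACKETS = [
    {"database.speed_signal": (10, 10.0)},
    {"database.speed_signal": (70, 70.0)},
    {"database.rpm_signal": (3000, 3000.0)},
    {"database.speed_signal": (80, 80.0)},
    {"database.speed_signal": (100, 100.0)},
    {"database.speed_signal": (100, 100.0)},
]


def speed_conditions():
    """Fresh (unlatched) copies of the two conditions from the example."""
    return [SignalCondition("database.speed_signal", 70),
            SignalCondition("database.speed_signal", 100)]


if __name__ == "__main__":
    print("And:", first_start_index(SAMPLE_PACKETS, speed_conditions(), "And"))  # 5
    print("Or: ", first_start_index(SAMPLE_PACKETS, speed_conditions(), "Or"))   # 2
```

Conditions are stateful, which is why speed_conditions() builds fresh objects for every evaluation; reusing latched conditions across two recordings would start the second one on its very first packet.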

Prestart Collection

When the Start Condition is satisfied, Pcap Recorder records not only the packets that follow but also the packets received before it, limited to Min(latest x packets, packets received in the last x seconds), i.e. the smaller of the two sets:

  • Duration (in Seconds): packets received in the last x seconds.

  • Packets Count: last x packets received.

Stop Condition

  • In addition to the conditions explained in the Start Condition section, the user can apply the following stop conditions:
    • Duration (in Seconds): the recording stops x seconds after the first packet is received.

    • File size (in Bytes): the recording stops when the log file size reaches the specified value.

Note

  • The Packets Count and Duration stop conditions do not take into account packets recorded from Prestart Collection.

  • For example:
    • In Prestart Collection, Packets Count = 30.

    • In Stop Condition, Packets Count = 20.

    • The output file will have 50 (30 + 20) packets.
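The interaction between Prestart Collection (above) and a Packets Count stop condition is shown by the following added Python example, which is not part of the Pcap Recorder tool. It keeps a bounded history of the packets seen before the Start Condition fires (at most x packets, none older than x seconds, so the smaller of the two sets is written), and counts only packets from the start packet onward toward the stop condition, so that 30 prestart packets plus a stop count of 20 give a 50-packet file. Timestamps are constructed integer seconds, the duration window is assumed to be inclusive, and the function names are this example's own.

```python
from collections import deque

# Added example, not part of the Pcap Recorder tool: Prestart Collection
# (keep the latest `max_packets` packets, none older than `max_seconds`
# before the packet that satisfied the Start Condition) combined with a
# Packets Count stop condition that ignores the prestart packets.
# Timestamps are constructed integer seconds; the window is inclusive
# (an assumption of this example).


class PrestartBuffer:
    """Bounded history of packets seen before the Start Condition is satisfied."""

    def __init__(self, max_packets, max_seconds):
        self.max_packets = max_packets
        self.max_seconds = max_seconds
        self.buf = deque()

    def push(self, ts, packet):
        self.buf.append((ts, packet))
        while len(self.buf) > self.max_packets:      # Packets Count limit
            self.buf.popleft()
        self._evict_older_than(ts)                   # keep memory bounded as traffic arrives

    def _evict_older_than(self, now):
        # Duration limit: drop packets outside the last max_seconds.
        while self.buf and now - self.buf[0][0] > self.max_seconds:
            self.buf.popleft()

    def drain(self, now):
        """Return the prestart packets to write when the start condition fires at `now`."""
        self._evict_older_than(now)
        items = [packet for _, packet in self.buf]
        self.buf.clear()
        return items


def record(packets, start_at, prestart_count, prestart_seconds, stop_count):
    """Simulate one recording and return the recorded payloads in file order.

    packets: list of (timestamp, payload); start_at: 1-based index of the packet
    that satisfies the Start Condition; stop_count: Packets Count stop condition,
    counted only from the start packet onward (prestart packets are excluded).
    """
    pre = PrestartBuffer(prestart_count, prestart_seconds)
    recorded, counted = [], 0
    for index, (ts, payload) in enumerate(packets, 1):
        if index < start_at:
            pre.push(ts, payload)
            continue
        if index == start_at:
            recorded.extend(pre.drain(ts))   # prestart packets go to the file first
        recorded.append(payload)
        counted += 1
        if counted >= stop_count:            # stop condition satisfied
            break
    return recorded


def make_packets(n, interval_seconds=1):
    """Constructed sample traffic: packet i arrives at i * interval seconds."""
    return [(i * interval_seconds, f"pkt{i}") for i in range(1, n + 1)]


if __name__ == "__main__":
    # The example from the note: 30 prestart packets + stop count 20 = 50 packets.
    out = record(make_packets(100), start_at=60, prestart_count=30,
                 prestart_seconds=100, stop_count=20)
    print(len(out), out[0], out[-1])         # 50 pkt30 pkt79
    # With a 5-second prestart window only 5 of the 30 packets qualify: 25 in total.
    out = record(make_packets(100), start_at=60, prestart_count=30,
                 prestart_seconds=5, stop_count=20)
    print(len(out), out[0], out[-1])         # 25 pkt55 pkt79
```

The second run shows the Min() rule from the Prestart Collection section: the count limit would allow 30 packets, but the duration limit admits only those received in the last 5 seconds, so the smaller set is written.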

Statistics

  • Bit Rate: Number of bits received per second.

  • Packet Rate: Number of packets received per second.

  • Recorded Packets: Number of packets written in the file.

  • Received Packets: Number of received packets from the device.

  • Filtered out Packets: Number of packets dropped by the device when a filter is applied.

  • Dropped Packets: Number of dropped packets from the device.

  • Recorded Files: Number of recorded files. This value is only significant when Restart Option is Automatically Restart when Complete and Creation Option is Create unique file every time logging starts. Otherwise, it is equal to 1.

Status

These states inform the user about the current state of the recorder:

  • Inactive: the tool is not performing any action, neither receiving nor recording packets.

  • Recording: the tool is recording and packets are being written to the log file.

  • Waiting for Start Condition: the tool is receiving packets and checking if any/all conditions configured in Start Condition section are satisfied to begin the recording.

  • Recording, Waiting for Stop Condition: the tool is writing packets to the log file and checking whether any/all conditions configured in the Stop Condition section are satisfied to stop the recording.

Example Use Case

../_images/demo.gif