Wireshark is great. However, I recently found myself in need of a library to manipulate tcpdump pcap files. There are a couple of libraries, such as jNetPcap (which appears abandoned), that merely wrap the native libpcap. While researching I came across PKTS from “aboutsip.com”. According to the PKTS repository:

pkts.io is a pure Java library for reading and writing pcaps. Its primary purpose is to manipulate/analyze existing pcaps, allowing you to build various tools around pcaps.

For my needs, this library was excellent. However, the documentation and examples were somewhat lacking.

Getting Started:

The easiest way to get started is to import the pkts library using Maven.

<dependency>
    <groupId>io.pkts</groupId>
    <artifactId>pkts-streams</artifactId>
    <version>3.0.3</version>
    <type>jar</type>
</dependency>

Loading a PCAP File

import io.pkts.Pcap;
import io.pkts.packet.Packet;
import java.io.IOException;

try {
    // Open the capture file; openStream and loop both throw IOException
    Pcap pcap = Pcap.openStream("/home/user/path/to/pcap/mypcap.pcap");
    pcap.loop((final Packet packet) -> {
        // Here we can handle each packet.
        // Returning true keeps iterating; returning false stops the loop.
        return true;
    });
} catch (IOException ex) {
    System.out.println(ex.getMessage());
}

Accessing Packet TCP Information

Whenever a data element is not present in the pcap file, the corresponding method will return null. For example, if there is no payload associated with the packet then getPayload() will return null, so check for null before calling methods on the result.

import io.pkts.Pcap;
import io.pkts.buffer.Buffer;
import io.pkts.packet.Packet;
import io.pkts.packet.TCPPacket;
import io.pkts.protocol.Protocol;
import java.io.IOException;

try {
    Pcap pcap = Pcap.openStream("/home/user/path/to/pcap/mypcap.pcap");
    pcap.loop((final Packet packet) -> {
        if (packet.hasProtocol(Protocol.TCP)) {
            TCPPacket tcp = (TCPPacket) packet.getPacket(Protocol.TCP);

            // Useful information

            // The ports involved
            int dstport = tcp.getDestinationPort();
            int srcport = tcp.getSourcePort();

            // Time of packet arrival
            long packetTime = tcp.getArrivalTime();

            // See if various flags are set
            boolean isACK = tcp.isACK();
            boolean isCWR = tcp.isCWR();
            boolean isECE = tcp.isECE();
            boolean isFIN = tcp.isFIN();
            boolean isPSH = tcp.isPSH();
            boolean isRST = tcp.isRST();
            boolean isSYN = tcp.isSYN();
            boolean isTCP = tcp.isTCP();
            boolean isUDP = tcp.isUDP();
            boolean isURG = tcp.isURG();

            // Packet payload (null when the segment carries no data)
            Buffer payload = tcp.getPayload();
            // Payload as hex
            if (payload != null) {
                String hexdump = payload.dumpAsHex();
            }
        }
        return true;
    });
} catch (IOException ex) {
    System.out.println(ex.getMessage());
}

Accessing Packet IP Information

import io.pkts.Pcap;
import io.pkts.buffer.Buffer;
import io.pkts.packet.IPPacket;
import io.pkts.packet.Packet;
import io.pkts.protocol.Protocol;
import java.io.IOException;

try {
    Pcap pcap = Pcap.openStream("/home/user/path/to/pcap/mypcap.pcap");
    pcap.loop((final Packet packet) -> {
        if (packet.hasProtocol(Protocol.IPv4)) {
            IPPacket ip = (IPPacket) packet.getPacket(Protocol.IPv4);

            // The IP addresses involved
            String dstip = ip.getDestinationIP();
            String srcip = ip.getSourceIP();

            // The payload data as hex (payload may be null)
            Buffer payload = ip.getPayload();
            if (payload != null) {
                String hexdump = payload.dumpAsHex();
            }

            // Time packet arrived.
            long packetTime = ip.getArrivalTime();

            // Is this packet a fragment?
            boolean isFragment = ip.isFragmented();
        }
        return true;
    });
} catch (IOException ex) {
    System.out.println(ex.getMessage());
}

Accessing MAC Addresses

import io.pkts.Pcap;
import io.pkts.packet.MACPacket;
import io.pkts.packet.Packet;
import io.pkts.protocol.Protocol;
import java.io.IOException;

try {
    Pcap pcap = Pcap.openStream("/home/user/path/to/pcap/mypcap.pcap");
    pcap.loop((final Packet packet) -> {
        if (packet.hasProtocol(Protocol.ETHERNET_II)) {
            MACPacket mac = (MACPacket) packet.getPacket(Protocol.ETHERNET_II);

            // Here is the MAC address data
            String srcmac = mac.getSourceMacAddress();
            String dstmac = mac.getDestinationMacAddress();
        }
        return true;
    });
} catch (IOException ex) {
    System.out.println(ex.getMessage());
}
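Putting the TCP and IP sections together, here is an added example (my own code, not from the pkts project or its docs) that walks a capture and summarises, per source IP, how many bare SYNs (SYN set, ACK clear) it sent to distinct destinations and how many of those never got a SYN/ACK back. A large unanswered count from one source is the kind of port-scan signal a detection pipeline would flag. It assumes IPv4 traffic and takes the pcap path as a command-line argument.

```java
import io.pkts.Pcap;
import io.pkts.packet.IPPacket;
import io.pkts.packet.Packet;
import io.pkts.packet.TCPPacket;
import io.pkts.protocol.Protocol;
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not part of the pkts project: per-source bare-SYN summary.
public class SynScanSummary {

    public static void main(String[] args) throws IOException {
        // Placeholder path; pass a real capture file as the first argument.
        String path = args.length > 0 ? args[0] : "/path/to/capture.pcap";
        Map<String, Set<String>> bareSyns = new HashMap<>(); // src -> {"dst:port"}
        Set<String> answered = new HashSet<>();               // "client|server:port"

        Pcap pcap = Pcap.openStream(path);
        pcap.loop((final Packet packet) -> {
            // Only IPv4/TCP is interesting here; keep looping over everything else.
            if (!packet.hasProtocol(Protocol.IPv4) || !packet.hasProtocol(Protocol.TCP)) {
                return true;
            }
            IPPacket ip = (IPPacket) packet.getPacket(Protocol.IPv4);
            TCPPacket tcp = (TCPPacket) packet.getPacket(Protocol.TCP);
            if (tcp.isSYN() && !tcp.isACK()) {
                // Connection attempt: record the target this source probed.
                bareSyns.computeIfAbsent(ip.getSourceIP(), k -> new HashSet<>())
                        .add(ip.getDestinationIP() + ":" + tcp.getDestinationPort());
            } else if (tcp.isSYN() && tcp.isACK()) {
                // Server replied; key on the original client and the server endpoint.
                answered.add(ip.getDestinationIP() + "|" + ip.getSourceIP() + ":" + tcp.getSourcePort());
            }
            return true;
        });
        pcap.close();

        bareSyns.forEach((src, targets) -> {
            long unanswered = targets.stream()
                    .filter(t -> !answered.contains(src + "|" + t))
                    .count();
            System.out.printf("%s: %d distinct targets, %d unanswered SYNs%n",
                    src, targets.size(), unanswered);
        });
    }
}
```

Hosts legitimately opening many connections (a crawler, a load balancer) will also score high, so treat the output as a triage list to correlate with asset inventory, not a verdict.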