user3378689

Reputation: 209

filtering packets from pcap file

I am new to the pcap library, and I am building a program that loads a pcap file and processes it for my needs with WinPcap.

This is part of my pseudocode:

#include <pcap.h>

char errbuff[PCAP_ERRBUF_SIZE];
struct pcap_pkthdr *header;
const u_char *data;
int res;

pcap_t *pcap_file = pcap_open_offline(pcap_path, errbuff);

/* pcap_next_ex() returns 1 for a packet, -2 at end of the file, -1 on error */
while ( (res = pcap_next_ex(pcap_file, &header, &data)) == 1 )
{
    if ( the packet belongs to ETH->IP->UDP->RTP->H264 protocol )   /* pseudo-condition */
        process_packet(header, data);
}

I found the function pcap_compile(), but from my understanding this is for live capture.

Since I load the pcap file offline, I struggled to find a similar filter function.

How can I filter packets loaded from a pcap file? The filter should pass only packets from the ETH->IP->UDP->RTP->H264 protocol.

Upvotes: 0

Views: 2330

Answers (1)

user862787

I found the function pcap_compile() but from my understanding this is for live capture.

No, it's for live capture AND reading from a savefile.

The filter should pass only packets from the ETH->IP->UDP->RTP->H264 protocol.

No such filter is possible using pcap_compile().

To identify RTP traffic, you'd either have to know what UDP ports would be used by the traffic, and filter based on that, or you'd have to look at a few fields in the UDP payload and try to guess whether it's RTP traffic (and be willing to live with non-RTP packets passing the filter). Wireshark has a fairly weak heuristic to identify RTP running atop UDP; it is not enabled by default, because it's so weak that it would probably identify non-RTP traffic as being RTP traffic.

As for H.264, Wireshark recognizes that based on the SIP/SDP setup traffic, which means it involves more complicated packet parsing than can be done with a pcap filter and, more importantly, involves keeping state information, which is impossible with pcap filters.

Upvotes: 3
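As an added example (not code from either poster), this C predicate implements the answer's second option: after pcap_compile()/pcap_setfilter() with a filter such as "udp" or "udp port 5004" on the offline handle has kept only UDP, inspect a few fields of the UDP payload inside the pcap_next_ex() loop and guess whether it is RTP. It uses no libpcap symbols so it compiles stand-alone; the port, addresses and sample frame bytes are constructed, and as the answer says the guess cannot prove the payload is H.264.

```c
#include <stddef.h>
#include <stdint.h>

enum rtp_verdict { NOT_IP_UDP = 0, UDP_NOT_RTP = 1, UDP_RTP_LIKE = 2 };

/* Heuristic classifier for one raw Ethernet frame as returned by pcap_next_ex():
 * walk ETH -> IPv4 -> UDP and test whether the UDP payload is shaped like an
 * RTP header (RFC 3550). It is a guess, as the answer warns: non-RTP UDP can
 * pass, and nothing here proves the payload is H.264 (only the SDP could). */
enum rtp_verdict classify_frame(const uint8_t *f, size_t len,
                                uint16_t *dst_port, uint8_t *payload_type)
{
    if (len < 14 + 20 + 8 || f[12] != 0x08 || f[13] != 0x00) return NOT_IP_UDP;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17) return NOT_IP_UDP;
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];
    if (ip_total < ihl + 8 || 14 + ip_total > len) return NOT_IP_UDP;
    const uint8_t *udp = ip + ihl;
    size_t udp_len = ((size_t)udp[4] << 8) | udp[5];
    if (udp_len < 8 || udp_len > ip_total - ihl) return NOT_IP_UDP;
    if (dst_port) *dst_port = (uint16_t)((udp[2] << 8) | udp[3]);
    const uint8_t *rtp = udp + 8;
    size_t rtp_len = udp_len - 8;
    /* Fixed RTP header: V(2) P X CC(4) | M PT(7) | seq(16) | ts(32) | ssrc(32) */
    if (rtp_len < 12 || (rtp[0] >> 6) != 2) return UDP_NOT_RTP;       /* V must be 2 */
    if (rtp_len < 12 + 4u * (rtp[0] & 0x0f)) return UDP_NOT_RTP;      /* CSRCs must fit */
    uint8_t pt = rtp[1] & 0x7f;
    if (pt >= 72 && pt <= 76) return UDP_NOT_RTP;  /* RTCP types 200-204 look like these */
    if (payload_type) *payload_type = pt;
    return UDP_RTP_LIKE;
}

/* Constructed sample frame (not captured traffic): Ethernet/IPv4/UDP 5004->5004
 * carrying a 12-byte RTP header with V=2, PT=96 (dynamic), seq=1, plus 2 bytes. */
static const uint8_t SAMPLE_RTP_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x2a, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,           /* IPv4 hdr */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,                                 /* src, dst */
    0x13,0x8c, 0x13,0x8c, 0x00,0x16, 0x00,0x00,                               /* UDP */
    0x80,0x60, 0x00,0x01, 0x00,0x00,0x00,0x00, 0xde,0xad,0xbe,0xef,           /* RTP hdr */
    0x67,0x42                                                                 /* payload */
};
```

In the asker's loop, call classify_frame(data, header->caplen, ...) on each packet and hand only UDP_RTP_LIKE frames to process_packet(); a dynamic payload type (96-127) is consistent with H.264 but not proof of it.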
