Using Node.js to Convert PCAP Files to HAR Format for H5 Performance Testing

Background: Capturing network packets with tcpdump and saving them as PCAP files is a common approach for analyzing application‑layer resource loading in H5 performance testing.

Problem: Node.js lacks a direct library for converting PCAP to HAR, while Python offers pcap2har. By extending the open‑source node‑pcap project, we implemented PCAP‑to‑HAR parsing in Node.js.

PCAP Overview: PCAP is a packet‑capture library (libpcap, winpcap) that saves captured packets to a .pcap file. The file consists of a Global Header, multiple Packet Headers, and Packet Data.

Global Header (24 bytes) includes fields such as Magic number, version (major/minor), timezone, timestamp accuracy, snap length, and link type. For Android captures the link type is 113 (Linux cooked capture).

Packet Header (16 bytes) contains Timestamp (seconds and microseconds), Captured Length (Caplen), and Original Length (Len).

Packet Data holds the actual link‑layer frame; its length is defined by Caplen and must be interpreted according to the link‑type.

HAR Format: HAR (HTTP Archive) is a JSON‑based format that records HTTP request/response details, enabling tools like Firebug, Fiddler, and httpwatch to analyze web performance. Key fields include version, creator, browser, pages, entries, and comments.

In H5 analysis we focus on the pages and entries sections, especially fields such as startedDateTime, request, response, total time, and timings.

Node‑pcap Parsing: Using node‑pcap we can extract TCP session data, retrieve HTTP request/response payloads, and compute timing metrics. The code (omitted here) demonstrates how to read a PCAP file, track sessions with tcp_tracker , and handle data‑send and data‑recv events, taking care to reassemble fragmented application‑layer payloads.

Application‑Layer Data Extraction: By listening to "data send" and "data recv" events, we collect HTTP payloads, concatenating fragments when necessary due to MTU limits.

Time‑Dimension Information: When a TCP session ends, the "end" event allows calling tcp_session.session_stats() to obtain detailed timing statistics for each phase of the TCP handshake and data transfer.

Conclusion: The article demonstrates how to use node‑pcap to gather timing and application‑layer data from PCAP files, laying the groundwork for converting this information into HAR files; future work will address HTTPS decryption and full HAR generation.