PCAPNG files: java.lang.IllegalArgumentException: Unknown header type #139
Comments
|
Hi and thanks for reporting. It does indeed seems like a big gap. I have not spent much time on this project in recent years but will happily look at pull requests. I cannot promise I'll get to it myself in any reasonable time, although I will eventually. If you could upload a pcap showcasing the issue (and make sure it doesn't contain any sensitive information about your environment), that would help though. Regards, /Jonas |
|
After digging some more, this extended header is apparently from the "PCAP-NG" format, (NG for Next Generation), so there will be more to it than just the larger header. See https://wiki.wireshark.org/Development/PcapNg
A workaround is to use the tshark option "-F pcap" to force the output file type "pcap" rather than the default which is "pcapng".
As for example files, several files referenced on https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures are pcapng and thus do contain this same "extended" header, for instance:
- 200722_win_scale_examples_anon.pcapng
https://gitlab.com/wireshark/wireshark/-/wikis/uploads/__moin_import__/attachments/SampleCaptures/200722_win_scale_examples_anon.pcapng
- smb-legacy-implementation.pcapng
https://gitlab.com/wireshark/wireshark/-/wikis/uploads/__moin_import__/attachments/SampleCaptures/smb-legacy-implementation.pcapng
- tfp_capture.pcapng
https://gitlab.com/wireshark/wireshark/-/wikis/uploads/__moin_import__/attachments/SampleCaptures/tfp_capture.pcapng
|
geert3
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I have several PCAP files created using recent TCPDUMP on Linux. They start with the following bytes:
0a 0d 0d 0a 7c 00 00 00 4d 3c 2b 1a
The code in
PcapGlobalHeader.parsedoesn't seem to account for the first 8 bytes and looks for the byte order magic rightaway.According to this page: https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionshb
the first 8 bytes are "Block Type = 0x0A0D0D0A" and "Block Total Length" respectively.
Only then comes the "Byte-Order Magic" bytes -- these are handled in the
PcapGlobalHeader.parsemethod, but none of the expected formats seems to fit the actual bytes in my stream.So even if I remove the first 8 bytes from the stream before passing it to
Pcap.openStream, I still getjava.lang.IllegalArgumentException: Unknown header type.This is using the 3.0.10 version.
My PCAP files open in wireshark GUI without problems.
So this seems like a pretty big gap in the current implementation. Or am I missing something?
The text was updated successfully, but these errors were encountered: