Capture length incorrect if not multiple of 8
A java PCAP and DPI library
Brought to you by:
voytechs
When the wirelength and capture length are not multiples of 8, the wirelen is correctly reported, but the capture length is rounded to the next highest multiple of 8, causing an IllegalArgumentException in PcapPacket.scan() with the error being wirelen < buffer len.
Wireshark can correctly read these files on the same machine.
Examples (wirelen/capture length)
500/504
1438/1440
1358/1360
70/72
130/136
1438/1440
222/224
1390/1392
This is also the case in version 1.4 which I upgraded to after getting the error with 1.3.
I have found out that the pcaps giving us trouble are written by Napatech capture cards. It is using 8-byte blocks to transfer the data, so the incl_len is a multiple of 8 while the orig_len is the actual size on the wire. The extra bytes are nulls.
To work around it:
<code>
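// pcap is an already-opened org.jnetpcap.Pcap handle for the capture file.
PcapHeader header = new PcapHeader(JMemory.POINTER);
JBuffer buffer = new JBuffer(JMemory.POINTER);
int id = JRegistry.mapDLTToId(pcap.datalink());
while (pcap.nextEx(header, buffer) == Pcap.NEXT_EX_OK)
{
    // Set the capture length and buffer size to the wire length,
    // which drops the trailing null padding before the scan.
    header.hdr_len(header.wirelen());
    buffer.setSize(header.wirelen());
    PcapPacket pkt = new PcapPacket(header, buffer);
    pkt.scan(id);
    // other stuff to process the packets.
}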
</code>
This is a confirmed bug and for now is postponed. For now, we need to put it off as it needs to be fixed in too many places to attempt in a general release.
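To check a capture for the condition described in this thread before handing it to a parser, the following added example (not code from the thread or from jNetPcap) walks a classic pcap file image and lists every record whose incl_len exceeds its orig_len, noting whether the surplus bytes are nulls. The class and method names are hypothetical, the sample capture is constructed in memory, and it assumes the classic pcap format (not pcapng) and Java 16 or later.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.ArrayList;
import java.util.List;

public class PcapPaddingAudit {
    record Padded(int index, long inclLen, long origLen, boolean padIsNull) {}

    /** Walks a classic (non-pcapng) pcap image and lists records with incl_len > orig_len. */
    static List<Padded> findPadded(ByteBuffer pcap) {
        pcap = pcap.duplicate().order(ByteOrder.BIG_ENDIAN);
        int magic = pcap.getInt(0);
        if (magic == 0xd4c3b2a1 || magic == 0x4d3cb2a1) {
            pcap.order(ByteOrder.LITTLE_ENDIAN);       // file written on a little-endian host
        } else if (magic != 0xa1b2c3d4 && magic != 0xa1b23c4d) {
            throw new IllegalArgumentException("not a classic pcap file");
        }
        List<Padded> out = new ArrayList<>();
        int pos = 24;                                   // skip the 24-byte global header
        for (int i = 0; pos + 16 <= pcap.limit(); i++) {
            long incl = pcap.getInt(pos + 8) & 0xffffffffL;   // bytes stored in the file
            long orig = pcap.getInt(pos + 12) & 0xffffffffL;  // bytes seen on the wire
            if (incl > pcap.limit() - pos - 16) {
                throw new IllegalArgumentException("record " + i + " is truncated");
            }
            if (incl > orig) {                          // stored data runs past the wire length
                boolean nulls = true;
                for (long o = orig; o < incl; o++) {
                    nulls &= pcap.get(pos + 16 + (int) o) == 0;
                }
                out.add(new Padded(i, incl, orig, nulls));
            }
            pos += 16 + (int) incl;                     // the next record follows the stored bytes
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: little-endian pcap with a 70/72 record and a 60/60 record.
        ByteBuffer b = ByteBuffer.allocate(24 + 16 + 72 + 16 + 60).order(ByteOrder.LITTLE_ENDIAN);
        b.putInt(0xa1b2c3d4).putShort((short) 2).putShort((short) 4).putInt(0).putInt(0)
         .putInt(65535).putInt(1);                      // magic, version 2.4, snaplen, DLT_EN10MB
        b.putInt(0).putInt(0).putInt(72).putInt(70);    // ts_sec, ts_usec, incl_len, orig_len
        for (int i = 0; i < 70; i++) b.put((byte) 0xAA);
        b.put((byte) 0).put((byte) 0);                  // two null padding bytes
        b.putInt(0).putInt(1).putInt(60).putInt(60);
        for (int i = 0; i < 60; i++) b.put((byte) 0xBB);
        b.flip();
        findPadded(b).forEach(System.out::println);
    }
}
```

A record flagged with `padIsNull` false carries non-null data beyond the wire length, so trimming it to orig_len would discard real bytes and it deserves a closer look rather than a silent clamp.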