After extending the ReadingCaptureFile-example slightly to output the data[]-array:
private static void device_OnPacketArrival(object sender, CaptureEventArgs e)
{
    if (e.Packet.LinkLayerType == PacketDotNet.LinkLayers.Ethernet)
    {
        var packet = PacketDotNet.Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
        var ethernetPacket = (PacketDotNet.EthernetPacket)packet;
        Console.WriteLine("{0} At: {1}:{2}: MAC:{3} -> MAC:{4}",
                          packetIndex,
                          e.Packet.Timeval.Date.ToString(),
                          e.Packet.Timeval.Date.Millisecond,
                          ethernetPacket.SourceHwAddress,
                          ethernetPacket.DestinationHwAddress);
        for (int i = 0; i < e.Packet.Data.GetLength(0); i++)
        {
            if (i > 0 && i % 16 == 0)
                Console.WriteLine();
            Console.Write("{0:x2} ", e.Packet.Data[i]);
        }
        Console.WriteLine();
        packetIndex++;
    }
}
we obtain the following output:
ReadingCaptureFile.exe
SharpPcap 4.2.0.0, ReadingCaptureFile
-- Please enter an input capture file name: ping.pcap
opening 'ping.pcap'
-- Capturing from 'ping.pcap', hit 'Ctrl-C' to exit...
0 At: 30.08.2015 21:04:00:864: MAC:00238BA1B88F -> MAC:3085A99738EF
30 85 a9 97 38 ef 00 23 8b a1 b8 8f 08 00 45 00
45 78 61 6d 70 6c 46 ea be 2c 86 61 00 80 06 00
43 61 70 74 75 72 65 46 69 6c 65 5c 62 69 6e 5c
44 65 62 75 67 00 44 ea be 2c 86 43 00 80 08 00
30 30 30 30 30 30 30 30 00 41 4c 4c 55 53 45 52
53 50 52 4f 46 49 5a ea be 2c 86 5c 00 80 0a 00
72 61
1 At: 30.08.2015 21:04:00:864: MAC:3085A99738EF -> MAC:00238BA1B88F
00 23 8b a1 b8 8f 30 85 a9 97 38 ef 08 00 45 00
45 78 61 6d 70 6c 46 ea be 2c 86 61 00 80 06 00
43 61 70 74 75 72 65 46 69 6c 65 5c 62 69 6e 5c
44 65 62 75 67 00 44 ea be 2c 86 43 00 80 08 00
30 30 30 30 30 30 30 30 00 41 4c 4c 55 53 45 52
53 50 52 4f 46 49 5a ea be 2c 86 5c 00 80 0a 00
72 61
2 At: 30.08.2015 21:04:01:864: MAC:00238BA1B88F -> MAC:3085A99738EF
30 85 a9 97 38 ef 00 23 8b a1 b8 8f 08 00 45 00
45 78 61 6d 70 6c 46 ea be 2c 86 61 00 80 06 00
43 61 70 74 75 72 65 46 69 6c 65 5c 62 69 6e 5c
44 65 62 75 67 00 44 ea be 2c 86 43 00 80 08 00
30 30 30 30 30 30 30 30 00 41 4c 4c 55 53 45 52
53 50 52 4f 46 49 5a ea be 2c 86 5c 00 80 0a 00
72 61
3 At: 30.08.2015 21:04:01:864: MAC:3085A99738EF -> MAC:00238BA1B88F
00 23 8b a1 b8 8f 30 85 a9 97 38 ef 08 00 45 00
45 78 61 6d 70 6c 46 ea be 2c 86 61 00 80 06 00
43 61 70 74 75 72 65 46 69 6c 65 5c 62 69 6e 5c
44 65 62 75 67 00 44 ea be 2c 86 43 00 80 08 00
30 30 30 30 30 30 30 30 00 41 4c 4c 55 53 45 52
53 50 52 4f 46 49 5a ea be 2c 86 5c 00 80 0a 00
72 61
4 At: 30.08.2015 21:04:02:864: MAC:00238BA1B88F -> MAC:3085A99738EF
30 85 a9 97 38 ef 00 23 8b a1 b8 8f 08 00 45 00
45 78 61 6d 70 6c 46 ea be 2c 86 61 00 80 06 00
43 61 70 74 75 72 65 46 69 6c 65 5c 62 69 6e 5c
44 65 62 75 67 00 44 ea be 2c 86 43 00 80 08 00
30 30 30 30 30 30 30 30 00 41 4c 4c 55 53 45 52
53 50 52 4f 46 49 5a ea be 2c 86 5c 00 80 0a 00
72 61
5 At: 30.08.2015 21:04:02:864: MAC:3085A99738EF -> MAC:00238BA1B88F
00 23 8b a1 b8 8f 30 85 a9 97 38 ef 08 00 45 00
45 78 61 6d 70 6c 46 ea be 2c 86 61 00 80 06 00
43 61 70 74 75 72 65 46 69 6c 65 5c 62 69 6e 5c
44 65 62 75 67 00 44 ea be 2c 86 43 00 80 08 00
30 30 30 30 30 30 30 30 00 41 4c 4c 55 53 45 52
53 50 52 4f 46 49 5a ea be 2c 86 5c 00 80 0a 00
72 61
-- End of file reached.
Hit 'Enter' to exit...
The ping.pcap is attached and consists of three simple
ping+reply pairs.
In different tests we found that only the first 16-18
bytes are correct ... whereas the rest is identical throughout
the capture.
Any ideas?
Anonymous