Open geert3 opened 1 year ago
Hi and thanks for reporting.
It does indeed seem like a big gap. I have not spent much time on this project in recent years but will happily look at pull requests. I cannot promise I'll get to it myself in any reasonable time, although I will eventually. If you could upload a pcap showcasing the issue (and make sure it doesn't contain any sensitive information about your environment), that would help though.
Regards,
/Jonas
After digging some more, this extended header is apparently from the "PCAP-NG" format (NG for Next Generation), so there will be more to it than just the larger header. See https://wiki.wireshark.org/Development/PcapNg
A workaround is to use the tshark option "-F pcap" to force the output file type "pcap" rather than the default which is "pcapng".
As for example files, several files referenced on https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures are pcapng and thus do contain this same "extended" header, for instance:
I have several PCAP files created using recent TCPDUMP on Linux. They start with the following bytes:
0a 0d 0d 0a 7c 00 00 00 4d 3c 2b 1a
The code in `PcapGlobalHeader.parse` doesn't seem to account for the first 8 bytes and looks for the byte order magic right away. According to this page: https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionshb the first 8 bytes are "Block Type = 0x0A0D0D0A" and "Block Total Length" respectively. Only then come the "Byte-Order Magic" bytes -- these are handled in the `PcapGlobalHeader.parse` method, but none of the expected formats seems to fit the actual bytes in my stream. So even if I remove the first 8 bytes from the stream before passing it to `Pcap.openStream`, I still get `java.lang.IllegalArgumentException: Unknown header type`.

This is using the 3.0.10 version. My PCAP files open in the Wireshark GUI without problems. So this seems like a pretty big gap in the current implementation. Or am I missing something?
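The header check discussed in this issue, as an added Python example (not the project's own code): it recognises the pcapng Section Header Block by its block type before reading the byte-order magic, falls back to the four legacy pcap magic numbers, and otherwise reports an unknown header. The sample input extends the twelve bytes quoted above into a constructed, complete SHB.

```python
import struct

# Field values from the pcapng Section Header Block (SHB) specification.
SHB_BLOCK_TYPE = 0x0A0D0D0A
SHB_BYTE_ORDER_MAGIC = 0x1A2B3C4D
# Legacy pcap magics as read big-endian: (struct byte order, timestamp unit).
PCAP_MAGICS = {
    0xA1B2C3D4: (">", "us"), 0xD4C3B2A1: ("<", "us"),
    0xA1B23C4D: (">", "ns"), 0x4D3CB2A1: ("<", "ns"),
}

def parse_capture_header(data: bytes) -> dict:
    """Identify a capture file by its leading bytes and parse its header.
    Returns a dict for a legacy pcap global header or a pcapng SHB; raises
    ValueError for anything else (the library's 'Unknown header type' case)."""
    if len(data) < 24:
        raise ValueError("need at least 24 bytes of file header")
    first = struct.unpack(">I", data[:4])[0]
    # pcapng: 0x0A0D0D0A reads the same in either byte order, so test it first.
    if first == SHB_BLOCK_TYPE:
        if len(data) < 28:
            raise ValueError("truncated Section Header Block")
        bom = struct.unpack(">I", data[8:12])[0]
        if bom == SHB_BYTE_ORDER_MAGIC:
            end = ">"
        elif bom == 0x4D3C2B1A:  # 0x1A2B3C4D stored little-endian
            end = "<"
        else:
            raise ValueError("SHB with unknown byte-order magic %#010x" % bom)
        block_len, = struct.unpack(end + "I", data[4:8])
        major, minor, section_len = struct.unpack(end + "HHq", data[12:24])
        if block_len < 28 or block_len % 4:
            raise ValueError("invalid SHB block length %d" % block_len)
        return {"format": "pcapng", "endian": end, "block_length": block_len,
                "version": (major, minor), "section_length": section_len}
    if first in PCAP_MAGICS:  # legacy pcap: the magic number is the first field
        end, unit = PCAP_MAGICS[first]
        major, minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
        return {"format": "pcap", "endian": end, "timestamp_unit": unit,
                "version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    raise ValueError("Unknown header type: %#010x" % first)

# Constructed samples: the 12 bytes quoted in the issue, completed to a full
# little-endian SHB (version 1.0, unknown section length, zeroed options), and
# a little-endian legacy pcap header (v2.4, snaplen 65535, LINKTYPE_ETHERNET).
SAMPLE_PCAPNG = (bytes.fromhex("0a0d0d0a7c0000004d3c2b1a") + struct.pack("<HHq", 1, 0, -1)
                 + b"\x00" * 96 + struct.pack("<I", 124))
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
```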