deiv / driftnet

Driftnet watches network traffic, and picks out and displays the JPEG and GIF images it finds
GNU General Public License v2.0

Freezes / Inconsistent running #10

Closed sirEgghead closed 8 years ago

sirEgghead commented 8 years ago

I have a Cisco 2960S as my core switch. I have a SPAN port (mirror) setup and connected to my server for WAN traffic. I have been consistently using the SPAN port for other purposes and it works fine. Today I installed driftnet and ran it against my monitoring port on my server and was pleased to see that it was saving files. When I opened them, all of the jpegs were corrupted. The png files were fine. So I tried driftnet against one of my pcap files that I saved with dumpcap against the same mirror port and some of the jpegs from there worked just fine. I ran driftnet again against the same file and I get a different amount of filenames. For instance, the first time I ran it against the test file, I received 27 files. The next time, I received 2. The next time 3. This is the same file with unmodified contents. The outputted file names occur in the same order. For instance, the first file name for each time I run driftnet against the test pcap file is driftnet-568453886b8b4567.jpeg. The image is the same. So this is fine. But why is it not extracting them all each time I run it? And why does it not always capture data from my NIC?

deiv commented 8 years ago

Hi, thanks for the report.

jpeg support is not perfect, sorry. I will take a look.

Is it possible to get this pcap file you are talking about, to try with it?

sirEgghead commented 8 years ago

Deleted post for security.

deiv commented 8 years ago

Ping me when you have a valid test file with which I can reproduce the failure. Thx.

sirEgghead commented 8 years ago

This one has a jpeg in it. Tested it. Corrupted. Exactly as described in the original post.

Edited to remove linked file.

deiv commented 8 years ago

In this case, the first bytes of the apparent jpeg file are:

FF D8 10 A0 6E 97 44 44 3D 60 50 1E 83 84 F8 52 48 07 E9 51 83 C7 CB 31 72 3B 12 B5 5E 62 82 29 D9 41 85 54 21 BC 03 DF 69 F6 F7 25 8B 9D 58 91 84 D9 89 03 9C 59 CF 33 A4 C9 65 84 66 AF B3 70 0C 2E 78 D8 8C FF 34

If we look at the jpeg file format, we can see that "FF D8" is interpreted as a "Start of Image" marker. The next supposed marker is "FF 34", which is not a valid one. So this is not a valid jpeg image.

If you run driftnet you can see the following error:

Corrupt JPEG data: 67 extraneous bytes before marker 0x34 Unsupported marker type 0x34

With this test file I'm unable to reproduce the other failures.
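Added example, not driftnet's code and not from anyone in this thread: a small marker walker that applies the check described above to a byte stream starting with FF D8. The two bytes FF D8 on their own are a weak signature, since they occur by chance in any binary payload; what makes a stream a JPEG is the marker chain that follows (every marker is FF xx, xx must be a code ITU T.81 defines, and all but a few markers carry a big-endian length). The walker mirrors what libjpeg does while hunting for the next marker: it skips non-FF bytes and counts them as "extraneous", then rejects undefined codes. The first sample is the byte string quoted in the comment above, transcribed here; the other two samples are constructed for this example. The marker constants are from the JPEG specification.

```python
"""Walk the marker structure of a candidate JPEG and report the first
structural error, or the full marker sequence when the chain is consistent."""
from dataclasses import dataclass, field
from typing import List, Optional

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: TEM, RST0-RST7, SOI, EOI
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}
# Codes T.81 assigns (0xC0-0xFE) plus TEM; 0x02-0xBF are reserved, 0xFF is fill
KNOWN = set(range(0xC0, 0xFF)) | {0x01}


@dataclass
class ScanResult:
    markers: List[int] = field(default_factory=list)  # marker codes seen, in order
    extraneous: int = 0                               # garbage bytes skipped before a marker
    error: Optional[str] = None                       # None when the structure is consistent


def _skip_entropy_coded(data: bytes, pos: int) -> int:
    """Advance past scan data: FF 00 is a stuffed data byte and FF D0-D7 are
    restart markers, both belong to the scan; any other FF xx ends it."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return len(data)


def scan_jpeg_markers(data: bytes) -> ScanResult:
    """Return the marker sequence of `data`, or the first structural error."""
    r = ScanResult()
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        r.error = "missing SOI marker"
        return r
    r.markers.append(SOI)
    pos = 2
    while pos < len(data):
        # Hunt for 0xFF; a decoder counts everything it skips as extraneous
        while pos < len(data) and data[pos] != 0xFF:
            r.extraneous += 1
            pos += 1
        # A run of 0xFF bytes is fill; the code is the first non-FF byte after it
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1
        if pos >= len(data):
            r.error = "truncated: stream ended inside a marker"
            return r
        code = data[pos]
        pos += 1
        if code == 0x00:  # FF 00 is a stuffed byte, not a marker
            continue
        if code not in KNOWN:
            r.error = f"Unsupported marker type 0x{code:02X}"
            return r
        r.markers.append(code)
        if code == EOI:
            return r
        if code in STANDALONE:
            continue
        # Every other marker is followed by a big-endian length that includes itself
        if pos + 2 > len(data):
            r.error = f"truncated: no length after marker 0x{code:02X}"
            return r
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2 or pos + seg_len > len(data):
            r.error = f"bad segment length {seg_len} after marker 0x{code:02X}"
            return r
        pos += seg_len
        if code == SOS:
            pos = _skip_entropy_coded(data, pos)
    r.error = "truncated: no EOI marker"
    return r


def looks_like_jpeg(data: bytes) -> bool:
    """True only when the whole marker chain is consistent through EOI."""
    return scan_jpeg_markers(data).error is None


# The bytes quoted in the comment above, transcribed as printed there
CAPTURED_PREFIX = bytes.fromhex(
    "FF D8 10 A0 6E 97 44 44 3D 60 50 1E 83 84 F8 52 48 07 E9 51 83 C7 CB 31 72 3B 12 B5 5E 62 "
    "82 29 D9 41 85 54 21 BC 03 DF 69 F6 F7 25 8B 9D 58 91 84 D9 89 03 9C 59 CF 33 A4 C9 65 84 "
    "66 AF B3 70 0C 2E 78 D8 8C FF 34"
)
# Constructed: SOI, a 16-byte APP0/JFIF segment, EOI (structurally consistent)
MINIMAL_JFIF = bytes.fromhex("FFD8 FFE0 0010 4A46494600 0101 00 0001 0001 00 00 FFD9")
# Constructed: SOI, an SOS header, scan data with a stuffed FF 00 and an RST0, then EOI
SCAN_SAMPLE = bytes.fromhex("FFD8 FFDA 0008 01 01 00 00 3F 00 12 FF00 34 FFD0 56 FFD9")

if __name__ == "__main__":
    for name, blob in [("captured", CAPTURED_PREFIX), ("jfif", MINIMAL_JFIF), ("scan", SCAN_SAMPLE)]:
        res = scan_jpeg_markers(blob)
        print(name, [f"0x{m:02X}" for m in res.markers], res.extraneous, res.error)
```

Run against the quoted bytes it reports 67 extraneous bytes and then "Unsupported marker type 0x34", the same two facts libjpeg prints in the error above; the count is exactly the number of bytes between FF D8 and the next FF. A tool that saves every FF D8 hit as an image will write files like this whenever the payload after the two bytes happens not to be a JPEG, so walking the marker chain before writing is the cheap way to drop them.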

deiv commented 8 years ago

Closing it. Not enough info to reproduce the explained errors.