I have several PCAP files created using recent TCPDUMP on Linux. They start with the following bytes:
0a 0d 0d 0a 7c 00 00 00 4d 3c 2b 1a
The code in PcapGlobalHeader.parse doesn't seem to account for the first 8 bytes and looks for the byte order magic right away.
According to this page: https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionshb
the first 8 bytes are "Block Type = 0x0A0D0D0A" and "Block Total Length" respectively.
Only then comes the "Byte-Order Magic" bytes -- these are handled in the PcapGlobalHeader.parse method, but none of the expected formats seems to fit the actual bytes in my stream.
So even if I remove the first 8 bytes from the stream before passing it to Pcap.openStream, I still get
java.lang.IllegalArgumentException: Unknown header type.
This is using the 3.0.10 version.
My PCAP files open in Wireshark GUI without problems.
So this seems like a pretty big gap in the current implementation. Or am I missing something?
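
Added example, not part of the original post or of the library's code: a standalone check that classifies a capture file from its leading bytes, distinguishing the classic pcap global-header magics from a pcapng Section Header Block like the one quoted above. The class and method names are hypothetical, and the 28-byte minimum is the size of a Section Header Block with no options.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

// Hypothetical helper, not part of any library: classifies a capture file by its leading bytes.
public class CaptureFormatSniffer {
    static final int PCAPNG_SHB = 0x0A0D0D0A;   // Section Header Block type (a byte palindrome)
    static final int MIN_SHB_LEN = 28;          // fixed SHB fields with no options

    static String sniff(byte[] head) {
        if (head.length < 4) return "too short";
        ByteBuffer buf = ByteBuffer.wrap(head);  // big-endian by default
        switch (buf.getInt(0)) {
            case 0xA1B2C3D4: return "pcap, big-endian, microsecond timestamps";
            case 0xD4C3B2A1: return "pcap, little-endian, microsecond timestamps";
            case 0xA1B23C4D: return "pcap, big-endian, nanosecond timestamps";
            case 0x4D3CB2A1: return "pcap, little-endian, nanosecond timestamps";
            case PCAPNG_SHB: break;              // pcapng: keep parsing below
            default:         return "unknown";
        }
        if (head.length < 12) return "pcapng, truncated section header";
        ByteOrder order;
        switch (buf.getInt(8)) {                 // byte-order magic follows type and length
            case 0x1A2B3C4D: order = ByteOrder.BIG_ENDIAN; break;
            case 0x4D3C2B1A: order = ByteOrder.LITTLE_ENDIAN; break;
            default:         return "pcapng block type, invalid byte-order magic";
        }
        // Block Total Length is only meaningful once the byte order is known.
        long len = buf.order(order).getInt(4) & 0xFFFFFFFFL;
        if (len < MIN_SHB_LEN || len % 4 != 0) return "pcapng, invalid block length " + len;
        String name = order == ByteOrder.LITTLE_ENDIAN ? "little-endian" : "big-endian";
        return "pcapng, " + name + ", section header block of " + len + " bytes";
    }

    public static void main(String[] args) {
        // The 12 bytes quoted in the post above.
        byte[] fromPost = {0x0a, 0x0d, 0x0d, 0x0a, 0x7c, 0, 0, 0, 0x4d, 0x3c, 0x2b, 0x1a};
        System.out.println(sniff(fromPost));
        // Constructed sample: classic little-endian pcap magic.
        byte[] classic = {(byte) 0xd4, (byte) 0xc3, (byte) 0xb2, (byte) 0xa1};
        System.out.println(sniff(classic));
    }
}
```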