December 2010

Simple example to get HTTP transport headers from offline file

Hi,

Can somebody please share a simple example of how to access the HTTP transport headers from the HTTP traffic payload? I can currently get the body payload from the HTTP traffic by using the following:

  // Open the capture file; the buffer receives the error text if opening fails
  WinPcap file = WinPcap.openOffline("C:\\foo.cap", new StringBuffer());
  PcapPacket packet = new PcapPacket(JMemory.POINTER);
  while (file.nextEx(packet) == Pcap.NEXT_EX_OK) {
    // Payload is the undecoded data left after the last recognised header
    Payload payload = packet.getHeader(new Payload());
  }
  file.close();

Any suggestions or advice are welcome. Thanks in advance!
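One way to get at the HTTP header fields rather than just the body, as an added example that is not the poster's code: walk the offline file with a single packet peer and a single Http header peer, and read the start line and selected fields per frame. It assumes jNetPcap 1.3's Http peer with its Http.Request and Http.Response field enums (field names as assumed here; check them against the javadoc of your version), and the capture path is a placeholder.

```java
import org.jnetpcap.Pcap;
import org.jnetpcap.nio.JMemory;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.protocol.tcpip.Http;
import org.jnetpcap.protocol.tcpip.Tcp;

/* Added example, not the poster's code: walk an offline capture and print the TCP
 * ports plus the HTTP start line and selected message headers for every frame the
 * scanner decoded as HTTP. Assumes jNetPcap 1.3's Http peer and its
 * Http.Request / Http.Response field enums; the capture path is a placeholder. */
public class HttpHeaderDump {
    public static void main(String[] args) {
        String file = args.length > 0 ? args[0] : "C:\\foo.cap"; // placeholder path
        StringBuilder errbuf = new StringBuilder();
        Pcap pcap = Pcap.openOffline(file, errbuf);
        if (pcap == null) { System.err.println("openOffline failed: " + errbuf); return; }
        // Allocate packet and header peers once; hasHeader() re-binds them per frame.
        PcapPacket packet = new PcapPacket(JMemory.POINTER);
        Tcp tcp = new Tcp();
        Http http = new Http();
        long frame = 0;
        while (pcap.nextEx(packet) == Pcap.NEXT_EX_OK) {
            frame++;
            if (!packet.hasHeader(tcp) || !packet.hasHeader(http)) continue;
            System.out.printf("#%d tcp %d -> %d%n", frame, tcp.source(), tcp.destination());
            if (http.isResponse()) {
                print(http, Http.Response.Code);
                print(http, Http.Response.Content_Type);
                print(http, Http.Response.Server);
            } else {
                print(http, Http.Request.RequestMethod);
                print(http, Http.Request.RequestUrl);
                print(http, Http.Request.Host);
                print(http, Http.Request.User_Agent);
            }
        }
        pcap.close();
    }

    // Print a field only when this message carries it; two overloads because the
    // request and response field names are separate enums.
    static void print(Http http, Http.Request f) {
        if (http.hasField(f)) System.out.println("  " + f + ": " + http.fieldValue(f));
    }
    static void print(Http http, Http.Response f) {
        if (http.hasField(f)) System.out.println("  " + f + ": " + http.fieldValue(f));
    }
}
```

jNetPcap decodes each frame on its own without TCP stream reassembly, so a message whose header block is split across segments only shows the part carried in the first segment; the Payload in the loop above is the body that follows the headers in that same frame.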

Error message: Unable to initialize field JMemory.ref:JMemoryReference

Hi,
I am using jNetPcap in my Java (Eclipse) projects to read pcap files and analyze them with my own code. On a 64-bit machine it worked fine. I can create projects with the jar as well as with the source code and export my own jar file to use the programs elsewhere.
The exported jars didn't run on a 32-bit machine, so I created new projects with the jar and dll file for 32-bit. Running the program in Eclipse on a 32-bit machine worked fine. Running the exported jar gave the error:

java.lang.NoSuchFieldException: Unable to initialize field JMemory.ref:JMemoryReference
Exception in thread "main" java.lang.ExceptionInInitializerError
at org.jnetpcap.nio.JMemory.<clinit>(JMemory.java:87)

I created a new project in Eclipse with the source code but ran into the same error.
What can be the problem here?

Thanks,

Losing Packet

I have an application listening to traffic in promiscuous mode under heavy traffic. I suspect packets are being lost; I did a test running my application and the snoop command at the same time, and some packets do not reach my application.
Is there any way to be sure that packets are lost (test scenario, log, etc.)?
I searched for this problem on Google and also on the jNetPcap forum. My inference is below; can you check whether it is true or not?
libpcap has a ring buffer; slow fetching from the buffer (with the nextPacket function) causes packet loss because of the natural behaviour of a ring buffer that wraps around. Increasing the buffer size resolves the packet loss problem (or maybe reduces the number of lost packets).
We can set the buffer size using the "pcap_set_buffer_size" function. I added (actually copy-pasted from 1.4.x) the "pcap_set_buffer_size" and "pcap_activate" functions to 1.3.x. But I am not sure it really increased the buffer size, because I don't know the default value.
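The kernel keeps its own count of packets it had to drop because the capture buffer was full (pcap_stats' ps_drop), so loss can be measured directly instead of inferred from a side-by-side snoop run. The following added example, not the poster's code, captures in promiscuous mode and polls those counters between dispatch calls; it assumes jNetPcap 1.3's Pcap.openLive, Pcap.dispatch, Pcap.stats and PcapStat.getRecv/getDrop/getIfDrop, and uses the first interface found unless one is given on the command line.

```java
import java.util.ArrayList;
import java.util.List;
import org.jnetpcap.Pcap;
import org.jnetpcap.PcapIf;
import org.jnetpcap.PcapStat;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;

/* Added example, not the poster's code: capture in promiscuous mode and poll
 * pcap_stats (Pcap.stats / PcapStat) so drops are measured rather than guessed.
 * Assumes jNetPcap 1.3's openLive, dispatch, stats and the PcapStat getters. */
public class DropMonitor {
    public static void main(String[] args) {
        StringBuilder errbuf = new StringBuilder();
        List<PcapIf> devs = new ArrayList<PcapIf>();
        if (Pcap.findAllDevs(devs, errbuf) != Pcap.OK || devs.isEmpty()) {
            System.err.println("no capture device: " + errbuf); return;
        }
        String dev = args.length > 0 ? args[0] : devs.get(0).getName();
        final int snaplen = 96;      // headers only: less copying per packet
        final int timeoutMs = 100;
        Pcap pcap = Pcap.openLive(dev, snaplen, Pcap.MODE_PROMISCUOUS, timeoutMs, errbuf);
        if (pcap == null) { System.err.println("openLive failed: " + errbuf); return; }

        final long[] seen = {0};
        PcapPacketHandler<Object> handler = new PcapPacketHandler<Object>() {
            public void nextPacket(PcapPacket packet, Object user) {
                seen[0]++;           // keep per-packet work minimal so the buffer drains
            }
        };
        PcapStat stat = new PcapStat();
        long lastDrop = 0;
        for (int round = 0; round < 10; round++) {
            // dispatch returns after the read timeout or when the current batch is consumed
            pcap.dispatch(-1, handler, null);
            if (pcap.stats(stat) != Pcap.OK) { System.err.println(pcap.getErr()); break; }
            long drop = stat.getDrop();
            if (drop > lastDrop) {
                System.out.printf("DROP: +%d (recv=%d drop=%d ifdrop=%d seen=%d)%n",
                        drop - lastDrop, stat.getRecv(), drop, stat.getIfDrop(), seen[0]);
                lastDrop = drop;
            }
        }
        pcap.close();
    }
}
```

A rising drop counter while seen keeps up with recv confirms the buffer is overflowing between reads; a rising ifdrop counter points at the interface or driver instead, which no buffer size change will fix.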

I can't find Tcp Packet in Vista, but XP can.

Everybody, when I use the code in XP and Vista, I get different results:
...
if(packet.hasHeader(tcp)){
...
}
...

When I use it in XP, I can get the TCP packet, but in Vista, I can't find it. How can I resolve it?
Please, everybody, teach me. Thanks.

Disabling CORE decoders?

Is there a way to disable one of the CORE protocols? I've tried JRegistry.resetBindings(); and JRegistry.clearScanners() with no luck.

The reason I would like to do this is that I have a suspicion that one of my capture files may not be decoding properly, and I would like to try disabling that decoder to make sure that this is the problem.

I am getting the following stack trace and I believe the error is on line 178:

char firstChar = line.charAt(0);

and line is an empty string.
java.lang.StringIndexOutOfBoundsException: String index out of range: 0
at java.lang.String.charAt(Unknown Source)
at org.jnetpcap.packet.AbstractMessageHeader.decodeHeader(AbstractMessageHeader.java:178)
at org.jnetpcap.packet.JHeader.decode(JHeader.java:524)
at org.jnetpcap.packet.JPacket.getHeaderByIndex(JPacket.java:828)
at org.jnetpcap.packet.JPacket.getHeader(JPacket.java:802)
at org.jnetpcap.packet.JPacket.getHeader(JPacket.java:777)
at org.jnetpcap.packet.structure.AnnotatedBinding.isBound(AnnotatedBinding.java:305)
at org.jnetpcap.packet.JHeaderScanner.scanAllBindings(JHeaderScanner.java:372)
at org.jnetpcap.packet.JHeaderScanner.scanHeader(JHeaderScanner.java:444)
at org.jnetpcap.packet.JScanner.scan(Native Method)
at org.jnetpcap.packet.JScanner.scan(JScanner.java:415)
at org.jnetpcap.packet.JPacket.scan(JPacket.java:1086)
at org.jnetpcap.Pcap.nextEx(Pcap.java:2583)
at testingPackage.JnetPcapTest.parseFile(JnetPcapTest.java:165)
at testingPackage.JnetPcapTest.parseDir(JnetPcapTest.java:94)
at testingPackage.JnetPcapTest.main(JnetPcapTest.java:611)

jNetPcap 1.3 (beta 4) released!

A new version of jNetPcap, 1.3 (beta 4), has been released. The software update improves memory utilization and performance.

To download: jnetpcap download page

Decoding GRE

I am post-processing PCAP files in offline mode, and so far so good in decoding IP, TCP, and UDP packets, but what I have come across are GRE packets where I would like to get the tunneled data (src/dst IP/port) but can't seem to access it. The packet format is Ethernet -> IP4 -> GRE -> IP4 -> UDP/TCP.

When I do a header count on the packet I get 3, and maybe it's my lack of understanding, but the header at index 0 has both Ethernet and Ip4 and the ones at index 1 and 2 have neither. My first thought is that it's failing to parse past the GRE header, but this is a wild guess at best.

Looking at some older topics there was mention of being able to decode IP in IP, and even looking at the JPacket.State javadoc there is mention of decoding Ethernet->Ip4->Snmp->Ip4 or Ethernet->Ip4->Ip4 (IP tunneled in IP). The Ip4 in Ip4 makes sense since it's one header followed by the other, but the first case with SNMP I am not getting, since there doesn't seem to be a built-in protocol dissector/decoder for SNMP.

I would appreciate any help on this.

Thanks,
Dan

jNetPcap 1.3.b4 (beta 4) - Released to Testers

We just released version 1.3.b4 (beta 4) to our testing community. The purpose of this release is to test the distribution packages to make sure everything is included in them before uploading to the public distribution servers. The beta 4 code has already been tested and verified to be working correctly within the testing community. We are just making sure we didn't forget to include anything in the various distribution packages (even though it's an almost fully automatic process).

Heuristic and Statistical Functions

Hi

First, I would like to thank you for all the effort that you put behind this project.

My question is: does 1.3.b4 include heuristic and statistical functions such as number of packets per session and so on?

Thanks in Advance.

High memory consumption of header scan

Hi,

I've a small problem when analyzing the various packet headers of a trace file.
The following method is called in nextPacket() of a PcapPacketHandler; the method should first check for the existence of the different headers and store them, and then analyze them, i.e. count packets, bytes, etc.

Something like:

public void analyze(PcapPacket pcapPacket) {
    // Make a deep copy (the packet data is displayed later)
    PcapPacket packet = new PcapPacket(pcapPacket);

    // ip4, tcp and udp are instance fields, re-created for every packet
    ip4 = new Ip4();
    if (packet.hasHeader(ip4)) {
        tcp = new Tcp();
        if (packet.hasHeader(tcp)) {
            saveAndAnalyze(tcp, ip4);
        } else {
            udp = new Udp();
            if (packet.hasHeader(udp)) {
                saveAndAnalyze(udp, ip4);
            } else {
                saveAndAnalyze(ip4);
            }
        }
    }
}

The deep copy is done, because the packets will be partly displayed.
The problem is the extreme memory consumption of the header instantiations (new IP, UDP, TCP).
A trace file with 10000 packets (about 9.2 MB) uses nearly 300 MB RAM.
And if I'm not instantiating new headers the results of the analyze methods can be wrong.

What am I doing wrong?

Btw:
I'm using jnetpcap-1.3.b3 on an Ubuntu machine.
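In jNetPcap a header object is a peer: hasHeader() binds it to the memory of the packet currently being scanned, so a header kept around after the next packet arrives describes that next packet. The added example below, not the poster's code, keeps one Ip4/Tcp/Udp peer each as fields and copies out only the primitive values needed for display and counting, so neither a deep packet copy nor a header object is retained. It assumes jNetPcap 1.3's PcapHeader.caplen() and FormatUtils.ip(); the capture path is a placeholder.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.jnetpcap.Pcap;
import org.jnetpcap.nio.JMemory;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.format.FormatUtils;
import org.jnetpcap.protocol.network.Ip4;
import org.jnetpcap.protocol.tcpip.Tcp;
import org.jnetpcap.protocol.tcpip.Udp;

/* Added example, not the poster's code. The Ip4/Tcp/Udp peers are fields that
 * hasHeader() re-binds on every packet; addresses, ports and lengths are copied out
 * into plain strings and counters, so no packet copy and no header object is kept.
 * Assumes jNetPcap 1.3's PcapHeader.caplen() and FormatUtils.ip(). */
public class PacketStats {
    private final Ip4 ip4 = new Ip4();
    private final Tcp tcp = new Tcp();
    private final Udp udp = new Udp();
    final Map<String, long[]> perProto = new LinkedHashMap<String, long[]>(); // proto -> {packets, bytes}
    private long frame;
    // Summarise one packet in place and return a display line (null if not IPv4).
    String analyze(PcapPacket packet) {
        frame++;
        if (!packet.hasHeader(ip4)) return null;
        int caplen = packet.getCaptureHeader().caplen();
        String src = FormatUtils.ip(ip4.source()), dst = FormatUtils.ip(ip4.destination());
        String proto; int sport = 0, dport = 0;
        if (packet.hasHeader(tcp)) { proto = "tcp"; sport = tcp.source(); dport = tcp.destination(); }
        else if (packet.hasHeader(udp)) { proto = "udp"; sport = udp.source(); dport = udp.destination(); }
        else proto = "ip4";
        long[] c = perProto.get(proto);
        if (c == null) perProto.put(proto, c = new long[2]);
        c[0]++; c[1] += caplen;
        return String.format("#%d %s %s:%d -> %s:%d %d bytes", frame, proto, src, sport, dst, dport, caplen);
    }
    public static void main(String[] args) {
        StringBuilder errbuf = new StringBuilder();
        Pcap pcap = Pcap.openOffline(args.length > 0 ? args[0] : "trace.pcap", errbuf); // placeholder
        if (pcap == null) { System.err.println(errbuf); return; }
        PacketStats ps = new PacketStats();
        PcapPacket packet = new PcapPacket(JMemory.POINTER);   // one packet peer, no deep copies
        while (pcap.nextEx(packet) == Pcap.NEXT_EX_OK) {
            String line = ps.analyze(packet);
            if (line != null && ps.frame <= 20) System.out.println(line);   // show the first few
        }
        pcap.close();
        for (Map.Entry<String, long[]> e : ps.perProto.entrySet())
            System.out.printf("%s: %d packets, %d bytes%n", e.getKey(), e.getValue()[0], e.getValue()[1]);
    }
}
```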