Packet Decoding

SIP over TCP not decoding correctly....

Hi There,

Just started using jNetPCAP, and I have to say, I am very impressed so far. However, I've just discovered that checking for SIP messages with a TCP transport is not very reliable.

Having found the thread discussing problems with TCP SIP traffic previously, I've checked out the svn branch-1.3.1, rebuilt, and installed the resulting new jnetpcap.so file on my Ubuntu machine. Unfortunately, it does not appear to fix the problem of the SIP over TCP detection issue. It does capture a few more TCP/SIP packets, but does not capture them all. By the way - the target system is a RedHat 5 system, and the same issue happens there - I am just developing on Ubuntu.

You mentioned that if you had a capture file, you could resolve this issue. I am trying to get authorisation to send one over to you at the moment.

Thanks,

Richie

UDP Payload limited to 1472 bytes

I am trying to save the UDP payload to a file, but it is always limited to 1472 bytes. I've captured the same data using Wireshark, and it captured the full datagram payload.

Any idea?

OS: Windows 32 bits
JnetPcap Version: 1.3r1339

Sample code:

// Imports and the enclosing class were not in the post and are added here so the
// handler compiles; the class name is assumed (the poster's is not shown).
// Package names are those of jNetPcap 1.3.
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.util.Date;

import org.jnetpcap.packet.Payload;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;
import org.jnetpcap.protocol.network.Ip4;
import org.jnetpcap.protocol.tcpip.Udp;

public class UdpPayloadDumper implements PcapPacketHandler<String> {

	public void nextPacket(PcapPacket packet, String user) {
		Udp udp = new Udp();
		Ip4 ip = new Ip4();
		Payload payload = new Payload();

		if (packet.hasHeader(ip) && packet.hasHeader(udp) && packet.hasHeader(payload)) {
			// payload.size() is the UDP payload carried by this one frame. On a
			// 1500-byte MTU link that is at most 1500 - 20 (IPv4) - 8 (UDP) = 1472 bytes.
			byte[] data = payload.getByteArray(0, payload.size());

			// try-with-resources closes the stream on every path, including exceptions
			try (FileOutputStream fos = new FileOutputStream(
					new File("dumppayload_" + new Date().getTime() + ".bin"))) {
				fos.write(data);
				// getCanonicalHostName() does a reverse DNS lookup per packet and can block
				System.out.println("Received packet. from: "
						+ InetAddress.getByAddress(ip.source()).getCanonicalHostName()
						+ " port " + udp.source()
						+ " --> " + InetAddress.getByAddress(ip.destination())
						+ " port " + udp.destination()
						+ ". Length:" + payload.size() + " bytes");
			} catch (IOException e) {
				// covers FileNotFoundException and UnknownHostException, both subclasses
				e.printStackTrace();
			}
		}
	}
}

help with pcap

Hi guys,

I am new to using pcap and the tools associated with it. I have huge traces (in TB) which I have to analyze. I am only interested in the packet header (viz. absolute timestamp, sending and receiving MAC, sending and receiving IP, and transport protocol ports). All other information is not required. Is there a way that I can extract this information from a pcap file to a tab-separated text file? Any other format where I can post-process it is also OK.

Initially I tried exporting the pcap file to text and then used shell tools to extract the data, but it proved hugely expensive in storage and in computing power.

Will jnetpcap fit my needs? Please let me know.

Any suggestion or starting point would be greatly helpful.

Thanks in advance
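Both the 1472-byte question above and this one come down to what a per-packet decoder actually sees in a pcap file, and that is easiest to show independently of jNetPcap. The following is an added example, not code from either poster or from the jNetPcap project: a standard-library Python walker that reads classic pcap records, writes one tab-separated row of header fields per frame (timestamp, MACs, IPs, protocol number, ports), tolerates frames cut short by the capture snaplen, and reassembles IPv4 fragments. The capture it builds in memory carries a 3000-byte UDP datagram: on a 1500-byte MTU link the sender splits it into three fragments, only the first of which contains the UDP header, so a per-packet view reports 1472 bytes (1500 minus 20 bytes of IPv4 header minus 8 bytes of UDP header) while the reassembled datagram is the full 3000. All MAC and IP addresses, ports and IP identification values are made up for the demonstration.

```python
# Added example (not from the original posts or from jNetPcap); addresses, ports and IP ids are made up.
import struct

ETH_LEN, ETHERTYPE_IP4, PROTO_TCP, PROTO_UDP, MTU = 14, 0x0800, 6, 17, 1500

def pcap_records(data):
    """Yield (timestamp, caplen, origlen, frame) from classic pcap bytes (not pcapng)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]  # KeyError if not classic pcap
    pos = 24                                                 # 24-byte global header
    while pos + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        yield sec + usec / 1e6, caplen, origlen, data[pos:pos + caplen]
        pos += caplen

def parse_frame(frame):
    """Decode Ethernet/IPv4/{TCP,UDP}; a missing or snaplen-truncated layer leaves None, never raises."""
    r = dict(src_mac=None, dst_mac=None, src_ip=None, dst_ip=None, proto=None, ip_id=None,
             frag_offset=0, more_frags=False, src_port=None, dst_port=None, l4=b"")
    if len(frame) < ETH_LEN:
        return r
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    r.update(dst_mac=dst.hex(":"), src_mac=src.hex(":"))
    if etype != ETHERTYPE_IP4 or len(frame) < ETH_LEN + 20:
        return r
    ip = frame[ETH_LEN:]
    vihl, _, total, ident, fo, _, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return r
    r.update(src_ip=".".join(map(str, sip)), dst_ip=".".join(map(str, dip)), proto=proto, ip_id=ident,
             frag_offset=(fo & 0x1FFF) * 8, more_frags=bool(fo & 0x2000), l4=ip[ihl:max(ihl, total)])
    # Only the first fragment (offset 0) carries the transport header, so only it has ports.
    if r["frag_offset"] == 0 and proto in (PROTO_TCP, PROTO_UDP) and len(r["l4"]) >= 4:
        r["src_port"], r["dst_port"] = struct.unpack("!HH", r["l4"][:4])
    return r

def reassemble(parsed):
    """Complete transport bytes per (src, dst, id, proto); out-of-order ok, incomplete datagrams omitted."""
    groups = {}
    for r in parsed:
        if r["proto"] is not None:
            groups.setdefault((r["src_ip"], r["dst_ip"], r["ip_id"], r["proto"]), []).append(r)
    out = {}
    for key, frags in groups.items():
        buf, expect = bytearray(), 0
        for f in sorted(frags, key=lambda x: x["frag_offset"]):
            if f["frag_offset"] != expect:
                break                                        # gap: a fragment is missing
            buf += f["l4"]
            expect += len(f["l4"])
            if not f["more_frags"]:
                out[key] = bytes(buf)
                break
    return out

def tsv_rows(pcap_bytes):
    """One tab-separated row per frame: timestamp, MACs, IPs, protocol number, ports."""
    keys = ("src_mac", "dst_mac", "src_ip", "dst_ip", "proto", "src_port", "dst_port")
    rows = []
    for ts, _, _, frame in pcap_records(pcap_bytes):
        r = parse_frame(frame)
        rows.append("\t".join([f"{ts:.6f}"] + ["" if r[k] is None else str(r[k]) for k in keys]))
    return rows

def ip_frames(src_mac, dst_mac, sip, dip, proto, transport, ip_id):
    """Frames a sender emits for one IPv4 datagram, fragmented at the MTU (checksums left zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    addr = lambda s: bytes(map(int, s.split(".")))
    step = (MTU - 20) // 8 * 8                               # 1480 bytes of IP payload per fragment
    frames = []
    for off in range(0, len(transport), step):
        chunk = transport[off:off + step]
        flags = 0x2000 if off + step < len(transport) else 0  # MF bit on all but the last
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ip_id,
                          flags | off // 8, 64, proto, 0, addr(sip), addr(dip))
        frames.append(eth + hdr + chunk)
    return frames

def build_pcap(frames, snaplen=65535):
    """Serialise (timestamp, frame) pairs as little-endian classic pcap, linktype 1 (Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for ts, fr in frames:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(fr), len(fr)) + fr
    return bytes(out)

def demo():
    """Constructed capture: 3000-byte UDP datagram (3 fragments), a TCP segment, and a 30-byte cut of it."""
    a, b, sip, dip = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.1", "10.0.0.2"
    payload = bytes(i & 0xFF for i in range(3000))
    udp = struct.pack("!HHHH", 5000, 5001, 8 + len(payload), 0) + payload
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + b"GET / HTTP/1.0\r\n\r\n"
    frames = ip_frames(a, b, sip, dip, PROTO_UDP, udp, 0x1234) + ip_frames(a, b, sip, dip, PROTO_TCP, tcp, 0x5678)
    frames.append(frames[-1][:30])                           # what a short snaplen leaves of the TCP frame
    pcap = build_pcap([(1.0 + i, f) for i, f in enumerate(frames)])
    parsed = [parse_frame(f) for *_, f in pcap_records(pcap)]
    per_packet = [len(p["l4"]) - 8 for p in parsed if p["src_port"] == 5000]  # [1472] = 1500 - 20 - 8
    whole = reassemble(parsed)[(sip, dip, 0x1234, PROTO_UDP)]
    return tsv_rows(pcap), per_packet, whole[8:] == payload
```

demo() returns the TSV rows, the UDP payload size seen in the one frame that carries the UDP header, and whether reassembly reproduced the original 3000-byte payload; to process a real file, pass its bytes to tsv_rows() instead. The record generator holds one frame at a time, which is what matters for terabyte traces, but the reassembly table grows with the number of distinct (src, dst, id, proto) keys, so run it per time window or only on the flows of interest. The reader handles classic pcap only, not pcapng.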

Working with individual packets

You can work with a captured, read or created packet as a Java Packet object. The Packet class provides information both about the state of the packet and about the data it contains. Several packet implementations are available:

  • Packet class. The generic packet type that all other packet types extend.
  • JMemoryPacket class. A packet that was created in memory rather than captured.
  • TemplatePacket class. A special packet type that can be used, though it need not be, as a template for creating JMemoryPacket-based packets.
  • PcapPacket class. A pcap-type packet captured through the libpcap or WinPcap libraries.
  • NapatechPacket class. A Napatech-type packet captured through the Napatech library and hardware capture cards.

The Packet base class provides the common API for accessing the contents of a packet. There is the general

BufferUnderflowException

Mark,

Getting the following exception with the code below, jnetpcap 1.3.0, and the input file at:

ftp://ftp.ll.mit.edu/pub/ideval/2000/LLS_DDOS_1.0/data_and_labeling/tcpd...

but not this file:

http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/200...

Am I doing something wrong, or is this a bug in JNetPcap?

Exception in thread "main" java.nio.BufferUnderflowException
	at org.jnetpcap.nio.JBuffer.check(Unknown Source)
	at org.jnetpcap.nio.JBuffer.getUByte(Unknown Source)
	at org.jnetpcap.protocol.tcpip.Tcp.hlen(Unknown Source)
	at org.jnetpcap.protocol.tcpip.Tcp.decodeHeader(Unknown Source)
	at org.jnetpcap.packet.JHeader.decode(Unknown Source)
	at org.jnetpcap.packet.JPacket.getHeaderByIndex(Unknown Source)
	at org.jnetpcap.packet.JPacket.hasHeader(Unknown Source)
	at org.jnetpcap.packet.JPacket.hasHeader(Unknown Source)
	at edu.iastate.ece.cyberprint.JNetPcapTest.main(JNetPcapTest.java:54)

package edu.iastate.ece.cyberprint;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.jnetpcap.JBufferHandler;
import org.jnetpcap.Pcap;
import org.jnetpcap.PcapBpfProgram;
import org.jnetpcap.PcapHeader;
import org.jnetpcap.nio.JBuffer;
import org.jnetpcap.packet.JMemoryPacket;
import org.jnetpcap.protocol.lan.Ethernet;
import org.jnetpcap.protocol.network.Ip4;
import org.jnetpcap.protocol.tcpip.Tcp;

public class JNetPcapTest {
    static Ip4 ip4_identifier;
    static Tcp tcp_identifier;
    static Ethernet eth_identifier;

    public static void main(String[] args) throws Exception {
	StringBuilder error = new StringBuilder();
	PcapBpfProgram bpf = new PcapBpfProgram();

	ip4_identifier = new Ip4();
	tcp_identifier = new Tcp();
	eth_identifier = new Ethernet();

	ArrayList ip4s_al = new ArrayList();
	final List ip4s = Collections.synchronizedList(ip4s_al);