Packet Decoding

incorrect TCP packet length?

Hi all,

I'm using the latest 1.3.1 code from svn (I've just checked it out) on Ubuntu 10.04 and I'm having a problem with certain TCP packets not reporting the right header length.
As an example one of those packets contains a SIP message and the SIP part is not parsed correctly because the offset is wrong; the parse starts after the wrong TCP header length.
I've compared two TCP packets in Wireshark, both containing SIP messages; they both show header length 20 in Wireshark, but jnetpcap reports 20 for one of them:

Tcp:  ******* Tcp offset=34 (0x22) length=20 
Tcp:           source = 43613
Tcp:      destination = 5080
Tcp:              seq = 0xB51B6C05 (3038473221)
Tcp:              ack = 0x1C60B2E9 (476099305)
Tcp:             hlen = 5
Tcp:         reserved = 0
Tcp:            flags = 0x18 (24)
Tcp:                    0... .... = [0] cwr: reduced (cwr)
Tcp:                    .0.. .... = [0] ece: ECN echo flag
Tcp:                    ..0. .... = [0] ack: urgent, out-of-band data
Tcp:                    ...1 .... = [1] ack: acknowledgment
Tcp:                    .... 1... = [1] ack: push current segment of data
Tcp:                    .... .0.. = [0] ack: reset connection
Tcp:                    .... ..0. = [0] ack: synchronize connection, startup
Tcp:                    .... ...0 = [0] fin: closing down connection
Tcp:           window = 120
Tcp:         checksum = 0x8D4E (36174) [correct]
Tcp:           urgent = 0

and 636 for the other:

Tcp:  ******* Tcp offset=34 (0x22) length=636
Tcp:           source = 48461
Tcp:      destination = 5060
Tcp:              seq = 0xFEAB841 (267040833)
Tcp:              ack = 0xB3EA6F11 (3018485521)
Tcp:             hlen = 5
Tcp:         reserved = 0
Tcp:            flags = 0x18 (24)
Tcp:                    0... .... = [0] cwr: reduced (cwr)
Tcp:                    .0.. .... = [0] ece: ECN echo flag
Tcp:                    ..0. .... = [0] ack: urgent, out-of-band data
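As an added example (not part of the thread, and not jnetpcap code), the parser below shows where the two numbers in the dumps above come from: the 4-bit data offset (hlen) multiplied by 4 gives the header length, while the segment length is header plus payload. It also flags the case raised further down this page in the "decode specific protocols" thread, where a capture length of 96 bytes cuts the payload short, so that a SIP start line is only extracted from a complete payload. The segment bytes, ports and SIP text are constructed for the example.

```python
import struct

TCP_MIN_HEADER = 20
# flag names by bit position in the low 9 bits of the offset/flags word
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]

def build_tcp_segment(src_port, dst_port, seq, ack, flags, window, payload, options=b""):
    """Assemble a TCP segment for test data (checksum left as 0; not validated here)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # options are padded to 32-bit words
    data_offset = TCP_MIN_HEADER // 4 + len(options) // 4
    offset_flags = (data_offset << 12) | (flags & 0x1FF)
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)
    return header + options + payload

def parse_tcp(captured, wire_len=None):
    """Parse the captured bytes of a TCP segment.
    wire_len is the segment's length on the wire (pcap 'len'); when the capture was
    cut at a snaplen, wire_len exceeds len(captured) and the payload is flagged as
    truncated instead of being handed on as if it were complete."""
    if wire_len is None:
        wire_len = len(captured)
    if len(captured) < TCP_MIN_HEADER:
        raise ValueError("capture too short for a TCP header")
    (src_port, dst_port, seq, ack, offset_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", captured[:TCP_MIN_HEADER])
    hlen = offset_flags >> 12            # data offset, in 32-bit words
    header_len = hlen * 4                # header length in bytes (20 when hlen == 5)
    if header_len < TCP_MIN_HEADER:
        raise ValueError(f"data offset {hlen} is below the minimum of 5")
    if header_len > len(captured):
        raise ValueError("TCP options extend past the captured bytes")
    flags = offset_flags & 0x1FF
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "hlen": hlen,
        "header_len": header_len,
        "segment_len": wire_len,         # header + payload, the 636 kind of number
        "flags": [name for i, name in enumerate(FLAG_NAMES) if flags & (1 << i)],
        "window": window,
        "options": captured[TCP_MIN_HEADER:header_len],
        "payload": captured[header_len:],
        "payload_truncated": wire_len > len(captured),
    }

def sip_request_line(parsed):
    """Return the SIP start line from a parsed segment, or None when the payload is
    truncated or its first line neither starts nor ends with SIP/2.0."""
    if parsed["payload_truncated"]:
        return None
    first_line, _, _ = parsed["payload"].partition(b"\r\n")
    if first_line.endswith(b"SIP/2.0") or first_line.startswith(b"SIP/2.0"):
        return first_line.decode("ascii", "replace")
    return None

# Constructed sample: an ACK request to port 5060 behind a 20-byte header (hlen=5).
SIP_PAYLOAD = b"ACK sip:bob@example.invalid SIP/2.0\r\nCSeq: 1 ACK\r\n\r\n"
SAMPLE_SEGMENT = build_tcp_segment(48461, 5060, 0x0FEAB841, 0xB3EA6F11, 0x18, 120, SIP_PAYLOAD)

if __name__ == "__main__":
    p = parse_tcp(SAMPLE_SEGMENT)
    print(f"hlen={p['hlen']} header_len={p['header_len']} "
          f"segment_len={p['segment_len']} flags={p['flags']}")
    print("SIP start line:", sip_request_line(p))
    # the same segment captured with a short snaplen: payload is flagged as truncated
    cut = parse_tcp(SAMPLE_SEGMENT[:30], wire_len=len(SAMPLE_SEGMENT))
    print("truncated:", cut["payload_truncated"], "-> SIP:", sip_request_line(cut))
```

The payload offset used for the SIP parse is always header_len, never segment_len; feeding a parser at the wrong one of the two is exactly the symptom described above, and checking caplen against len before decoding the payload keeps truncated captures from producing spurious "invalid" messages.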

Match multiple headers in a packet payload

Hi, I am trying to decode SMPP protocol PDUs.
I've already implemented the header, but I have a problem when a packet has more than one SMPP PDU in the same packet. My program only decodes the first one; how can I decode all SMPP PDUs in a packet, without having to find the other SMPP headers in the payload?
I have the same header repeated several times in the payload.
Thanks in advance.
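As an added example (not from the thread or from jnetpcap), the following splitter walks a TCP payload that carries several SMPP PDUs back to back. Every SMPP PDU starts with a 16-byte header whose first field, command_length, covers the whole PDU including the header, so the next PDU begins at offset + command_length; the loop repeats until the payload runs out. A PDU whose command_length runs past the end of the payload is returned as a remainder for the caller to prepend to the next segment, and an implausible command_length is rejected rather than trusted. The PDUs and the 64 KiB bound are constructed for the example.

```python
import struct

SMPP_HEADER_LEN = 16        # command_length, command_id, command_status, sequence_number
MAX_PDU_LEN = 64 * 1024     # sanity bound assumed for this example, not from the SMPP spec

def split_smpp_pdus(payload, max_pdu_len=MAX_PDU_LEN):
    """Walk a TCP payload that may hold several SMPP PDUs back to back.
    Returns (pdus, remainder): every complete PDU as a dict, plus the leading
    bytes of a PDU that continues in the next segment."""
    pdus = []
    pos = 0
    while pos + SMPP_HEADER_LEN <= len(payload):
        command_length, command_id, command_status, sequence_number = struct.unpack(
            "!IIII", payload[pos:pos + SMPP_HEADER_LEN])
        # command_length includes the header, so anything smaller is corrupt; an
        # absurdly large value would otherwise make the caller buffer forever
        if command_length < SMPP_HEADER_LEN or command_length > max_pdu_len:
            raise ValueError(f"implausible command_length {command_length} at offset {pos}")
        if pos + command_length > len(payload):
            break  # PDU is split across segments; caller reassembles with the remainder
        pdus.append({
            "offset": pos,
            "command_length": command_length,
            "command_id": command_id,
            "command_status": command_status,
            "sequence_number": sequence_number,
            "body": payload[pos + SMPP_HEADER_LEN:pos + command_length],
        })
        pos += command_length
    return pdus, payload[pos:]

def build_pdu(command_id, command_status, sequence_number, body=b""):
    """Assemble one PDU (used only to construct the sample payload below)."""
    return struct.pack("!IIII", SMPP_HEADER_LEN + len(body),
                       command_id, command_status, sequence_number) + body

# Constructed sample: an enquire_link (0x15), a submit_sm (0x04) with a made-up body,
# and a second submit_sm cut after 20 bytes as if the TCP segment ended there.
PDU_ENQUIRE_LINK = build_pdu(0x00000015, 0, 1)
PDU_SUBMIT_A = build_pdu(0x00000004, 0, 2, b"\x00\x01\x01sender\x00")
PDU_SUBMIT_B = build_pdu(0x00000004, 0, 3, b"\x00\x01\x01other\x00")
SAMPLE_PAYLOAD = PDU_ENQUIRE_LINK + PDU_SUBMIT_A + PDU_SUBMIT_B[:20]

if __name__ == "__main__":
    pdus, rest = split_smpp_pdus(SAMPLE_PAYLOAD)
    for p in pdus:
        print(f"offset={p['offset']} id=0x{p['command_id']:08x} "
              f"seq={p['sequence_number']} len={p['command_length']}")
    print(f"{len(rest)} bytes carried over to the next segment")
    more, rest = split_smpp_pdus(rest + PDU_SUBMIT_B[20:])   # next segment arrives
    print("after reassembly:", [p["sequence_number"] for p in more], "remainder:", rest)
```

Because the length field is the only thing that delimits PDUs, the splitter never searches the payload for a header pattern; it only trusts command_length after bounding it, which is the check a decoder exposed to hostile or corrupted traffic needs before it allocates or waits for more data.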

Custom TCP header over IPv4 (overriding the core TCP header)

Hello everyone,
I'm trying to add a custom TCP header which binds to IPv4, essentially replacing the core TCP header that comes with jnetpcap. I've tried my custom header for other unregistered IP types (e.g. 50), but haven't been successful with type 6, which is TCP. I've set everything up, correctly registered the header and bound it to IPv4, but it seems that IP packets with type==6 are diverted to the core TCP binding and not to my custom header.

How can I add a custom library that overrides the core TCP binding, using a custom header? I've been pulling my hair out over this and would appreciate any feedback on this.

Got an exception while reading all headers


I am new and am using jnetstream to read packets from pcap files. In a multi-threaded environment it is not able to read all the headers (intermittently). It throws the exception below:

Exception in thread "ProcessingEngine-Thread_agent"
java.lang.StackOverflowError: Can't pop empty stack
at com.slytechs.utils.memory.BitBuffer.pop(Unknown Source)
at com.slytechs.utils.memory.BitBuffer.getBits(Unknown Source)
at com.slytechs.jnetstream.packet.AbstractData.readShort(Unknown Source)
at org.jnetstream.protocol.FastScanner.scanEthernet2(Unknown Source)
at org.jnetstream.protocol.FastScanner.scanEthernet(Unknown Source)
at org.jnetstream.protocol.FastScanner.scan(Unknown Source)
at org.jnetstream.protocol.FastScanner.fullScan(Unknown Source)
at com.slytechs.jnetstream.packet.APacket.fullScan(Unknown Source)
at com.slytechs.jnetstream.packet.APacket.getAllHeaders(Unknown Source)

After throwing this error, the thread that was using this API got killed.

Kindly let me know what could be the reason.

decode specific protocols


Is it possible to limit the set of protocols the JPacket.scan(...) method is looking for? In particular, I am only interested in TCP, UDP and ICMP (and Ethernet and IP4, of course). I suppose I have to do something with the JRegistry class (?) but I don't understand the API.

Why am I asking? Because:
- First, I get error output of the form "validate_sip(): #171959 INVALID size=9 sip=ACK 157" when trying to process my pcap files. This is either a bug or caused by the fact that the pcap files only contain the first 96 bytes of each packet (capture length). Since I am not interested in sip, I would be more than happy to find a way to get rid of those messages.
- Second, I would like to speed up the decoding process. The scan method is significantly slowing down my program. One option would be to manually parse the packet payload, but that's something I would like to avoid.

(Windows Vista 32-bit, Java 1.6.0_15, jNetPcap 1.3.0 (2011-04-01))