Packet Decoding

multiple custom protocols bound to tcp

I created three custom protocols that all bind to tcp; they work individually (only one registered) when reading an offline pcap file.

I'd like to register all three, then based on the tcp port decode the packet accordingly.

Based on the tcp port, can I re-scan a packet so that I can check packet.hasHeader(one)?

If (tcp.port == X) then
	check hasHeader(one)
	process packet
Else if (tcp.port == Y) then
	check hasHeader(two)
	process packet

Perhaps my logic is flawed....

Thanks in advance.

Updated 40+ Misc Junit test cases

As I was wanting to verify my setup against the JUnit test cases, I found the 40+ misc example ( However, when I tried to run it on my system, I found all kinds of deprecated and invalid syntax. I'm guessing this has something to do with updated code (I'm on 1.4), and possibly running Java 1.6.

Anyways, I went through and fixed most things so the JUnit tests run mostly fine. The only thing I'm missing is the expected test-l2tp.pcap file, so my substitute file fails some of the assertions where it expects specific sizes. Is that file posted somewhere where I'm missing it?

I have attached the updated file (renamed to .txt so it can be uploaded...that's silly) for reference...I'm sure it's not perfect (I couldn't resolve HttpTrafficGenerator), but it's a first stab at updating.

Uninitialized FlowKey when writing custom flow mapper

I am working through the tutorials, and got the JFlowMap mostly working in the role of the JPacketHandler. The main oddity I'm seeing is that most flows are empty. Printing the flow, I get:

	JFlowMap superFlowMap = new JFlowMap();
	for (JFlow flow : superFlowMap.values()) {
		if (flow.getAll().isEmpty()) {
			System.err.println("Empty flow" + flow.toString() + "{" + flow.getKey().isInitialized() + "}");
		}
	}

Empty flow[count=16790, map=0x1400000000, hash=0x0] size=0{true}

The flows seem to be empty (no actual packets), although the keys look valid (isInitialized() returns true).

That was only POC, though, trying to get the tutorial to work. As I started digging into actually writing my custom mapper, most of the packets don't have a valid key. Based on the tutorial (, my custom JPacketHandler starts like this:

	JPacketHandler customFlowMapper = new JPacketHandler(){
		public void nextPacket(JPacket packet, String user){
			JPacket.State state = packet.getState();
			JFlowKey key = state.getFlowKey();
			// Only add in packets if they have a flowID and they're IP
			if (key != null && key.isInitialized() && packet.hasHeader(ip)){

Pretty much all of the packets that come through are not initialized. Clearly something is wrong...what am I missing?

Some (perhaps relevant) specs for my setup
Version 1.4 r1300
Ubuntu Maverick running in a VM on my Mac (since Mac support isn't ready yet)
Java 1.6

Any direction you can provide would be awesome!

Exception when capturing http traffic (possible bug).

Steps to reproduce (using jnetpcap 1.3, win32, winpcap 4.1.2, oracle java 1.6.24).

1/ run the attached code (based on classic example).
2/ open in firefox

then an exception is thrown:

Exception in thread "main" java.lang.StringIndexOutOfBoundsException: String index out of range: 0
at java.lang.String.charAt(
at org.jnetpcap.packet.AbstractMessageHeader.decodeHeader(Unknown Source)
at org.jnetpcap.packet.JHeader.decode(Unknown Source)
at org.jnetpcap.packet.JPacket.getHeaderByIndex(Unknown Source)
at org.jnetpcap.packet.JPacket.hasHeader(Unknown Source)
at org.jnetpcap.packet.JPacket.hasHeader(Unknown Source)
at Demo$1.nextPacket(
at Demo$1.nextPacket(
at org.jnetpcap.Pcap.loop(Native Method)
at org.jnetpcap.Pcap.loop(Unknown Source)
at Demo.main(
Java Result: 1

Java demo:

import java.util.ArrayList;
import java.util.Date;
import java.util.List;

import org.jnetpcap.Pcap;
import org.jnetpcap.PcapIf;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;
import org.jnetpcap.protocol.tcpip.Http;

public class Demo {

	public static void main(String[] args) {
		List<PcapIf> alldevs = new ArrayList<PcapIf>(); // Will be filled with NICs
		StringBuilder errbuf = new StringBuilder(); // For any error msgs

		// First get a list of devices on this system
		int r = Pcap.findAllDevs(alldevs, errbuf);
		if (r == Pcap.NOT_OK || alldevs.isEmpty()) {
			System.err.printf("Can't read list of devices, error is %s", errbuf.toString());
			return;
		}

		System.out.println("Network devices found:");

		int i = 0;
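One way to keep a capture loop running when a header decoder throws, as in the stack trace above. This is an added example, not the poster's attached code and not a fix for the library itself; it reads an offline capture file whose path is taken from args[0] (an assumption), and GuardedHttpDemo, HANDLER and decodeFailures are hypothetical names.

```java
import org.jnetpcap.Pcap;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;
import org.jnetpcap.protocol.tcpip.Http;
import org.jnetpcap.protocol.tcpip.Tcp;

public class GuardedHttpDemo {

	// Number of packets whose headers could not be decoded
	static int decodeFailures = 0;

	// Handler that contains decoder exceptions instead of letting them abort Pcap.loop()
	static final PcapPacketHandler<String> HANDLER = new PcapPacketHandler<String>() {
		private final Tcp tcp = new Tcp();
		private final Http http = new Http();

		public void nextPacket(PcapPacket packet, String user) {
			try {
				// hasHeader(http) is the call that reaches decodeHeader() in the trace
				if (packet.hasHeader(tcp) && packet.hasHeader(http)) {
					System.out.printf("#%d HTTP %d -> %d%n",
							packet.getFrameNumber(), tcp.source(), tcp.destination());
				}
			} catch (RuntimeException e) {
				// Malformed or unexpected payload: record it and move on to the next packet
				decodeFailures++;
				System.err.printf("#%d decode failed: %s%n", packet.getFrameNumber(), e);
			}
		}
	};

	public static void main(String[] args) {
		StringBuilder errbuf = new StringBuilder();
		Pcap pcap = Pcap.openOffline(args[0], errbuf); // assumed: path to a saved capture
		if (pcap == null) {
			System.err.printf("Can't open capture file, error is %s%n", errbuf.toString());
			return;
		}
		try {
			pcap.loop(-1, HANDLER, "guarded"); // -1: read until end of file
		} finally {
			pcap.close();
		}
		System.out.printf("Packets that failed to decode: %d%n", decodeFailures);
	}
}
```

Logging the frame number of each failure makes it possible to pull the offending packets out of the capture afterwards and attach them to a bug report.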

read captured DECT packets

I am trying to read the packets from a recorded DECT pcap file. Each packet has a length of 73 bytes. Is it possible to save all packet bytes to a Java byte array for further modification? I do not need to subdivide them into header and data parts. I only found guides for usual packets like TCP, UDP, IP so far.