Packet Decoding



Getting the following exception with the code below, jnetpcap 1.3.0, and the input file at:

but not this file:

Am I doing something wrong, or is this a bug in JNetPcap?

Exception in thread "main" java.nio.BufferUnderflowException
	at org.jnetpcap.nio.JBuffer.check(Unknown Source)
	at org.jnetpcap.nio.JBuffer.getUByte(Unknown Source)
	at org.jnetpcap.protocol.tcpip.Tcp.hlen(Unknown Source)
	at org.jnetpcap.protocol.tcpip.Tcp.decodeHeader(Unknown Source)
	at org.jnetpcap.packet.JHeader.decode(Unknown Source)
	at org.jnetpcap.packet.JPacket.getHeaderByIndex(Unknown Source)
	at org.jnetpcap.packet.JPacket.hasHeader(Unknown Source)
	at org.jnetpcap.packet.JPacket.hasHeader(Unknown Source)
	at edu.iastate.ece.cyberprint.JNetPcapTest.main(
package edu.iastate.ece.cyberprint;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.jnetpcap.JBufferHandler;
import org.jnetpcap.Pcap;
import org.jnetpcap.PcapBpfProgram;
import org.jnetpcap.PcapHeader;
import org.jnetpcap.nio.JBuffer;
import org.jnetpcap.packet.JMemoryPacket;
import org.jnetpcap.protocol.lan.Ethernet;
import org.jnetpcap.protocol.network.Ip4;
import org.jnetpcap.protocol.tcpip.Tcp;

public class JNetPcapTest {
    // Header instances, created once in main()
    static Ip4 ip4_identifier;
    static Tcp tcp_identifier;
    static Ethernet eth_identifier;

    public static void main(String[] args) throws Exception {
        StringBuilder error = new StringBuilder();
        PcapBpfProgram bpf = new PcapBpfProgram();

        ip4_identifier = new Ip4();
        tcp_identifier = new Tcp();
        eth_identifier = new Ethernet();

        // Synchronized wrapper around the backing list
        ArrayList ip4s_al = new ArrayList();
        final List ip4s = Collections.synchronizedList(ip4s_al);

incorrect TCP packet length?

Hi all,

I'm using the latest 1.3.1 code from svn (I've just checked it out) on Ubuntu 10.04 and I'm having a problem with certain TCP packets not reporting the right header length.
As an example, one of those packets contains a SIP message and the SIP part is not parsed correctly because the offset is wrong; the parse starts after the wrong TCP header length.
I've compared two TCP packets in Wireshark, both containing SIP messages, and they both show a header length of 20 in Wireshark, but jnetpcap reports 20 for one of them:

Tcp:  ******* Tcp offset=34 (0x22) length=20 
Tcp:           source = 43613
Tcp:      destination = 5080
Tcp:              seq = 0xB51B6C05 (3038473221)
Tcp:              ack = 0x1C60B2E9 (476099305)
Tcp:             hlen = 5
Tcp:         reserved = 0
Tcp:            flags = 0x18 (24)
Tcp:                    0... .... = [0] cwr: reduced (cwr)
Tcp:                    .0.. .... = [0] ece: ECN echo flag
Tcp:                    ..0. .... = [0] ack: urgent, out-of-band data
Tcp:                    ...1 .... = [1] ack: acknowledgment
Tcp:                    .... 1... = [1] ack: push current segment of data
Tcp:                    .... .0.. = [0] ack: reset connection
Tcp:                    .... ..0. = [0] ack: synchronize connection, startup
Tcp:                    .... ...0 = [0] fin: closing down connection
Tcp:           window = 120
Tcp:         checksum = 0x8D4E (36174) [correct]
Tcp:           urgent = 0

and 636 for the other:

Tcp:  ******* Tcp offset=34 (0x22) length=636
Tcp:           source = 48461
Tcp:      destination = 5060
Tcp:              seq = 0xFEAB841 (267040833)
Tcp:              ack = 0xB3EA6F11 (3018485521)
Tcp:             hlen = 5
Tcp:         reserved = 0
Tcp:            flags = 0x18 (24)
Tcp:                    0... .... = [0] cwr: reduced (cwr)
Tcp:                    .0.. .... = [0] ece: ECN echo flag
Tcp:                    ..0. .... = [0] ack: urgent, out-of-band data

Match multiple headers in a packet payload

Hi, I am trying to decode SMPP protocol PDUs.
I've already implemented the header, but I have a problem when a packet has more than one SMPP PDU in the same packet. My program only decodes the first one. How can I decode all the SMPP PDUs in a packet without having to find the other SMPP headers in the payload?
I have the same header repeated several times in the payload.
Thanks in advance.

Custom TCP header over IPv4 (overriding the core TCP header)

Hello everyone,
I'm trying to add a custom TCP header which binds to IPv4, essentially replacing the core TCP header that comes with jnetpcap. I've tried my custom header for other unregistered IP types (e.g. 50), but haven't been successful with type 6, which is TCP. I've set everything up, correctly registered the header and have bound it to IPv4, but it seems that IP packets with type==6 are diverted to the core TCP binding and not to my custom header.

How can I add a custom library that overrides the core TCP binding, using a custom header? I've been pulling my hair out over this and would appreciate any feedback on this.

Got an exception while reading all headers


I am new and am using jnetstream to read packets from pcap files. In a multi-threaded environment it is intermittently not able to read all the headers. It throws the exception below:

Exception in thread "ProcessingEngine-Thread_agent"
java.lang.StackOverflowError: Can't pop empty stack
at com.slytechs.utils.memory.BitBuffer.pop(Unknown Source)
at com.slytechs.utils.memory.BitBuffer.getBits(Unknown Source)
at com.slytechs.jnetstream.packet.AbstractData.readShort(Unknown Source)
at org.jnetstream.protocol.FastScanner.scanEthernet2(Unknown Source)
at org.jnetstream.protocol.FastScanner.scanEthernet(Unknown Source)
at org.jnetstream.protocol.FastScanner.scan(Unknown Source)
at org.jnetstream.protocol.FastScanner.fullScan(Unknown Source)
at com.slytechs.jnetstream.packet.APacket.fullScan(Unknown Source)
at com.slytechs.jnetstream.packet.APacket.getAllHeaders(Unknown Source)

After throwing this error, the thread that was using this API got killed.

Kindly let me know what could be the reason.