Packet Decoding

java.lang.StringIndexOutOfBoundsException at org.jnetpcap.packet.AbstractMessageHeader.decodeHeader(Unknown Source)

I'm using jnetpcap. When i'm reading a specific dump trace i get this error:

http://nopaste.info/8f6432a36a.html

The pwrapper:

http://nopaste.info/4b90a6e025.html

Other infos:
version of jnetpacp: 1.3b4
OS: windows xp
Arch: 32 bit

Any help would be appreciated!

G.A

Inspecting JBuffer content without fetching

I would like to "inpect" the content of the JBuffer without actually fetching its content. What's the fastest way to do this?

My understanding is that JBuffer.getByteArray() actually copies JBuffer internal buffer to your buffer (supplied as the parameter). I dont want to do that. I just want to peek the content.

Thanks!

make or get cap files

I wanted some test cap,pcap files in order to test the different kinds of malicious activity for my intrusion detection system. Its my academic project. I wanted to test for tcp protocol activities like portscan, dos, bad tcp handshake.etc..How can i get or make the capture files.
Thanking you in advance

Disabling CORE decoders?

Is there a way to disable the one of the CORE protocols? I've tried JRegistry.resetBindings(); AND JRegistry.clearScanners() with no luck.

The reason I would like to do this is because I have a suspicion that one of my capture files may not be decoding properly and would like to try disabling that decoder to make sure that is the problem.

I am getting the following stack trace and I believe the error is on line 178:

char firstChar = line.charAt(0);

and line is an empty string.


java.lang.StringIndexOutOfBoundsException: String index out of range: 0
at java.lang.String.charAt(Unknown Source)
at org.jnetpcap.packet.AbstractMessageHeader.decodeHeader(AbstractMessageHeader.java:178)
at org.jnetpcap.packet.JHeader.decode(JHeader.java:524)
at org.jnetpcap.packet.JPacket.getHeaderByIndex(JPacket.java:828)
at org.jnetpcap.packet.JPacket.getHeader(JPacket.java:802)
at org.jnetpcap.packet.JPacket.getHeader(JPacket.java:777)
at org.jnetpcap.packet.structure.AnnotatedBinding.isBound(AnnotatedBinding.java:305)
at org.jnetpcap.packet.JHeaderScanner.scanAllBindings(JHeaderScanner.java:372)
at org.jnetpcap.packet.JHeaderScanner.scanHeader(JHeaderScanner.java:444)
at org.jnetpcap.packet.JScanner.scan(Native Method)
at org.jnetpcap.packet.JScanner.scan(JScanner.java:415)
at org.jnetpcap.packet.JPacket.scan(JPacket.java:1086)
at org.jnetpcap.Pcap.nextEx(Pcap.java:2583)
at testingPackage.JnetPcapTest.parseFile(JnetPcapTest.java:165)
at testingPackage.JnetPcapTest.parseDir(JnetPcapTest.java:94)
at testingPackage.JnetPcapTest.main(JnetPcapTest.java:611)

Decoding GRE

I am post-processing PCAP files in offline mode and so far so good in decoding IP, TCP, and UDP packets, but what I have come across are GRE packets where I would like to get the tunneled data (src/dst ip/port) but can't seem to access it. Packet format is Ethernet -> IP4 -> GRE -> IP4 -> UDP/TCP.

When I do a header count on the packet I get 3 and maybe its my lack of understanding, but for header @ index 0 it has both Ethernet and Ip4 and the ones at index 1 and 2 have neither. My first thought is that its failing to parse past the GRE header, but this is wild guess at best.

Looking at some older topics there was mention of being able to decode IP in IP and even looking at the JPacket.State javadoc there is mention of decoding Ethernet->Ip4->Snmp->Ip4 or Ethernet->Ip4->Ip4 (IP tunneled IP). The Ip4 in Ip4 makes sense since its one header followed by the other, but the first case of SNMP I am not getting since there doesn't seem to be a built-in protocol Dissector/Decoder for SNMP.

I would appreciate any help on this.

Thanks,
Dan