Packet Decoding

Decoding GRE

I am post-processing PCAP files in offline mode and so far so good in decoding IP, TCP, and UDP packets, but what I have come across are GRE packets where I would like to get the tunneled data (src/dst ip/port) but can't seem to access it. Packet format is Ethernet -> IP4 -> GRE -> IP4 -> UDP/TCP.

When I do a header count on the packet I get 3, and maybe it's my lack of understanding, but the header at index 0 has both Ethernet and Ip4 and the ones at index 1 and 2 have neither. My first thought is that it's failing to parse past the GRE header, but this is a wild guess at best.

Looking at some older topics there was mention of being able to decode IP in IP, and even looking at the JPacket.State javadoc there is mention of decoding Ethernet->Ip4->Snmp->Ip4 or Ethernet->Ip4->Ip4 (IP tunneled IP). The Ip4 in Ip4 makes sense since it's one header followed by the other, but the first case of SNMP I am not getting since there doesn't seem to be a built-in protocol Dissector/Decoder for SNMP.

I would appreciate any help on this.

Thanks,
Dan
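
Added example, not part of the original post and not jNetPcap code: a plain-JDK walk over the raw frame bytes for the Ethernet -> IP4 -> GRE -> IP4 -> UDP/TCP layout described above, skipping the optional GRE checksum, key and sequence fields to reach the tunneled addresses and ports. The class and method names are hypothetical, the sample frame is constructed, and it assumes the frame is available as a byte array.

```java
import java.nio.ByteBuffer;

public class GreInnerFlow { // hypothetical name, for illustration only
    static final int ETH_LEN = 14, ETHERTYPE_IP4 = 0x0800, TCP = 6, UDP = 17, GRE = 47;

    // Returns the tunneled flow as text, or null if the frame is not
    // untagged Ethernet / IPv4 / GRE version 0 / IPv4 (VLAN tags are not handled).
    static String innerFlow(byte[] frame) {
        ByteBuffer b = ByteBuffer.wrap(frame); // big-endian, i.e. network byte order
        if (frame.length < ETH_LEN + 20 || (b.getShort(12) & 0xFFFF) != ETHERTYPE_IP4) return null;
        int outerIhl = (b.get(ETH_LEN) & 0x0F) * 4;
        if (outerIhl < 20 || (b.get(ETH_LEN + 9) & 0xFF) != GRE) return null;
        int gre = ETH_LEN + outerIhl;
        if (frame.length < gre + 4) return null;
        int flags = b.getShort(gre) & 0xFFFF;
        // Reject the routing bit (0x4000) and any version other than 0 (low 3 bits).
        if ((flags & 0x4007) != 0 || (b.getShort(gre + 2) & 0xFFFF) != ETHERTYPE_IP4) return null;
        int greLen = 4;
        if ((flags & 0x8000) != 0) greLen += 4; // C bit: checksum + reserved
        if ((flags & 0x2000) != 0) greLen += 4; // K bit: key
        if ((flags & 0x1000) != 0) greLen += 4; // S bit: sequence number
        int inner = gre + greLen;
        if (frame.length < inner + 20 || (b.get(inner) & 0xF0) != 0x40) return null;
        int innerIhl = (b.get(inner) & 0x0F) * 4;
        if (innerIhl < 20) return null;
        int proto = b.get(inner + 9) & 0xFF;
        String src = ip(b, inner + 12), dst = ip(b, inner + 16);
        int l4 = inner + innerIhl;
        // Non-first fragments carry no L4 header, so their "ports" would be payload bytes.
        boolean laterFragment = (b.getShort(inner + 6) & 0x1FFF) != 0;
        if ((proto != TCP && proto != UDP) || laterFragment || frame.length < l4 + 4)
            return src + " -> " + dst + " proto=" + proto;
        return src + ":" + (b.getShort(l4) & 0xFFFF) + " -> "
             + dst + ":" + (b.getShort(l4 + 2) & 0xFFFF) + " proto=" + proto;
    }

    static String ip(ByteBuffer b, int off) {
        return (b.get(off) & 0xFF) + "." + (b.get(off + 1) & 0xFF) + "."
             + (b.get(off + 2) & 0xFF) + "." + (b.get(off + 3) & 0xFF);
    }

    public static void main(String[] args) {
        // Constructed sample frame: Ethernet / IPv4 / GRE with key / IPv4 / UDP.
        ByteBuffer f = ByteBuffer.allocate(70);
        f.putShort(12, (short) ETHERTYPE_IP4);
        f.put(14, (byte) 0x45).put(23, (byte) GRE);                          // outer IPv4
        f.putShort(34, (short) 0x2000).putShort(36, (short) ETHERTYPE_IP4);  // GRE, K bit set
        f.put(42, (byte) 0x45).put(51, (byte) UDP);                          // inner IPv4
        f.putInt(54, 0x0A000001).putInt(58, 0x0A000002);                     // 10.0.0.1 -> 10.0.0.2
        f.putShort(62, (short) 5000).putShort(64, (short) 53);               // UDP ports
        System.out.println(innerFlow(f.array()));
    }
}
```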

High memory consumption of header scan

Hi,

I've a small problem when analyzing the various packet headers of a trace file.
The following method is called in nextPacket() of a PcapPacketHandler; the method should first check the existence of the different headers and store them and then analyze them, i.e. count packets, bytes etc.

Something like:

public void analyze(PcapPacket pcapPacket) {
    // Make a deep copy
    PcapPacket packet = new PcapPacket(pcapPacket);

    ip4 = new Ip4();
    if (packet.hasHeader(ip4)) {
        tcp = new Tcp();
        if (packet.hasHeader(tcp)) {
            saveAndAnalyze(tcp, ip4);
        } else {
            udp = new Udp();
            if (packet.hasHeader(udp)) {
                saveAndAnalyze(udp, ip4);
            } else {
                saveAndAnalyze(ip4);
            }
        }
    }
}

The deep copy is done, because the packets will be partly displayed.
The problem is the extreme memory consumption of the header instantiations (new IP, UDP, TCP).
A trace file with 10000 packets (about 9.2 MB) uses nearly 300 MB RAM.
And if I'm not instantiating new headers the results of the analyze methods can be wrong.

What am I doing wrong?

Btw:
I'm using jnetpcap-1.3.b3 on an Ubuntu machine.

Decode SNMP OIDs of Pcap File

Hi everyone

I would like to open an offline pcap file (contains SNMP traps) and would like to access and decode specific OIDs and their values. Is this possible using jNetPcap? I would appreciate your help on this. Thanks a lot.

Cheers
Igor

1.3.b4 almost ready

The beta 4 release is nearly ready. The memory footprint of a running jNetPcap based application is much better.

Beta 4 does away with the old way of finalizing objects using the common Object.finalize method, which gets called when an object is no longer referenced and is about to be cleaned up. This was the place where certain native memory related jNetPcap objects would perform their cleanup, releasing native resources. This approach has many issues which are discussed in this Sun/Oracle and several other articles.

Pass RawEthernet Packet Handle directly from C to JnetPcap

Is it possible for a Packet handle captured by C code to be passed directly to JNetPcap for processing?