Packet Decoding

make or get cap files

I wanted some test cap/pcap files in order to test the different kinds of malicious activity for my intrusion detection system. It's my academic project. I wanted to test for TCP protocol activities like portscan, DoS, bad TCP handshake, etc. How can I get or make the capture files?
Thanking you in advance

Disabling CORE decoders?

Is there a way to disable one of the CORE protocols? I've tried JRegistry.resetBindings() and JRegistry.clearScanners() with no luck.

The reason I would like to do this is because I have a suspicion that one of my capture files may not be decoding properly and would like to try disabling that decoder to make sure that is the problem.

I am getting the following stack trace and I believe the error is on line 178:

char firstChar = line.charAt(0);

and line is an empty string.

java.lang.StringIndexOutOfBoundsException: String index out of range: 0
at java.lang.String.charAt(Unknown Source)
at org.jnetpcap.packet.AbstractMessageHeader.decodeHeader(
at org.jnetpcap.packet.JHeader.decode(
at org.jnetpcap.packet.JPacket.getHeaderByIndex(
at org.jnetpcap.packet.JPacket.getHeader(
at org.jnetpcap.packet.JPacket.getHeader(
at org.jnetpcap.packet.structure.AnnotatedBinding.isBound(
at org.jnetpcap.packet.JHeaderScanner.scanAllBindings(
at org.jnetpcap.packet.JHeaderScanner.scanHeader(
at org.jnetpcap.packet.JScanner.scan(Native Method)
at org.jnetpcap.packet.JScanner.scan(
at org.jnetpcap.packet.JPacket.scan(
at org.jnetpcap.Pcap.nextEx(
at testingPackage.JnetPcapTest.parseFile(
at testingPackage.JnetPcapTest.parseDir(
at testingPackage.JnetPcapTest.main(

Decoding GRE

I am post-processing PCAP files in offline mode and so far so good in decoding IP, TCP, and UDP packets, but what I have come across are GRE packets where I would like to get the tunneled data (src/dst ip/port) but can't seem to access it. Packet format is Ethernet -> IP4 -> GRE -> IP4 -> UDP/TCP.

When I do a header count on the packet I get 3 and maybe it's my lack of understanding, but the header at index 0 has both Ethernet and Ip4 and the ones at index 1 and 2 have neither. My first thought is that it's failing to parse past the GRE header, but this is a wild guess at best.

Looking at some older topics there was mention of being able to decode IP in IP, and even looking at the JPacket.State javadoc there is mention of decoding Ethernet->Ip4->Snmp->Ip4 or Ethernet->Ip4->Ip4 (IP tunneled IP). The Ip4 in Ip4 makes sense since it's one header followed by the other, but the first case of SNMP I am not getting since there doesn't seem to be a built-in protocol Dissector/Decoder for SNMP.

I would appreciate any help on this.

High memory consumption of header scan

I've a small problem when analyzing the various packet headers of a trace file.
The following method is called in nextPacket() of a PcapPacketHandler; it should first check the existence of the different headers and store them, and then analyze them, i.e. count packets, bytes, etc.

Something like:

// ip4, tcp and udp are fields of the enclosing class (assigned below)
public void analyze(PcapPacket pcapPacket) {
		// Make a deep copy
		PcapPacket packet = new PcapPacket(pcapPacket);

		ip4 = new Ip4();
		if (packet.hasHeader(ip4)) {
			tcp = new Tcp();
			if (packet.hasHeader(tcp)) {
				saveAndAnalyze(tcp, ip4);
			} else {
				udp = new Udp();
				if (packet.hasHeader(udp)) {
					saveAndAnalyze(udp, ip4);
				} else {
					// ... remaining protocols (cut off in the original post)
				}
			}
		}
}

The deep copy is done, because the packets will be partly displayed.
The problem is the extreme memory consumption of the header instantiations (new IP, UDP, TCP).
A trace file with 10000 packets (about 9.2 MB) uses nearly 300 MB RAM.
And if I'm not instantiating new headers the results of the analyze methods can be wrong.

What am I doing wrong?

I'm using jnetpcap-1.3.b3 on an Ubuntu machine.
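
An added example, not the poster's code and not an answer from the jNetPcap project, showing the pattern of allocating each header object once and letting hasHeader() re-peer it onto every packet, while copying out only the scalar fields that get stored. The jNetPcap 1.3 calls used (Pcap.openOffline, Pcap.loop, PcapPacketHandler, JPacket.hasHeader, Ip4/Tcp/Udp.source()/destination(), FormatUtils.ip, PcapHeader.wirelen) are the library's own; the ReusedHeaderAnalyzer class, the flow-key layout and reading the trace path from args[0] are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import org.jnetpcap.Pcap;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;
import org.jnetpcap.packet.format.FormatUtils;
import org.jnetpcap.protocol.network.Ip4;
import org.jnetpcap.protocol.tcpip.Tcp;
import org.jnetpcap.protocol.tcpip.Udp;
public class ReusedHeaderAnalyzer implements PcapPacketHandler<Map<String, long[]>> {
    // One instance of each header for the whole trace: hasHeader() re-peers it
    // onto the current packet, so nothing is allocated per packet here.
    private final Ip4 ip4 = new Ip4();
    private final Tcp tcp = new Tcp();
    private final Udp udp = new Udp();
    @Override
    public void nextPacket(PcapPacket packet, Map<String, long[]> stats) {
        if (!packet.hasHeader(ip4)) return; // this example only counts IPv4 traffic
        String key;
        if (packet.hasHeader(tcp)) {
            key = flowKey("tcp", tcp.source(), tcp.destination());
        } else if (packet.hasHeader(udp)) {
            key = flowKey("udp", udp.source(), udp.destination());
        } else {
            key = flowKey("ipproto" + ip4.type(), 0, 0);
        }
        // Only scalar values are copied out; neither the headers nor the packet
        // buffer are retained, so the per-packet deep copy is unnecessary. A stored
        // header object would point at the wrong packet after the next scan.
        long[] counters = stats.get(key);
        if (counters == null) stats.put(key, counters = new long[2]);
        counters[0]++;                                      // packets
        counters[1] += packet.getCaptureHeader().wirelen(); // bytes on the wire
    }
    private String flowKey(String proto, int srcPort, int dstPort) {
        return proto + " " + FormatUtils.ip(ip4.source()) + ":" + srcPort
                + " -> " + FormatUtils.ip(ip4.destination()) + ":" + dstPort;
    }
    public static void main(String[] args) {
        StringBuilder errbuf = new StringBuilder();
        Pcap pcap = Pcap.openOffline(args[0], errbuf); // trace path given on the command line
        if (pcap == null) throw new IllegalStateException("openOffline: " + errbuf);
        Map<String, long[]> stats = new HashMap<String, long[]>();
        pcap.loop(Pcap.LOOP_INFINITE, new ReusedHeaderAnalyzer(), stats);
        pcap.close();
        for (Map.Entry<String, long[]> e : stats.entrySet())
            System.out.println(e.getKey() + " packets=" + e.getValue()[0] + " bytes=" + e.getValue()[1]);
    }
}
```

If a packet must be kept for later display, copy that one packet (new PcapPacket(packet)) at the point where it is selected rather than copying every packet in the handler.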

Decode SNMP OIDs of Pcap File

Hi everyone

I would like to open an offline pcap file (containing SNMP traps) and access and decode specific OIDs and their values. Is this possible using jNetPcap? I would appreciate your help on this. Thanks a lot.