For all packets, getProtocol() returns 'pcap' #100

Open
seanrowens opened this issue Nov 28, 2018 · 9 comments

@seanrowens

Hi, this could be some kind of stupid mistake on my part, I'm fairly new to pcap stuff, so I hesitate to file an issue, but as far as I can tell I'm doing everything correctly.

I used Wireshark (Version 2.6.4 (v2.6.4-0-g29d48ec8)) to capture some UDP packets and saved them as "Wireshark/tcpdump/... - pcap". When I tried to read them using pkts, all of the packets return 'pcap' from getProtocol(). Loading them in tcpdump shows them as UDP packets.

Code, sample pcap file, and some screenshots, attached below.

AppPkts2.java.txt

jmavsim_px4_commander_startup2.pcap.gz

screen shot 2018-11-27 at 8 40 04 pm

screen shot 2018-11-27 at 8 42 12 pm

screen shot 2018-11-27 at 8 43 19 pm

@jonbo372
Collaborator

Hi,

Your code looks fine but I wonder if it is because I don't recognize the link layer. From the screen shot, seems like "null/loopback". You could step debug through the code to see if this is properly recognized or not but I'll take a look at some later point (not quite sure when so if you're in a rush, do the step debugging part)

@seanrowens
Author

I'll try to take a crack at it tonight. Can you give me any tips on where to start looking/stepping?

@jonbo372
Collaborator

Just put a breakpoint at the hasProtocol and step in from there. Then you'll see how pkts.io tries to identify what link layer it is etc. If it doesn't recognize it, it won't go further and as such, you won't get to the IP layer -> Transport Layer (UDP)

@seanrowens
Author

It's throwing a FramingException on line 123 of PCapPacketImpl. Going to see if I can go a bit deeper.

@seanrowens
Author

Yep, in EthernetFramer on line 86 it's returning null, because the bytes don't match any of the values in the EtherType enum. Then EtherFramer.getEtherType(), line 72, throws an UnknownEtherType exception which is caught in EtherFramer.frame() and results in throwing a FramingException.

@seanrowens
Author

seanrowens commented Nov 30, 2018

The unrecognized byte values are all 64, 17 so a type value of 16401.

@seanrowens
Author

Ethertypes for libpcap;

https://github.com/the-tcpdump-group/libpcap/blob/master/ethertype.h

and tcpdump;

https://github.com/the-tcpdump-group/tcpdump/blob/master/ethertype.h

don't list anything for ethertype 0x4011. And yet tcpdump seems to recognize the types.

@seanrowens
Author

@zendawg

zendawg commented Feb 24, 2019

I am having the same 'problem' but it turns out that is because the protocol - IEEE802_11 - is not supported - it's a PCAP file from a WLAN capture. I wouldn't mind trying to tackle this and write the underlying code to be able to parse these types of frames.

Since the "Protocols in frame" is given as wlan, llc (Logical Link Control), ip and tcp, I am thinking so long as I implement the correct frame and packet implementations of wlan and llc (since ip and tcp are already dealt with), it shouldn't require too much effort other than making sure the correct data fields in the class are implemented.

Feedback greatly appreciated, bit strapped for time at the moment, but do you think this is do-able and is there anything I should bear in mind when tackling this?
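
The following is an added example, not part of the thread and not code from pkts.io. It reads the link type from a pcap global header and shows that, assuming the capture is null/loopback as suggested earlier in the thread, bytes 12-13 of such a frame are the IPv4 TTL and protocol fields (64, 17 = 0x4011 = 16401) rather than an EtherType; link types it does not handle, such as IEEE802_11, are rejected explicitly. The sample header and frame are constructed, and all function names are hypothetical.

```python
import struct

# Link-layer header types stored in the pcap global header (tcpdump.org registry).
LINKTYPE_NULL = 0          # BSD loopback: 4-byte address family, then the packet
LINKTYPE_ETHERNET = 1      # 14-byte Ethernet II header
LINKTYPE_IEEE802_11 = 105  # 802.11 WLAN; not handled by this example
ETHERTYPE_IPV4 = 0x0800

def read_linktype(global_header: bytes) -> int:
    """Return the link type from the 24-byte classic pcap global header."""
    if len(global_header) < 24:
        raise ValueError("truncated pcap global header")
    magic = global_header[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian file
        order = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian file
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    return struct.unpack(order + "I", global_header[20:24])[0]

def ethertype_if_ethernet(frame: bytes) -> int:
    """Bytes 12-13 of the frame, which are the EtherType only on Ethernet."""
    return struct.unpack("!H", frame[12:14])[0]

def ip_protocol(frame: bytes, linktype: int) -> int:
    """Locate the IPv4 header according to the link type; return its protocol."""
    if linktype == LINKTYPE_ETHERNET:
        ethertype = ethertype_if_ethernet(frame)
        if ethertype != ETHERTYPE_IPV4:
            raise ValueError(f"unknown EtherType 0x{ethertype:04x}")
        ip = frame[14:]
    elif linktype == LINKTYPE_NULL:
        # The family field is in the capturing host's byte order; 2 means IPv4.
        if 2 not in (struct.unpack("<I", frame[:4])[0], struct.unpack(">I", frame[:4])[0]):
            raise ValueError("loopback frame does not carry IPv4")
        ip = frame[4:]
    else:
        raise ValueError(f"unsupported link type {linktype}")
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ip[9]

# Constructed sample data (not taken from the capture attached to this issue).
SAMPLE_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_NULL)
SAMPLE_FRAME = bytes.fromhex(
    "02000000"                                      # loopback header: AF_INET
    "4500001d 00000000 40110000 7f000001 7f000001"  # IPv4: TTL 0x40, protocol 0x11
    "3039303a 00090000 00")                         # UDP header and 1 payload byte
```

Calling `ip_protocol(SAMPLE_FRAME, LINKTYPE_ETHERNET)` raises on EtherType 0x4011, while passing the link type returned by `read_linktype(SAMPLE_GLOBAL_HEADER)` yields protocol 17 (UDP).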
