tcpdump mailing list archives
Fixing damaged cap file
From: "ubu.petr () seznam cz" <ubu.petr () seznam cz>
Date: Sun, 01 Apr 2007 01:50:30 +0200
Dear TcpDump and LibPcap team,

I am new to the tcpdump and libpcap case, and I have one big wish for you. Please, could you be so kind as to send me a patch for http://archive.ubuntu.com/ubuntu/pool/main/libp/libpcap0.8/libpcap0.8_0.9.5.orig.tar.gz ?

Here is the situation: if you have a big cap file from tcpdump, tshark or snort that contains damaged packets, it is not possible to parse it. TcpDump ends with the "tcpdump: pcap_loop: bogus savefile header" message. So I found the solution, but unhappily I am not a programmer. Maybe in this code (savefile.c):

    if (hdr->caplen > 65535) {
        snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "bogus savefile header");
        return (-1);
    }

I need to add something like that: "Please tcpdump, do not end, but run over the damaged packets (move from the current position in the cap file byte by byte) until you find a good header and packet, then go ahead. If this problem appears again, run over the damaged packets again."

With this patch file from you, I will compile tcpdump and will parse my big file successfully. It would be so great if in the future tcpdump had options like "tcpdump -r cap_file -w fixed_cap_file -s 0 --skip-bad-packets". There is a place for "tcpdump -r cap_file -w fixed_cap_file -s 0 --recover-bad-packets-headers" too.

Yours sincerely,
Petr Novák

PS: I found another lame solution in a bash script. But it is hard work to write this complex bash script.

1) run "editcap in_file out_file"
2) if "editcap: An error occurred while reading "test": File contains a record that's not valid. (pcap: File has 544501582-byte packet, bigger than maximum of 65535)", then run "tshark -r in_file | tail"
3) take the number from the last row (first column) that does not contain "[Unreassembled Packet [incorrect TCP checksum]]" or "HTTP Continuation or non-HTTP traffic"
4) editcap in_file out_file_tmp00000i -r 1-number
5) dd if=in_file of=tmp00000i bs=size_in_bytes_of_out_file_tmp00000i skip=1
6) dd if=in_file of=header bs=1 count=24
7) cat header tmp00000i > header_tmp00000i
8) tcpdump -r header_tmp00000i
9) if "tcpdump: pcap_loop: bogus savefile header" occurs in the first rows, then "dd if=header_tmp00000i of=fix_header_tmp00000i bs=1 skip=1"
10) dd if=header_tmp00000i of=log_dropped_bytes bs=1 count=1
11) repeat 9)-10) until success or until "tcpdump: pcap_loop: bogus savefile header" appears in lower rows
12) loop 1)-11) through tmp00000i
13) cat out_file with all fix_header_tmp00000i into out_file_fixed
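The byte-by-byte resynchronisation the post asks for (skip bytes until a believable record header appears, then continue), as an added Python example that is not code from the post, from tcpdump or from libpcap. It assumes the classic pcap file format, the caplen > 65535 test quoted from savefile.c plus a few extra sanity checks, and a heuristic that a genuine record's timestamp lies within one day of the previous kept record; the sample capture is constructed inline.

```python
import struct

# pcap global-header magics on disk -> (struct byte order, sub-second units per second).
# 0xa1b2c3d4 files carry microsecond timestamps, 0xa1b23c4d files carry nanoseconds.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000), b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000), b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}
GLOBAL_HDR, REC_HDR = 24, 16
TS_WINDOW = 86_400  # heuristic assumption: a real record is within a day of the last kept one

def record_len(data, off, order, frac_max, snaplen, last_ts):
    """Return the full record length if a believable record header starts at off, else None."""
    if off + REC_HDR > len(data):
        return None
    ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + REC_HDR])
    if incl_len == 0 or incl_len > snaplen or incl_len > orig_len:
        return None  # the caplen > 65535 case behind "bogus savefile header", plus caplen > len
    if ts_frac >= frac_max or off + REC_HDR + incl_len > len(data):
        return None  # impossible sub-second field, or record runs past end of file
    if last_ts is not None and abs(ts_sec - last_ts) > TS_WINDOW:
        return None  # garbage that happens to look like a header rarely keeps the clock plausible
    return REC_HDR + incl_len

def recover_pcap(data):
    """Copy every believable record; on a bad header advance one byte and retry.
    Returns (fixed_bytes, records_kept, bytes_skipped)."""
    order, frac_max = MAGICS[data[:4]]
    snaplen = struct.unpack(order + "I", data[16:20])[0] or 65535
    out, off, kept, skipped, last_ts = [data[:GLOBAL_HDR]], GLOBAL_HDR, 0, 0, None
    while off < len(data):
        n = record_len(data, off, order, frac_max, snaplen, last_ts)
        if n is None:
            off, skipped = off + 1, skipped + 1   # "move byte by byte" over the damage
            continue
        out.append(data[off:off + n])
        last_ts = struct.unpack(order + "I", data[off:off + 4])[0]
        off, kept = off + n, kept + 1
    return b"".join(out), kept, skipped

def make_record(ts_sec, ts_usec, payload, order="<"):
    """Build one pcap record (constructed test data, not a real capture)."""
    return struct.pack(order + "IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload

# Constructed sample: valid global header, a good record, a bogus header claiming a
# 544501582-byte packet (the value from the editcap error above), then a good record.
SAMPLE_HDR = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
GOOD1 = make_record(1175385000, 1000, b"\x00" * 42)
GARBAGE = struct.pack("<IIII", 0, 0, 544501582, 0) + b"junkjunk"
GOOD2 = make_record(1175385030, 500000, b"\xaa" * 60)
SAMPLE = SAMPLE_HDR + GOOD1 + GARBAGE + GOOD2
```

`recover_pcap(open("damaged.pcap", "rb").read())` applies the same scan to a real file; a record that precedes a corruption is kept only if its own header is intact, so the count of skipped bytes is what the post's "log_dropped_bytes" step records by hand.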