tcpdump mailing list archives

Fixing damaged cap file


From: "ubu.petr () seznam cz" <ubu.petr () seznam cz>
Date: Sun, 01 Apr 2007 01:50:30 +0200

Dear TcpDump and LibPcap team,
I am new to tcpdump and libpcap, and I have one big wish for you.

Please, could you be so kind as to send me a patch for
http://archive.ubuntu.com/ubuntu/pool/main/libp/libpcap0.8/libpcap0.8_0.9.5.orig.tar.gz
?

Here is the situation:
If you have a big cap file from tcpdump, tshark or snort that contains
damaged packets, it is not possible to parse it. tcpdump ends with the
"tcpdump: pcap_loop: bogus savefile header" message. So I found a
solution, but unhappily I am not a programmer:

Maybe in this code (savefile.c):

    if (hdr->caplen > 65535) {
        snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
            "bogus savefile header");
        return (-1);
    }

I need to add something like this:
Please, tcpdump, do not end, but run over the damaged packets (moving
byte by byte from the current position in the cap file) until you find a
good header and packet, then go ahead. If this problem appears again,
run over the damaged packets again.

With this patch from you, I will compile tcpdump and parse my big file
successfully.

It would be great if in the future tcpdump had options like "tcpdump
-r cap_file -w fixed_cap_file -s 0 --skip-bad-packets".

There is a place for "tcpdump -r cap_file -w fixed_cap_file -s 0
--recover-bad-packets-headers" too.

Yours sincerely, Petr Novák

PS: I found another lame solution as a bash script, but it is hard work to write this complex bash script.
1) run "editcap in_file out_file"
2) if "editcap: An error occurred while reading "test": File contains a record that's not valid. (pcap: File has 544501582-byte packet, bigger than maximum of 65535)" appears, then run "tshark -r in_file | tail"
3) take the number from the last row (first column) that does not contain "[Unreassembled Packet [incorrect TCP checksum]]" or "HTTP Continuation or non-HTTP traffic"
4) editcap in_file out_file_tmp00000i -r 1-number
5) dd if=in_file of=tmp00000i bs=size_in_bytes_of_out_file_tmp00000i skip=1
6) dd if=in_file of=header bs=1 count=24
7) cat header tmp00000i > header_tmp00000i
8) tcpdump -r header_tmp00000i
9) if "tcpdump: pcap_loop: bogus savefile header" occurs in the first rows, then "dd if=header_tmp00000i of=fix_header_tmp00000i bs=1 skip=1"
10) dd if=header_tmp00000i of=log_dropped_bytes bs=1 count=1
11) repeat 9)-10) until success or until "tcpdump: pcap_loop: bogus savefile header" appears in lower rows
12) loop 1)-11) through tmp00000i
13) cat out_file with all fix_header_tmp00000i into out_file_fixed
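
What the message asks for (skip the damaged bytes until the next good record header, then carry on) and what the bash procedure in the PS does by hand with editcap and dd can be done directly on the savefile. The following is an added example written for this page; it is not the poster's script and not tcpdump or libpcap code. The plausibility rules it applies to a candidate record header (sub-second field below 10^6, 0 < caplen <= min(snaplen, 65535), caplen <= orig_len, the record fits inside the file, and it is followed by another plausible header or by EOF) are the example's own heuristics, not libpcap's checks, and the sample capture it builds is constructed, not real traffic.

```python
"""Recover a pcap savefile with corrupted records by resynchronising on the
next plausible record header (the "--skip-bad-packets" behaviour requested
above). Added example, not libpcap/tcpdump code; the sanity rules are ours."""
import struct
import sys

GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16
MAX_CAPLEN = 65535  # ceiling savefile.c enforces before "bogus savefile header"

# file magic -> (struct byte-order prefix, exclusive bound of the sub-second field)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}


def parse_global_header(data):
    """Return (endian, ts_frac_max, caplen_max) from the 24-byte file header."""
    if len(data) < GLOBAL_HDR_LEN or data[:4] not in MAGICS:
        raise ValueError("not a pcap savefile (bad magic)")
    endian, ts_frac_max = MAGICS[data[:4]]
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, _ = struct.unpack_from(endian + "HHiIII", data, 4)
    caplen_max = min(snaplen, MAX_CAPLEN) if snaplen else MAX_CAPLEN
    return endian, ts_frac_max, caplen_max


def header_is_plausible(data, off, endian, ts_frac_max, caplen_max):
    """Field-level sanity checks on the 16-byte record header at `off`
    (our heuristics, not libpcap's exact rules)."""
    if off + REC_HDR_LEN > len(data):
        return False
    _ts_sec, ts_frac, caplen, orig_len = struct.unpack_from(endian + "IIII", data, off)
    return (ts_frac < ts_frac_max
            and 0 < caplen <= caplen_max
            and caplen <= orig_len
            and off + REC_HDR_LEN + caplen <= len(data))


def find_resync(data, off, endian, ts_frac_max, caplen_max):
    """Walk forward byte by byte from `off` until a header passes the checks
    and the record it describes ends at EOF or is followed by another
    plausible header. Returns the new offset, or None if nothing fits."""
    for cand in range(off + 1, len(data) - REC_HDR_LEN + 1):
        if not header_is_plausible(data, cand, endian, ts_frac_max, caplen_max):
            continue
        caplen = struct.unpack_from(endian + "I", data, cand + 8)[0]
        nxt = cand + REC_HDR_LEN + caplen
        if nxt == len(data) or header_is_plausible(data, nxt, endian, ts_frac_max, caplen_max):
            return cand
    return None


def repair_pcap(data):
    """Return (global_header, [record bytes], [(offset, length) of skipped spans])."""
    endian, ts_frac_max, caplen_max = parse_global_header(data)
    records, skipped = [], []
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if header_is_plausible(data, off, endian, ts_frac_max, caplen_max):
            caplen = struct.unpack_from(endian + "I", data, off + 8)[0]
            records.append(data[off:off + REC_HDR_LEN + caplen])
            off += REC_HDR_LEN + caplen
            continue
        resync = find_resync(data, off, endian, ts_frac_max, caplen_max)
        if resync is None:  # nothing usable follows, e.g. a record cut off at EOF
            skipped.append((off, len(data) - off))
            break
        skipped.append((off, resync - off))
        off = resync
    return data[:GLOBAL_HDR_LEN], records, skipped


def write_pcap(global_header, records):
    return global_header + b"".join(records)


def _record(ts_sec, ts_frac, payload):
    return struct.pack("<IIII", ts_sec, ts_frac, len(payload), len(payload)) + payload


def build_sample():
    """Constructed test file, not real traffic: three good records, 37 bytes
    of junk, two more good records, then a record cut off mid-payload."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    base = 1175383830  # arbitrary 2007 timestamp
    good = [_record(base + i, 1000 * (i + 1), bytes([0x41 + i]) * 60) for i in range(5)]
    junk = b"\xff" * 21 + b"\x00" * 16
    cut = _record(base + 5, 6000, b"Z" * 60)[:REC_HDR_LEN + 20]
    return ghdr + b"".join(good[:3]) + junk + b"".join(good[3:]) + cut


if __name__ == "__main__":  # usage: fixpcap.py in.pcap out.pcap (no args: built-in sample)
    src = open(sys.argv[1], "rb").read() if len(sys.argv) == 3 else build_sample()
    ghdr, recs, skipped = repair_pcap(src)
    if len(sys.argv) == 3:
        open(sys.argv[2], "wb").write(write_pcap(ghdr, recs))
    print(f"kept {len(recs)} records, skipped spans (offset, bytes): {skipped}")
```

On the built-in sample this keeps all five intact records and reports two skipped spans: the 37 junk bytes, and the 36 trailing bytes of the truncated record, which no resync point follows. The lookahead to the next header is what stops a byte pattern inside a payload that happens to look like a header from being accepted; it makes a false resync unlikely, not impossible, so diff the packet count against what tshark reports on the repaired file. pcapng uses different framing and is not handled here.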

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

