how to handle Linux Cooked packets

sgagr...@gmail.com

Oct 10, 2018, 4:40:58 AM
to Pcap.Net Q&A
Hi,

I'm trying to analyse a pcap file that holds Linux cooked capture frames.
See https://wiki.wireshark.org/SLL.
The library recognises this format but seems to handle the header length incorrectly. It assumes the header is 14 bytes long, but when I look in Wireshark (also shown on the link above) the header size of an SLL frame is 16 bytes.
Needless to say, all further interpretation of these packets fails.

What to do?

Best Regards,
Steve

Boaz Brickner

Nov 10, 2018, 2:11:32 AM
to Pcap.Net Q&A
Hi Steve,

You are correct, Pcap.Net currently only supports Ethernet and IPv4 Datalink parsing.
This is why you have Packet.Ethernet and Packet.IpV4 properties, but no Packet.LinuxSll property.

If you'd like to extend Pcap.Net to parse this, feel free to create a tracking issue for that on GitHub.
You should add some sample .pcap files for testing.
You might want to contribute the code yourself, as I'm not sure if I'll be able to get to that any time soon.

Boaz.

fiddys...@gmail.com

Feb 5, 2019, 8:08:30 PM
to Pcap.Net Q&A
Hi Steve,

I encountered the same situation. In the end I skipped the Linux cooked packet header and went straight to the UDP payload:

var payloads = packets.Select(p => p.ToList().Skip(44).ToArray());

(I used Wireshark to work out how many bytes to skip, in my case 44.)
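
Added example (not part of the thread and not Pcap.Net code): a skip of 44 bytes matches a 16-byte SLL header, a 20-byte IPv4 header without options and an 8-byte UDP header, so a fixed offset returns wrong data for frames with IPv4 options, fragments, truncated captures or non-UDP traffic. This C# example reads the offsets from the headers instead and returns null for anything it cannot parse; the class name, method names and the sample frame are constructed for illustration.

```csharp
using System;

static class LinuxSll
{
    const int SllHeaderLength = 16; // 2 packet type + 2 ARPHRD + 2 addr length + 8 addr + 2 protocol
    const int UdpHeaderLength = 8;
    const ushort EtherTypeIpV4 = 0x0800;
    const byte IpProtocolUdp = 17;

    static ushort ReadUInt16BigEndian(byte[] b, int offset) =>
        (ushort)((b[offset] << 8) | b[offset + 1]);

    // Returns the UDP payload of an SLL-framed IPv4/UDP packet, or null for any other frame.
    public static byte[] TryGetUdpPayload(byte[] frame)
    {
        if (frame == null || frame.Length < SllHeaderLength + 20) return null;
        // The protocol type is the last two bytes of the SLL header.
        if (ReadUInt16BigEndian(frame, 14) != EtherTypeIpV4) return null;

        int ip = SllHeaderLength;
        if ((frame[ip] >> 4) != 4) return null;                 // IP version
        int ipHeaderLength = (frame[ip] & 0x0F) * 4;            // IHL counts 32-bit words
        if (ipHeaderLength < 20 || frame[ip + 9] != IpProtocolUdp) return null;
        // Non-first fragments carry no UDP header.
        if ((ReadUInt16BigEndian(frame, ip + 6) & 0x1FFF) != 0) return null;

        int udp = ip + ipHeaderLength;
        if (frame.Length < udp + UdpHeaderLength) return null;
        int udpLength = ReadUInt16BigEndian(frame, udp + 4);    // UDP header + payload
        // Reject bogus lengths and frames cut short by the capture snap length.
        if (udpLength < UdpHeaderLength || udp + udpLength > frame.Length) return null;

        var payload = new byte[udpLength - UdpHeaderLength];
        Array.Copy(frame, udp + UdpHeaderLength, payload, 0, payload.Length);
        return payload;
    }

    static void Main()
    {
        // Constructed sample frame: SLL header, IPv4 header (no options), UDP header, 4 payload bytes.
        byte[] frame = {
            0x00,0x00, 0x00,0x01, 0x00,0x06, 0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x00, 0x08,0x00,
            0x45,0x00,0x00,0x20, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
            0x0A,0x00,0x00,0x01, 0x0A,0x00,0x00,0x02,
            0x30,0x39,0x00,0x35, 0x00,0x0C,0x00,0x00,
            0x01,0x02,0x03,0x04 };
        byte[] payload = TryGetUdpPayload(frame);
        Console.WriteLine(payload == null ? "not IPv4/UDP" : BitConverter.ToString(payload));
    }
}
```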
