large-pcap-analyzer

The tcpdump-like filter fails to read and match Linux cooked captures (with link type SLL)

Open beef9 opened this issue 3 years ago • 4 comments

Executing:

    $ large_pcap_analyzer captures.pcap -v -Y "src host X and src port Y" -w output_large_pcap/output.pcap

on a 320MiB file yields:

    Successfully compiled PCAP filter: src host X and src port Y
    Analyzing PCAP file 'captures.pcap'...
    The PCAP file has size 0.31GiB = 320MiB.
    Successfully opened output PCAP 'output_large_pcap/output.pcap'
    Processing took 0 seconds.
    0M packets (939519 packets) were loaded from PCAP (matching PCAP filter).
    0M packets (0 packets) matched the filtering criteria (search string / PCAP filters / TCP streams filter) and were saved into output PCAP.

I took the same file and converted all Ethernet layers to correctly formatted Ethernet headers (with src MAC and dst MAC addresses), and now it works:

    Successfully compiled PCAP filter: src host X and src port Y
    Analyzing PCAP file 'captures_edited.pcapng'...
    The PCAP file has size 0.33GiB = 333MiB.
    Successfully opened output PCAP 'output_large_pcap/output.pcap'
    Processing took 0 seconds.
    0M packets (939519 packets) were loaded from PCAP (matching PCAP filter).
    0M packets (24312 packets) matched the filtering criteria (search string / PCAP filters / TCP streams filter) and were saved into output PCAP.

beef9 avatar Mar 10 '21 17:03 beef9

Hello, have you solved this problem? I have the same problem now.

MHTTHM avatar Jun 07 '21 13:06 MHTTHM

@MHTTHM

Hello, have you solved this problem? I have the same problem now.

I used a tool compiled for Windows; I can't remember the name now, BUT I think I used the app named TraceWrangler. This tool can convert Linux cooked headers to Ethernet pseudo headers, but I don't think it stores the actual MAC addresses. So if you don't care about them, just go with this app.

beef9 avatar Jun 14 '21 18:06 beef9


Thank you for your help!

MHTTHM avatar Jun 15 '21 03:06 MHTTHM

Support for the Linux cooked header should not be difficult to add... it's not a priority for me though... patches are welcome :)

f18m avatar Jun 15 '21 06:06 f18m
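The two technical points in this thread, beef9's workaround of rewriting the cooked headers as Ethernet headers and f18m's remark that SLL support would not be hard to add, can both be shown with a small stand-alone script. The following is an added example and is not code from large-pcap-analyzer or from any of the commenters. It builds a constructed DLT_LINUX_SLL (linktype 113) pcap with pure stdlib, applies a "src host X and src port Y" check two ways (using the file's real link-header length, and with the Ethernet header length hardcoded, which is assumed here to be the kind of offset mismatch that produces the 0-match symptom in the report) and then converts the file to DLT_EN10MB (linktype 1) the way beef9 describes: the SLL sender address becomes the source MAC, the destination MAC is zero because SLL never carried one, and the EtherType is taken from the SLL protocol field. Only the classic microsecond pcap format is handled; pcapng and the nanosecond magic are out of scope for this example.

```python
"""Convert a Linux cooked capture (DLT_LINUX_SLL, 113) to Ethernet (DLT_EN10MB, 1)
and show why an Ethernet-offset filter misses every SLL packet.  Stdlib only."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1
DLT_LINUX_SLL = 113
ETH_HDR_LEN = 14   # dst MAC(6) src MAC(6) EtherType(2)
SLL_HDR_LEN = 16   # pkttype(2) ARPHRD(2) addrlen(2) addr(8) proto(2), network order


def parse_pcap(data):
    """Return (byte-order prefix, linktype, snaplen, [(ts_sec, ts_usec, orig_len, pkt)])."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        end = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        end = ">"
    else:
        raise ValueError("unsupported pcap magic %r (pcapng/nanosecond not handled)" % data[:4])
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        records.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return end, linktype, snaplen, records


def write_pcap(end, linktype, snaplen, records):
    out = [struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, orig_len, pkt in records:
        out.append(struct.pack(end + "IIII", ts_sec, ts_usec, len(pkt), orig_len) + pkt)
    return b"".join(out)


def sll_to_ethernet(data):
    """Rewrite every SLL header as an Ethernet header (dst MAC unknown -> zero)."""
    end, linktype, snaplen, records = parse_pcap(data)
    if linktype != DLT_LINUX_SLL:
        raise ValueError("expected linktype 113 (LINUX_SLL), got %d" % linktype)
    converted = []
    for ts_sec, ts_usec, orig_len, pkt in records:
        if len(pkt) < SLL_HDR_LEN:
            continue                       # truncated record: no link header to rebuild
        _pkttype, _arphrd, addr_len = struct.unpack("!HHH", pkt[:6])
        addr, proto = pkt[6:14], pkt[14:16]
        src_mac = addr[:6] if addr_len == 6 else b"\x00" * 6   # only ARPHRD_ETHER fits
        eth = b"\x00" * 6 + src_mac + proto
        shrink = SLL_HDR_LEN - ETH_HDR_LEN
        converted.append((ts_sec, ts_usec, orig_len - shrink, eth + pkt[SLL_HDR_LEN:]))
    return write_pcap(end, DLT_EN10MB, snaplen, converted)


def count_src_matches(data, src_ip, src_port, assume_linktype=None):
    """Count IPv4 TCP/UDP packets with the given source address and port.
    assume_linktype overrides the file's linktype to mimic a tool that
    always decodes with Ethernet offsets (assumed cause of the 0-match result)."""
    _, linktype, _, records = parse_pcap(data)
    lt = linktype if assume_linktype is None else assume_linktype
    link_len = {DLT_EN10MB: ETH_HDR_LEN, DLT_LINUX_SLL: SLL_HDR_LEN}[lt]
    hits = 0
    for _, _, _, pkt in records:
        if pkt[link_len - 2:link_len] != b"\x08\x00" or len(pkt) < link_len + 20:
            continue                       # not IPv4 at this offset
        ip = pkt[link_len:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ip[9] not in (6, 17) or len(ip) < ihl + 4:
            continue
        sport = struct.unpack("!H", ip[ihl:ihl + 2])[0]
        if socket.inet_ntoa(ip[12:16]) == src_ip and sport == src_port:
            hits += 1
    return hits


def build_sample_sll_pcap():
    """Constructed input (not a real capture): four IPv4 packets over SLL."""
    def ipv4(src, dst, proto, payload):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                           proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

    def udp(sport, dport, body):
        return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

    def tcp(sport, dport):
        return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

    def sll(payload, src_mac=b"\x02\x00\x00\x00\x00\x01"):
        # pkttype 0 (to us), ARPHRD_ETHER=1, 6-byte address zero-padded to 8, EtherType IPv4
        return struct.pack("!HHH8s2s", 0, 1, 6, src_mac.ljust(8, b"\x00"), b"\x08\x00") + payload

    pkts = [
        sll(ipv4("10.0.0.5", "10.0.0.9", 17, udp(5353, 5353, b"hello"))),
        sll(ipv4("10.0.0.5", "10.0.0.9", 6, tcp(5353, 80))),
        sll(ipv4("10.0.0.7", "10.0.0.9", 17, udp(5353, 5353, b"other"))),
        sll(ipv4("10.0.0.5", "10.0.0.9", 17, udp(40000, 53, b"query"))),
    ]
    records = [(1615395600 + i, 0, len(p), p) for i, p in enumerate(pkts)]
    return write_pcap("<", DLT_LINUX_SLL, 65535, records)


if __name__ == "__main__":
    sll_pcap = build_sample_sll_pcap()
    eth_pcap = sll_to_ethernet(sll_pcap)
    print("SLL, linktype-aware:    ", count_src_matches(sll_pcap, "10.0.0.5", 5353))
    print("SLL, Ethernet offsets:  ", count_src_matches(sll_pcap, "10.0.0.5", 5353, DLT_EN10MB))
    print("converted to Ethernet:  ", count_src_matches(eth_pcap, "10.0.0.5", 5353))
```

The hardcoded-Ethernet pass reads the last two bytes of the 8-byte SLL address field where it expects an EtherType, so no packet ever looks like IPv4 and the count is zero, which is the same shape of result as the first log in the report; a decoder that honours the file's linktype, or the converted file, finds the two matching packets. The conversion keeps the sender MAC only when the ARPHRD type carries a 6-byte address and leaves the destination MAC zero, the same limitation beef9 notes for the TraceWrangler workaround.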