
Wireshark-dev: [Wireshark-dev] How to skip unrecognizable packets in saved pcap files

From: Ye Deng <yedeng0@xxxxxxxxx>
Date: Mon, 19 Sep 2011 00:22:01 -0400
Hello all,

I have a serious issue when using libpcap functions to process pcap files.
The error happens when I use the pcap_next_ex() function to get packets from saved pcap files one by one. pcap_next_ex() terminates processing and returns an error saying "bogus savefile header".

Therefore I would like to know: how can I skip the unrecognizable packets and let the libpcap functions process the remaining valid packets? I really prefer to use some *existing* modules/tools to do the job.
I tried "mergecap" and "editcap", and found they cannot skip the unrecognizable packets. Are there any "improved mergecap/editcap" that can do the job and produce pcap files without any unrecognizable packets?

After doing some research online, I found that the "unrecognizable packets" may be generated by file transfers using HTTP/FTP in some text mode.
Please search for "corrupt" on this webpage below.
Therefore, I think the pcap-next-generation dump file format can deal with this issue.
But I tried "pcap-ng" in Wireshark and got an assertion failure during every capture test, which shows that the "pcap-ng"-related functions are still unfinished...

Also, I read the source code of libpcap; that error happens when the length of a captured packet is considered too big.
In "/libpcap-1.1.1/sf-pcap.c", in this function below:

static int
pcap_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
{
    ... ...
    if (hdr->caplen > 65535) {
        snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "bogus savefile header");
        return (-1);
    }
    ... ...
}

I think it is possible to do a "magic number search" when the if() above is true. The bytes holding that "magic number" can be considered the beginning of the next valid packet.
Notice that every valid packet has a timestamp in its packet header:

typedef struct pcaprec_hdr_s {
    guint32 ts_sec;   /* timestamp seconds */
    guint32 ts_usec;  /* timestamp microseconds */
    guint32 incl_len; /* number of octets of packet saved in file */
    guint32 orig_len; /* actual length of packet */
} pcaprec_hdr_t;

If we know the range of the capture time, we can use some bytes of "pcaprec_hdr_s.ts_sec" as the "magic number".

Has anyone implemented such an unrecognizable-packet-skipping function/module before?
I really want to find some *existing* module or tool that can do the skipping job.
I would appreciate it a lot if someone can help me with this.


Regards,
Deng
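One way to implement the resynchronization sketched in the post, as an added example that is not part of the original message and not libpcap code: walk the record headers of a little-endian, microsecond-timestamp pcap, and wherever a header is implausible (ts_sec outside a caller-supplied capture window, ts_usec of a million or more, incl_len zero, above the snaplen/65535 limit, above orig_len, or running past the end of the file) slide forward one byte at a time until a plausible header appears. It goes slightly beyond the post by treating any implausible header, not only caplen > 65535, as the trigger for the search; the plausibility rules, function names, and the sample capture bytes are this example's own constructions.

```python
import struct

# Little-endian pcap (magic 0xa1b2c3d4 stored as d4 c3 b2 a1), microsecond stamps.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len (pcaprec_hdr_s)

def header_is_plausible(buf, off, ts_lo, ts_hi, snaplen):
    """True if the 16 bytes at `off` look like a record header for a packet
    captured between ts_lo and ts_hi (the ts_sec "magic number" from the post),
    with a caplen libpcap would accept and that actually fits in the file."""
    if off + REC_HDR.size > len(buf):
        return False
    ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(buf, off)
    return (ts_lo <= ts_sec <= ts_hi and ts_usec < 1_000_000
            and 0 < incl_len <= min(snaplen, 65535) and incl_len <= orig_len
            and off + REC_HDR.size + incl_len <= len(buf))

def salvage_pcap(data, ts_lo, ts_hi):
    """Walk a pcap byte string and return (packets, skipped_bytes).
    Where libpcap would stop with "bogus savefile header", slide forward one
    byte at a time until the next plausible record header is found."""
    if data[:4] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file")
    snaplen = GLOBAL_HDR.unpack_from(data, 0)[5]
    off, packets, skipped = GLOBAL_HDR.size, [], 0
    while off + REC_HDR.size <= len(data):
        if not header_is_plausible(data, off, ts_lo, ts_hi, snaplen):
            off += 1          # resync search: this byte is junk
            skipped += 1
            continue
        ts_sec, ts_usec, incl_len, _ = REC_HDR.unpack_from(data, off)
        start = off + REC_HDR.size
        packets.append((ts_sec, ts_usec, data[start:start + incl_len]))
        off = start + incl_len
    return packets, skipped + (len(data) - off)   # count a truncated tail too

def build_sample():
    """Constructed test input (not a real capture): two good records, a junk
    block whose header carries caplen 0x11223344 (> 65535), one more good record."""
    def rec(ts_sec, payload):
        return REC_HDR.pack(ts_sec, 500, len(payload), len(payload)) + payload
    ghdr = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    junk = REC_HDR.pack(0xDEADBEEF, 0, 0x11223344, 0x11223344) + b"\x00" * 40
    return (ghdr + rec(1316000000, b"A" * 60) + rec(1316000001, b"B" * 30)
            + junk + rec(1316000002, b"C" * 42))

if __name__ == "__main__":
    pkts, lost = salvage_pcap(build_sample(), 1315000000, 1317000000)
    print(f"recovered {len(pkts)} packets, skipped {lost} junk bytes")
```

The narrower the capture window passed as ts_lo/ts_hi, the fewer random byte sequences can pass as a record header, so take it from the known capture session rather than a wide guess.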