Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: [Wireshark-dev] Is this a Bug? PCAP can't deal with ipv4&ipv6 hybrid data?

From: homeryan <homeryan@xxxxxxx>
Date: Fri, 30 Dec 2011 14:30:17 +0800
    I am processing a hybrid pcap file using libpcap and filter _expression_. The pcap file is hybrid with ipv4 & ipv6 packets. The code fragment is as follows:
/*----------------------------------------------------------------------------*/
pcap_t * fp; string pcapfilename = "g00.pcap"; string pcap_filter = "tcp dst port 80"; struct bpf_program filtercode; // open pcap file if ((fp = pcap_open_offline(pcapfilename.c_str(), errbuf)) == NULL) { cout << "file open failed" << endl; return 0; } //set filter string
if (pcap_filter.length() > 0) { u_int32_t netmask = 0xffffffff; struct bpf_program filtercode; if (pcap_compile(fp, &filtercode, pcap_filter.c_str(), 1, netmask) < 0) { cout << "compile filter code error " << pcap_geterr(fp) << endl; pcap_close(fp); return 0; } if (pcap_setfilter(fp, &filtercode) < 0) { cout << "set filter error " << pcap_geterr(fp) << endl; pcap_close(fp); return 0; } } // read packets
while((ret = pcap_next_ex(fp, &hdr, &pData)) > 0) //!!! notice here !!! { cout << "I got it!!!" << endl; }
/*----------------------------------------------------------------------------*/
 
    I'm assure that the pcap file has many packets with tcp dest port 80, but I got nothing while I try to read it out.
While I traced into the program, I got the "ret" is -2, it means the end of file is encountered.
I used another pcap file with pure ipv4 packets to test above code, it ran correctly and I got the right packets as expected.
 
Is this a bug?
 
 
2011-12-30

homeryan