Sun, Jan 10, 2016

pcap-ng support in Pcap4J

Sometimes I receive inquiries about support for pcap-ng files in Pcap4J. I wrote the result of my investigation on it in this article.


What’s a pcap-ng file

A pcap-ng file (i.e. a file with the .pcapng extension) is a packet dump file in the pcap Next Generation Capture File Format (pcap-ng format for short). This format was created to overcome the limitations of the traditional Libpcap File Format (pcap format for short), which is used in pcap files.

Although the pcap format has been widely used for a long time, recent versions of Wireshark, the de facto standard packet capture tool, use the pcap-ng format by default to save captured packets. So it is expected that the pcap-ng format will become more common and the pcap format will become legacy in the future.

pcap-ng support in Pcap4J

Of course Pcap4J supports the traditional pcap format. But what about the pcap-ng format?

Whether Pcap4J can handle pcap-ng files is up to its underlying native library. Remember that Pcap4J is a wrapper library for libpcap and WinPcap. If libpcap/WinPcap supports the pcap-ng format, Pcap4J does too, and vice versa.

pcap-ng support in libpcap

libpcap got limited support for reading pcap-ng files in 1.1.0, and then the following three bugs around the feature were fixed:

There has been no enhancement to pcap-ng support since 1.1.0 as of the current release (1.7.5).

I don’t know what “limited” means, but anyway it looked like Pcap4J 1.6.2 could read pcap-ng files without any problems, as far as I tested it with libpcap 1.7.4.

As for writing pcap-ng files, libpcap doesn’t provide any support for that yet.

pcap-ng support in WinPcap

WinPcap is the Windows version of libpcap, and each version of it is based on a certain version of libpcap. The newest version of WinPcap, WinPcap 4.1.3, was developed with libpcap 1.0.0. This means WinPcap doesn’t support the pcap-ng format at all yet.

But there is an unofficial build of WinPcap based on libpcap 1.7.4. As far as I tested this WinPcap through Pcap4J 1.6.2, it worked well for reading pcap-ng files as well as for basic functionality such as finding network devices and live capture, except for getting capture statistics.

How to read a pcap-ng file

Reading a pcap-ng file works exactly the same way as reading a pcap file.

Use Pcaps.openOffline() to open the pcap-ng file, then call read methods such as getNextPacketEx() and loop() on the returned PcapHandle object to get the packets in the file.

For example:

import java.io.EOFException;
import java.util.concurrent.TimeoutException;

import org.pcap4j.core.BpfProgram;
import org.pcap4j.core.NotOpenException;
import org.pcap4j.core.PcapHandle;
import org.pcap4j.core.PcapNativeException;
import org.pcap4j.core.Pcaps;
import org.pcap4j.packet.Packet;

public class Test {

  public static void main(String[] args) throws PcapNativeException, NotOpenException {
    // Opening a pcap-ng file is identical to opening a pcap file.
    PcapHandle ph = Pcaps.openOffline("/path/to/test.pcapng");
    // Only TCP packets are returned once this BPF filter is applied.
    ph.setFilter("tcp", BpfProgram.BpfCompileMode.OPTIMIZE);
    while (true) {
      try {
        Packet p = ph.getNextPacketEx();
        if (p != null) {
          System.out.println(p);
        }
      } catch (EOFException e) {
        // An offline handle signals the end of the file with EOFException.
        System.out.println("End of file");
        break;
      } catch (TimeoutException e) {
        System.out.println("Timed out");
        break;
      }
    }
    ph.close();
  }
}


If you try to read a pcap-ng file using Pcap4J with a native library that doesn’t support the pcap-ng format, Pcap4J throws a PcapNativeException as follows:

Exception in thread "main" org.pcap4j.core.PcapNativeException: bad dump file format
        at org.pcap4j.core.Pcaps.openOffline(Pcaps.java:203)
        at Test.main(Test.java:16)
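Because the same "bad dump file format" message is also what you get for a truncated or corrupted file, it helps to know what the file actually is before blaming the native library. The following Python check is an added example (not part of the original post or of Pcap4J): it reads only the first 12 bytes of a capture file and tells a pcap file from a pcap-ng file using the magic values from the two format specifications. The sample headers are constructed inline, and the version thresholds in the hint are the ones stated above.

```python
import struct

# Magic values from the pcap and pcap-ng specifications, read as big-endian 32-bit words.
PCAP_MAGICS = {
    0xA1B2C3D4: ("big", "microseconds"),
    0xD4C3B2A1: ("little", "microseconds"),
    0xA1B23C4D: ("big", "nanoseconds"),
    0x4D3CB2A1: ("little", "nanoseconds"),
}
PCAPNG_SHB_TYPE = 0x0A0D0D0A    # Section Header Block type: a byte palindrome, so endianness-independent
PCAPNG_BOM = 0x1A2B3C4D         # byte-order magic as it appears in a big-endian section
PCAPNG_BOM_SWAPPED = 0x4D3C2B1A  # the same value as it appears in a little-endian section


def detect_dump_format(header: bytes) -> dict:
    """Classify a capture file from its first bytes (12 are enough) without any native library."""
    if len(header) < 4:
        return {"format": "unknown", "reason": "fewer than 4 bytes"}
    magic = struct.unpack(">I", header[:4])[0]
    if magic in PCAP_MAGICS:
        endian, resolution = PCAP_MAGICS[magic]
        return {"format": "pcap", "endian": endian, "timestamps": resolution}
    if magic == PCAPNG_SHB_TYPE:
        if len(header) < 12:
            return {"format": "unknown", "reason": "truncated Section Header Block"}
        bom = struct.unpack(">I", header[8:12])[0]
        if bom == PCAPNG_BOM:
            return {"format": "pcap-ng", "endian": "big"}
        if bom == PCAPNG_BOM_SWAPPED:
            return {"format": "pcap-ng", "endian": "little"}
        return {"format": "unknown", "reason": "bad pcap-ng byte-order magic"}
    return {"format": "unknown", "reason": "unrecognised magic 0x%08x" % magic}


def diagnose_open_failure(header: bytes) -> str:
    """Turn libpcap's 'bad dump file format' into a hint about the likely cause."""
    info = detect_dump_format(header)
    if info["format"] == "pcap-ng":
        return "pcap-ng file; the native library probably lacks pcap-ng support (libpcap < 1.1.0, WinPcap 4.1.3)"
    if info["format"] == "pcap":
        return "pcap file; the magic is valid, so this is not a pcap-ng support problem"
    return "not a pcap or pcap-ng file: " + info["reason"]


# Constructed sample headers (not taken from real captures).
# Little-endian pcap global header: version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1.
SAMPLE_PCAP_LE = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
# Little-endian pcap-ng Section Header Block: type, length 28, byte-order magic, version 1.0,
# section length -1 (unknown), trailing block length 28.
SAMPLE_PCAPNG_LE = struct.pack("<IIIHHqI", PCAPNG_SHB_TYPE, 28, PCAPNG_BOM, 1, 0, -1, 28)
```

Feed `diagnose_open_failure` the first 12 bytes of the file that made Pcaps.openOffline() fail; a "pcap-ng" verdict on a libpcap older than 1.1.0 or on WinPcap 4.1.3 explains the exception by itself.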