Attempted to set a negative index while reading PCAP files

Question

I have a randomly occurring problem on a set of PCAP files. I am trying to parse all the packets from the recorded PCAP files using SharpPcap and PacketDotNet. The errors seem to occur at random.

I am not doing anything fancy. The following is my code for loading from PCAP file:

ICaptureDevice device;
try
{
    device = new CaptureFileReaderDevice(pcapFiles[i].FullName);
    device.Open();
}
catch (Exception ex)
{
    Console.WriteLine("Error opening PCAP file " + ex.ToString());
}
RawCapture packet;
while ((packet = device.GetNextPacket()) != null)
    ProcessPacket(packet);
device.Close();

In the ProcessPacket method I get the

Attempted to set a negative index

when executing the following line:

var packet = PacketDotNet.Packet.ParsePacket(Packet.LinkLayerType, Packet.Data);

I am using the latest version of both libraries, but I have tried implementations with older versions and ran into the same problem.

PCAP files were generated by Suricata IDS if that means anything.

Edit

I made a simple test using the following code:

    class Program
    {
        static void Main(string[] args)
        {
            FileInfo[] allFiles = new DirectoryInfo(@"D:\PCAP").GetFiles();
            FileInfo[] pcapFiles = allFiles.Where(x => x.Name.Contains("pcap") && x.Length > 0).ToArray();
            for (int i = 0; i < pcapFiles.Length; ++i)
            {
                ICaptureDevice device;
                try
                {
                    device = new CaptureFileReaderDevice(pcapFiles[i].FullName);
                    device.Open();
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Error opening PCAP file " + ex.ToString());
                    return;
                }
                RawCapture packet;
                while ((packet = device.GetNextPacket()) != null)
                {
                    try
                    {
                        ProcessPacket(packet);
                    }
                    catch
                    {
                        Console.WriteLine(pcapFiles[i]);
                        break;
                    }
                }
                device.Close();
            }
            Console.WriteLine("Done.");
            Console.ReadLine();
        }

        public static void ProcessPacket(RawCapture Packet)
        {
            if (Packet.LinkLayerType == PacketDotNet.LinkLayers.Ethernet)
            {
                var packet = PacketDotNet.Packet.ParsePacket(Packet.LinkLayerType, Packet.Data);
                var ethernetPacket = (PacketDotNet.EthernetPacket)packet;
            }
        }
    }

What is interesting about this is that the number of files in which the errors occur varies from run to run. However, it seems to be increasing with each run.

Any help would be greatly appreciated.

Answer 1

I have resolved the problem by changing the library I was using. Instead of using SharpPcap, I used EasyPcap library. It does its job and is very simple to use.