Question

My pcap file is generated via a command like:

cmd = """tshark -r "%s" -R "frame.time_relative >= %f" -w "%s" """ % (pcap_name, first_dns_query_time, normalized_pcap_name)
subprocess.Popen(cmd)

And that normalized pcap is given input to pcap2har. I get this error:

Traceback (most recent call last):
  File "main.py", line 65, in <module>
    dispatcher = pcap.EasyParsePcap(filename=inputfile)
  File "/path/to/pcap2har/pcap2har/pcap.py", line 80, in EasyParsePcap
    ParsePcap(dispatcher, filename=filename, reader=reader)
  File "/path/to/pcap2har/pcap2har/pcap.py", line 27, in ParsePcap
    pcap = ModifiedReader(f)
  File "/path/to/pcap2har/pcap2har/pcaputil.py", line 105, in __init__
    raise ValueError, 'invalid tcpdump header'
ValueError: invalid tcpdump header

The portion of pcaputil.py that throws the error is:

    elif self.__fh.magic != dpkt.pcap.TCPDUMP_MAGIC:
        raise ValueError, 'invalid tcpdump header'

For my pcap (and for any pcap generated by the tshark command), self.__fh.magic is 168627466 and dpkt.pcap.TCPDUMP_MAGIC is 2712847316.

I commented the line that throws exception in pcaputil.py but after that I get this:

Traceback (most recent call last):
  File "main.py", line 65, in <module>
    dispatcher = pcap.EasyParsePcap(filename=inputfile)
  File "/path/to/pcap2har/pcap2har/pcap.py", line 80, in EasyParsePcap
    ParsePcap(dispatcher, filename=filename, reader=reader)
  File "/path/to/pcap2har/pcap2har/pcap.py", line 27, in ParsePcap
    pcap = ModifiedReader(f)
  File "/path/to/pcap2har/pcap2har/pcaputil.py", line 108, in __init__
    self.dloff = dpkt.pcap.dltoff[self.__fh.linktype]
KeyError: 4294967295L

I have already submitted the issue on GitHub.


Solution

As of Wireshark 1.8, the default output file format is pcap-ng, not pcap. If pcap2har had used one of the Python wrappers for libpcap, and you were running on a system with libpcap 1.0 or later (which also means "not running on Windows", as there's no version of WinPcap based on libpcap 1.0 or later), it would automatically be able to read many pcap-ng files, as libpcap can read them, but it's probably using its own code to read libpcap files.

Try running tshark with "-F pcap" to get it to generate a pcap file.

OTHER TIPS

You can use editcap to change the format of a ".pcapng" file:

editcap teste.pcapng teste.pcap -F pcap
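The two answers above both come down to one check: look at the file's magic number before handing it to a pcap-only reader. The following Python 3 script is an added example, not code from the question, the answers, or pcap2har. It classifies a capture by its first four bytes, shows why a pcap-ng Section Header Block read through a legacy 24-byte pcap header layout yields exactly the values in the question (magic 168627466 = 0x0A0D0D0A and linktype 4294967295 = 0xFFFFFFFF, the low half of the pcap-ng "section length unknown" field), and builds the corrected tshark and editcap command lines. The field names mirror dpkt's FileHdr as the question's traceback references it (an assumption about that layout), the sample headers are constructed inline, and the function names are the author's own.

```python
import shutil
import struct
import subprocess

# Magic numbers from libpcap's pcap.h and the pcap-ng specification.
PCAP_MAGIC_LE = 0xA1B2C3D4       # 2712847316, the value dpkt.pcap.TCPDUMP_MAGIC holds
PCAP_MAGIC_BE = 0xD4C3B2A1
PCAP_NSEC_MAGIC_LE = 0xA1B23C4D  # nanosecond-resolution variant
PCAP_NSEC_MAGIC_BE = 0x4D3CB2A1
PCAPNG_SHB_TYPE = 0x0A0D0D0A     # 168627466, the Section Header Block type seen in the question

# Constructed sample headers (not real capture data).
# Minimal pcap-ng SHB as written on a little-endian host: type, block length 28,
# byte-order magic 0x1A2B3C4D, version 1.0, section length -1 (unknown), trailing length.
PCAPNG_SHB = struct.pack("<IIIHHqI", PCAPNG_SHB_TYPE, 28, 0x1A2B3C4D, 1, 0, -1, 28)
# Legacy pcap global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet).
LEGACY_PCAP_HDR = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)


def detect_capture_format(data):
    """Classify a capture file by its magic number; returns a short label."""
    if len(data) < 4:
        return "unknown"
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAPNG_SHB_TYPE:          # palindromic, so byte order does not matter
        return "pcapng"
    if magic in (PCAP_MAGIC_LE, PCAP_NSEC_MAGIC_LE):
        return "pcap (little-endian)"
    if magic in (PCAP_MAGIC_BE, PCAP_NSEC_MAGIC_BE):
        return "pcap (big-endian)"
    return "unknown"


def parse_as_legacy_header(data):
    """Read the first 24 bytes through the legacy pcap header layout
    (magic, v_major, v_minor, thiszone, sigfigs, snaplen, linktype; assumed to
    mirror dpkt's FileHdr). Applied to a pcap-ng file this reproduces the
    bogus magic and linktype values from the question."""
    if len(data) < 24:
        raise ValueError("need at least 24 bytes of header")
    first = struct.unpack("<I", data[:4])[0]
    order = ">" if first in (PCAP_MAGIC_BE, PCAP_NSEC_MAGIC_BE) else "<"
    names = ("magic", "v_major", "v_minor", "thiszone", "sigfigs", "snaplen", "linktype")
    return dict(zip(names, struct.unpack(order + "IHHiIII", data[:24])))


def tshark_command(pcap_name, first_dns_query_time, normalized_pcap_name):
    """argv for the question's tshark invocation with '-F pcap' added, as the accepted answer suggests."""
    return ["tshark", "-r", pcap_name,
            "-R", "frame.time_relative >= %f" % first_dns_query_time,
            "-F", "pcap", "-w", normalized_pcap_name]


def editcap_command(src, dst):
    """argv for the editcap conversion from the second answer."""
    return ["editcap", "-F", "pcap", src, dst]


def ensure_legacy_pcap(path, converted_path):
    """Return a path that a pcap-only reader can open, converting with editcap when needed."""
    with open(path, "rb") as f:
        head = f.read(24)
    fmt = detect_capture_format(head)
    if fmt.startswith("pcap ("):
        return path
    if fmt == "pcapng":
        if shutil.which("editcap") is None:
            raise RuntimeError("pcap-ng input and editcap not on PATH; rerun tshark with -F pcap")
        subprocess.run(editcap_command(path, converted_path), check=True)
        return converted_path
    raise ValueError("not a pcap or pcap-ng file: %r" % head[:4])


if __name__ == "__main__":
    for label, blob in (("pcap-ng SHB", PCAPNG_SHB), ("legacy pcap", LEGACY_PCAP_HDR)):
        print(label, "->", detect_capture_format(blob), parse_as_legacy_header(blob))
```

Running the script shows the pcap-ng header misread as magic 168627466 and linktype 4294967295, which is what dpkt's dltoff lookup chokes on once the magic check is commented out; the fix is to produce or convert to legacy pcap, not to bypass the check.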
Licensed under: CC-BY-SA with attribution