November 2014

manipulating an header - no setters


I'm trying to capture and manipulate ARP headers within my LAN.

I;ve managed to filter and capture the right packets.

When trying to manipulate them (e.g. - change from reply to request or vice versa, modify sender/target addresses etc.) I find the Arp header class has only getters but NO setters so I'm forced to manually modify the actual Bytes in the Buffer..

I found this link: in which you've stated:
You can use existing ethernet and ARP setters to change any of the fields or do it manually in the hexdump string or buffer.

Please help me - are there any setters for the Arp class or must I manually modify each byte according to the Field's offset and length..?

TCP Packets work over switch but not through a router - solved

Using the examples included with jNetPcap's sample code I was able to build a TCP Packet Creator. The creator is a proof of concept to a customer in which we can take 100 pieces of data (positions on a map), package them up and send them to another machine. We also have to set the DSCP code for the data based on criteria which is dynamic - hence the reason why I did not use a simple Socket class in Java. The setTrafficClass() does not seem to work correctly.

When I initially started I used two machines on the same subnet (192.168.35.x) that are connected via an Ethernet switch. The creator sends the packets to another program; my reader receives the packets and displays them correctly. Everything seems fine.

My colleague and I moved one of the machines to another subnet. We needed to show the program work over a router. We did not expect the problems we are currently having. We loaded Wireshark on both machines to see what might be going on.

We also downloaded a set of simple TCP Server and TCP Client programs to see what they would do over a router and a switch. The client simply sends a string to the server. The first thing we noticed was several packets in Wireshark when we sent the string. There were several exchanges between the client and the server - I'm guessing some sort of handshaking.

When I try to send my 100 pieces of data I only get 100 packets. There is no handshaking. When I was using the switch the reader gets the data, but when the router was introduced nothing is received by the reader program. I'm assuming the switch is more forgiving of the mistakes I must have in my code.

How can I introduce the handshaking that seems to be necessary? Are there fields in the TCP/IP Packet that I must set to do this? Do all id fields in packet headers have to be unique? Wireshark tells me "This frame is a (suspected) retransmission. They are not retransmissions so how do I fix this?

Thank you very much


Not seeing UDP Header

I have a computer that is recording UDP surveillance data.

My code using jnetpcap isn't seeing the UDP payload for some reason. Right now, I just use the toString to print out the packet information. The packets are definitely UDP which can be seen in the toString message (type = 17 [next: User Datagram]). None of the UDP payload is printing out in the toString portion and the code never gets inside the final if statement.

Sample code:
PcapPacketHandler<String> jpacketHandler = new PcapPacketHandler<String>() { 
     Udp udp = new Udp();

     public void nextPacket(PcapPacket packet, String user) { 
          if (!packet.hasHeader(Ip4.ID)) {
            System.out.println("Not IP4");
          Ip4 ip = new Ip4();
          //debug print
          if (packet.hasHeader(udp)) {
            System.out.println("Got UDP");
                //do other stuff here

Sample Output:

Null Packet header and body

//		 Will be filled with NICs
		final List<PcapIf> deviceList = new ArrayList<PcapIf>(); 
// 		For any error msgs		
		final StringBuilder errorBuffer = new StringBuilder();     
//		Get a list of devices on this system
//		optional metadata, good to debug - can skip down to open Device directly..
		int result = Pcap.findAllDevs(deviceList, errorBuffer);
		if (result == Pcap.ERROR || result == Pcap.WARNING || deviceList.isEmpty()) {
			System.err.printf("Can't read list of devices, error is %s\n", errorBuffer.toString());
		PcapIf deviceToCapture = null;
		for (final PcapIf device : deviceList) {
			if (device.getName().contains(deviceNameToCapture)){
				deviceToCapture = device;
		if (deviceToCapture == null){
			System.err.printf("Can't read specified device in "+deviceList+", error is %s\n", errorBuffer.toString());
		final int snaplen = 64 * 1024;           // Capture all packets, no truncation
		final int flags = Pcap.MODE_PROMISCUOUS; // capture all packets
//		Open the desired device
		final Pcap pcap = Pcap.openLive(deviceToCapture.getName(), snaplen, flags, timeout, errorBuffer);
		if (pcap == null) {
			System.err.printf("Error while opening device for capture: %s\n",  errorBuffer.toString());
		final PcapBpfProgram program = new PcapBpfProgram();  
		int optimize = 0;         // 0 = false 
//		Set filter
		if (pcap.compile(program, filterExpression, optimize, netmask) != Pcap.OK) {
		if (pcap.setFilter(program) != Pcap.OK) {
		ByteBufferHandler<IPacketHandler<PcapHeader, ByteBuffer>>bufferHandler = new ByteBufferHandler<IPacketHandler<PcapHeader, ByteBuffer>>() {

Delete Packet after parsing

Hi guys!
I need a little help.
I'm parsing with JnetPacket packet captured by tcpdump on android.
Now, tcpdump is saving packets in a pcap file and I'm going to read it periodically.

The problem is that of course the first time I see the packet readed from the start to that moment and the second time JnetPcap reads again all those packets that were previously parsed.
So I'm not able to delete those packets from file after reading.
Any help?


Ubuntu 14.04 LTS has a null TCP header - solution found

The problem I am seeing is identical to but that topic was closed. I am using the jnetpcap 1.3.0-1 Ubuntu 64 bit version. I also have the same version of jnetpcap for a 32 bit Windows box. I have a simple application which creates a TCP/IP Packet and ultimately sends it to another machine. This program works flawlessly on Windows, however on my Ubuntu box it fails when I attempt to get my Tcp object via packet.getHeader
public void buildTCPHeader() {
  packet.setUByte(46, 0x50);
  tcp = packet.getHeader(new Tcp());
Is there some sort of known issue with Ubuntu or have I forgotten to do something that Windows is more forgiving on, but Ubuntu is not? Thanks Phil

OpenSolaris Complete Support is there or Not?

Platforms supported list is showing OpenSolaris support, but no downloads are available for this unix system.Can anyone tell is there any downlaod available or not?

Packets not read completely -> caplen always 16, but frames contain more data (as seen in wireshark and other tools)

Hello Forum,

I´m new here and hope for your help.

I wrote a programm, which opens pcap-Files offline and parses the payload of specific TCP- and UDP-Frames.
For most of the files I read (captured with tcpdump on linux, wireshark on windows, ...) this works fine.

Unfortunately I have also files captured on/from a system I´m not responsible for.
And files from this system are not handled correct. Jnetpcap doesn´t find any TCP- or UDP-Headers in the frames in the file, while in wireshark I can see them.

Getting a little bit deeper in this I saw, that jnetpcap reads/displays just the first 16 Bytes of each frame and the caplen is always just 16.

-> see my output:

Use the arrow to expand or collapse this section
New Packet -> FrameNumber: 2990 -> wirelen: 342 -> caplen: 16
--- packet.toHexdump(): ---
0000:*ff ff ff ff ff ff fc 15 b4 e9 ac 5c 08 00*45 00* ...........\..E.

--- packet.getState().toDebugString(): ---
JMemory: JMemory@4467488class org.jnetpcap.packet.JPacket$State: size=176 bytes
JMemory: owner=PcapHeader.class(size=16/offset=32)
JPacket.State#2989: sizeof(packet_state_t)=112
JPacket.State#2989: sizeof(header_t)=32 and *2=64
JPacket.State#2989: pkt_header_map=0x3
JPacket.State#2989: pkt_flags=0x1
JPacket.State#2989: pkt_header_count=2
JPacket.State#2989: pkt_wirelen=342
JPacket.State#2989 : [ Protocol(ID/Flag) | Start | Prefix | Header | Gap | Payload | Postfix ]
JPacket.State#2989[0]: [ ETHERNET( 1/0800) | 0 | 0 | 14 | 0 | 2 | 0 ]
JPacket.State#2989[1]: [ PAYLOAD( 0/0800) | 14 | 0 | 2 | 0 | 0 | 0 ]


But when I look at the same packet in Wireshark I see that the caplen is 342 (same as wirelen) and all data are in the packet:

Pcap packet encoding and decoding

I am doing a project in which I use kafka producer and consumer. Kafka producer captures the packets using jnetpcap library. These packets need to be converted into array[byte] format to send to Kafka consumer where decoding has to take place , conversion of array[byte] to PcapPacket format. How to write encoder and decoder for the same? Thanks in advance.