February 2016

Jnetpcap flow grouping

Hello Mark.
I am currently working on a project related to bandwidth throttling by analysing flow-wise bandwidth consumption. I have come across research publications which do something similar using CISCO NetFlow. I am interested to know how jnetpcap groups packets into flows and how using jnetpcap flows is justifiable as an alternative to CISCO NetFlow.
I have used the Jnetpcap library to implement the core functionality of my project. I am grateful for any clarification you could offer.

Trying to create an ARP packet

I am trying to create an ARP packet, but it seems I can't set the opcode. Any help will be greatly appreciated.

Editing SIP headers


I am using jnetpcap to change headers of SIP messages like:

    if (sip.fieldValue(Sip.Request.RequestUrl) != null) {
        // read the current Request-URI and replace the host part after '@' with destnIP
        String ReqURL = sip.fieldValue(Sip.Request.RequestUrl);
        sip.addField(Sip.Request.RequestUrl, ReqURL.split("@")[0] + "@" + destnIP, 1);
    }

If I print the SIP headers I can see my changes, but when I print the packet it still has the old headers.
I cannot find any way to add these changes to the packet.
I can change the other protocols, like the UDP port, MAC address, destination IP, etc.

Can you please help me?


Dumping without having a Pcap open

Hey there,

I have the following code implemented in my project:

    import org.jnetpcap.Pcap;
    import org.jnetpcap.PcapDumper;
    import org.jnetpcap.packet.PcapPacket;
    import org.jnetpcap.packet.PcapPacketHandler;

    public void dump(String dummy, String filename, final PcapPacketArrayList packets) {

        StringBuilder errbuf = new StringBuilder();
        Pcap pcap = Pcap.openOffline(dummy, errbuf);   // open the one-packet dummy capture

        PcapDumper dump = pcap.dumpOpen(filename);      // dumper that writes the new pcap file

        PcapPacketHandler<PcapDumper> dumper = new PcapPacketHandler<PcapDumper>() {

            public void nextPacket(PcapPacket packet, PcapDumper user) {
                // the dummy packet itself is ignored; every stored packet is written out
                for (int ctr = 0; ctr < packets.size(); ctr++) {
                    user.dump(packets.get(ctr).getCaptureHeader(), packets.get(ctr));
                }
            }
        };

        pcap.loop(1, dumper, dump);   // process the single dummy packet to enter the handler
        dump.close();
        pcap.close();
    }


What it does: it takes some parameters (like a list with packets and a dummy pcap filename), opens the dummy with openOffline, opens a dump on that pcap, and in the handler just iterates through the list, adding all packets to the dump to create a new pcap file.

My question is: is there another way than to use a dummy pcap file, like using just a dumper to directly add the packets out of a list? I couldn't come up with another idea on how to conveniently write a new pcap file out of stored packets; maybe you can give me a hint?

FYI: the dummy file consists of just one random packet I picked up with Wireshark, just to be able to get into a "next packet" handler.
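One way to drop the dummy file, written here as an added example rather than code from the poster or from the jnetpcap project: libpcap's pcap_open_dead(), exposed in jnetpcap as Pcap.openDead(linktype, snaplen), returns a handle with no device or file behind it that can still open a dumper, so the stored packets can be written straight from the list. The poster's PcapPacketArrayList is replaced by a plain List<PcapPacket>, the file names in main() are placeholders, and writePackets() assumes the stored packets still carry valid capture headers and that the link type passed to it matches the packets being written (a mismatch produces a file that Wireshark will decode with the wrong link layer).

```java
import java.util.ArrayList;
import java.util.List;

import org.jnetpcap.Pcap;
import org.jnetpcap.PcapDumper;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;

public class ListDumper {

    /**
     * Writes stored packets to a new pcap file without a dummy input capture.
     * Pcap.openDead() yields a handle that is only used to create the dumper;
     * dlt must be the link type of the packets (e.g. EN10MB for Ethernet captures).
     * Returns the number of packets written.
     */
    public static int writePackets(String filename, int dlt, List<PcapPacket> packets) {
        Pcap dead = Pcap.openDead(dlt, 65535);       // no device, no file: just a handle
        if (dead == null) {
            throw new IllegalStateException("openDead failed");
        }
        PcapDumper dumper = dead.dumpOpen(filename);  // creates the output pcap file
        if (dumper == null) {
            String err = dead.getErr();
            dead.close();
            throw new IllegalStateException("dumpOpen failed: " + err);
        }
        int written = 0;
        try {
            for (PcapPacket p : packets) {
                // original timestamp, caplen and wirelen are taken from the capture header
                dumper.dump(p.getCaptureHeader(), p);
                written++;
            }
        } finally {
            dumper.close();
            dead.close();
        }
        return written;
    }

    /**
     * Usage (paths are placeholders): collect packets from an existing capture into a list,
     * copying each one because jnetpcap reuses the handler's packet buffer, then write them
     * back out with the same link type the input file had.
     */
    public static void main(String[] args) {
        final String input = args.length > 0 ? args[0] : "in.pcap";
        final String output = args.length > 1 ? args[1] : "out.pcap";

        StringBuilder errbuf = new StringBuilder();
        Pcap pcap = Pcap.openOffline(input, errbuf);
        if (pcap == null) {
            System.err.println("openOffline failed: " + errbuf);
            return;
        }
        final List<PcapPacket> packets = new ArrayList<PcapPacket>();
        pcap.loop(Pcap.LOOP_INFINITE, new PcapPacketHandler<List<PcapPacket>>() {
            public void nextPacket(PcapPacket packet, List<PcapPacket> user) {
                user.add(new PcapPacket(packet));   // deep copy; the original buffer is reused
            }
        }, packets);
        int dlt = pcap.datalink();   // reuse the input's link type for the output file
        pcap.close();

        int n = writePackets(output, dlt, packets);
        System.out.println("wrote " + n + " packets to " + output);
    }
}
```

The dead handle carries only the link type and snaplen that end up in the pcap file header, which is why no handler or loop() call is needed: the dumper is driven directly from the list.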

Ethical Hacking.

... I am trying to use jNetPcap for a spoofed SSH dictionary hack & more.


> [ details: http://paco-knife-tarot.blogspot.com/2015/12/dictionary-ssh-hack.html ];

My best hacking trick so far is an uncoordinated (yet) attack on 2 ports: SSH & HTTP.

> [ details: http://paco-knife-tarot.blogspot.com/2016/02/danger-level-confirmed-hack... ].

Build release for Raspberry Pi

I'm trying to build the library from source and get an error during compilation.

I am using the instructions set out here: http://jnetpcap.com/?q=compile/debian using the 1.3 release.

I am running Raspbian 7 (wheezy) on a Raspberry Pi. I made a locate script using find, as the packaged version didn't seem to do the right thing. This is irrelevant to the error I now have, but I needed to do it to get this far.

Running ant clean test gives these errors (and a few more afterwards):

     [echo] arch=arm
     [echo] name=Linux
     [echo] Using pcap version 1301
     [echo] compiling JNI C++ files to object code
     [echo] using g++ compiler
     [echo] system include = /usr/lib/jvm/jdk-8-oracle-arm-vfp-hflt/include
       [cc] 30 total files to be compiled.
       [cc] In file included from /usr/monitor/make/jnetpcap/src/c/nio_jbuffer.cpp:27:0:
       [cc] /usr/monitor/make/jnetpcap/src/c/nio_jbuffer.h:55:9: error: uint64_t does not name a type
       [cc] /usr/monitor/make/jnetpcap/src/c/nio_jbuffer.cpp: In function jdouble Java_org_jnetpcap_nio_JBuffer_getDouble0(JNIEnv*, jclass, jlong, jboolean, jint):
       [cc] /usr/monitor/make/jnetpcap/src/c/nio_jbuffer.cpp:135:18: error: nio_uint_ptr was not declared in this scope
       [cc] /usr/monitor/make/jnetpcap/src/c/nio_jbuffer.cpp:135:18: error: expected ) before address
       [cc] /usr/monitor/make/jnetpcap/src/c/nio_jbuffer.cpp:135:38: error: expected ) before ; token
       [cc] /usr/monitor/make/jnetpcap/src/c/nio_jbuffer.cpp:135:38: error: expected ) before ; token
       [cc] /usr/monitor/make/jnetpcap/src/c/nio_jbuffer.cpp: In function jfloat Java_org_jnetpcap_nio_JBuffer_getFloat0(JNIEnv*, jclass, jlong, jboolean, jint):

How to instruct Jnetpcap to parse only up to Transport Layer?


When parsing a PCAP file, how can I instruct Jnetpcap to only parse up to the transport layer (TCP/UDP in most cases)? Currently, by default, I also get headers for the application level (Http/Html/etc).

So the lowest level I want is TCP/UDP, and the rest (Html/Http/etc) is then available as a byte array via getPayload().