Protocol Specific

Get raw http requests from pcap file

I need to do the following: load pcap file, read packets, retrieve HTTP requests and do something useful with it. I need pure HTTP without TCP and IP headers, and ofcourse I want to skip all this TCP/IP stuff as ACK,FIN etc.
my question is if the jnetpcap is up to this task? is there any tutorials/examples how I can achieve the above?

Unable to fetch payload from TCP packet featuring TCP Segmentation Offloading


I have written some code to fetch payloads from TCP packets. This has worked fine for one PCAP recording, but it seems there is a problem when encountering packets featuring TCP Segmentation Offloading / Large Segment Offloading.

My problem sounds very similar to one raised 2 years ago on but that thread was locked with a comment confirming the bug and the "promise" of a fix but nothing else. I just want to check if this is still a current issue, and/or if there are any potential workarounds.

I also tried to use the Payload class but setHeader() returns false.

Here's some cut down code:

Ip4 ip = new Ip4();
Tcp tcp = new Tcp();

Pcap pcap = Pcap.openOffline(pcapFile, errbuf);

PcapBpfProgram program = new PcapBpfProgram();
int optimize = 0;         // 0 = false  
int netmask = 0xFFFFFF00; //  

if (pcap.compile(program, filterExpression, optimize, netmask) != Pcap.OK) {  
	return null;

if (pcap.setFilter(program) != Pcap.OK) {  
	return null;         

JPacketHandler handler = new JPacketHandler() {

	public void nextPacket(JPacket packet, String str) {
		if (packet.hasHeader(ip)) {
			if (packet.hasHeader(tcp)) {
				// snipped packet handling code. This returns false, despite the packet containing TCP header + payload.

Not sure if it is related, but when debugging, the 'tcp' object's 'packet' is actually not the same as the one passed into nextPacket().

Editing SIP headers


I am using jnetpcap to change headers of SIP messages like;

if(sip.fieldValue(Sip.Request.RequestUrl)!=null) {
ReqURL= sip.fieldValue(Sip.Request.RequestUrl);
sip.addField(Sip.Request.RequestUrl, ReqURL.split("@")[0]+"@"+destnIP, 1);

If I print the sip headers I can see my changes but when I print the packet it has still the old headers.
I cannot find any way how to add these changes to packet.
I can change the other protocols like UDP port, MAC address, destination IP etc.

Can you please help me?


Why my customize protocol is only binded to tcp port 80?

Why my customize protocol is only binded to TCP port 80? Our project need to decode https(SSL/TLS) packets, as follow to the chapter 5 of user guide I wrote my own JHeader: TLS, code is here:
@Header(length = 5, name = "TLS", nicname = "TLS Record Header") // , suite = ProtocolSuite.TCP_IP)
public class TLS extends JHeader {

public static int TLS_RECORD_HEAD_LENGTH = 5;

@Bind(to = Tcp.class, intValue = { 443 })
public static boolean bindToTcp(JPacket packet, Tcp tcp) {
System.out.println("bind is called" + tcp.source() + " " + tcp.destination());
return (tcp.hasPayload() && (tcp.source() == 443 || tcp.destination() == 443));

@Field(offset = 0, length = 8)
public int contentType() {
return super.getByte(0);

public String contentTypeDescription() {
String ret = "";
int b = contentType();
switch (b) {
case 21:
ret = "Alert"; // 警告协议(alert): 21
case 22:
ret = "Handshacke";// 握手协议(handshake): 22
case 20:
ret = "Change cipher specification";// 改变密码格式协议(change_cipher_spec): 20
case 23:
ret = "Application data";// 应用数据协议(application_data): 23
return ret;

@Field(offset = 8, length = 8 * 2)
public int version() {
return super.getUShort(1);

public String versionDescription() {
String ret = "";
int v = version();
switch (v) {
case 0x301:
ret = "TLS 1.0";
case 0x303:
ret = "TLS 1.2";
return ret;

@Field(offset = 24, length = 2 * 8)
public int length() {
return super.getUShort( 3);
According to the logging, it is registered successfully, but no TLS header was captured by PCAP. but if I open the same file from wireshark, I can see many TLS packets. so I added a debugging logging at the bind function "bindToTcp" and here is the logs I got:

openOffline Method to access from Android Internal Storage

Hi everyone,

I am using JnetPcap library to extract the packets from a Mobile Wireshark application required for Android project analysis. I have to capture the IP address from the pcap file and display the same on the Google Maps.

I am facing an issue reading the Internal Storage of the Android phone using the openOffline method... Can this method be used for Android Internal Storage File Directory ?? The same code is working if the directory path is specified in Windows OS running on a PC....

Any inputs would be highly appreciated...

Please find below the code for the same.

package appprofiler.appprofilerv1;

* Created by soory_000 on 11/30/2015.

import android.os.Environment;

import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jnetpcap.Pcap;
import org.jnetpcap.nio.JMemory;
import org.jnetpcap.packet.JFlow;
import org.jnetpcap.packet.JFlowKey;
import org.jnetpcap.packet.JFlowMap;
import org.jnetpcap.packet.JPacket;
import org.jnetpcap.packet.JPacketHandler;
import org.jnetpcap.packet.JScanner;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.protocol.tcpip.Http;
import org.jnetpcap.protocol.tcpip.Tcp;

public class IPExtract {
final static List ipaddress = new ArrayList();
private static String FILENAME;

public IPExtract(String Filename) {
this.FILENAME = Filename;

public static void main(String[] args) {
final StringBuilder errbuf = new StringBuilder();
final Pcap pcap = Pcap.openOffline(FILENAME, errbuf); // While trying to debug I am getting a Library error
if (pcap == null) {

Syndicate content