prongs

Reputation: 9606

pcap2har for a pcap that was generated by tshark(-w option)

My pcap file is generated via a command like:

import subprocess

cmd = """tshark -r "%s" -R "frame.time_relative >= %f" -w "%s" """ % (pcap_name, first_dns_query_time, normalized_pcap_name)
subprocess.Popen(cmd, shell=True).wait()  # shell=True because cmd is one string; wait so the file is complete before it is read

And that normalized pcap is given input to pcap2har. I get this error:

Traceback (most recent call last):
  File "main.py", line 65, in <module>
    dispatcher = pcap.EasyParsePcap(filename=inputfile)
  File "/path/to/pcap2har/pcap2har/pcap.py", line 80, in EasyParsePcap
    ParsePcap(dispatcher, filename=filename, reader=reader)
  File "/path/to/pcap2har/pcap2har/pcap.py", line 27, in ParsePcap
    pcap = ModifiedReader(f)
  File "/path/to/pcap2har/pcap2har/pcaputil.py", line 105, in __init__
    raise ValueError, 'invalid tcpdump header'
ValueError: invalid tcpdump header

The portion of pcaputil.py that throws the error is:

    elif self.__fh.magic != dpkt.pcap.TCPDUMP_MAGIC:
        raise ValueError, 'invalid tcpdump header'

For my pcap (and for any pcap generated by the tshark command), self.__fh.magic is 168627466 and dpkt.pcap.TCPDUMP_MAGIC is 2712847316.

I commented out the line that throws the exception in pcaputil.py, but after that I get this:

Traceback (most recent call last):
  File "main.py", line 65, in <module>
    dispatcher = pcap.EasyParsePcap(filename=inputfile)
  File "/path/to/pcap2har/pcap2har/pcap.py", line 80, in EasyParsePcap
    ParsePcap(dispatcher, filename=filename, reader=reader)
  File "/path/to/pcap2har/pcap2har/pcap.py", line 27, in ParsePcap
    pcap = ModifiedReader(f)
  File "/path/to/pcap2har/pcap2har/pcaputil.py", line 108, in __init__
    self.dloff = dpkt.pcap.dltoff[self.__fh.linktype]
KeyError: 4294967295L

I have already submitted the issue on GitHub.

Upvotes: 1

Views: 1964

Answers (2)

Felipe Volpato

Reputation: 391

You can use editcap to change the format of a ".pcapng" file:

editcap -F pcap teste.pcapng teste.pcap

Upvotes: 1

user862787

Reputation:

As of Wireshark 1.8, the default output file format is pcap-ng, not pcap. If pcap2har had used one of the Python wrappers for libpcap, and you were running on a system with libpcap 1.0 or later (which also means "not running on Windows", as there's no version of WinPcap based on libpcap 1.0 or later), it would automatically be able to read many pcap-ng files, as libpcap can read them, but it's probably using its own code to read libpcap files.

Try running tshark with "-F pcap" to get it to generate a pcap file.

Upvotes: 2
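The mismatch both answers point at can be checked before handing a file to pcap2har. The following is an added example (not the asker's script and not pcap2har's or dpkt's code): it sniffs the first four bytes, then decodes the first 24 bytes the way a pcap-only reader does, which reproduces the two numbers from the question (magic 168627466 and the bogus linktype 4294967295, the low half of the pcap-ng section length 0xFFFFFFFFFFFFFFFF). The sample headers are constructed inline, not real captures.

```python
import struct

TCPDUMP_MAGIC = 0xA1B2C3D4    # dpkt.pcap.TCPDUMP_MAGIC, 2712847316 in decimal
PMUDPCAT_MAGIC = 0xD4C3B2A1   # the same magic seen byte-swapped (little-endian file)
PCAPNG_SHB_TYPE = 0x0A0D0D0A  # pcap-ng Section Header Block type, 168627466 in decimal

# Classic pcap global header: magic, v_major, v_minor, thiszone, sigfigs, snaplen, linktype.
PCAP_FILEHDR = struct.Struct('!IHHiIII')

# Constructed samples (not real captures): the start of a little-endian pcap file with
# linktype 1 (Ethernet), and a minimal pcap-ng Section Header Block as tshark >= 1.8
# writes it (block type, block length, byte-order magic, version 1.0, section length -1).
PCAP_HEADER = struct.pack('<IHHiIII', TCPDUMP_MAGIC, 2, 4, 0, 0, 65535, 1)
PCAPNG_SHB = struct.pack('<IIIHHqI', PCAPNG_SHB_TYPE, 28, 0x1A2B3C4D, 1, 0, -1, 28)

def sniff_capture_format(data):
    """Identify a capture file by its first four bytes."""
    magic = bytes(data[:4])
    if magic == b'\x0a\x0d\x0d\x0a':
        return 'pcap-ng'
    if magic == b'\xd4\xc3\xb2\xa1':
        return 'pcap (little-endian)'
    if magic == b'\xa1\xb2\xc3\xd4':
        return 'pcap (big-endian)'
    return 'unknown'

def read_as_pcap_header(data):
    """Decode the first 24 bytes as a pcap global header, the way a pcap-only reader does:
    read in network byte order, and re-read little-endian only if the swapped magic shows up.
    A pcap-ng SHB matches neither magic, so the second half of its section length
    (0xFFFFFFFF) lands in the linktype field and later fails the dltoff lookup."""
    fields = PCAP_FILEHDR.unpack_from(data)
    if fields[0] == PMUDPCAT_MAGIC:
        fields = struct.unpack_from('<IHHiIII', data)
    return {'magic': fields[0], 'snaplen': fields[5], 'linktype': fields[6]}

def check_for_pcap2har(data):
    """Return (ok, detail): the two checks from pcaputil.py in the question, run up front."""
    fmt = sniff_capture_format(data)
    if fmt == 'pcap-ng':
        hdr = read_as_pcap_header(data)
        return False, ('pcap-ng file: magic=%d (want %d), bogus linktype=%d; '
                       'convert with editcap -F pcap or write it with tshark -F pcap'
                       % (hdr['magic'], TCPDUMP_MAGIC, hdr['linktype']))
    if fmt == 'unknown':
        return False, 'invalid tcpdump header'
    return True, fmt
```

To check a real file, read its first 32 bytes in binary mode and pass them to check_for_pcap2har.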
