The tcpdump-like filter fails to read and match linux cooked captures (with link type SLL)

Question

The tcpdump-like filter fails to read and match linux cooked captures (with link type SLL)

Opened this issue 3 years ago · 4 comments

Executing:
$ large_pcap_analyzer captures.pcap -v -Y "src host X and src port Y" -w output_large_pcap/output.pcap on a 320MiB file yields:

Successfully compiled PCAP filter: src host X and src port Y
Analyzing PCAP file 'captures.pcap'...
The PCAP file has size 0.31GiB = 320MiB.
Successfully opened output PCAP 'output_large_pcap/output.pcap'
Processing took 0 seconds.
0M packets (939519 packets) were loaded from PCAP (matching PCAP filter).
0M packets (0 packets) matched the filtering criteria (search string / PCAP filters / TCP streams filter) and were saved into output PCAP.

I took the same file and converted all ethernet layers to correctly formatted ethernet headers (with src MAC and dst MAC addresses), and now it works:

Successfully compiled PCAP filter: src host X and src port Y
Analyzing PCAP file 'captures_edited.pcapng'...
The PCAP file has size 0.33GiB = 333MiB.
Successfully opened output PCAP 'output_large_pcap/output.pcap'
Processing took 0 seconds.
0M packets (939519 packets) were loaded from PCAP (matching PCAP filter).
0M packets (24312 packets) matched the filtering criteria (search string / PCAP filters / TCP streams filter) and were saved into output PCAP.

Answer 1 · 2021-06-07T13:43:35.000Z

hello， have you solved this problem?
I had the same problem now.

Answer 2 · 2021-06-14T18:39:18.000Z

@MHTTHM

hello， have you solved this problem?
I had the same problem now.

I used a tool compiled for windows, I can't remember the name now BUT I think I used the app named TraceWrangler.
This tool can convert linux cooked headers to ethernet pseudo headers, but I don't think it stores the actual MAC addresses. So if you don't care about them, just go with this app.

Answer 3 · 2021-06-15T03:48:28.000Z

@MHTTHM

hello， have you solved this problem?
I had the same problem now.

I used a tool compiled for windows, I can't remember the name now BUT I think I used the app named TraceWrangler.
This tool can convert linux cooked headers to ethernet pseudo headers, but I don't think it stores the actual MAC addresses. So if you don't care about them, just go with this app.

thank you for your help!

Answer 4 · 2021-06-15T06:53:54.000Z

Support for Linux cooked header should not be difficult to add... it's not a priority for me though... patches are welcome :)