79425279

Date: 2025-02-09 16:53:20
Score: 2

> This is before This Wireshark doesn't work and has filter "sip ||rtp"

Or, rather, that's a hex dump of the first 400 bytes of the "before" file in question.

It appears to be capturing on two devices, one of which is a loopback device, and the other of which is not a loopback device.

This means that it probably has packets with two different link-layer types; libpcap can't read those, and will return an error for the first packet that has a link-layer type different from the link-layer type of the first packet in the file. SharpPcap is a wrapper around libpcap/WinPcap/Npcap, so that's probably the error it's returning.

> And this is after, This pcap file works and has the filter "frame.number < lineCount+1"

Or, rather, that's a hex dump of the first 400 bytes of the "after" file in question.

That file is a pcapng file, not a pcap file, just as the first file is. Your one-byte change modified the link-layer type of the second interface, presumably changing it from 0 (which is the low-order byte of the value of LINKTYPE_NULL, the type for most BSD loopback interfaces, and also the type that Npcap uses for Windows loopback interfaces) to 1 (which is the low-order byte of the value of LINKTYPE_ETHERNET), so the two interfaces are reported as having the same link-layer type.

That will prevent libpcap/Npcap from returning an error when reading the file.

Unfortunately, it will cause any program reading the file to misinterpret packets from the loopback interface as if they were Ethernet packets, so what they report about the packet will be bogus.

> I'm unsure if this is a SharpPcap or a Wireshark problem

It's neither - it's a libpcap problem (Npcap is libpcap plus a driver and library that talks to the driver, to support traffic capture on Windows, but, as you're using it to read the file, it's just using libpcap code). Libpcap can't handle pcapng files that have packets with more than one link-layer type, as its API assumes all packets in the file have the same link-layer type (libpcap was written before pcapng existed; it's the library that defined the pcap file format, which is a format that supports only one link-layer type per file, unlike pcapng).

SharpPcap is a wrapper around libpcap/Npcap, for use by C# programs.

> do you guys have an idea how to fix this?

Wait for libpcap to provide a new API that fully handles pcapng (when it exists, it will also transparently handle reading pcap files), and for SharpPcap to add a new API to support the new libpcap API, and then change your program to use that new API.

A workaround would be to use TShark to separate the pcapng file into two pcap (or pcapng) files, one that has packets from the first interface and one that has packets from the second interface. Your C# program won't be able to see all the packets in a single pass - you'd have to have it read one file and then the other - but at least your program won't mishandle packets from the second interface.

Reasons:
  • RegEx Blacklisted phrase (1.5): how to fix this?
  • Long answer (-1):
  • Has code block (-0.5):
  • Contains question mark (0.5):
  • Unregistered user (0.5):
  • Low reputation (1):
Posted by: user29571306
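
An added example, not part of the answer above and not libpcap or SharpPcap code: a pre-check that walks a pcapng file's blocks, collects the link-layer type declared by each Interface Description Block, and reports whether the file mixes types, which is the condition the answer describes. It assumes a single-section file; `make_block` and `sample_capture` are hypothetical helpers that build a constructed two-interface sample with no packets.

```python
import struct

SHB_TYPE, IDB_TYPE = 0x0A0D0D0A, 0x00000001
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def interface_linktypes(data: bytes) -> list[int]:
    """Return the link-layer type of each Interface Description Block, in file order."""
    if data[:4] != b"\x0a\x0d\x0d\x0a":
        raise ValueError("not a pcapng file (no Section Header Block at offset 0)")
    linktypes, off, endian = [], 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            # The SHB type reads the same in both byte orders; the magic that
            # follows the length field tells us how to read everything else.
            magic = data[off + 8:off + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic")
        btype, blen = struct.unpack(endian + "II", data[off:off + 8])
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if btype == IDB_TYPE and blen >= 20:
            # The IDB body starts with a 16-bit LinkType field.
            linktypes.append(struct.unpack(endian + "H", data[off + 8:off + 10])[0])
        off += blen
    return linktypes


def has_mixed_linktypes(data: bytes) -> bool:
    """True when the file declares interfaces with different link-layer types."""
    return len(set(interface_linktypes(data))) > 1


def make_block(btype: int, body: bytes, endian: str = "<") -> bytes:
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


def sample_capture(second_linktype: int, endian: str = "<") -> bytes:
    """Constructed sample: one section, an Ethernet interface plus a second interface."""
    shb = make_block(SHB_TYPE, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), endian)
    idbs = [make_block(IDB_TYPE, struct.pack(endian + "HHI", lt, 0, 262144), endian)
            for lt in (1, second_linktype)]
    return shb + b"".join(idbs)
```

On a real capture, pass the file's bytes to `has_mixed_linktypes`; a `True` result means the file should be split per interface before a libpcap-based reader opens it.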