
I have a randomly occurring problem on a set of PCAP files. I am trying to parse all the packets from the recorded PCAP files using SharpPcap and PacketDotNet. The errors seem to occur at random.

I am not doing anything fancy. The following is my code for loading from a PCAP file:

    ICaptureDevice device;
    try
    {
        device = new CaptureFileReaderDevice(pcapFiles[i].FullName);
        device.Open();
    }
    catch (Exception ex)
    {
        Console.WriteLine("Error opening PCAP file " + ex.ToString());
        return; // device is unassigned here, so stop instead of falling through
    }
    RawCapture packet;
    // Read packets until the end of the capture file
    while ((packet = device.GetNextPacket()) != null)
        ProcessPacket(packet);
    device.Close();

In the ProcessPacket method I get the

    Attempted to set a negative index

when executing the following line:

    var packet = PacketDotNet.Packet.ParsePacket(Packet.LinkLayerType, Packet.Data);

I am using the latest version of both libraries, but I have tried implementations with older versions and ran into the same problem.

PCAP files were generated by Suricata IDS if that means anything.

Edit

I made a simple test using the following code:

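    using System;
    using System.IO;
    using System.Linq;
    using SharpPcap;          // ICaptureDevice, RawCapture
    using SharpPcap.LibPcap;  // CaptureFileReaderDevice

    class Program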
    {
        static void Main(string[] args)
        {
            FileInfo[] allFiles = new DirectoryInfo(@"D:\PCAP").GetFiles();
            FileInfo[] pcapFiles = allFiles.Where(x => x.Name.Contains("pcap") && x.Length > 0).ToArray();
            for (int i = 0; i < pcapFiles.Length; ++i)
            {
                ICaptureDevice device;
                try
                {
                    device = new CaptureFileReaderDevice(pcapFiles[i].FullName);
                    device.Open();
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Error opening PCAP file " + ex.ToString());
                    return;
                }
                RawCapture packet;
                while ((packet = device.GetNextPacket()) != null)
                {
                    try
                    {
                        ProcessPacket(packet);
                    }
                    catch
                    {
                        Console.WriteLine(pcapFiles[i]);
                        break;
                    }
                }
                device.Close();
            }
            Console.WriteLine("Done.");
            Console.ReadLine();
        }

        public static void ProcessPacket(RawCapture Packet)
        {
            if (Packet.LinkLayerType == PacketDotNet.LinkLayers.Ethernet)
            {
                var packet = PacketDotNet.Packet.ParsePacket(Packet.LinkLayerType, Packet.Data);
                var ethernetPacket = (PacketDotNet.EthernetPacket)packet;
            }
        }
    }

What is interesting about this is that the number of files in which the errors occur varies from run to run. However, it seems to be increasing with each run.

Any help would be greatly appreciated.


1 Answer


I solved this problem by changing the library I was using. Instead of SharpPcap, I used the EasyPcap library. It does its job and is very simple to use.

Answered 2014-05-01T12:47:59.103