This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wrong sll header in linux cooked capture

0

Got a capture with a wrong sll header and wireshark fails to find the IP header. Any ideas on how to bypass this problem and be able to read the trace anyway?
Here are 2 packets from the trace: https://www.cloudshark.org/captures/3559585c0d15

Thanks and regards Matthias alt text

asked 08 Nov '15, 01:50

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

edited 08 Nov '15, 04:18

Hm, that download location requires a login... you might want to put it up at http://www.cloudshark.org or any other location where anyone can access it without credentials.

(08 Nov '15, 03:31) Jasper ♦♦

How was that trace captured? That link-layer header does not match the tcpdump.org description of a Linux cooked capture header - according to that description, the link-layer address starts at the 6th byte of the header and runs for 8 bytes, possibly with padding, and the address length field has the value 6, so the MAC address is e8:e7:32:d0:51:19, with two padding bytes of 0x81 and 0x00 following it, and with the protocol type immediately following that.

That header appears to have 12 bytes of link-layer address or, at least, 12 bytes of something between the link-layer address length and protocol type fields.

(08 Nov '15, 03:57) Guy Harris ♦♦

I have no idea how this trace was taken - it's from an appliance with RedHat Linux ...

(08 Nov '15, 04:20) mrEEde

Perhaps the appliance vendor "improved" libpcap; report this to them as a bug.

(08 Nov '15, 04:30) Guy Harris ♦♦

Hm, looks like they may have fumbled a VLAN tag into the SLL header, at least 0x8100 (Ethertype for 802.1Q) and two more bytes seem familiar...

(08 Nov '15, 04:39) Jasper ♦♦

Yes, it's the default location to insert a VLAN header..... in an Ethernet frame. Unfortunately they used the same code to do that for an SLL frame. If they would have inserted it two octets further in the frame all would be fine.

(08 Nov '15, 05:16) Jaap ♦

Try importing this frame which has this change applied

0000  00 00 00 01 00 06 e8 e7 32 d0 51 19 00 00 81 00  ........2.Q.....
0010  09 e0 08 00 45 00 00 34 a0 ef 00 00 38 06 ca 87  ....E..4....8...
0020  0a 16 00 12 0a 1a 03 0c 1f 05 cf b4 0d 6c 5e d3  .............l^.
0030  e1 a3 89 6c 80 10 be e6 5d 1d 00 00 01 01 08 0a  ...l....].......
0040  56 45 bf 5d 08 cd 5e f2                          VE.]..^.
(08 Nov '15, 05:20) Jaap ♦

Yes, it's the default location to insert a VLAN header..... in an Ethernet frame. Unfortunately they used the same code to do that for an SLL frame.

Not as of libpcap 1.4.0 it doesn't. That bug was in releases up to 1.3.0, but Jakub Zawadzki submitted a patch for that and a fix was checked in 2012-08-18.

What version of Red Hat was the appliance running - and, if you can determine it, what version of libpcap was it running?

(08 Nov '15, 12:48) Guy Harris ♦♦

uname -a Linux 2.6.32-504.23.4.el6.x86_64 #1 (RHEL6)

SMP Fri May 29 10:16:43 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

libcap-2.16-5.5.el6.x86_64

(08 Nov '15, 13:05) mrEEde
1

libcap-2.16-5.5.el6.x86_64

libpcap, not libcap - they're different libraries. Some Web searches suggest that RHEL 6 might have libpcap 1.4.0, but perhaps the presumed RHEL 6 on the machine (inferred from the kernel information) has an older version, if RHEL 6 started with an older version and later updated to 1.4.x.

(08 Nov '15, 13:43) Guy Harris ♦♦

sorry,

libpcap-1.0.0-6.20091201git117cb5.el6.x86_64

(08 Nov '15, 13:48) mrEEde

Yeah, that's too old (1.0.0, and 2009-12-01 is almost 4 years before I checked Jakub's change in). You might want to tell the appliance vendor that they might want to update the RHEL 6 packages.

(08 Nov '15, 13:53) Guy Harris ♦♦
showing 5 of 12 show 7 more comments

2 Answers:

2

You could use editcap to remove 4 bytes, starting at an offset of 6, from each packet:

editcap −C  6:4 linux_cooked.pcapng linux_cooked_fixed.pcapng

or 4 bytes from some other offset if that's what's required to give it the right MAC address - as long as the 0x00 0x00 before the 0x08 0x00 aren't part of the MAC address (if they are, you'd have to have a program remove 6 bytes and add 2 padding bytes before the 0x08 0x00).

answered 08 Nov '15, 04:05

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

editcap −C 6:4 linux_cooked.pcapng linux_cooked_fixed.pcapng

editcap: Can't open −C: No such file or directory :-(

(08 Nov '15, 04:24) mrEEde

You'll need a newer version of Wireshark, then. The ability to chop data starting at a given offset was introduced in this change:

commit 54adc0d2ffe70561ffbe8b38a4bc36e33ef9ae0d
Author: Chris Maynard <[email protected]>
Date:   Sun Sep 8 20:29:26 2013 +0000

Allow an optional offset to be specified when chopping bytes from packets.</code></pre><p>so it'd have to be a release that included that change.</p></div><div id="comment-47374-info" class="comment-info"><span class="comment-age">(08 Nov '15, 04:29)</span> <span class="comment-user userinfo">Guy Harris ♦♦</span></div></div><span id="47404"></span><div id="comment-47404" class="comment"><div id="post-47404-score" class="comment-score"></div><div class="comment-text"><p>Got it working in using Win7 - my wireshark is at 1.12.1 RHEL</p><p>Editcap (Wireshark) 2.0.0rc2 (v2.0.0rc2-0-g74e5b56 from master-2.0)</p><p>editcap -C 6:4 cooked.pcapng cooked.fixed.pcapng</p><p>Thanks !</p></div><div id="comment-47404-info" class="comment-info"><span class="comment-age">(08 Nov '15, 11:57)</span> <span class="comment-user userinfo">mrEEde</span></div></div></div><div id="comment-tools-47371" class="comment-tools"></div><div class="clear"></div><div id="comment-47371-form-container" class="comment-form-container"></div><div class="clear"></div></div></td></tr></tbody></table>

1

The latest TraceWrangler build is now able to convert those malformed cooked captures to Pseudo-Ethernet while keeping the VLAN information alive (pulling it from the SLL header and inserting it into the packet after the newly contructed Pseudo-Ethernet header).

Find it here: https://www.tracewrangler.com/download/automated/

To convert the frames, add the pcap/pcapng file to the file list, and add an "Edit" task. On the "Layers -> Edit" pane, check "Replace Linux Cooked Header with Ethernet". Then run the task.

answered 08 Nov '15, 09:35

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

The latest TraceWrangler build is now able

...if you're running an OS that can run Windows binaries (Windows itself, or a UN*X on which Wine can run it).

(08 Nov '15, 09:44) Guy Harris ♦♦

yep, correct :-)

(08 Nov '15, 10:08) Jasper ♦♦

Installed the latest TraceWrangler and followed your instructions and the task ran sucessfully (as it seems) ... Log:

Completed scanning file "cooked.pcapng" for frame details in 11 seconds

Completed scanning file "cooked.pcapng" for PCAPng structure details in 11 seconds

Completed processing file "cooked.pcapng" with 0 errors

The file didn't change though and I couldn't find a File-> Save ...

Never used tracewrangler before (Linux user - sorry) ...

Thanks anyway

(08 Nov '15, 12:03) mrEEde

The scanning is just something TW does automatically to gain knowledge about what's in a capture whenever you add a pcap/pcapng file to the file list.

Tracewrangler never modifies files, it always saves the modifications to a new file (which should appear after the edit task was run).

(08 Nov '15, 13:08) Jasper ♦♦

Aha - now I see: A new file was - silently - created !

cooked_edited.pcapng

Perfect, how I wish TW would be available in Linux also ...

Thanks !

(08 Nov '15, 13:17) mrEEde

Yeah I know... I'd love to have a Linux version, but Delphi can't do that unfortunately. But TW runs on Wine, so it can be used on Linux.

(08 Nov '15, 13:38) Jasper ♦♦
showing 5 of 6 show 1 more comments