Not sure what I'm doing wrong here. I am using Ardikars Pcap 1.4.2 on CentOS 7 with libpcap installed and when I print out the devices everything is null, even if I'm running as admin.

implementation group: 'com.ardikars.pcap', name: 'pcap-jdk7', version: '1.4.2'

libpcap 1.5.3-13.el7_9.x86_64

struct timeval { .. } has a different size on Unix and Windows.

Pcap#lookupInterface() always returns '' on windows

Issue

All address is null on linux.

Version

pcap-api 0.0.18 (Unstable)

OS Version

Linux 5.4.0-kali4-amd64 #1 SMP Debian 5.4.19-1kali1 (2020-02-17) x86_64 GNU/Linux

Pcap version

libpcap version 1.9.1 (with TPACKET_V3)

Java version

openjdk version "14-panama" 2020-03-17
OpenJDK Runtime Environment (build 14-panama+1-15)
OpenJDK 64-Bit Server VM (build 14-panama+1-15, mixed mode, sharing)

Step to reproduce

    for (Interface iface : Pcaps.lookupInterfaces()) {
      LOGGER.info(iface.name());
      LOGGER.info(iface.description());
      LOGGER.info(String.valueOf(iface.flags()));
      if (Objects.nonNull(iface.addresses())) {
        for (Address address : iface.addresses()) {
          LOGGER.info("\t{}", address.address());
          LOGGER.info("\t{}", address.netmask());
          LOGGER.info("\t{}", address.broadcast());
          LOGGER.info("\t{}", address.destination());
        }
      }
    }

Hi.. I am trying to write a packet capture which captures http traffic. This is how my program looks like.

DefaultLiveOptions liveOptions = new DefaultLiveOptions(); liveOptions.promiscuous(false).timeout(readTimeoutMillis).bufferSize(bufferSize) .snapshotLength(snapLength); StringBuilder sbBpfFilter = new StringBuilder("tcp port ").append(80).append(" or ").append(443).append(" and dst ").append(defaultInterfaceAddress.getHostAddress()); String bpfFilter = sbBpfFilter.toString(); pcapHandle = pcapService.live(pcapNetworkInterface, liveOptions); pcapHandle.setNonBlock(true); pcapHandle.setFilter(bpfFilter, true); // Start capturing packets in an infinite loop pcapHandle.loop(-1, new MyPacketHandler(pcapHandle), "Hello pcap!");

The program throws exception saying the filter is empty. But if you look at the logger its not empty. It does have spaces.
23:43:51.818 [PacketSnifferThread] INFO c.q.k.h.p.PerformancePacketSniffer - BPF filter:tcp port 9090 or 9443 and dst 192.168.4.27 pcap_can_set_frmon: Function doesn't exist. pcap_can_set_rfmon: pcap_statustostr: Function doesn't exist. 23:43:51.836 [PacketSnifferThread] ERROR c.q.k.h.p.PerformancePacketSniffer - Exception starting packet capture java.lang.IllegalArgumentException: filter: null (expected: filter != null && notBlank(filter)) at pcap.jdk7.internal.DefaultPcap.setFilter(DefaultPcap.java:74) ~[pcap-jdk7-0.8.3.jar:na] at com.qumu.kodiak.http.perf.PerformancePacketSniffer$PacketSnifferRunnable.run(PerformancePacketSniffer.java:154) ~[classes/:na] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_201] at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_201] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_201] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [na:1.8.0_201] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_201] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_201] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_201]
Please help.

• On MacOS, immediate mode must be turned on with a BIOCIMMEDIATE ioctl(2) for backward compatibility (pre-1.5.0).
• Why on Windows immediate mode always returns (-3)?

Typo: Pcaps#lookupInet4Addres(..), should be Pcaps#lookupInet4Address(..).

I'm trying to use it in my project. I installed npcap like in this instruction (https://pcap.ardikars.com/getting-started/installing-libpcap-or-npcap), what next I must do to use code like this: https://pcap.ardikars.com/getting-started/obtaining-the-device-list in my project?
Thanks :)

If you have an entire Ethernet packet, and you use the codec features like this:

Ethernet ethernet = buffer.cast(Ethernet.class);
Ip4 ip4 = buffer.readerIndex(ethernet.size()).cast(Ip4.class);
ip4.checksum(ip4.calculateChecksum());

The wrong checksum is calculated. That is because the accumulation -= buffer.getShort(10) & 0xFFFF; in Ip4::calculateChecksum is trying to remove the preexisting checksum from checksum calculation (which is the correct thing to do) but the address of the checksum it is trying to remove, 10, is only correct when the Ip4 was constructed with offset zero.

If the Ip4 header is part of a larger buffer, in my case an Ethernet packet, then it is grabbing some arbitrary bytes from the middle of the MAC address in the ethernet header.

  public int calculateChecksum() {
    int accumulation = Checksum.sum(buffer, offset, ihl() << 2);
    accumulation -= buffer.getShort(10) & 0xFFFF;
    accumulation = (accumulation >> 16 & 0xFFFF) + (accumulation & 0xFFFF);
    return (~accumulation & 0xFFFF);
  }

The correct code would be

accumulation -= buffer.getShort(headerChecksum) & 0xFFFF;

We keep having issues with npcap being reinstalled without Winpcap Compatibility mode (for example, by installing Wireshark) and our software not working with it because ardikars pcap requires Winpcap Compatiblity mode.

See pcap4j for how they supported npcap native mode. kaitoy/pcap4j#87

Use non-blocking live capure API with multiple threads.

Issue:

• Currently one Selectable (Pcap) only able to registered to one Selector.