pcapfix v1.1.7 README
*********************
Pcapfix is a tool to repair your damaged or corrupted pcap and pcapng files.
It is written in C and released under the GNU General Public License.

To fix your pcap files the tool first checks for an intact pcap global header
and repairs it if there are some corrupted bytes. If there seems to be no
global header at all, pcapfix adds a self-created one at the beginning of the
file. In a second step the tool tries to find pcap packet headers inside the
file, below the global header. It checks if the values are correct (or seem
to be correct) and tries to repair a packet if there is something wrong.
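
The two checks described above (intact global header, then plausible packet headers) can be sketched as a read-only validator. This is an added example, not pcapfix source code: the function name, the sample bytes and the plausibility rules (microseconds below 1000000, stored length not above original length, snaplen or the end of the file) are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC  0xa1b2c3d4u  /* classic microsecond-resolution pcap only */
#define MAX_PKT_LEN 262144u      /* maximum packet length named in this README */

/* Constructed sample: little-endian global header plus two tiny records. */
static const uint8_t SAMPLE_PCAP[62] = {
    0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    1,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0, 0xde,0xad,0xbe,0xef,   /* record at 24 */
    2,0,0,0, 0,0,0,0, 2,0,0,0, 2,0,0,0, 0x00,0x01 };           /* record at 44 */

/* Read a 32-bit field stored little-endian; swap for big-endian files. */
static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return swap ? (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24) : v;
}

/* Returns -1 if every record header is plausible, -2 if the global header is
 * not recognised, else the file offset of the first implausible record. */
long pcap_first_bad_record(const uint8_t *buf, size_t len) {
    if (len < 24) return -2;                        /* global header is 24 bytes */
    int swap = rd32(buf, 0) != PCAP_MAGIC;          /* 1 = written big-endian */
    if (swap && rd32(buf, 1) != PCAP_MAGIC) return -2;
    uint32_t snaplen = rd32(buf + 16, swap);
    if (snaplen == 0 || snaplen > MAX_PKT_LEN) snaplen = MAX_PKT_LEN;
    for (size_t off = 24; off < len; ) {
        if (len - off < 16) return (long)off;       /* truncated record header */
        uint32_t usec = rd32(buf + off + 4, swap);
        uint32_t incl = rd32(buf + off + 8, swap);  /* bytes stored in the file */
        uint32_t orig = rd32(buf + off + 12, swap); /* bytes seen on the wire */
        if (usec >= 1000000u || incl > orig || incl > snaplen ||
            incl > len - off - 16)                  /* data runs past end of file */
            return (long)off;
        off += 16 + (size_t)incl;
    }
    return -1;
}

int main(void) {
    uint8_t damaged[sizeof SAMPLE_PCAP];
    memcpy(damaged, SAMPLE_PCAP, sizeof damaged);
    damaged[54] = 0xff;                             /* corrupt incl_len of record 2 */
    printf("intact:  %ld\n", pcap_first_bad_record(SAMPLE_PCAP, sizeof SAMPLE_PCAP));
    printf("damaged: %ld\n", pcap_first_bad_record(damaged, sizeof damaged));
    return 0;
}
```

A check like this only reports where a capture stops being consistent; it does not modify the file, so it can be run on evidence copies before deciding whether a repair is needed.
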
To fix your pcapng files the tool loops through all packet headers that can
be found in the file. It checks for the mandatory Section Header Block and
Interface Description Block and creates them if they are missing. Pcapfix
checks for correct block sizes and valid option fields. If something is wrong,
invalid fields are repaired (if possible) or skipped and adjusted to finally
get a proper pcapng file.
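
The pcapng checks named above (mandatory Section Header Block and Interface Description Block, consistent block sizes) look like this as a read-only block walker. This is an added example, not pcapfix source code; the function name and sample bytes are assumptions, option fields are not inspected, and a single section with one byte order is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BT_SHB 0x0a0d0d0au  /* Section Header Block type (same in both byte orders) */
#define BT_IDB 0x00000001u  /* Interface Description Block type */
#define BOM    0x1a2b3c4du  /* byte-order magic stored in the SHB body */
/* Constructed sample: SHB (28 bytes), IDB (20), Enhanced Packet Block (36). */
static const uint8_t SAMPLE_PCAPNG[84] = {
    0x0a,0x0d,0x0d,0x0a, 28,0,0,0, 0x4d,0x3c,0x2b,0x1a, 1,0,0,0,
    0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff, 28,0,0,0,
    1,0,0,0, 20,0,0,0, 1,0,0,0, 0,0,4,0, 20,0,0,0,
    6,0,0,0, 36,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0,
    0xde,0xad,0xbe,0xef, 36,0,0,0 };

/* Read a 32-bit field stored little-endian; swap for big-endian sections. */
static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return swap ? (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24) : v;
}

/* Returns -1 if the block chain is consistent, -2 if the file does not start
 * with a Section Header Block, -3 if no Interface Description Block exists,
 * else the offset of the first block whose size fields are inconsistent. */
long pcapng_first_bad_block(const uint8_t *buf, size_t len) {
    if (len < 12 || rd32(buf, 0) != BT_SHB) return -2;
    int swap = rd32(buf + 8, 0) != BOM;             /* 1 = written big-endian */
    if (swap && rd32(buf + 8, 1) != BOM) return -2;
    int have_idb = 0;
    for (size_t off = 0; off < len; ) {
        if (len - off < 12) return (long)off;       /* smaller than an empty block */
        uint32_t total = rd32(buf + off + 4, swap); /* leading Block Total Length */
        if (total < 12 || total % 4 || total > len - off ||
            rd32(buf + off + total - 4, swap) != total) /* trailing copy must match */
            return (long)off;
        if (rd32(buf + off, swap) == BT_IDB) have_idb = 1;
        off += total;
    }
    return have_idb ? -1 : -3;
}

int main(void) {
    uint8_t damaged[sizeof SAMPLE_PCAPNG];
    memcpy(damaged, SAMPLE_PCAPNG, sizeof damaged);
    damaged[44] = 24;                               /* break the IDB's trailing length */
    printf("intact:  %ld\n", pcapng_first_bad_block(SAMPLE_PCAPNG, sizeof SAMPLE_PCAPNG));
    printf("damaged: %ld\n", pcapng_first_bad_block(damaged, sizeof damaged));
    return 0;
}
```
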

Please send any further wishes, feature requests or problems in compiling
and execution to [email protected]. You may also send me pcap/pcapng files
that could not be repaired, in order to improve pcapfix and get your file
repaired.

For further information visit the pcapfix homepage at http://f00l.de/pcapfix/.

USAGE
=====

./pcapfix [OPTIONS] filename

OPTIONS:    -d        , --deep-scan             Deep Scan (default = 0) (pcap only!)
            -s        , --soft-mode             Soft mode (packet detection)
            -n        , --pcapng                Force File Format to PCAPNG
            -o <file> , --outfile <file>        Set output file name
            -t <nr>   , --data-link-type <nr>   Data Link Type (default = 1)
            -v        , --verbose               Verbose output (default = 0)

Output file name
................
If you want to perform the repair process on the input file without creating a
separate output file (e.g. in case you are out of space), you can use the -o
option and give the same name as the input file.
WARNING: This process is DANGEROUS and may destroy your data. You should only use
this option if you know what you are doing and accept the risk of losing the input
file.
Deep Scan Option
................
In classic pcap files, pcapfix will only scan the first 262144 bytes (maximum
packet length) for a proper first packet. If you want to force packet detection
even above this limit (e.g. because your file has been heavily destroyed) you
can use the deep scan option (-d).
This option is not necessary for pcapng files because the whole file is arranged
in blocks that are 'unlimited' by default. As a result pcapfix will always scan
the whole pcapng file for further blocks.
Soft Mode
.........
There are programs that breach some pcap conventions when writing files.
Ignoring those rules does not break the pcap file, but it makes it difficult
for pcapfix to identify the packets in case of broken files.
By default pcapfix uses hard mode. If you encounter problems when repairing
files, try to switch to soft mode (-s). Pcapfix will then try to find the
packets in a more tolerant way.
PCAPNG Format
.............
Pcapfix will try to identify the file format to repair (pcap / pcapng) before
doing any further checks. If the header itself is corrupted, it will assume the
format to be classic pcap. To change this behaviour you can force the tool to
do a pcapng repair by supplying the -n (--pcapng) option.
Verbosity
.........
You can use multiple -v options to increase verbosity.
A verbosity of 2 will result in a large amount of output during packet search.
ASCII-mode transferred Files (FTP)
..................................
Pcapfix is able to repair classic pcap files that have been transferred in
ASCII mode via FTP. In those files a proper pcap structure will be created
only to make them readable by Wireshark etc. The data inside the packets
(and some pcap headers) might still be corrupted. To repair those packets
a deeper look inside the packet structure (e.g. checksum) will be necessary.
Data Link Types
...............
You can make pcapfix change / select your data link type by supplying the -t
option. Although you may select a data link type number between 0 and 255, only
the types listed below are assigned. If the data link type field is corrupt,
pcapfix will select LINKTYPE_ETHERNET by default.
See http://www.tcpdump.org/linktypes.html for further information.

NUMBER LINK_TYPE
0 LINKTYPE_NULL
1 LINKTYPE_ETHERNET
6 LINKTYPE_TOKEN_RING
7 LINKTYPE_ARCNET_BSD
8 LINKTYPE_SLIP
9 LINKTYPE_PPP
10 LINKTYPE_FDDI
50 LINKTYPE_PPP_HDLC
51 LINKTYPE_PPP_ETHER
100 LINKTYPE_ATM_RFC1483
101 LINKTYPE_RAW
104 LINKTYPE_C_HDLC
105 LINKTYPE_IEEE802_11
107 LINKTYPE_FRELAY
108 LINKTYPE_LOOP
113 LINKTYPE_LINUX_SLL
114 LINKTYPE_LTALK
117 LINKTYPE_PFLOG
119 LINKTYPE_PRISM_HEADER
122 LINKTYPE_IP_OVER_FC
123 LINKTYPE_SUNATM
127 LINKTYPE_IEEE802_11_RADIO
129 LINKTYPE_ARCNET_LINUX
138 LINKTYPE_APPLE_IP_OVER_IEEE1394
139 LINKTYPE_MTP2_WITH_PHDR
140 LINKTYPE_MTP2
141 LINKTYPE_MTP3
142 LINKTYPE_SCCP
143 LINKTYPE_DOCSIS
144 LINKTYPE_LINUX_IRDA
147-162 LINKTYPE_USER0-LINKTYPE_USER15
163 LINKTYPE_IEEE802_11_RADIO_AVS
166 LINKTYPE_PPP_PPPD
169 LINKTYPE_GPRS_LLC
177 LINKTYPE_LINUX_LAPD
187 LINKTYPE_BLUETOOTH_HCI_H4
189 LINKTYPE_USB_LINUX
192 LINKTYPE_PPI
195 LINKTYPE_IEEE802_15_4
196 LINKTYPE_SITA
197 LINKTYPE_ERF
201 LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR
202 LINKTYPE_AX25_KISS
203 LINKTYPE_LAPD
204 LINKTYPE_PPP_WITH_DIR
205 LINKTYPE_C_HDLC_WITH_DIR
206 LINKTYPE_FRELAY_WITH_DIR
209 LINKTYPE_IPMB_LINUX
215 LINKTYPE_IEEE802_15_4_NONASK_PHY
220 LINKTYPE_USB_LINUX_MMAPPED
224 LINKTYPE_FC_2
225 LINKTYPE_FC_2_WITH_FRAME_DELIMS
226 LINKTYPE_IPNET
227 LINKTYPE_CAN_SOCKETCAN
228 LINKTYPE_IPV4
229 LINKTYPE_IPV6
230 LINKTYPE_IEEE802_15_4_NOFCS
231 LINKTYPE_DBUS
235 LINKTYPE_DVB_CI
236 LINKTYPE_MUX27010
237 LINKTYPE_STANAG_5066_D_PDU
239 LINKTYPE_NFLOG
240 LINKTYPE_NETANALYZER
241 LINKTYPE_NETANALYZER_TRANSPARENT
242 LINKTYPE_IPOIB
243 LINKTYPE_MPEG_2_TS
244 LINKTYPE_NG40
245 LINKTYPE_NFC_LLCP
COPYRIGHT
=========
Copyright 2012-2021 Robert Krause
Pcapfix is free software: you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or any later version.
Pcapfix is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
Pcapfix. If not, see http://www.gnu.org/licenses/.