
can't get payload of TCP packet #97

Closed
QiuZidane opened this issue May 15, 2017 · 18 comments

QiuZidane commented May 15, 2017

Hi, kaitoy:

I am using getNextPacketEx() to get the response TCP packet from the server. The PSH flag of the TCP packet is true, so the packet should contain a payload, but when I use getPayload(), it returns null.
(I am doing this on SuSE Linux Enterprise Server 10, libpcap 1.8.1.)

But the payload can be captured normally when the program runs on Windows.

Could you please give me some advice? Thanks a lot :)

The scenario is very simple: I ran the capture program on both sides (client / server).

  1. The client (Windows/browser) posts an HTTP request to the server (SuSE/Tomcat).
  2. The server responds with an HTML page to the client.
@QiuZidane QiuZidane reopened this May 15, 2017
kaitoy commented May 15, 2017

Did you add a packet factory module (e.g. pcap4j-packetfactory-static.jar) to your classpath?
Pcap4J doesn't dissect packets without it.

QiuZidane commented May 16, 2017

Yes, I have added pcap4j-packetfactory-static-1.7.0.jar.

On SuSE, the program can get the payload from the request TCP packet, but can't get the payload from the response TCP packet.

On Windows, both the request and response packets' payloads can be captured.

BTW: I use get(TcpPacket.class) to build the TcpPacket.

kaitoy commented May 16, 2017

What does System.out.println(handle.getNextPacketEx()); show on the response packet?

QiuZidane commented May 16, 2017

The IPv4 total length is 264, so the packet should have 224 bytes of payload data, but there is no payload data shown below... so strange...

[Ethernet Header (14 bytes)]
Destination address: 00:00:0c:9f:f1:3a
Source address: 00:50:56:ae:33:2a
Type: 0x0800 (IPv4)
[IPv4 Header (20 bytes)]
Version: 4 (IPv4)
IHL: 5 (20 [bytes])
TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
Total length: 264 [bytes]
Identification: 45858
Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
Fragment offset: 0 (0 [bytes])
TTL: 64
Protocol: 6 (TCP)
Header checksum: 0x5778
Source address: /122.18.29.31
Destination address: /122.138.29.154
[TCP Header (20 bytes)]
Source port: 9080 (unknown)
Destination port: 16766 (unknown)
Sequence Number: 2660284204
Acknowledgment Number: 2980165323
Data Offset: 5 (20 [bytes])
Reserved: 0
URG: false
ACK: true
PSH: true
RST: false
SYN: false
FIN: false
Window: 2800
Checksum: 0x3050
Urgent Pointer: 0

kaitoy commented May 16, 2017

Could you show System.out.println(ByteArrays.toHexString(handle.getNextRawPacket(), ""));, too?
I want to see the raw data.

@QiuZidane

I captured another response packet:

The raw data:
00000c9ff13a005056ae332a080045000107264640004006e4557a121d1f7a8a1d9a237866b43d8b9a560b6bf30350180e14304f0000

The packet:
[Ethernet Header (14 bytes)]
Destination address: 00:00:0c:9f:f1:3a
Source address: 00:50:56:ae:33:2a
Type: 0x0800 (IPv4)
[IPv4 Header (20 bytes)]
Version: 4 (IPv4)
IHL: 5 (20 [bytes])
TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
Total length: 263 [bytes]
Identification: 9798
Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
Fragment offset: 0 (0 [bytes])
TTL: 64
Protocol: 6 (TCP)
Header checksum: 0xe455
Source address: /122.18.29.31
Destination address: /122.138.29.154
[TCP Header (20 bytes)]
Source port: 9080 (unknown)
Destination port: 26292 (unknown)
Sequence Number: 103255910
Acknowledgment Number: 191623939
Data Offset: 5 (20 [bytes])
Reserved: 0
URG: false
ACK: true
PSH: true
RST: false
SYN: false
FIN: false
Window: 3604
Checksum: 0x304f
Urgent Pointer: 0

@QiuZidane

Hello @kaitoy,
do you have any idea about this issue?
Thanks~!

kaitoy commented May 19, 2017

The raw data is only 54 bytes, and the packet object Pcap4J built represents those 54 bytes.
How did you create the PcapHandle object?
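
A quick check for the mismatch kaitoy points out above, written here as an added Python example (not part of this thread or of Pcap4J): it parses the 54-byte dump posted earlier, verifies the IPv4 header checksum, and compares the payload length the IP/TCP headers promise with what was actually captured. An intact header with a missing body points at the capture path (snaplen or the libpcap layer the thread ends up blaming) rather than at the dissector.

```python
import struct

# Constructed copy of the 54-byte hex dump posted in this thread.
RAW_HEX = ("00000c9ff13a005056ae332a0800"
           "45000107264640004006e4557a121d1f7a8a1d9a"
           "237866b43d8b9a560b6bf30350180e14304f0000")


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header; 0 means intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def analyze_frame(frame: bytes) -> dict:
    """Compare the payload the IP/TCP headers promise with what was captured."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length
    total_len = struct.unpack("!H", ip[2:4])[0]   # bytes the sender claims
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    data_off = (tcp[12] >> 4) * 4                 # TCP header length
    expected = total_len - ihl - data_off         # payload per the headers
    captured = max(len(tcp) - data_off, 0)        # payload actually present
    return {
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "psh": bool(tcp[13] & 0x08),
        "expected_payload": expected,
        "captured_payload": captured,
        # Header intact but body missing: the capture path dropped bytes,
        # the dissector is only reporting what it was given.
        "truncated": len(ip) < total_len,
    }


if __name__ == "__main__":
    print(analyze_frame(bytes.fromhex(RAW_HEX)))
```

For the posted dump this reports a valid header checksum, PSH set, 223 bytes of payload expected and 0 captured, i.e. the frame was cut off before Pcap4J ever saw it.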

QiuZidane commented May 19, 2017

I used getNextRawPacket():

byte[] packet_raw = handle.getNextRawPacket();
Packet packet = EthernetPacket.newPacket(packet_raw, 0, packet_raw.length);
System.out.println(ByteArrays.toHexString(packet_raw , ""));

kaitoy commented May 19, 2017

So, how did you create the handle object?

QiuZidane commented May 20, 2017

I just followed your sample:
InetAddress addr = InetAddress.getByName(strSrcIpAddress);
PcapNetworkInterface nif = Pcaps.getDevByAddress(addr);
PcapHandle handle = nif.openLive(SNAPLEN, PromiscuousMode.PROMISCUOUS, READ_TIMEOUT);

kaitoy commented May 20, 2017

What's the value of SNAPLEN?

@QiuZidane

The value is 65536.

kaitoy commented May 21, 2017

I think the cause is on the libpcap side.
Is Wireshark able to capture entire packets on SUSE?

QiuZidane commented May 21, 2017

Wireshark can't.
I used tcpdump to capture packets on SuSE and used Wireshark to dissect them; the packets seem to be normal.
But that tcpdump uses libpcap 0.9.3. I will try a lower version of libpcap later, such as libpcap 1.7.4; hopefully it will work.

@QiuZidane

I just tried libpcap-1.4.0 and libpcap-1.2.1; the result is the same as before...

kaitoy commented May 22, 2017

Could you ask the libpcap project about the issue?
Pcap4J is just a wrapper of libpcap, and I can't solve issues on the libpcap side.

@kaitoy kaitoy closed this as completed May 22, 2017
@QiuZidane

OK, thanks!
