I am getting a `ValueError: Invalid tcpdump header` error for the code below. Any help appreciated.
```python
import dpkt

# Open in binary mode so the file header bytes reach dpkt untouched.
f = open('a.pcap', 'rb')
pcap = dpkt.pcap.Reader(f)
for ts, buf in pcap:
    eth = dpkt.ethernet.Ethernet(buf)
    ip = eth.data
    # Skip frames that are not IP/TCP (ARP, UDP, ...) instead of failing on .dport
    if not isinstance(ip, dpkt.ip.IP) or not isinstance(ip.data, dpkt.tcp.TCP):
        continue
    tcp = ip.data
    if tcp.dport == 80 and len(tcp.data) > 0:
        http = dpkt.http.Request(tcp.data)
        print http.uri
f.close()
```
The error is shown below:

```
Traceback (most recent call last):
  File "malcap.py", line 6, in <module>
    pcap = dpkt.pcap.Reader(f)
  File "/usr/lib/python2.7/site-packages/dpkt/pcap.py", line 104, in __init__
    raise ValueError, 'invalid tcpdump header'
ValueError: invalid tcpdump header
```
Since I ran into the same error, here is my analysis of the issue.

Note: at the moment it looks like the issue is observed on MacOS only, while on Linux tcpdump works as expected.
1) `man tcpdump` refers to the pcap format:

and if you open the PCAP-SAVEFILE document you may see:

> the first field in the per-file header is a 4-byte magic number, with the value 0xa1b2c3d4
2) From `pcap.py` you may see the following:

```python
elif self.__fh.magic != TCPDUMP_MAGIC:
    raise ValueError, 'invalid tcpdump header'
```
3) Based on 1) and 2) we may be sure that the file is not pcap. Let's check with hexdump:

```
hexdump test1.pcap
0000000 0a 0d 0d 0a
```

That's different from our expectations.
Let's check if this is the new format "pcap-ng". From http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html we may read the following:

> Block Type: The block type of the Section Header Block is the integer corresponding to the 4-char string "\r\n\n\r" (0x0A0D0D0A).
4) Since we are working with pylibpcap and there is no support for pcap-ng (at the moment), we need to deal with this issue somehow. There are two options:

4.1) Use the `editcap` tool:

```
editcap -F libpcap -T ether test.pcapng test.pcap
```

4.2) Gather data with the `dumpcap` tool, which supports data storage in both formats (use `-P` for the old format), i.e.:

```
dumpcap -P -i en0 -w test.pcap
```

(`en0` for the MacBook Air case)
However, it looks like there is a bug in Apple's tcpdump implementation. The Mac OS description for tcpdump says the following:

> -P Use the pcap-ng file format when saving files. Apple modification.

If you run tcpdump (without `-P` and without specifying `-i interface`):

```
tcpdump -w test.pcap
hexdump test.pcap
```

you will see the result in pcap-ng format:

```
bash-3.2$ hexdump test.pcap
0000000 0a 0d 0d 0a
```

While if you run tcpdump with a specified interface:

```
tcpdump -w test.pcap -i en0
```

the format will be correct:

```
bash-3.2$ hexdump test.pcap
0000000 d4 c3 b2 a1 02
```
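As an added example (not part of the question or the answer above), here is a small Python 3 helper that inspects the leading bytes of a capture file and reports whether it is classic pcap (either byte order, microsecond or nanosecond timestamps) or pcapng, so a script can fail with a clear message before `dpkt.pcap.Reader` raises `invalid tcpdump header`. The sample headers at the bottom are constructed from the magic values discussed above, not real captures.

```python
import struct

# Per-file header magics from the pcap savefile format: (format, struct endianness, timestamp resolution)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("pcap", "<", "microseconds"),  # little-endian, usec (the "d4 c3 b2 a1" hexdump)
    b"\xa1\xb2\xc3\xd4": ("pcap", ">", "microseconds"),  # big-endian, usec
    b"\x4d\x3c\xb2\xa1": ("pcap", "<", "nanoseconds"),   # little-endian, nsec
    b"\xa1\xb2\x3c\x4d": ("pcap", ">", "nanoseconds"),   # big-endian, nsec
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"  # Section Header Block type, "\r\n\n\r" (the "0a 0d 0d 0a" hexdump)
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D   # at offset 8 of the SHB; tells which endianness the file uses


def identify_capture(header):
    """Classify the first bytes of a capture file and return a dict describing it.

    Raises ValueError with a message naming the actual problem (pcapng, truncation,
    unknown magic) instead of a generic 'invalid tcpdump header'.
    """
    if len(header) < 4:
        raise ValueError("file too short to hold a capture header")
    magic = header[:4]
    if magic in PCAP_MAGICS:
        fmt, endian, resolution = PCAP_MAGICS[magic]
        info = {"format": fmt, "endian": endian, "resolution": resolution}
        if len(header) >= 8:
            # Major/minor version follow the magic; libpcap writes 2.4.
            info["version"] = struct.unpack(endian + "HH", header[4:8])
        return info
    if magic == PCAPNG_SHB_TYPE:
        if len(header) < 12:
            raise ValueError("pcapng Section Header Block is truncated")
        # Block type is byte-order independent; the byte-order magic at offset 8 is not.
        if struct.unpack("<I", header[8:12])[0] == PCAPNG_BYTE_ORDER_MAGIC:
            return {"format": "pcapng", "endian": "<"}
        if struct.unpack(">I", header[8:12])[0] == PCAPNG_BYTE_ORDER_MAGIC:
            return {"format": "pcapng", "endian": ">"}
        raise ValueError("pcapng SHB with unrecognised byte-order magic")
    raise ValueError("unknown capture format, magic bytes %s" % magic.hex())


def check_capture_file(path):
    """Read just enough of the file on disk to classify it (24 bytes covers the pcap global header)."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(24))


# Constructed sample headers (not real captures): pcap 2.4 little-endian, and a pcapng SHB
# whose byte-order magic is stored little-endian (0x1A2B3C4D -> 4d 3c 2b 1a).
SAMPLE_PCAP_LE = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16
SAMPLE_PCAPNG = b"\x0a\x0d\x0d\x0a\x1c\x00\x00\x00\x4d\x3c\x2b\x1a"
```

Calling `check_capture_file("test.pcap")` before constructing the dpkt reader turns the opaque failure into "this is pcapng, convert it with editcap" or "unknown magic", which is the distinction the hexdump step above makes by hand.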