CaptureFileWriterDevice.Write((RawCapture p) writes incorrect LinkLayerType if its not known to PacketDotNet

[twa89]

I am opening a wireshark capture of a BACnet MSTP cap file, then trying to write the packet back out using CaptureFileWriterDevice.Write() method. When it writes the packet out, it does not preserve the link layer byte that was in the original packet that was read in.

BACnet MSTP is link layer 165, I see this byte in the source file, but in the one written out is was replaced with 0.

I looked at PacketDotNet and it seems to have an enum for link layer that doesn't have this value (165). I would think if a packet is read in, it could be written back as read. Here is a sample file with just 1 mstp packet.

onemstp.zip

[kayoub5]

@twa89 the link layer is determined through the constructor of CaptureFileWriterDevice, not through the Write method (the link layer of the RawCapture is simply ignored)

How did you create the CaptureFileWriterDevice ?

[twa89]

I created it just with the wireshark file. The constructor that takes only a filename. From: Ayoub Kaanich <notifications@github.com> Sent: Sunday, December 6, 2020 5:07 AM To: chmorgan/sharppcap <sharppcap@noreply.github.com> Cc: Anderson Jr, Thomas (SI BP AM R&D SW DCC) <thomasanderson@siemens.com>; Mention <mention@noreply.github.com> Subject: Re: [chmorgan/sharppcap] CaptureFileWriterDevice.Write((RawCapture p) writes incorrect LinkLayerType if its not known to PacketDotNet (#174) @twa89<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftwa89&data=04%7C01%7CthomasAnderson%40siemens.com%7Ccde289741d5b484a758008d899d71340%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637428496301964005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=jRNLEaIv7wRn3bKACMDnjfZWOdhOOty%2BC4wX%2FqAfnqA%3D&reserved=0> the link layer is determined through the constructor of CaptureFileWriterDevice, not through the Write method (the link layer of the RawCapture is simply ignored) How did you create the CaptureFileWriterDevice ? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fchmorgan%2Fsharppcap%2Fissues%2F174%23issuecomment-739487155&data=04%7C01%7CthomasAnderson%40siemens.com%7Ccde289741d5b484a758008d899d71340%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637428496301973963%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pBJBp4lIFRwXnEbGdrf%2B%2FnM9Msp6Ou3N2Udl6%2BzbNAU%3D&reserved=0>, or unsubscribe<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAG7MZW7H3AMSYSNDKNTZUX3STNQVTANCNFSM4UO3HS5Q&data=04%7C01%7CthomasAnderson%40siemens.com%7Ccde289741d5b484a758008d899d71340%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637428496301973963%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=WrUvQ3WTgPtRR4oQSlika%2FvpRwvQuH%2B6cS4ef%2F9zyFE%3D&reserved=0>.

[kayoub5]

@twa89 use the constructor where you can specify the LinkLayer, the one that only accepts file name uses link layer Ethernet.

See https://github.com/chmorgan/sharppcap/blob/de6d35505b9f22f9678272e431e2bce960375b94/SharpPcap/LibPcap/CaptureFileWriterDevice.cs#L160-L163

[twa89]

Linklayer 165 is not a choice in the enum. I will try casting it. From: Ayoub Kaanich <notifications@github.com> Sent: Monday, December 7, 2020 1:08 AM To: chmorgan/sharppcap <sharppcap@noreply.github.com> Cc: Anderson Jr, Thomas (SI BP AM R&D SW DCC) <thomasanderson@siemens.com>; Mention <mention@noreply.github.com> Subject: Re: [chmorgan/sharppcap] CaptureFileWriterDevice.Write((RawCapture p) writes incorrect LinkLayerType if its not known to PacketDotNet (#174) @twa89<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftwa89&data=04%7C01%7CthomasAnderson%40siemens.com%7C2e855d17fe684b5c87de08d89a7ed1ab%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637429216756473776%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=gQGBQP8qbxLwZb0RGjdF5tSTYAcEEjjtE7pmxvKuYUE%3D&reserved=0> use the constructor where you can specify the LinkLayer, the one that only accepts file name uses link layer Ethernet. See https://github.com/chmorgan/sharppcap/blob/de6d35505b9f22f9678272e431e2bce960375b94/SharpPcap/LibPcap/CaptureFileWriterDevice.cs#L160<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fchmorgan%2Fsharppcap%2Fblob%2Fde6d35505b9f22f9678272e431e2bce960375b94%2FSharpPcap%2FLibPcap%2FCaptureFileWriterDevice.cs%23L160&data=04%7C01%7CthomasAnderson%40siemens.com%7C2e855d17fe684b5c87de08d89a7ed1ab%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637429216756473776%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=HiWR8ruYKLbdLJFoYs%2FGd4I58wbJf10XLvE%2BaJDpYjQ%3D&reserved=0> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fchmorgan%2Fsharppcap%2Fissues%2F174%23issuecomment-739718023&data=04%7C01%7CthomasAnderson%40siemens.com%7C2e855d17fe684b5c87de08d89a7ed1ab%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637429216756483767%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ZPyX8R1b3FXxrZRAifsgJtzCjtmMxEhv%2B49OSBCUiN8%3D&reserved=0>, or unsubscribe<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAG7MZW2GG5NHJQVZDIRFX7DSTR5MPANCNFSM4UO3HS5Q&data=04%7C01%7CthomasAnderson%40siemens.com%7C2e855d17fe684b5c87de08d89a7ed1ab%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637429216756483767%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sBa2BSnY1pU77f3erkG3DbYiBj08dA4GAnql4hwvQd4%3D&reserved=0>.

[twa89]

I tried using the constructor like this and it still writes the packet as ethernet.

         FileWriter = new CaptureFileWriterDevice((PacketDotNet.LinkLayers)165,100000,CaptureFile,FileMode.Open);

[twa89]

If I open that onemstp.cap file attached above in wireshark, it shows it correctly as MSTP.
I then open that file with CaptureFileWriterDevice and then write the packet to a new file.
The new file opened in wireshark is now ethernet and not decoded correctly.

[twa89]

I did get this working with this signature, it was throwing an exception on the size I was passing in above too.
FileWriter = new CaptureFileWriterDevice((PacketDotNet.LinkLayers)165,65535,CaptureFile,FileMode.Open);
This is kind of a kluge with the casting, but does save the packet correctly now.