Wireshark-dev: Re: [Wireshark-dev] Is this a Bug? PCAP can't deal with ipv4&ipv6 hybrid data?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 30 Dec 2011 12:47:07 -0800
On Dec 29, 2011, at 10:30 PM, homeryan wrote:

>     I am processing a hybrid pcap file using libpcap and a filter expression.

Then the right place to ask is tcpdump-workers@xxxxxxxxxxxxxxxxx, as per

	http://www.tcpdump.org/

The name notwithstanding, that list is for both libpcap and tcpdump, and both for people working on both of them and for people using both of them.

> // open pcap file
>     if ((fp = pcap_open_offline(pcapfilename.c_str(), errbuf)) == NULL)
>     {
>         cout << "file open failed" << endl;
>         return 0;
>     }

(You probably also want to print the contents of errbuf there, to indicate *why* the file open failed, but, as the file open isn't failing, that's not part of the issue you're having.)

>     I'm sure that the pcap file has many packets with tcp dest port 80,

So are they IPv4 packets sent to TCP port 80, IPv6 packets sent to TCP port 80, or both?

If they're only IPv6 packets sent to TCP port 80 - i.e., if there are no IPv4 packets sent to TCP port 80 - what happens if you make the filter "ip6 and tcp dst port 80"?  If that string doesn't give an error from pcap_compile() (this is a test to make sure your version of libpcap is not so old as not to have IPv6 support or not to include that support by default), what happens if you open the file in, for example, Wireshark (which you presumably have, as you're sending this to the Wireshark list)?  Do those packets have, for example, extension headers?
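
The extension-header question raised at the end of the reply can also be answered in code rather than by eye in Wireshark. The following is an added example, not part of the original message or of libpcap: a stand-alone C++ routine that walks the IPv6 Next Header chain and reports how many extension headers precede TCP and what the destination port is. The names `find_tcp_in_ipv6` and `sample_packet` and the packet bytes are constructed for illustration, and only hop-by-hop, routing, destination-options and fragment headers are handled.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

struct V6Tcp { bool is_tcp; int ext_headers; uint16_t dst_port; };
// Walk the IPv6 Next Header chain (input starts at the IPv6 header, no link layer).
V6Tcp find_tcp_in_ipv6(const std::vector<uint8_t>& p) {
    V6Tcp r = {false, 0, 0};
    if (p.size() < 40 || (p[0] >> 4) != 6) return r;      // truncated or not IPv6
    uint8_t next = p[6];                                   // Next Header field
    std::size_t off = 40;                                  // fixed header length
    for (;;) {
        if (next == 6) {                                   // TCP reached
            if (off + 4 > p.size()) return r;
            r.is_tcp = true;
            r.dst_port = static_cast<uint16_t>((p[off + 2] << 8) | p[off + 3]);
            return r;
        }
        std::size_t len = 8;                               // fragment header size
        if (next == 0 || next == 43 || next == 60) {       // hop-by-hop, routing, dest opts
            if (off + 2 > p.size()) return r;
            len = (static_cast<std::size_t>(p[off + 1]) + 1) * 8;
        } else if (next != 44) {
            return r;                                      // not TCP, or a header not handled here
        }
        if (off + len > p.size()) return r;
        if (next == 44 && (((p[off + 2] << 8) | p[off + 3]) & 0xFFF8) != 0) return r;  // non-first fragment: no TCP header
        next = p[off];
        off += len;
        ++r.ext_headers;
    }
}

// Constructed sample: IPv6 header, optional hop-by-hop header, TCP to port 80.
std::vector<uint8_t> sample_packet(bool with_hop_by_hop) {
    std::vector<uint8_t> p(40, 0);
    p[0] = 0x60;                                           // version 6
    p[6] = with_hop_by_hop ? 0 : 6;                        // Next Header
    if (with_hop_by_hop) p.insert(p.end(), {6, 0, 1, 4, 0, 0, 0, 0});  // next=TCP, PadN
    std::vector<uint8_t> tcp(20, 0);
    tcp[0] = 0xC0; tcp[3] = 0x50;                          // src port 49152, dst port 80
    p.insert(p.end(), tcp.begin(), tcp.end());
    return p;
}

int main() {
    V6Tcp r = find_tcp_in_ipv6(sample_packet(true));
    std::printf("tcp=%d ext_headers=%d dst_port=%u\n", r.is_tcp, r.ext_headers, (unsigned)r.dst_port);
}
```

A non-zero `ext_headers` count is the case to look for: the pcap-filter documentation notes that `ip6 proto` does not chase the protocol header chain, and provides `ip6 protochain` for filters that must.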