pcapfix - Online in the Cloud

PROGRAM:

NAME

pcapfix - repair pcap and pcapng files

SYNOPSIS

pcapfix [-d] [-n] [-o filename] [-t DATA_LINK_TYPE] [-v] filename

DESCRIPTION

Pcapfix is a tool to repair your damaged or corrupted pcap and pcapng files. It is written
in C and released under the GNU General Public License.

To fix your pcap files the tool first checks for an intact pcap global header and repairs
it if there are some corrupted bytes. It there seems to be no global header at all,
pcapfix adds a self-created one at the beginning of the file. In a second step the tool
tries to find pcap packet headers inside the file, below the global header. It checks if
the values are correct (or seem to be correct) and tries to repair a packet if there is
something wrong.

To fix your pcapng files the tool loops through all packet headers that can be found in
the file. It checks for mandatory Section Header and Interface Description Block and
creates them if missing. Pcapfix checks for correct block sizes and valid option fields.
If something is wrong, invalid fields are repaired (if possible) or skipped and adjusted
to finally get a proper pcapng file.

OPTIONS

-d, --deep-scan
Force deep scan (default = 0)
This option will force pcapfix to scan for any packet inside the whole file (instead
of the first 65535 bytes only).

-n, --pcapng
Force File Format to PCAPNG (default = 0)
This option will force pcapfix to repair the input file as it were in pcapng format
(useful for destroyed file headers).

-o, --outfile <filename>
Set the output file name. Default will be input file prepended by "fixed_".

-t, --data-link-type <nr>
Data Link Type (default = 1)
(See NOTES section below.)

-v, --verbose
Enable verbose output (default = 0)
You can use multiple -v options to increase verbosity.
An verbosity of 2 will result in very much output data during package search.

EXAMPLES

Repair the pcap file using deep scan mode, because large blocks of the file are corrupted.
pcapfix -d file.pcap

Repair the file damaged_file.pcapng using verbose output.
pcapfix -v damaged_file.pcapng

Repair the file wlan_traffic.pcap and force the data link type to be 119 (PRISM HEADER).
pcapfix -t 119 wlan_traffic.pcap

Repair the file damaged.pcapng which file header is corrupted and force its format to be
pcapng.
pcapfix -n damaged.pcapng

NOTES

Deep scan

In classic pcap files, pcapfix will only scan the first 65536 bytes (maximum packet
length) for a proper first packet. If you want to force packet detection even above
this limit (e.g. because your file has been heavily destroyed) you can use the deep
scan option (-d).

This option is not necessary for pcapng files because the whole file is arranged in
blocks that are 'unlimited' by default. In result pcapfix will always scan the whole
pcapng file for further blocks.

PCAPNG Format

Pcapfix will try to identify the file format to repair (pcap / pcapng) before doing
any further checks. If the header itself is corrupted, it will assume the format to
be classic pcap. To change this behaviour you can force the tool to do a pcapng-
repair by supplying -n (--pcapng) option.

Verbosity

You can use multiple -v options to increase verbosity. An verbosity of 2 will result
in very much output data during package search.

ASCII-mode transferred Files (FTP)

Pcapfix is able to repair pcap files that have been transferred in ascii-mode via
FTP. In those files a proper pcap structure will be created only to make them
readable by wireshark etc. The data inside the packets (and some pcap headers) might
still be corrupted. To repair those packets a deeper look inside the packet structure
(e.g. checksum) will be necessary.

Data Link Types

You can make pcapfix change / select your data link type by supplying -t option.
Although you may select a data link type number between 0 and 255, only the following
types are assigned: If the data link type field is corrupt, pcapfix will selct
LINKTYPE_ETHERNET by default.

See http://www.tcpdump.org/linktypes.html for futher information.

NUMBER LINK_TYPE

0 LINKTYPE_NULL
1 LINKTYPE_ETHERNET
6 LINKTYPE_TOKEN_RING
7 LINKTYPE_ARCNET_BSD
8 LINKTYPE_SLIP
9 LINKTYPE_PPP
10 LINKTYPE_FDDI
50 LINKTYPE_PPP_HDLC
51 LINKTYPE_PPP_ETHER
100 LINKTYPE_ATM_RFC1483
101 LINKTYPE_RAW
104 LINKTYPE_C_HDLC
105 LINKTYPE_IEEE802_11
107 LINKTYPE_FRELAY
108 LINKTYPE_LOOP
113 LINKTYPE_LINUX_SLL
114 LINKTYPE_LTALK
117 LINKTYPE_PFLOG
119 LINKTYPE_PRISM_HEADER
122 LINKTYPE_IP_OVER_FC
123 LINKTYPE_SUNATM
127 LINKTYPE_IEEE802_11_RADIO
129 LINKTYPE_ARCNET_LINUX
138 LINKTYPE_APPLE_IP_OVER_IEEE1394
139 LINKTYPE_MTP2_WITH_PHDR
140 LINKTYPE_MTP2
141 LINKTYPE_MTP3
142 LINKTYPE_SCCP
143 LINKTYPE_DOCSIS
144 LINKTYPE_LINUX_IRDA
147-162 LINKTYPE_USER0-LINKTYPE-USER15
163 LINKTYPE_IEEE802_11_RADIO_AVS
166 LINKTYPE_PPP_PPPD
169 LINKTYPE_GPRS_LLC
177 LINKTYPE_LINUX_LAPD
187 LINKTYPE_BLUETOOTH_HCI_H4
189 LINKTYPE_USB_LINUX
192 LINKTYPE_PPI
195 LINKTYPE_IEEE802_15_4
196 LINKTYPE_SITA
197 LINKTYPE_ERF
201 LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR
202 LINKTYPE_AX25_KISS
203 LINKTYPE_LAPD
204 LINKTYPE_PPP_WITH_DIR
205 LINKTYPE_C_HDLC_WITH_DIR
206 LINKTYPE_FRELAY_WITH_DIR
209 LINKTYPE_IPMB_LINUX
215 LINKTYPE_IEEE802_15_4_NONASK_PHY
220 LINKTYPE_USB_LINUX_MMAPPED
224 LINKTYPE_FC_2
225 LINKTYPE_FC_2_WITH_FRAME_DELIMS
226 LINKTYPE_IPNET
227 LINKTYPE_CAN_SOCKETCAN
228 LINKTYPE_IPV4
229 LINKTYPE_IPV6
230 LINKTYPE_IEEE802_15_4_NOFCS
231 LINKTYPE_DBUS
235 LINKTYPE_DVB_CI
236 LINKTYPE_MUX27010
237 LINKTYPE_STANAG_5066_D_PDU
239 LINKTYPE_NFLOG
240 LINKTYPE_NETANALYZER
241 LINKTYPE_NETANALYZER_TRANSPARENT
242 LINKTYPE_IPOIB
243 LINKTYPE_MPEG_2_TS
244 LINKTYPE_NG40
245 LINKTYPE_NFC_LLCP

DEVELOPMENT

This tool is still under development! Please send any further wishes, feature requests or
problems in compiling and execution to [email protected]. Additionally You may send me
pcap/pcapng files that could not be repaired too in order to improve pcapfix and get your
file repaired.

For further information visit the pcapfix homepage at http://f00l.de/pcapfix/.

MESSAGES AND EXIT CODES

1 , file was corrupted and has been repaired
0 , file is proper; nothing to repair
-1 , invalid options / parameters given
-2 , cannot open input file for reading
-3 , cannot open output file for writing
-4 , input file is empty
-5 , input file is too small
-6 , file type not supported
-11 , not a pcap/pcapng file
-12 , unable to repair the file
-13 , EOF while reading input file
-255 , unknown error

HISTORY

1.1.0 - 31.08.2013
* added checks for valid pcapng format (epb)
* added --outfile parameter to chose fixed file name
* improved pcapng packet alignment (pb, spb, nrb)
* improved pcapng option fields handling
* improved status and verbosity outputs
* fixed reparation bugs with swapped pcap files
* fixed MacOS compile problem
* fixed windows output file name extension missing
* fixed many minor bugs

1.0.2 - 18.02.2013
* added support for files larger than 2GB on 32bit systems

1.0.1 - 03.11.2013
* added reparation block type id zero (pcapng)
* added reparation of capture length inside EPB (pcapng)
* set data link type to ethernet on missing header (pcap)
* changed missing pcap header threshold
* fixed minor bugs

1.0.0 - 12.10.2013
* added pcapng support
* added nanoseconds support (Issue #1)
* improved console output
* minor bugs fixed

0.7.3 - 16.06.2013
* added snoop file detection
* added large file support on 32bit architectures
* improved missing header detection
* fixed compiling errors on hurd and kfreebsd architectures
* fixed minor bugs

0.7.2 - 30.03.2013
* compiles on Apple systems properly now
* fixed problems installing man-pages (on some systems)

0.7.1 - 03.01.2013
* REALLY fixed file pointer exception on windows64 systems
* updated man-page

0.7 - 18.10.2012
* added support for swapped (big endian) pcap files
* compiles on OpenBSD properly now
* fixed file pointer exception on windows64 systems
* fixed detection bug when corrupted packet is larger than 65536 bytes
* fixed minimal packet limit to cope with wlan traffic

0.6 - 20.05.2012
* added deep scan option (-d) to force packet detection inside the whole file
* detects ascii-corruption in pcap header (unix->win)
* improved global header and packet checks (0 <= usec <= 1000000)
* repair files that first packet is entirely corrupted
* repair oversized packets
* improved last packet mismatch correction
* fixed reading packets over EOF

0.5 - 05.05.2012
* repair files that packets were not saved chronologically
* detect and repair overlapping packets
* detect and repair cut-off pcap files
* detect and repair ascii-mode transferred pcap files (pcap headers only!)
* added progress bar
* added man-page

0.4 - 27.04.2012
* completely redesigned packet detection algorithm (replaced bottom-up-recovery with
brute-force-packet-guessing)
* improved detection rate by additional plausability checks
* increased speed when repairing large pcap files

0.3 - 31.03.2012
* when recovering packets size will be checked to be smaller than 65536
* added recognition when a file does not seem to be a pcap file at all
* compiles on windows systems properly now (tested with dev-cpp)
* added option to manually select data link type

0.2 - 11.03.2012
* pcapfix compiles on 64bit systems correctly now
* fixed segfault when no filename was given
* fixed (input) file not found bug on directory differ
* added recognition of other data link types beside ethernet in global header
* added source code documentation

0.1 - 01.03.2012
* this is the first version, everything has changed thou :-)

COPYRIGHT

Copyright (c) 2012-2014 Robert Krause

Pcapfix is free software: you can redistribute it and/or modify it under the terms of the
GNU General Public License as published by the Free Software Foundation, either version 3
of the License, or any later version.

Pcapfix is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.

Use pcapfix online using onworks.net services