SIP search generates an invalid pcap file

[hitokiri82]

When doing a SIP search, if I choose the ResultType PCAP, I do get a pcap file, but it is reported by Wireshark and by https://packettotal.com/ as an invalid pcap file.

[lmangani]

Related to #62

[hitokiri82]

I'm not sure is related, because I do get a pcap file, which I've run through pcapfix which reports the following errors with the file:

[] Reading from file: /tmp/phpqoQUff
[] Writing to file: fixed_phpqoQUff
[] File size: 17461 bytes.
[] Unknown file type. Assuming PCAP format.
[] Analyzing Global Header...
[-] Magic number: 0xb2c3d40a
[-] Major version number: 673
[-] Minor version number: 1024
[+] GTM to local correction: 0
[+] Accuracy of timestamps: 0
[-] Max packet length: 26214400
[-] Data link type: 256
[-] The global pcap header seems to be missing ==> CORRECTED!
[] Analyzing packets...
[-] CORRUPTED Packet #1 at position 0 (2999178250 | 67109537 | 0 | 0).
[+] FOUND NEXT Packet #2 at position 25 (1518537341 | 457743 | 1097 | 1097).
[-] Packet #1 at position 0 is invalid ==> SKIPPING.
[+] Packet #2 at position 25 (1518537341 | 457743 | 1097 | 1097).
[+] Packet #3 at position 1138 (1518537341 | 457916 | 394 | 394).
[+] Packet #4 at position 1548 (1518537341 | 458716 | 908 | 908).
[+] Packet #5 at position 2472 (1518537341 | 573727 | 349 | 349).
[+] Packet #6 at position 2837 (1518537341 | 594306 | 1367 | 1367).
[+] Packet #7 at position 4220 (1518537341 | 594432 | 394 | 394).
[+] Packet #8 at position 4630 (1518537341 | 827640 | 870 | 870).
[+] Packet #9 at position 5516 (1518537341 | 829977 | 1542 | 1542).
[+] Packet #10 at position 7074 (1518537341 | 833070 | 1164 | 1164).
[+] Packet #11 at position 8254 (1518537341 | 931066 | 402 | 402).
[+] Packet #12 at position 8672 (1518537341 | 938685 | 474 | 474).
[+] Packet #13 at position 9162 (1518537350 | 494293 | 1542 | 1542).
[+] Packet #14 at position 10720 (1518537350 | 495349 | 460 | 460).
[+] Packet #15 at position 11196 (1518537350 | 502018 | 1211 | 1211).
[+] Packet #16 at position 12423 (1518537350 | 795695 | 861 | 861).
[+] Packet #17 at position 13300 (1518537350 | 831074 | 1034 | 1034).
[+] Packet #18 at position 14350 (1518537351 | 60334 | 821 | 821).
[+] Packet #19 at position 15187 (1518537352 | 600757 | 433 | 433).
[+] Packet #20 at position 15636 (1518537352 | 617456 | 591 | 591).
[+] Packet #21 at position 16243 (1518537352 | 692401 | 644 | 644).
[-] LAST PACKET MISMATCH (1518537352 | 832226 | 543 | 543)
[+] CORRECTED Packet #22 at position 16903 (1518537352 | 832226 | 542 | 543).
[+] Packet #22 at position 16903 (1518537352 | 832226 | 542 | 543).
[*] Wrote 22 packets to file.
[+] SUCCESS: 7 Corruption(s) fixed!

After it's been fixed I can open the file using Wireshark and see all the SIP packages from the call.

This seems to me a problem with how the pcap file is generated while #62 seems to me a front-end issue.

[lmangani]

I see, you did not specify the contents were actually there, you just said invalid :)
Reopening - could you attach the PCAP before and after the fix? I can't currently replicate one.

[hitokiri82]

Sure. Also, I'm using the multi container version of the app.

[lmangani]

Ready to re-test - thanks

[hitokiri82]

I re-tested, still getting invalid pcap file.

[lmangani]

If you could provide a sample here or privately? I can't quite reproduce it, if other users are please step forward :)

[hitokiri82]

How can I get the pcap file to you privately?

[lmangani]

support at sipcapture dot org

[hitokiri82]

Sent

[mmughal01]

I get the same issue that Wireshark reports that the downloaded pcap file is corrupt. If I revert to the previous version of homer-docker I can successfully download the pcap file.

[tramontano]

I'm having the same issue on multi-container.

[ghost]

also i have this bug

[games130]

i am also experiencing this problem. I am using the latest docker file build on 2018-06-09.
Build Code: bqgodfppdgbru3vdtxxitx5

[negbie]

Should be fixed with sipcapture/homer-docker@47975cc

Update your preferences.php or your containers when you are using docker.