Stripping TZSP header from jNetPcap packets

RouterBoards enable packet sniffing by encapsulating each target packet with a TZSP UDP header and sending it to whatever device you want to do the sniffing. In order to read the original packet, I needed to pull the payload out of UDP packet, strip off the TZSP header and then re-create the PCAP packet in an in-memory packet from the remaining data.

        boolean tzsp = false;
        JPacket pack = packet;
        if(packet.hasHeader(udp)) {
             if(udp.destination() == 37008) {
                  byte[] payload = udp.getPayload();
                  byte[] data = null;
                  if(payload.length > 5) {
                      try {
                          int start = 4;
                          for(;start < payload.length; start++) {
                              // 1 is the tagged field ending byte
                              if(payload[start] == 1) {
                          data = Arrays.copyOfRange(payload, start, payload.length - start);
                          pack = new JMemoryPacket(PcapDLT.EN10MB.value, data);
                          tzsp = true;                                   
                      } catch(Exception ex) {

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s