Stripping TZSP header from jNetPcap packets


RouterBoards enable packet sniffing by encapsulating each target packet with a TZSP header inside a UDP datagram and sending it to whatever device you want to do the sniffing. In order to read the original packet, I needed to pull the payload out of the UDP packet, strip off the TZSP header and then re-create the PCAP packet as an in-memory packet from the remaining data.

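        import java.util.Arrays;
        import org.jnetpcap.PcapDLT;
        import org.jnetpcap.packet.JMemoryPacket;
        import org.jnetpcap.packet.JPacket;
        import org.jnetpcap.protocol.tcpip.Udp;

        // Inside the packet handler; "packet" is the JPacket it was handed.
        Udp udp = new Udp();
        boolean tzsp = false;
        JPacket pack = packet;

        if(packet.hasHeader(udp)) {
             // 37008 is the UDP port TZSP is sent to
             if(udp.destination() == 37008) {
                  byte[] payload = udp.getPayload();
                  byte[] data = null;
                  if(payload.length > 5) {
                      try {
                          // skip the fixed 4-byte TZSP header
                          int start = 4;
                          while(start < payload.length) {
                              int tag = payload[start] & 0xFF;
                              start++;
                              // 1 is the tagged field ending byte
                              if(tag == 1) {
                                   break;
                              }
                              // 0 is a padding byte; any other tag is followed
                              // by a length byte and that many value bytes
                              if(tag != 0) {
                                   start += 1 + (payload[start] & 0xFF);
                              }
                          }
                          // copyOfRange takes an end index, not a length
                          data = Arrays.copyOfRange(payload, start, payload.length);
                          pack = new JMemoryPacket(PcapDLT.EN10MB.value, data);
                          tzsp = true;
                      } catch(Exception ex) {
                          // a truncated tagged field ends up here; pack stays the outer packet
                          ex.printStackTrace();
                      }
                 }
             }
        }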
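TZSP tagged fields are type/length/value, so a length or value byte of 0x01 ahead of the real end tag can be mistaken for it if the header is scanned byte by byte. The following is an added example, not code from the original post: a stand-alone class with no jNetPcap dependency that compares a byte scan with a bounds-checked TLV walk. The class name `TzspStrip`, its method names and both datagrams are constructed for illustration.

```java
import java.util.Arrays;

// Added example: stand-alone TZSP de-encapsulation on constructed input.
public class TzspStrip {
    static final int TAG_PADDING = 0, TAG_END = 1;

    // Byte scan: treat the first 0x01 after the 4-byte header as the end tag.
    static int naiveOffset(byte[] p) {
        for (int i = 4; i < p.length; i++)
            if (p[i] == TAG_END) return i + 1;
        return -1;
    }

    // TLV walk: padding and end tags are a single byte; every other tag is
    // type, length, then `length` value bytes. Returns -1 if malformed.
    static int tlvOffset(byte[] p) {
        if (p.length < 5 || p[0] != 1) return -1;      // TZSP version must be 1
        int i = 4;
        while (i < p.length) {
            int tag = p[i] & 0xFF;
            if (tag == TAG_END) return i + 1;
            if (tag == TAG_PADDING) { i++; continue; }
            if (i + 1 >= p.length) return -1;          // length byte missing
            i += 2 + (p[i + 1] & 0xFF);                // skip type, length, value
        }
        return -1;                                     // no end tag before the data ran out
    }

    // Returns the encapsulated frame, or null if the datagram is malformed
    // or does not carry Ethernet (encapsulated protocol field, bytes 2-3, == 1).
    static byte[] innerFrame(byte[] p) {
        int off = tlvOffset(p);
        if (off < 0 || ((p[2] & 0xFF) << 8 | (p[3] & 0xFF)) != 1) return null;
        return Arrays.copyOfRange(p, off, p.length);
    }

    public static void main(String[] args) {
        // Constructed: header, one tag (type 0x0A, length 1, value 0x01),
        // end tag, then three stand-in bytes for the inner frame.
        byte[] dgram = {1, 0, 0, 1, 0x0A, 1, 0x01, 1,
                        (byte) 0xAA, (byte) 0xBB, (byte) 0xCC};
        // Constructed: tag claims 9 value bytes but only 1 is present.
        byte[] truncated = {1, 0, 0, 1, 0x0A, 9, 0x00};
        System.out.println("byte-scan offset: " + naiveOffset(dgram));
        System.out.println("TLV-walk offset:  " + tlvOffset(dgram));
        System.out.println("inner frame len:  " + innerFrame(dgram).length);
        System.out.println("truncated input:  " + tlvOffset(truncated));
    }
}
```

On the first datagram the byte scan stops inside the tagged field while the TLV walk lands on the first frame byte; the truncated datagram is rejected instead of being read past its end.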