1

"ValueError: invalid tcpdump header" error for the code below.

import dpkt

f = open('a.pcap', 'rb')
pcap = dpkt.pcap.Reader(f)

# udp_iterator and type_table are helpers that are not shown in this post
for (src, sport, dst, dport, data) in udp_iterator(pcap):
    if dport == 53:
        dns = dpkt.dns.DNS(data)
        if dns.opcode != dpkt.dns.DNS_QUERY:
            print "A DNS packet was sent to the nameserver, but the opcode was %d instead of DNS_QUERY (this is a software error)" % dns.opcode
        if dns.qr != dpkt.dns.DNS_Q:
            print "A DNS packet was sent to the name server, but dns.qr is not 0 and should be.  It is %d" % dns.qr
        print "DNS Query was: ", dns.qd[0].name
        print "ID is: ", dns.id
        print "Hello Dns query is ", dns.qr
        print "Hello Query Type is ", dns.qd[0].type, type_table[dns.qd[0].type]
        print "Hello DNS Query was: ", dns.qd

Help will be highly appreciated. The pcap is generated using mergecap and then it is parsed using dpkt, but the error is shown below:

File "/usr/local/lib/python2.7/dist-packages/dpkt/pcap.py",
    in __init__
    raise ValueError('invalid tcpdump header')
ValueError: invalid tcpdump header

1 Answer

2

Verify the file type with "capinfos a.pcap" and look at the second line.

If the first file was saved in pcapng format, mergecap will use this format for the output file.

Per the man file:

"Sets the file format of the output capture file. Mergecap can write the file in several formats; mergecap -F provides a list of the available output formats. The default is to use the file format of the first input file."

To get around this, you can use -F pcap. It would look something like this:

mergecap first.pcap second.pcap -w output.pcap -F pcap
Jeff S.
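An added example, not part of the original question or answer: the same format check done in Python 3 by reading the file's magic bytes, so a parser can choose a reader instead of failing with "invalid tcpdump header". The names `capture_format` and `open_capture` and the sample headers are constructed for illustration, and `dpkt.pcapng.Reader` is assumed to be available (it ships with dpkt releases that include the `pcapng` module).

```python
import struct

PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1",  # 0xa1b2c3d4, little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4",  # 0xa1b2c3d4, big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1",  # 0xa1b23c4d, little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d",  # 0xa1b23c4d, big-endian, nanosecond timestamps
}

# Constructed sample headers (not taken from the asker's capture).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)


def capture_format(header):
    """Classify a capture file from its first four bytes."""
    magic = bytes(header[:4])
    if magic == PCAPNG_SHB:
        return "pcapng"
    if magic in PCAP_MAGICS:
        return "pcap"
    return "unknown"


def open_capture(path):
    """Open path and return the dpkt reader matching its on-disk format."""
    import dpkt.pcap
    import dpkt.pcapng  # assumption: this dpkt release includes pcapng support

    f = open(path, "rb")
    fmt = capture_format(f.read(4))
    f.seek(0)
    if fmt == "pcapng":
        return dpkt.pcapng.Reader(f)
    if fmt == "pcap":
        return dpkt.pcap.Reader(f)
    f.close()
    # Reject anything else explicitly rather than guessing at a parser.
    raise ValueError("%s: not a pcap or pcapng capture" % path)


if __name__ == "__main__":
    print(capture_format(SAMPLE_PCAP), capture_format(SAMPLE_PCAPNG))
```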