python - dpkt invalid tcpdump header error -
I was running some Python code with some pcap files, and this message came up:
Traceback (most recent call last):
File "flowRecorder.py", line 900, in <module>
main()
File "/home/alduk/Dropbox/Aleja_Internship/FlowID/venv/lib/python3.6/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/home/alduk/Dropbox/Aleja_Internship/FlowID/venv/lib/python3.6/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/home/alduk/Dropbox/Aleja_Internship/FlowID/venv/lib/python3.6/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/alduk/Dropbox/Aleja_Internship/FlowID/venv/lib/python3.6/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "flowRecorder.py", line 879, in main
pcap = dpkt.pcap.Reader(file)
File "/home/alduk/Dropbox/Aleja_Internship/FlowID/venv/lib/python3.6/site-packages/dpkt/pcap.py", line 251, in __init__
raise ValueError('invalid tcpdump header')
ValueError: invalid tcpdump header
My pcap file is a set of different pcaps (20 pcaps). All the pcap files were put together using the command "mergecap".
The error message above occurs because mergecap generates pcap-ng files. Wireshark can open this kind of file. However, pcap-ng causes problems with the python-dpkt library.
To solve this problem do the following:
Check with hexdump:
hexdump file.pcap
0000000 0 ADDA
With this command you can see whether the file is in "PCAP-NG" format or not. From my pcap file I can read further:
Block type: the block type of the Section Header Block is the 4-character string "\n\r\r\n" (0x0A0D0D0A).
Now, use this command:
editcap -F libpcap -T ether file.pcapng NewPCAPFile.pcap
I hope that the above works! Good luck!
kind regards!
Aleja :)
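
The same header check done in Python instead of hexdump, as an added example that is not part of the original gist: it reads the first bytes of a capture, tells classic pcap magics apart from the pcap-ng Section Header Block (0x0A0D0D0A), and opens the file with a matching dpkt reader. `sniff_capture` and `open_reader` are hypothetical helper names, `open_reader` assumes an installed dpkt version that ships `dpkt.pcapng`, and the sample headers are constructed.

```python
import struct

PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"   # Section Header Block type, 0x0A0D0D0A
PCAPNG_BOM = 0x1A2B3C4D            # byte-order magic at offset 8 of the SHB
PCAP_MAGICS = {                    # classic libpcap global-header magics
    b"\xa1\xb2\xc3\xd4": ("pcap", "big", "us"),
    b"\xd4\xc3\xb2\xa1": ("pcap", "little", "us"),
    b"\xa1\xb2\x3c\x4d": ("pcap", "big", "ns"),
    b"\x4d\x3c\xb2\xa1": ("pcap", "little", "ns"),
}

def sniff_capture(header: bytes):
    """Return (format, byte_order, detail) from the first 12 bytes of a capture."""
    if len(header) < 4:
        return ("unknown", None, "file shorter than 4 bytes")
    magic = header[:4]
    if magic in PCAP_MAGICS:
        return PCAP_MAGICS[magic]
    if magic == PCAPNG_SHB:
        if len(header) < 12:
            return ("pcapng", None, "truncated section header block")
        bom = header[8:12]
        if struct.unpack("<I", bom)[0] == PCAPNG_BOM:
            return ("pcapng", "little", "section header block")
        if struct.unpack(">I", bom)[0] == PCAPNG_BOM:
            return ("pcapng", "big", "section header block")
        return ("pcapng", None, "bad byte-order magic")
    return ("unknown", None, "magic " + magic.hex())

def open_reader(path):
    """Open path with the dpkt reader that matches its on-disk format."""
    # Imported lazily so sniff_capture() works without dpkt installed.
    import dpkt.pcap
    import dpkt.pcapng  # assumption: the installed dpkt ships this module
    f = open(path, "rb")
    fmt, _, detail = sniff_capture(f.read(12))
    f.seek(0)
    if fmt == "pcap":
        return dpkt.pcap.Reader(f)
    if fmt == "pcapng":
        return dpkt.pcapng.Reader(f)
    f.close()
    raise ValueError("not a pcap or pcapng capture: " + str(detail))

# Constructed sample headers (not taken from a real capture).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHH", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0)
```

Running `sniff_capture` on a merged file before handing it to `dpkt.pcap.Reader` shows whether the editcap conversion above is needed.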