I am attempting to apply a BPF filter on an offline pcap file using pcap4j. Here's is the code I'm using:

handle = Pcaps.openOffline(tempFilename);
handle.setFilter(' net 53.53.53.53', BpfProgram.BpfCompileMode.OPTIMIZE);
Packet packet;
while ((packet = handle.getNextPacket()) != null) {
    LOGGER.info("packet: {}\n", packet);
}
handle.close();

After running through this code in the intellij debugger, I have determined it crashes during the .getNextPacket() method... specifically I have found that this line is the last line where execution is attempted before the crash happens. The crash prints out no trace at all, except that it received a SIGABRT signal. Obviously, I will need to include a dumper to dump the packets into the new pcap file, but for now I wanted to keep the code as simple as possible.

Here is my pom.xml for reference:

<dependency>
    <groupId>org.pcap4j</groupId>
    <artifactId>pcap4j-core</artifactId>
    <version>1.8.2</version>
</dependency>
<dependency>
    <groupId>org.pcap4j</groupId>
    <artifactId>pcap4j-packetfactory-static</artifactId>
    <version>1.8.2</version>
</dependency>

If anyone thinks they know a solution to this problem, or an alternative solution that will allow me to filter a PCAP file in the intended way, it would be much appreciated.

Thanks in advance!

EDIT: If it helps I am running on Mac OS which may be a part of the issue?

@MattHapner

I had the same issue. I believe Wireshark had installed a particular version of libpcap that is troublesome for Pcap4j.

Try this:

brew install libpcap

THen run your java app with this set as an env var so that this brew-version of libpcap is used:

DYLD_LIBRARY_PATH=/usr/local/Cellar/libpcap/1.9.1/lib java blah.jar

You can prove to yourself that it's loading your libpcap instead of another one you might have on your system:

DYLD_PRINT_LIBRARIES=YES DYLD_LIBRARY_PATH=/usr/local/Cellar/libpcap/1.9.1/lib java blah.jar