开发者

Cannot decompress ZLIB/DEFLATE data

I'm trying to extract data from compressed bytes from network capture file (PCAP.)

Data from some of these packets don't have ZLIB header (the first 2 bytes, where lower 4 bits of first byte is always 8) and hence gave exception when I tried to decompress it using ZlibStream. Data with headers seem to work fine.

As I understand that ZLIB is just a header and footer over DEFLATE, I pass these data without headers to DeflateStream. This time DeflateStream doesn't throw any error, it just gave wrong data (but it gave correct length) ...

This is a sample data. The C# code sample uses DotNetZip:

byte[] test3 = new byte[] { 0x1a, 0x6d, 0xf, 0x8d, 0xb6, 0x87, 0x46, 0xdb, 0x43, 0xa3, 0xed, 0xa1, 0xd1, 
                0xf6, 0xd0, 0x68, 0x7b, 0x68, 0xb4, 0x3d, 0x34, 0xda, 0x1e, 0xb2, 0x44, 0x3a, 0x39, 0x6f, 0x24, 
                0xae, 0x1f, 0x2, 0x0, 0x0, 0x0, 0xff, 0xff };


static开发者_StackOverflow void UncompressData(byte[] data)
{
    if ((data[0] & 0x0F) != 0x08)
    {        
        var uncompressed = DeflateStream.UncompressBuffer(data);
        Console.WriteLine("Uncompressed Deflate data : {0} => {1} bytes", data.Length, uncompressed.Length);
    }
    else
    {
        var uncompressed = ZlibStream.UncompressBuffer(data);
        Console.WriteLine("Uncompressed ZLIB data : {0} => {1} bytes", data.Length, uncompressed.Length);
    }
}

I tested with C#'s System.IO.Compression.DeflateStream, Ionic.Zlib.DeflateStream (from DotNetZip), and Java's java.util.zip.Inflater. All gave similar array full of 0s ..

Any idea on what could be missing here? Is is possible that ZLIB/DEFLATE is stateful and the decompression required data from all prior packets?

Thank you.


Yes, you need the entire "file", you can't deflate individual packets in isolation.

From the zlib documentation, it is possible to start deflate from various points within the file. However, you need to have full control over the compression half of the puzzle, since you have to know exactly where those points are in order to start deflate from there. And they still (probably) wouldn't break on "packet" boundaries.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜