Use file content heuristics to decide file reader.

[Dimi1010]

The PR adds heuristics based on the file content that is more robust than deciding based on the file extension.

The new decision model scans the start of the file for its magic number signature. It then compares it to the signatures of supported file types [1] and constructs a reader instance based on the result.

A new function createReader has been added due to changes in the public API of the factory.

• If no reader is available to read the file: nullptr is returned. (previously returned PcapFileDeviceReader)
• If the file could not be opened or does not exist: std::runtime_error is thrown. (previously returned PcapFileDeviceReader)
• The new function returns std::unique_ptr<IFileDeviceReader> instead of IFileDeviceReader*.

[codecov]

Codecov Report

❌ Patch coverage is 86.59218% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.45%. Comparing base (f2ba2a6) to head (c7cab2b).
⚠️ Report is 2 commits behind head on dev.

Files with missing lines	Patch %	Lines
Pcap++/src/PcapFileDevice.cpp	83.03%	15 Missing and 4 partials ⚠️
Tests/Pcap++Test/Tests/FileTests.cpp	91.80%	1 Missing and 4 partials ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##              dev    #1962    +/-   ##
========================================
  Coverage   83.45%   83.45%            
========================================
  Files         311      311            
  Lines       55000    55163   +163     
  Branches    11789    11935   +146     
========================================
+ Hits        45899    46036   +137     
- Misses       7822     8248   +426     
+ Partials     1279      879   -400     

Flag	Coverage Δ
alpine320	75.92% <65.47%> (-0.03%)	⬇️
fedora42	75.88% <66.27%> (-0.01%)	⬇️
macos-13	81.59% <78.84%> (-0.02%)	⬇️
macos-14	81.59% <78.84%> (-0.02%)	⬇️
macos-15	81.60% <78.57%> (-0.02%)	⬇️
mingw32	70.65% <65.57%> (-0.01%)	⬇️
mingw64	70.63% <65.57%> (+0.09%)	⬆️
npcap	?
rhel94	75.88% <65.47%> (-0.03%)	⬇️
ubuntu2004	60.17% <44.44%> (-0.03%)	⬇️
ubuntu2004-zstd	60.27% <44.44%> (-0.01%)	⬇️
ubuntu2204	75.82% <65.47%> (-0.03%)	⬇️
ubuntu2204-icpx	60.63% <50.58%> (-0.08%)	⬇️
ubuntu2404	75.92% <65.47%> (-0.03%)	⬇️
ubuntu2404-arm64	75.61% <65.47%> (-0.02%)	⬇️
unittest	83.45% <86.59%> (+<0.01%)	⬆️
windows-2022	85.44% <72.72%> (+0.11%)	⬆️
windows-2025	85.47% <72.72%> (+0.06%)	⬆️
winpcap	85.47% <72.72%> (-0.14%)	⬇️
xdp	53.40% <0.00%> (-0.17%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[seladb]

ditto: this can be an enum inside of CaptureFileFormatDetector

[Dimi1010]

I suppose. It has internal linkage so it doesn't really matter.

But then we would end up with really long case names: CaptureFileFormatDetector::FileFormat::Pcap?

[seladb]

I guess it's fine? It's all internal anyway...

[seladb]

We should add the following to get more coverage:

• Open a snoop file
• Open a file that is not any of the options
• Open pcap files with different magic numbers
• Assuming we add a version check for snoop and pcap file: create temp files with bogus data that has the magic number but wrong versions

[Dimi1010]

3d713ab adds the following tests:

• Pcap, PcapNG, Zst file with correct content + extension
• Pcap, PcanNG file with correct content + wrong extension
• Bogus content file with correct extension (pcap, pcapng, zst)
• Bogus content file with wrong extension (txt)

Haven't found a snoop file to add. Do we have any?

Open pcap files with different magic numbers

Do you mean Pcap content that has just its magic number changed? Because IMO it is reasonable to consider that invalid format and fail as regular bogus data.

Assuming we add a version check for snoop and pcap file: create temp files with bogus data that has the magic number but wrong versions

Pending on #1962 (comment) .

[seladb]

@Dimi1010 some CI tests fail...

[Dimi1010]

@Dimi1010 some CI tests fail...

@seladb I think I found the issue. According to ChatGPT the Winpcap's wpcap.dll does not actually support nanosecond precision files [1], due to being based on libpcap 1.0.x. Nanosecond precision pcaps were added in libpcap 1.5.

The NPcap sdk and drivers provide their own wpcap.dll where they do support nanosec precision.

The tests we have on nanosecond precision pcap files ("nanosecs.pcap") currently are flawed. We don't use a static base base to compare to. We write a packet with the PcapFileWriterDevice configured to write nanoseconds precision and then attempt to read that with PcapFileReaderDevice. The issue with that is that the writer has 0 error reporting if its configured to write nanosecond precision but it can't due to PCAP_TSTAMP_PRECISION_NANO not being defined and just uses pcap_open_dead which uses default precision.

Due to the above the current nanosecond test in the master branch passes with Winpcap, even though it doesn't actually write / read a nanosecond precision pcap.

The new tests use a static copy of nanoseconds.pcap generated from Npcap for base image to compare to. Due to that, the a PcapFileWriterDevice with the Winpcap backend fails to read that and fails the test due to open() failure.

Edit:
[1] - Confirmed that by looking at the Winpcap DLL API. It does not have functions like pcap_open_dead_with_tstamp_precision, etc.

[seladb]

@Dimi1010 some CI tests fail...

@seladb I think I found the issue. According to ChatGPT the Winpcap's wpcap.dll does not actually support nanosecond precision files [1], due to being based on libpcap 1.0.x. Nanosecond precision pcaps were added in libpcap 1.5.

The NPcap sdk and drivers provide their own wpcap.dll where they do support nanosec precision.

The tests we have on nanosecond precision pcap files ("nanosecs.pcap") currently are flawed. We don't use a static base base to compare to. We write a packet with the PcapFileWriterDevice configured to write nanoseconds precision and then attempt to read that with PcapFileReaderDevice. The issue with that is that the writer has 0 error reporting if its configured to write nanosecond precision but it can't due to PCAP_TSTAMP_PRECISION_NANO not being defined and just uses pcap_open_dead which uses default precision.

Due to the above the current nanosecond test in the master branch passes with Winpcap, even though it doesn't actually write / read a nanosecond precision pcap.

The new tests use a static copy of nanoseconds.pcap generated from Npcap for base image to compare to. Due to that, the a PcapFileWriterDevice with the Winpcap backend fails to read that and fails the test due to open() failure.

Edit: [1] - Confirmed that by looking at the Winpcap DLL API. It does not have functions like pcap_open_dead_with_tstamp_precision, etc.

Maybe we can remove pcap files that have nanoseconds precision from this PR and replace them with other pcap files to make the tests pass?

[Dimi1010]

Maybe we can remove pcap files that have nanoseconds precision from this PR and replace them with other pcap files to make the tests pass?

Then, we don't have coverage for the magic number for nanosecond pcap.

See #1977. It is a fix for the underlying issue.

[Dimi1010]

Decided to return Unknown instead of PcapNG, if Zst is not supported in the binary.
This will in turn, return nullptr for reader device. I think that is better than returning a PcapNGDevice that can't be opened.

Maybe we can also do something similar for PcapReaderDevice's nanosecond format files, if the environment can't read them?

Any thoughts @seladb ?

[seladb]

Yeah, I agree that it's the correct behavior 👍

[seladb]

Yeah, I agree that it's the correct behavior 👍

[seladb]

Maybe add another test for the snoop format?

[seladb]

Can we shorten the test names to fit into 35 characters? The current output doesn't look good:

TestLoggerMultiThread              : PASSED
TestIFileReaderDeviceFactory_Pcap_MicroPrecision: PASSED
TestIFileReaderDeviceFactory_Pcap_NanoPrecision: PASSED
TestIFileReaderDeviceFactory_PcapNG: PASSED
TestIFileReaderDeviceFactory_PcapNG_ZST: PASSED
TestIFileReaderDeviceFactory_Invalid: PASSED
TestPcapFileReadWrite              : PASSED
TestPcapFileMicroPrecision         : PASSED
TestPcapFileNanoPrecision          : PASSED

[Dimi1010]

Do we have a reason to stick to 35 chars output? Perhaps we can up it to something like 50~80?
I can reduce the names, but it would hurt the specificity of the test name.

[Dimi1010]

Somewhat shortened them, but also increased the width to 45.
Should be fine now?

4f52f59 & 41fe188

[seladb]

I asked ChatGPT, here is its suggestions:

TestIFileReaderDeviceFactory_Pcap_MicroPrecision
→ TestReaderFactory_Pcap_Micro

TestIFileReaderDeviceFactory_Pcap_NanoPrecision
→ TestReaderFactory_Pcap_Nano

TestIFileReaderDeviceFactory_PcapNG
→ TestReaderFactory_PcapNG

TestIFileReaderDeviceFactory_PcapNG_ZST
→ TestReaderFactory_PcapNG_ZST

TestIFileReaderDeviceFactory_Invalid
→ TestReaderFactory_Invalid

[seladb]

In addition to test a real pcap file, maybe we can add syntethic files that have a different magic number to test all options?
We don't have to put them in PcapExample/file_heuristics, instead we can create vectors with the content std::vector<uint8_t> and save them to temp files

[Dimi1010]

Hmm, what would be the purpose? Just to test that it returns nullptr?
Doesn't TestIFileReaderDeviceFactory_Invalid already handle that?

[seladb]

I mean the other possible magic numbers of a valid pcap file. Since it's not easy to find such pcap files, we can generate synthetic files that are not actually valid, but will look valid for the sake of the test

[seladb]

The extension doesn't matter to determine if it's a Zstd file, so we probably don't need both files

[Dimi1010]

Fair enough. I will remove the zstd file. I think the .zst is the more common extension?

Edit: #1962 (comment)

[seladb]

Ditto: since the extension doesn't matter, do we need all 4 files?

[Dimi1010]

Technically this verifies that the extension doesn't matter? I guess this can be said about #1962 (comment) too.

[seladb]

I don't think it's really needed...