I'm trying to extract data from compressed bytes from network capture file (PCAP.)
Data from some of these packets don't have ZLIB header (the first 2 bytes, where lower 4 bits of first byte is always 8) and hence gave exception when I tried to decompress it using ZlibStream. Data with headers seem to work fine.
As I understand that ZLIB is just a header and footer over DEFLATE, I pass these data without headers to DeflateStream. This time DeflateStream doesn't throw any error, it just gave wrong data (but it gave correct length) ...
This is a sample data. The C# code sample uses DotNetZip:
byte[] test3 = new byte[] { 0x1a, 0x6d, 0xf, 0x8d, 0xb6, 0x87, 0x46, 0xdb, 0x43, 0xa3, 0xed, 0xa1, 0xd1,
0xf6, 0xd0, 0x68, 0x7b, 0x68, 0xb4, 0x3d, 0x34, 0xda, 0x1e, 0xb2, 0x44, 0x3a, 0x39, 0x6f, 0x24,
0xae, 0x1f, 0x2, 0x0, 0x0, 0x0, 0xff, 0xff };
static void UncompressData(byte[] data)
{
if ((data[0] & 0x0F) != 0x08)
{
var uncompressed = DeflateStream.UncompressBuffer(data);
Console.WriteLine("Uncompressed Deflate data : {0} => {1} bytes", data.Length, uncompressed.Length);
}
else
{
var uncompressed = ZlibStream.UncompressBuffer(data);
Console.WriteLine("Uncompressed ZLIB data : {0} => {1} bytes", data.Length, uncompressed.Length);
}
}
I tested with C#'s System.IO.Compression.DeflateStream, Ionic.Zlib.DeflateStream (from DotNetZip), and Java's java.util.zip.Inflater. All gave similar array full of 0s ..
Any idea on what could be missing here? Is is possible that ZLIB/DEFLATE is stateful and the decompression required data from all prior packets?
Thank you.
