Use file content heuristics to decide file reader.

[Dimi1010]

The PR adds heuristics based on the file content that is more robust than deciding based on the file extension.

The new decision model scans the start of the file for its magic number signature. It then compares it to the signatures of supported file types [1] and constructs a reader instance based on the result.

A new function createReader and tryCreateReader has been added due to changes in the public API of the factory.
The functions differ in the error handling scheme, as createReader throws and tryCreateReader returns nullptr on error.

Method behaviour changes during erroneous scenarios:

Scenario	getReader	createReader	tryCreateReader
File not found	N/A	Throws exception	Return nullptr
Unsupported format	Return PcapFileDeviceReader	Throws exception	Return nullptr

[codecov]

Codecov Report

❌ Patch coverage is 89.20188% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.43%. Comparing base (e227b75) to head (af12d2f).

Files with missing lines	Patch %	Lines
Pcap++/src/PcapFileDevice.cpp	90.20%	12 Missing and 2 partials ⚠️
Tests/Pcap++Test/Tests/FileTests.cpp	85.48%	5 Missing and 4 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##              dev    #1962      +/-   ##
==========================================
+ Coverage   83.41%   83.43%   +0.01%     
==========================================
  Files         311      311              
  Lines       55002    55197     +195     
  Branches    12098    12145      +47     
==========================================
+ Hits        45878    46051     +173     
- Misses       7889     7894       +5     
- Partials     1235     1252      +17     

Flag	Coverage Δ
alpine320	75.91% <76.10%> (-0.01%)	⬇️
fedora42	75.86% <76.31%> (+<0.01%)	⬆️
macos-13	81.56% <80.33%> (-0.01%)	⬇️
macos-14	81.56% <80.33%> (-0.01%)	⬇️
macos-15	81.58% <81.92%> (-0.01%)	⬇️
mingw32	70.66% <80.95%> (+0.06%)	⬆️
mingw64	70.63% <80.95%> (+0.18%)	⬆️
npcap	?
rhel94	75.89% <76.31%> (+0.01%)	⬆️
ubuntu2004	60.16% <59.49%> (-0.01%)	⬇️
ubuntu2004-zstd	60.26% <56.57%> (+0.01%)	⬆️
ubuntu2204	75.83% <76.31%> (+0.02%)	⬆️
ubuntu2204-icpx	60.62% <61.53%> (-0.01%)	⬇️
ubuntu2404	75.90% <76.10%> (+<0.01%)	⬆️
ubuntu2404-arm64	75.59% <76.10%> (+0.02%)	⬆️
unittest	83.43% <89.20%> (+0.01%)	⬆️
windows-2022	85.44% <87.61%> (+0.16%)	⬆️
windows-2025	85.47% <87.71%> (+0.12%)	⬆️
winpcap	85.47% <87.71%> (-0.08%)	⬇️
xdp	53.35% <0.00%> (-0.21%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[seladb]

We should add the following to get more coverage:

• Open a snoop file
• Open a file that is not any of the options
• Open pcap files with different magic numbers
• Assuming we add a version check for snoop and pcap file: create temp files with bogus data that has the magic number but wrong versions

[Dimi1010]

3d713ab adds the following tests:

• Pcap, PcapNG, Zst file with correct content + extension
• Pcap, PcanNG file with correct content + wrong extension
• Bogus content file with correct extension (pcap, pcapng, zst)
• Bogus content file with wrong extension (txt)

Haven't found a snoop file to add. Do we have any?

Open pcap files with different magic numbers

Do you mean Pcap content that has just its magic number changed? Because IMO it is reasonable to consider that invalid format and fail as regular bogus data.

Assuming we add a version check for snoop and pcap file: create temp files with bogus data that has the magic number but wrong versions

Pending on #1962 (comment) .

[seladb]

@Dimi1010 some CI tests fail...

[seladb]

In addition to test a real pcap file, maybe we can add syntethic files that have a different magic number to test all options?
We don't have to put them in PcapExample/file_heuristics, instead we can create vectors with the content std::vector<uint8_t> and save them to temp files

[Dimi1010]

Hmm, what would be the purpose? Just to test that it returns nullptr?
Doesn't TestIFileReaderDeviceFactory_Invalid already handle that?

[seladb]

I mean the other possible magic numbers of a valid pcap file. Since it's not easy to find such pcap files, we can generate synthetic files that are not actually valid, but will look valid for the sake of the test

[Dimi1010]

So, you want a spoofed pcap sample for just these:

// Libpcap 0.9.1 and later support reading a modified pcap format that contains an extended header.
// Format reference: https://wiki.wireshark.org/Development/LibpcapFileFormat#modified-pcap
0xa1'b2'cd'34,  // Alexey Kuznetzov's modified libpcap format
0x34'cd'b2'a1   // Alexey Kuznetzov's modified libpcap format (byte-swapped)

or for the byte swapped versions of micro and nano too?

[seladb]

I'd suggest we have spoofed pcap samples for all options

[Dimi1010]

Honestly, if we really want to do a unit test on every magic number, this would be easier to do by exposing CaptureFileFormatDetector in the header under internal and unit testing on the passed std::istream content directly than to have a spoofed pcap file.

[seladb]

Is it so hard to create those spoofed pcap files just for the tests? 🤔

[Dimi1010]

Tbf, no. I can have them done.

My idea is that the scenario would essentially test the content detection system and not the factory function creating the devices due to the fact that the devices would be "invalid." If the tests are done through factory function, it can't test to open the device, etc.

Having it done directly on the detection system would remove the requirements for external files as that operates on streams.

Of course, that comes with the tradeoff of having the detection system exposed in the headers as it needs to be referencable.

[seladb]

nit: this variable is not needed, we can just use EXAMPLE_SOLARIS_SNOOP

[Dimi1010]

I would prefer to have it to have a level of detachment from the global macro, if it needs to be changed later.

[seladb]

Let's add createReader() to the tests?

[Dimi1010]

Added tests for the scenarios that throw. The success branches should be covered by tryCreate 🤔 ?

af12d2f

[seladb]

I guess we can add one or two success cases, but not necessary