parsing pcap through paramiko and named_pipe results in bad magic exception about kamene HOT 4 CLOSED

Hmm it seems it's not looking at the first 4 bytes of the pcap, for this run i got:
bad magic: b'T\xe8\xc2\xdb'

While the pcap has:
00000000h: A1 B2 C3 D4 00 02 00 04 00 00 00 00 00 00 00 00 ; ¡²ÃÔ............
00000010h: 00 00 FF FF 00 00 00 7F 54 E8 C2 DB 00 01 24 6A ; ..ÿÿ...�TèÂÛ..$j

What happens is that in: scapy/utils.py:537 RawPcapReader()
It does this:
try:
self.f = gzip.open(filename,"rb")
magic = self.f.read(4)
except IOError:
self.f = open(filename,"rb")
magic = self.f.read(4)

Problem is that gzip.open, to detect if it is actually a gzip, consumes what it expects to be the header.
Since i'm trying to read from a pipe/stream, it's not seekable .. so the consumed header is gone .. and the next 4 bytes are read from the next part of the stream.

Edit:
However the python2 scapy code seems to be the same ..

from kamene.

Whoops accidently closed it .. sorry

from kamene.

On python2.7 gzip.open when reading from named pipe generates different exception even before reading 4 bytes:

Traceback (most recent call last):
File "", line 1, in
File "/usr/lib/python2.7/gzip.py", line 261, in read
self._read(readsize)
File "/usr/lib/python2.7/gzip.py", line 288, in _read
pos = self.fileobj.tell() # Save current position
IOError: [Errno 29] Illegal seek

from kamene.

I changed utils.py code to:
try:
if not stat.S_ISREG(os.stat(filename).st_mode):
raise IOError("GZIP detection works only for regular files")
self.f = gzip.open(filename,"rb")
magic = self.f.read(4)
except IOError:
self.f = open(filename,"rb")
magic = self.f.read(4)
It should work now for your case. You should check it using latest code from git.
Possible future improvement would be reading gzip over pipe, but I did not have any good ideas how to do it in a nice way.

from kamene.