From c6d20c3de023a580b66a50a0192ff158978132a5 Mon Sep 17 00:00:00 2001
From: iczero
Date: Mon, 15 Dec 2025 15:56:00 -0800
Subject: [PATCH] in `parse_pcap`, handle big endian and modified pcap headers
---
 src/pcap/capture.rs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/pcap/capture.rs b/src/pcap/capture.rs
index 0e3f2a6..7c01edc 100644
--- a/src/pcap/capture.rs
+++ b/src/pcap/capture.rs
@@ -3,6 +3,7 @@ use crate::capture::Capture;
 use crate::error::PcapError;
 use crate::linktype::Linktype;
 use crate::pcap::{parse_pcap_frame, parse_pcap_header, LegacyPcapBlock, PcapHeader};
+use crate::{parse_pcap_frame_be, parse_pcap_frame_modified};
 use nom::combinator::complete;
 use nom::multi::many0;
 use nom::{IResult, Needed, Parser as _};
@@ -121,6 +122,15 @@ impl Capture for PcapCapture<'_> {
 /// Note: this requires the file to be fully loaded to memory.
 pub fn parse_pcap(i: &[u8]) -> IResult<&[u8], PcapCapture<'_>, PcapError<&[u8]>> {
 let (i, header) = parse_pcap_header(i)?;
- let (i, blocks) = many0(complete(parse_pcap_frame)).parse(i)?;
+ let parse = if !header.is_modified_format() {
+ if header.is_bigendian() {
+ parse_pcap_frame_be
+ } else {
+ parse_pcap_frame
+ }
+ } else {
+ parse_pcap_frame_modified
+ };
+ let (i, blocks) = many0(complete(parse)).parse(i)?;
 Ok((i, PcapCapture { header, blocks }))
 }
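Review bot: In `parse_pcap`, the outer `else` branch selects `parse_pcap_frame_modified` for every modified-format header without consulting `header.is_bigendian()`, so a big-endian modified capture is parsed with whatever byte order that function assumes. If it reads the record header as little-endian (its body is not visible in this patch), the captured-length field of such a file would be byte-swapped and frames would be mis-split on untrusted input. Either dispatch on both flags with `match (header.is_modified_format(), header.is_bigendian()) { ... }` so the unhandled combination is explicit, or record the gap with `// NOTE: big-endian modified pcap is not distinguished here; byte order is left to parse_pcap_frame_modified`. Because `many0(complete(parse))` stops at the first frame that fails and hands back the rest as unparsed input, a wrong parser choice shows up as a short `blocks` list rather than an error. A test that feeds a big-endian and a modified sample and asserts the remainder is empty would pin this down.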