I received a zip file containing data captured with tcpdump on a Linux system. When I tried to open the zip file on my MacBook Pro laptop running OS X El Capitan by double-clicking on the file within the Finder, I saw an "unable to expand" error message stating "Error 2 - No such file or directory." A Microsoft Windows user who downloaded the same zip file reported that he was unable to open it, either. When I tried to unzip the file from a Terminal window using the unzip utility, I saw an "End-of-central directory signature not found" error message.

$ file AS2_Captures.zip
AS2_Captures.zip: Zip archive data, at least v2.0 to extract
$ unzip AS2_Captures.zip
Archive: AS2_Captures.zip
  End-of-central-directory signature not found. Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive. In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of AS2_Captures.zip or
       AS2_Captures.zip.zip, and cannot find AS2_Captures.zip.ZIP, period.
$

But I was able to uncompress the zip file and extract data from it using the Java archive (jar) utility on the system, though it also displayed an error message.

$ which jar
/usr/bin/jar
$ ls
AS2_Captures.zip
$ jar -xvf AS2_Captures.zip
java.io.EOFException: Unexpected end of ZLIB input stream
    at java.util.zip.InflaterInputStream.fill(InflaterInputStream.java:240)
    at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)
    at java.util.zip.ZipInputStream.read(ZipInputStream.java:194)
    at java.util.zip.ZipInputStream.closeEntry(ZipInputStream.java:140)
    at sun.tools.jar.Main.extractFile(Main.java:1072)
    at sun.tools.jar.Main.extract(Main.java:981)
    at sun.tools.jar.Main.run(Main.java:311)
    at sun.tools.jar.Main.main(Main.java:1288)
$ ls -lgh
total 318192
-rw-r--r--@ 1 ABC\Domain Users 38M Sep 27 22:51 AS2_Captures.zip
-rw-r--r-- 1 ABC\Domain Users 117M Sep 29 22:03 OSC_AS2_0
$

When I opened the file in Wireshark, I saw the message "The capture file appears to have been cut short in the middle of a packet." But Wireshark displayed the captured data.
After extracting data with the jar tool, I then attempted to fix the zip file that I had downloaded using the zip utility on the system. You can use zip -F zipfilename.zip --out repairedfilename.zip to attempt to repair a corrupted zip file.

-F, --fix
-FF, --fixfix

Fix the zip archive. The -F option can be used if some portions of the archive are missing, but requires a reasonably intact central directory. The input archive is scanned as usual, but zip will ignore some problems. The resulting archive should be valid, but any inconsistent entries will be left out.

When doubled as in -FF, the archive is scanned from the beginning and zip scans for special signatures to identify the limits between the archive members. The single -F is more reliable if the archive is not too much damaged, so try this option first.

If the archive is too damaged or the end has been truncated, you must use -FF. This is a change from zip 2.32, where the -F option is able to read a truncated archive. The -F option now more reliably fixes archives with minor damage and the -FF option is needed to fix archives where -F might have been sufficient before.

Neither option will recover archives that have been incorrectly transferred in ascii mode instead of binary. After the repair, the -t option of unzip may show that some files have a bad CRC. Such files cannot be recovered; you can remove them from the archive using the -d option of zip.

Note that -FF may have trouble fixing archives that include an embedded zip archive that was stored (without compression) in the archive and, depending on the damage, it may find the entries in the embedded archive rather than the archive itself. Try -F first as it does not have this problem.

But that didn't work.

$ zip -F AS2_Captures.zip --out AS2_Captures_Fixed.zip
Fix archive (-F) - assume mostly intact archive
    zip warning: bad archive - missing end signature
    zip warning: (If downloaded, was binary mode used? If not, the
    zip warning: archive may be scrambled and not recoverable)
    zip warning: Can't use -F to fix (try -FF)

zip error: Zip file structure invalid (AS2_Captures.zip)
$

I then tried the -FF option and it was able to create a repaired zip file from which I was able to extract a file that was 117MB, the same size file as I had obtained with the jar utility.

$ zip -FF AS2_Captures --out AS2_Captures_Fixed.zip
Fix archive (-FF) - salvage what can
    zip warning: Missing end (EOCDR) signature - either this archive
                 is not readable or the end is damaged
Is this a single-disk archive? (y/n): y
  Assuming single-disk archive
Scanning for entries...
 copying: OSC_AS2_0 (51608934 bytes)
$ ls
AS2_Captures.zip AS2_Captures_Fixed.zip
$ unzip AS2_Captures_Fixed.zip
Archive: AS2_Captures_Fixed.zip
  inflating: OSC_AS2_0
  error: invalid compressed data to inflate
$ ls -lhg
total 396488
-rw-r--r--@ 1 ABC\Domain Users 38M Sep 27 22:51 AS2_Captures.zip
-rw------- 1 ABC\Domain Users 38M Sep 29 22:32 AS2_Captures_Fixed.zip
-rw-r--r-- 1 ABC\Domain Users 117M Sep 26 14:01 OSC_AS2_0
$
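
Why unzip gave up while jar and zip -FF still produced data: unzip needs the end-of-central-directory record at the tail of the file, whereas a forward scan for local file header signatures can inflate each member until the bytes run out. The Python sketch below is an added example, not code from the original post or from zip, unzip or jar; the member name capture.pcap and the sample data are constructed, and it assumes stored or deflated members without zip64.

```python
import io, struct, zipfile, zlib

LFH_SIG = b"PK\x03\x04"    # local file header: starts every member
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record: ends the archive

def has_eocd(data):
    """True if the EOCD signature is in the tail (22-byte record + 64 KiB comment)."""
    return data.rfind(EOCD_SIG, max(0, len(data) - 65557)) != -1

def salvage(data):
    """Scan forward for local file headers and inflate each member as far as
    the bytes allow. Returns [(name, payload, complete)]."""
    found, pos = [], data.find(LFH_SIG)
    while pos != -1 and pos + 30 <= len(data):
        (_sig, _ver, _flags, method, _time, _date,
         _crc, csize, _usize, nlen, xlen) = struct.unpack_from("<4s5H3I2H", data, pos)
        start = pos + 30 + nlen + xlen          # first byte of member data
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        body = data[start:]
        if method == 8:                         # raw DEFLATE, no zlib header
            d = zlib.decompressobj(-15)
            try:
                payload = d.decompress(body)    # short input yields a prefix
            except zlib.error:                  # corrupt rather than merely short
                payload = b""
            complete = d.eof                    # False when the stream was cut
            used = len(body) - len(d.unused_data)
        else:                                   # assumed method 0 (stored)
            payload = body[:csize]
            complete, used = len(payload) == csize, len(payload)
        found.append((name, payload, complete))
        pos = data.find(LFH_SIG, start + used)  # resume after this member
    return found

def make_sample(keep=0.6):
    """Constructed input: one deflated member, archive cut at `keep` of its size."""
    original = b"".join(b"constructed packet %06d\n" % i for i in range(20000))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("capture.pcap", original)
    full = buf.getvalue()
    return original, full, full[:int(len(full) * keep)]

if __name__ == "__main__":
    original, full, cut = make_sample()
    print("EOCD present (full, cut):", has_eocd(full), has_eocd(cut))
    for name, payload, complete in salvage(cut):
        print(name, len(payload), "of", len(original), "bytes, complete:", complete)
```

A member reported with complete False is a prefix of the original file, which matches Wireshark's "cut short in the middle of a packet" message for the extracted capture.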