Extracting data from a corrupted zip file with jar or repairing it

I received a zip file containing data captured with tcpdump on a Linux system. When I tried to open the zip file on my MacBook Pro laptop running OS X El Capitan by double-clicking on the file within the Finder, I saw an "unable to expand" error message stating "Error 2 - No such file or directory." A Microsoft Windows user who downloaded the same zip file reported that he was unable to open it, either. When I tried to unzip the file from a Terminal window using the unzip utility, I saw an "End-of-central directory signature not found" error message.

$ file AS2_Captures.zip
AS2_Captures.zip: Zip archive data, at least v2.0 to extract
$ unzip AS2_Captures.zip 
Archive:  AS2_Captures.zip
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of AS2_Captures.zip or
        AS2_Captures.zip.zip, and cannot find AS2_Captures.zip.ZIP, period.

But I was able to uncompress the zip file and extract data from it using the Java archive (jar) utility on the system, though it also displayed an error message.

$ which jar
$ ls
$ jar -xvf AS2_Captures.zip 
java.io.EOFException: Unexpected end of ZLIB input stream
	at java.util.zip.InflaterInputStream.fill(InflaterInputStream.java:240)
	at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)
	at java.util.zip.ZipInputStream.read(ZipInputStream.java:194)
	at java.util.zip.ZipInputStream.closeEntry(ZipInputStream.java:140)
	at sun.tools.jar.Main.extractFile(Main.java:1072)
	at sun.tools.jar.Main.extract(Main.java:981)
	at sun.tools.jar.Main.run(Main.java:311)
	at sun.tools.jar.Main.main(Main.java:1288)
$ ls -lgh
total 318192
-rw-r--r--@ 1 ABC\Domain Users    38M Sep 27 22:51 AS2_Captures.zip
-rw-r--r--  1 ABC\Domain Users   117M Sep 29 22:03 OSC_AS2_0

When I opened the file in Wireshark, I saw the message "The capture file appears to have been cut short in the middle of a packet." But Wireshark displayed the captured data.

After extracting data with the jar tool, I then attempted to fix the zip file that I had downloaded using the zip utility on the system. You can use zip -F zipfilename.zip --out repairedfilename.zip to attempt to repair a corrupted zip file.





Fix the zip archive. The −F option can be used if some portions of the archive are missing, but requires a reasonably intact central directory. The input archive is scanned as usual, but zip will ignore some problems. The resulting archive should be valid, but any inconsistent entries will be left out.

When doubled as in −FF, the archive is scanned from the beginning and zip scans for special signatures to identify the limits between the archive members. The single −F is more reliable if the archive is not too much damaged, so try this option first.

If the archive is too damaged or the end has been truncated, you must use −FF. This is a change from zip 2.32, where the −F option is able to read a truncated archive. The −F option now more reliably fixes archives with minor damage and the −FF option is needed to fix archives where −F might have been sufficient before.

Neither option will recover archives that have been incorrectly transferred in ascii mode instead of binary. After the repair, the −t option of unzip may show that some files have a bad CRC. Such files cannot be recovered; you can remove them from the archive using the −d option of zip.

Note that −FF may have trouble fixing archives that include an embedded zip archive that was stored (without compression) in the archive and, depending on the damage, it may find the entries in the embedded archive rather than the archive itself. Try −F first as it does not have this problem.

But that didn't work.

$ zip -F AS2_Captures.zip --out AS2_Captures_Fixed.zip
Fix archive (-F) - assume mostly intact archive
	zip warning: bad archive - missing end signature
	zip warning: (If downloaded, was binary mode used?  If not, the
	zip warning:  archive may be scrambled and not recoverable)
	zip warning: Can't use -F to fix (try -FF)

zip error: Zip file structure invalid (AS2_Captures.zip)

I then tried the -FF option and it was able to create a repaired zip file from which I was able to extract a file that was 117MB, the same size file as I had obtained with the jar utility.

$ zip -FF AS2_Captures --out AS2_Captures_Fixed.zip
Fix archive (-FF) - salvage what can
	zip warning: Missing end (EOCDR) signature - either this archive
                     is not readable or the end is damaged
Is this a single-disk archive?  (y/n): y
  Assuming single-disk archive
Scanning for entries...
 copying: OSC_AS2_0  (51608934 bytes)
$ ls
AS2_Captures.zip	AS2_Captures_Fixed.zip
$ unzip AS2_Captures_Fixed.zip
Archive:  AS2_Captures_Fixed.zip
  inflating: OSC_AS2_0  
  error:  invalid compressed data to inflate
$ ls -lhg
total 396488
-rw-r--r--@ 1 ABC\Domain Users    38M Sep 27 22:51 AS2_Captures.zip
-rw-------  1 ABC\Domain Users    38M Sep 29 22:32 AS2_Captures_Fixed.zip
-rw-r--r--  1 ABC\Domain Users   117M Sep 26 14:01 OSC_AS2_0