
Wireshark can be instructed to save X bytes of each packet by specifying a "snaplength". When doing so, it does record the original packet-length in the pcap(ng) header of the packet. In the resulting file, the frame.len will be the original packet length and frame.cap_len will be set to X when the packet was larger than X (and it will be set to the frame length if it was not truncated).

Please be aware that the headers up to L4 can be different in size, so you either have to set X to a bare minimum to not get any payload data (and you will lose some L4 header information on some packets) or you can set it so that it will always capture the full L4 headers, but then you do get some of the payload data.

I don't know of a tool that can do dynamic slicing based on the protocol while capturing. There are however tools that can slice after a certain layer when post processing the data, but that would not fit your requirement IMHO.
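
The trade-off described in the answer above can be checked on a capture after the fact. The following is an added example, not part of the original answer and not Wireshark code: it reads the per-packet record headers of a classic little-endian pcap file (not pcapng) and reports, for Ethernet/IPv4 TCP and UDP packets, how many payload bytes a fixed snaplen kept and how many L4 header bytes it cut off. The function names and the sample frames are hypothetical and constructed for the illustration.

```python
import struct

GLOBAL = struct.Struct("<IHHiIII")  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len (frame.cap_len), orig_len (frame.len)

def headers_through_l4(data):
    """Ethernet + IPv4 + TCP/UDP header bytes, or None if the captured bytes cannot tell."""
    if len(data) < 24 or data[12:14] != b"\x08\x00":   # need EtherType and IPv4 protocol field
        return None
    l4 = 14 + (data[14] & 0x0F) * 4                    # IHL is variable (IP options)
    proto = data[23]
    if proto == 17:                                    # UDP header is always 8 bytes
        return l4 + 8
    if proto == 6 and len(data) > l4 + 12:             # TCP data offset is variable (options)
        return l4 + (data[l4 + 12] >> 4) * 4
    return None

def audit(pcap):
    """Per packet: (frame.len, frame.cap_len, payload bytes kept, L4 header bytes lost)."""
    magic, _, _, _, _, snaplen, linktype = GLOBAL.unpack_from(pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expects little-endian classic pcap with Ethernet link type")
    rows, off = [], GLOBAL.size
    while off < len(pcap):
        _, _, cap_len, orig_len = RECORD.unpack_from(pcap, off)
        data = pcap[off + RECORD.size: off + RECORD.size + cap_len]
        off += RECORD.size + cap_len
        hdr = headers_through_l4(data)
        if hdr is None:
            rows.append((orig_len, cap_len, None, None))
        else:
            rows.append((orig_len, cap_len, max(0, cap_len - hdr), max(0, hdr - cap_len)))
    return snaplen, rows

# Constructed sample frames: only the fields read above are filled in.
def frame(proto, l4_hdr_len, payload_len):
    ip = bytearray(20); ip[0], ip[9] = 0x45, proto
    l4 = bytearray(l4_hdr_len)
    if proto == 6:
        l4[12] = (l4_hdr_len // 4) << 4
    return bytes(12) + b"\x08\x00" + bytes(ip) + bytes(l4) + bytes(payload_len)

def make_pcap(frames, snaplen):
    out = GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        out += RECORD.pack(0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

SAMPLE = make_pcap([frame(6, 20, 100), frame(6, 40, 20), frame(17, 8, 10)], snaplen=64)

if __name__ == "__main__":
    for row in audit(SAMPLE)[1]:
        print("len=%s cap_len=%s payload_kept=%s l4_hdr_lost=%s" % row)
```

With the constructed snaplen of 64, the TCP packet without options keeps 10 payload bytes, the TCP packet with 20 bytes of options loses 10 header bytes, and the short UDP packet is not truncated at all.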