Recovering corrupt packet captures

asked 2019-11-20 15:17:23 +0000

VadimZakharine gravatar image

updated 2019-11-20 15:21:06 +0000


as I've been porting to Python and publishing my earlier work related to recovering IPv4 packets from binary files, I started wondering about the subject of recovering corrupt packet capture files. Not just the last packet captured in the file truncated, but conditions when Wireshark hit a format error and stops processing the capture file well before its end. Any interest from the community? In my own experience I had a few critical problems where the capture file was corrupt and no backup copies were available, so I wrote a couple utilities for recovering the files. Still, maybe it was just my luck?

The example with my script for recovering IPv4 is at


edit retag flag offensive close merge delete


Any interest from the community?

From the Help page:

How questions, answers and comments work
This site is for asking and answering questions, not for open-ended discussions. We encourage everyone to use “question” space for asking and “answer” for answering.

I don't believe this question fits the format of this site very well, and I would therefore suggest that you solicit feedback about this topic on the wireshark-dev and/or wireshark-user mailing lists instead.

cmaynard gravatar imagecmaynard ( 2019-11-20 16:35:15 +0000 )edit

Looking for simple yes/no answers from the user community actually: no point in developing the code of no practical interest. But probably you meant list wireshark-users instead?

VadimZakharine gravatar imageVadimZakharine ( 2019-11-20 18:44:28 +0000 )edit

Well, this is just one person's opinion, but I think anything that helps to improve the product is welcome, and I'd say this fits the bill. How exactly corrupt packets/files are recovered is another matter though. Or perhaps you somehow find a way to simply skip corrupted packets and move on to the next packet? Does that include corrupt pcap files only or corrupt pcapng files too? If pcapng files are corrupted and you're able to somehow "fix" them, then it would probably be a good idea to add packet comments so the user is aware that a packet was manipulated in some way. There are probably many more considerations to be made though, which is why I suggested bringing up the topic on a forum more suitable to discussions than this Q/A forum.

cmaynard gravatar imagecmaynard ( 2019-11-20 21:05:44 +0000 )edit

See also pcapfix.

Guy Harris gravatar imageGuy Harris ( 2019-11-20 21:55:38 +0000 )edit

Yes, with another corrupt packet trace I got for my analysis:

$ tshark -r capture.cap
tshark: The file "capture.cap" appears to be damaged or corrupt.
(pcap: File has 3223977984-byte packet, bigger than maximum of 262144)
1 0.000000 Xerox_00:00:00 -> 00:00:00_00:00:00 0x2d50 Ethernet II
2 -1574219254.528535 0f:00:00:00:00:00 -> da:00:00:00:00:00 LLC I, N(R)=0, N(S)=0; DSAP 0x70 Group, SSAP ISO 8208 (X.25 over 802.2) Command[Packet size limited during capture]


Utility pcapfix did work quite well.

Thank you, Guy.

VadimZakharine gravatar imageVadimZakharine ( 2019-12-02 12:20:06 +0000 )edit