Ask Your Question
0

I get "the captured file appears to have been cut short in the middle" reading a file from tcpdump if I kill it while it's capturing

asked 2020-03-30 07:06:36 +0000

liuml8 gravatar image

updated 2020-03-30 16:52:09 +0000

Guy Harris gravatar image

Wireshark tool always show an error prompt with "the captured file appears to have been cut short in the middle of a packet " when I try to open the captured PCAP packet ,I have no idea what' s happen , I tired to do a fix by pcapfix tool then the error prompt gone ,could anyone answer me what's mean for the error ,How to resolve it ,whether My packet exist a cut in it ,

thank you very much in advance ,

edit retag flag offensive close merge delete

Comments

How are you capturing the traffic? Are you doing it in Wireshark or in some other program?

Guy Harris gravatar imageGuy Harris ( 2020-03-30 08:07:43 +0000 )edit

Hi , appreciate you quick reply , I captured the file with tcpdump ,belows are my steps to run it 1: push the tcpdump file to myphone/data direcotry and grant the file 777 permission (adb shell chmod 777 /data/tcpdump) 2:Run the commands series :tcpdump -i any -s 0 -w /sdcard/ip.pcap & , 3: After 25 hours gone ,Pull out the file ip.pcap for analysing , then the error prompt while I open ip.pcap with wireshake , I have no idea to check which fragment be cut short in the captured file ,How to prevent this problem when I perform to capture pcap packet ,

liuml8 gravatar imageliuml8 ( 2020-03-30 08:25:50 +0000 )edit

Do you stop tcpdump before 'pulling out the file ip.pcap'?

Jaap gravatar imageJaap ( 2020-03-30 11:13:35 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2020-03-30 11:42:11 +0000

SYN-bit gravatar image

tcpdump writes the pcap file in blocks of a certain size. This means that during the capturing, the file ends in the middle of a packet. If you copy the file while tcpdump is still capturing, the last packet in the file will not be completely written yet, hence the error message in Wireshark.

If you stop tcpdump before copying the file, the remaining buffer will be written to disk and all packets will be complete.

edit flag offensive delete link more

Comments

thank you very much , Before i pulled out the PCAP files ,I killed the process first by “Kill -9 PID ”, is that a normal stop for tcpdump tools ?

liuml8 gravatar imageliuml8 ( 2020-03-30 15:29:03 +0000 )edit

"-9" is pretty harsh. See if it works better with a "-2" or "-15".
Usage of signals with kill

Chuckc gravatar imageChuckc ( 2020-03-30 16:06:29 +0000 )edit

If you do a "kill -9", you tell the program to drop everything and quit. This means it never got the chance to save the last bits in memory to disk, hence the last packet was truncated. You should just do a normal kill on the process without -9 and then it should close normally, flushing the last data to disk.

SYN-bit gravatar imageSYN-bit ( 2020-03-30 16:48:04 +0000 )edit

"-9" is pretty harsh.

Where "pretty harsh" means will not work - it will immediately stop tcpdump, not giving it an opportunity to do anything before exiting and, in particular, not giving it an opportunity to write out the last blocks of data.

I.e., @bubbasnmp is 100% correct; do what he says. You MUST use "-2" ("-INT") or "-15" ("-TERM"); those are caught by tcpdump, and it will stop capturing and finish writing out the capture file.

Guy Harris gravatar imageGuy Harris ( 2020-03-30 16:51:09 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-03-30 07:06:36 +0000

Seen: 47,107 times

Last updated: Mar 30 '20