Change frame/tcp length on sliced packets
Hi,
We are slicing packets on our packet broker at 256 TCP bytes. And when we export files and try to read the capture with Wireshark it is all messed up, because Wireshark is interpreting sequence numbers using the wrong TCP length.
The total IP length field in packets is correct so it is possible to recalculate and fix the packet capture. TraceWrangler does the trick by using the "Fix frame size meta data" option. The problem is that TraceWrangler is a Windows application and I cannot use it for automating export on Linux.
I have tried editcap -L but it seems it does not do anything. I also tried tcprewrite --fixlen=pad/trunc, but also nothing gets edited.
Any idea how I could fix packet captures to make them properly readable in Wireshark?
Frame 71: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits)
Ethernet II, Src: 02:11:11:64:11:91 (02:11:11:64:11:91), Dst: 02:11:11:64:55:88 (02:11:11:64:55:88)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1302
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x28 (DSCP: AF11, ECN: Not-ECT)
0010 10.. = Differentiated Services Codepoint: Assured Forwarding 11 (10)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 1092
[Expert Info (Error/Protocol): IPv4 total length exceeds packet length (296 bytes)]
[IPv4 total length exceeds packet length (296 bytes)]
[Severity level: Error]
[Group: Protocol]
Identification: 0x7d18 (32024)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 255
Protocol: TCP (6)
Header checksum: 0xfb71 [validation disabled]
[Header checksum status: Unverified]
Source: 1.1.1.1
Destination: 2.2.2.2
Transmission Control Protocol, Src Port: 443, Dst Port: 59038, Seq: 2319763168, Ack: 462873003, Len: 256
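An added example, not part of the question and not TraceWrangler's or editcap's code: a stand-alone Python script that applies the same idea as the "Fix frame size meta data" option to a classic pcap file, recomputing each record's original length from the IPv4 Total Length (plus the Ethernet/802.1Q headers in front of it) and rewriting only that pcap record metadata, never the packet bytes. It assumes classic pcap (not pcapng) with the Ethernet link type; the sample capture it builds is constructed to mirror Frame 71 above.

```python
import struct

ETHERTYPE_VLAN, ETHERTYPE_IPV4, LINKTYPE_ETHERNET = {0x8100, 0x88A8}, 0x0800, 1

def expected_frame_len(pkt: bytes):
    """On-wire length implied by the IPv4 Total Length plus the Ethernet and
    802.1Q headers in front of it; None if the frame is not IPv4."""
    off, ethertype = 14, struct.unpack_from("!H", pkt, 12)[0] if len(pkt) >= 14 else None
    while ethertype in ETHERTYPE_VLAN and len(pkt) >= off + 4:   # skip 802.1Q / QinQ tags
        ethertype, off = struct.unpack_from("!H", pkt, off + 2)[0], off + 4
    if ethertype != ETHERTYPE_IPV4 or len(pkt) < off + 4:
        return None
    return off + struct.unpack_from("!H", pkt, off + 2)[0]

def fix_frame_lengths(pcap: bytes) -> bytes:
    """Raise each record's 'original length' to what the IPv4 header implies when
    fewer bytes were captured; packet bytes stay untouched, so Wireshark sees a
    sliced frame instead of a short IP datagram. Classic pcap, Ethernet only."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(pcap[:4])
    if endian is None or struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected a classic pcap file with LINKTYPE_ETHERNET")
    out, pos = bytearray(pcap[:24]), 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_frac, caplen, origlen = struct.unpack_from(endian + "IIII", pcap, pos)
        pkt = pcap[pos + 16:pos + 16 + caplen]
        want = expected_frame_len(pkt)
        if want is not None and want > origlen:   # sliced: record the true wire length
            origlen = want
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, caplen, origlen) + pkt
        pos += 16 + caplen
    return bytes(out)

def build_sample_pcap() -> bytes:
    """Constructed input: one frame sliced to 256 TCP payload bytes, laid out like
    Frame 71 in the question (Ethernet, 802.1Q VLAN 1302, IPv4 Total Length 1092, TCP)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x28, 1092, 0x7D18, 0x4000, 255, 6,
                     0, bytes([1, 1, 1, 1]), bytes([2, 2, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 443, 59038, 2319763168, 462873003,
                      0x50, 0x18, 65535, 0, 0)
    frame = bytes(12) + struct.pack("!HHH", 0x8100, 1302, 0x0800) + ip + tcp + bytes(256)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame   # caplen 314

if __name__ == "__main__":   # usage: python fixlen.py sliced.pcap > fixed.pcap
    import sys
    sys.stdout.buffer.write(fix_frame_lengths(open(sys.argv[1], "rb").read()))
```

After the rewrite the record carries caplen 314 and original length 1110 (18 bytes of Ethernet and VLAN headers plus the 1092-byte IP datagram), which is what tells Wireshark the frame was sliced.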