how to export a stripped capture file to k12 ?

asked 2021-12-22 07:31:01 +0000

PT
1

Wireshark got wrong packet length displayed if I open a k12 text file that was I exported to k12 from a stripped pcap file (ex: using tcpdump -s <small_len>).

Is that a bug? Or would you wanna implement a parameter in editcap or checkbox in Wireshark to fill more |00| to k12 for a stripped capture file?

Just a suggestion. Or is there any other solution to my problem?

answered 2021-12-24 11:12:03 +0000

Guy Harris
19890 ●3 ●634 ●207

Or is there any other solution to my problem?

Export the file to a format that supports the notion of a packet having an "actual length" and a "captured length".

k12 text files are NOT such a format. That is the cause of your problem; it is not something that the Wireshark developer's can fix (we don't define that format, Tektronix did).

One such format is called "pcap format". Another such format is called "pcapng format". Wireshark is capable of reading and writing both those formats.

edit flag offensive delete link

Comments

If I wanna fill many 0x00 in it to keep Wireshark can reload K12 file correctly. (I mean, use 0x00 to keep captured length = 'actual' length) What can I do? To write a program by myself?

PT ( 2022-01-04 09:31:10 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

how to export a stripped capture file to k12 ?

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

how to export a stripped capture file to k12 ? edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

how to export a stripped capture file to k12 ?