How to remove from a pcap file a packet which wrongly claims a size > 262144

asked 2022-06-10 11:47:30 +0000

updated 2022-06-12 18:10:33 +0000

There is a captured pcap file which appears to be corrupt:

tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

I tried to remove that packet from the trace with:

tshark -r file.pcap -R "ip.len<=65534" -2

but I get the same error:

0.000000 CS0 172.19.0.1 → 228.6.7.8 UDP 47549 46655 114 47549 → 46655 Len=86
...
22622.071058 CS0 172.19.0.1 → 239.255.255.250 SSDP 52107 ssdp 200 M-SEARCH * HTTP/1.1
tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

Is there a workaround to sanitize the trace?

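Both tshark and editcap fail the same way because wiretap rejects a record header whose incl_len exceeds 262144 bytes when it reads the header, before any -s truncation could apply, so the file has to be repaired at the byte level. The script below is an added example, not from the question or from the Wireshark or ulogd projects: it walks the classic libpcap layout (24-byte global header, 16-byte per-record header of ts_sec, ts_usec, incl_len, orig_len), copies records whose headers are believable, drops the one claiming an impossible length, and optionally scans forward for the next plausible header so packets after the corruption are kept. The names `sanitize_pcap` and `build_sample` are mine, the embedded sample file is constructed and reuses the 20447488-byte length from the error message, and the timestamp-window heuristic used during resynchronisation is an assumption, not a libpcap rule.

```python
"""Salvage a classic (libpcap) pcap whose record header claims an impossible length.

Added example, not part of the original question or of Wireshark/ulogd.
Format facts used: 24-byte global header; 16-byte record header holding
ts_sec, ts_usec, incl_len, orig_len. 262144 is the ceiling quoted in the error.
"""
import struct
import sys

MAX_PACKET = 262144          # libpcap's sanity limit from the error message
GLOBAL_FMT = "IHHiIII"       # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_FMT = "IIII"          # ts_sec, ts_usec, incl_len, orig_len


def _endian(data):
    """Pick the struct byte-order prefix from the magic (microsecond pcap only)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":      # same magic written big-endian
        return ">"
    raise ValueError("not a classic microsecond pcap file (magic %r)" % magic)


def _plausible(hdr, snaplen, remaining, prev_ts=None, max_gap=86400):
    """Sanity checks on one record header. The timestamp window (applied only
    while resynchronising) is a constructed heuristic, not a libpcap rule."""
    ts_sec, ts_usec, incl_len, orig_len = hdr
    if ts_usec >= 1_000_000 or incl_len == 0 or incl_len > orig_len:
        return False
    if incl_len > min(snaplen, MAX_PACKET) or incl_len > remaining:
        return False
    return prev_ts is None or prev_ts <= ts_sec <= prev_ts + max_gap


def sanitize_pcap(data, resync=True):
    """Return (clean_bytes, kept, dropped).

    Records are copied while their headers pass _plausible(); a record whose
    incl_len is impossible is dropped. With resync=True the scanner then walks
    forward one byte at a time looking for the next believable header so that
    packets after the corruption are recovered; with resync=False the output is
    simply truncated at the first bad record (the safer choice for evidence).
    """
    bo = _endian(data)
    ghdr = struct.Struct(bo + GLOBAL_FMT)
    rhdr = struct.Struct(bo + RECORD_FMT)
    snaplen = ghdr.unpack_from(data, 0)[5]
    out = bytearray(data[:ghdr.size])            # global header is kept as-is
    pos, kept, dropped, prev_ts = ghdr.size, 0, 0, None
    while pos + rhdr.size <= len(data):
        hdr = rhdr.unpack_from(data, pos)
        remaining = len(data) - pos - rhdr.size
        if _plausible(hdr, snaplen, remaining):
            end = pos + rhdr.size + hdr[2]
            out += data[pos:end]
            kept, prev_ts, pos = kept + 1, hdr[0], end
            continue
        dropped += 1                              # header is garbage, skip it
        if not resync:
            break
        nxt = pos + 1
        while nxt + rhdr.size <= len(data):       # byte-wise hunt for next header
            cand = rhdr.unpack_from(data, nxt)
            if _plausible(cand, snaplen, len(data) - nxt - rhdr.size, prev_ts):
                break
            nxt += 1
        else:
            break                                 # nothing believable left
        pos = nxt
    return bytes(out), kept, dropped


def build_sample():
    """Constructed pcap: two good records, one header claiming 20447488 bytes
    (the size from the question) followed by 40 junk bytes, then one good record."""
    def rec(ts, n):
        return struct.pack("<IIII", ts, 0, n, n) + bytes([n & 0xFF]) * n
    g = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    bad = struct.pack("<IIII", 1654860002, 0, 20447488, 20447488) + b"\xff" * 40
    return g + rec(1654860000, 60) + rec(1654860001, 128) + bad + rec(1654860003, 40)


if __name__ == "__main__":
    src, dst = sys.argv[1:3]                      # usage: sanitize.py in.pcap out.pcap
    with open(src, "rb") as f:
        clean, kept, dropped = sanitize_pcap(f.read())
    with open(dst, "wb") as f:
        f.write(clean)
    print("kept %d records, dropped %d" % (kept, dropped))
```

Run it as `python3 sanitize.py file.pcap file.pcap.new` and then open the new file with tshark as usual. Resynchronisation can in principle lock onto a byte pattern inside a payload that merely looks like a header, so when the capture matters (incident evidence, for instance) prefer `resync=False` and treat everything after the first bad record as lost, rather than trusting recovered packets whose timestamps or lengths look odd.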

Comments

One word: editcap

Jaap ( 2022-06-10 13:20:46 +0000 )

One sentence: Use a binary transfer mode when sending the file between systems. ASCII transfer will change the CR/LF sequences and is often the cause of these errors.

SYN-bit ( 2022-06-10 13:28:33 +0000 )

Two answers:

@Jaap: same issue:

editcap -s 65534 file.pcap file.pcap.new
editcap: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

@SYN-bit: this file does not come from a transfer, but was saved directly by ulogd.

actionmystique@gmail.com ( 2022-06-10 17:15:12 +0000 )

What version of ulogd?

Jaap ( 2022-06-10 18:25:16 +0000 )

2.0.7-1+b2. I'll try to downgrade to see if the old version behaves correctly.

actionmystique@gmail.com ( 2022-06-10 18:35:34 +0000 )