
How to remove from a pcap file a packet which wrongly claims a size > 262144

asked 2022-06-10 11:47:30 +0000

actionmystique@gmail.com

updated 2022-06-12 18:10:33 +0000

There is a captured pcap file which appears to be corrupt:

tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

I tried to remove that packet from the trace with:

tshark -r file.pcap -R "ip.len<=65534" -2

but I get the same error:

0.000000 CS0 172.19.0.1 → 228.6.7.8 UDP 47549 46655 114 47549 → 46655 Len=86
...
22622.071058 CS0 172.19.0.1 → 239.255.255.250 SSDP 52107 ssdp 200 M-SEARCH * HTTP/1.1
tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

Is there a workaround to sanitize the trace?


Comments

One word: editcap

Jaap ( 2022-06-10 13:20:46 +0000 )

One sentence: Use a binary transfer mode when sending the file between systems. ASCII transfer will change the CR/LF sequences and is often the cause of these errors.

SYN-bit ( 2022-06-10 13:28:33 +0000 )

Two answers: @Jaap: same issue:

editcap -s 65534 file.pcap file.pcap.new

editcap: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

@SYN-bit: this file does not come from a transfer, but was saved directly by ulogd.

actionmystique@gmail.com ( 2022-06-10 17:15:12 +0000 )

What version of ulogd?

Jaap ( 2022-06-10 18:25:16 +0000 )

2.0.7-1+b2. I'll try to downgrade to see if the old version behaves correctly.

actionmystique@gmail.com ( 2022-06-10 18:35:34 +0000 )

1 Answer


answered 2022-11-09 17:17:58 +0000

actionmystique@gmail.com

Here's the solution to fix a corrupted pcap file:

pcapfix -d file.pcap

It works perfectly!
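For readers who want to see where the capture breaks, here is an added example that is not part of the answer above and is not pcapfix's code. It walks the 16-byte record headers of a classic pcap file (not pcapng), copies every record that looks sane, and slides forward byte by byte past a header whose length exceeds the 262144 limit from the error message. The names `salvage_pcap`, `build_sample`, and `window`, and the plausibility heuristic itself, are assumptions of this example.

```python
import struct

MAX_LEN = 262144  # per-packet limit quoted in the tshark/editcap error above

def _plausible(data, off, fmt, last_ts, window):
    # Heuristic assumed by this example: sane lengths, timestamp near the last
    # good record, and the whole record fits inside the file.
    ts, frac, incl, orig = struct.unpack_from(fmt, data, off)
    return (0 < incl <= orig <= MAX_LEN and frac < 1_000_000_000
            and abs(ts - last_ts) <= window
            and off + 16 + incl <= len(data))

def salvage_pcap(data, window=3600):
    """Return (clean_bytes, kept_records, skipped_bytes) for a classic pcap image."""
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        fmt = "<IIII"                      # little-endian, usec or nsec stamps
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        fmt = ">IIII"                      # big-endian
    else:
        raise ValueError("not a classic pcap file")
    out = bytearray(data[:24])             # 24-byte global header, unchanged
    off, kept, skipped, last_ts = 24, 0, 0, None
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from(fmt, data, off)
        if _plausible(data, off, fmt, ts if last_ts is None else last_ts, window):
            out += data[off:off + 16 + incl]
            off, kept, last_ts = off + 16 + incl, kept + 1, ts
        else:
            off, skipped = off + 1, skipped + 1   # resync one byte at a time
    return bytes(out), kept, skipped + len(data) - off

def build_sample():
    """Constructed input: three good records, a bogus header after the second."""
    def rec(ts, payload):
        return struct.pack("<IIII", ts, 0, len(payload), len(payload)) + payload
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    bad = struct.pack("<IIII", 1654861652, 0, 20447488, 20447488) + b"\xff" * 40
    return (hdr + rec(1654861650, b"A" * 60) + rec(1654861651, b"B" * 60)
            + bad + rec(1654861653, b"C" * 60))

if __name__ == "__main__":
    clean, kept, skipped = salvage_pcap(build_sample())
    print(f"kept {kept} records, skipped {skipped} bytes, wrote {len(clean)} bytes")
```

A non-zero skipped count tells you how many bytes were dropped; the byte-wise resync can in principle lock onto packet payload that happens to look like a header, so check the timestamps of the first records after the gap.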
