Ask Your Question
0

editcap file splitting issue when little data

asked 2023-03-21 16:00:37 +0000

jimjamming gravatar image

updated 2023-03-21 17:37:51 +0000

Chuckc gravatar image

I am experiencing an issue with editcap that I was hoping someone could help with.  I have a very large pcap file say 20Gb that I split up into 1 sec .pcapng chunks.  The data captured in the large file represents a large amount of traffic flowing through a connection.  The data rate is equal to the line speed of the given connection.   I have found an occasional problem that occurs (sometimes) when the traffic source stops communicating.  When the traffic source is not operating I get very little data.  I would have expected that if a given 1 sec chunk contained no data I would either get an empty .pcapng file for the given time period or I would get no .pcapng at all.  I could live with either of these x2 scenarios.  However what I actually get is something quite different.  I have copied the file listing below with the file name, file size in bytes and how many bytes are shown in the given .pcapng file when opened in Wireshark. Consider the lines below where I am missing a 20230216074903.pcapng but then get x2  20230216074905 files.  I should say that this occurs only when the traffic source has stopped communicating on the network ie during period with very few packets per second say 0 to 3 per second.

The editcap command used is of the following format - "editcap Largefilepath.pcapng Smallfilepath.pcapng -i 1" in the example output below.

editcap Largefilepath.pcapng Smallfilepath.pcapng -i 1

C:\testdata\small_00877_20230216074901.pcapng   2284    19 packets
C:\testdata\small_00878_20230216074902.pcapng   912 6 packets
C:\testdata\small_00879_20230216074904.pcapng   388 1 packet
C:\testdata\small_00880_20230216074905.pcapng   296 Empty
C:\testdata\small_00881_20230216074905.pcapng   744 2 packets
C:\testdata\small_00882_20230216074908.pcapng   296 Empty
C:\testdata\small_00883_20230216074908.pcapng   388 1 packet
C:\testdata\small_00884_20230216074910.pcapng   296 Empty
C:\testdata\small_00885_20230216074910.pcapng   388 1 packet
C:\testdata\small_00886_20230216074910.pcapng   652 1 packet
C:\testdata\small_00887_20230216074912.pcapng   388 1 packet
C:\testdata\small_00888_20230216074914.pcapng   296 Empty
C:\testdata\small_00889_20230216074914.pcapng   388 1 packet
C:\testdata\small_00890_20230216074915.pcapng   296 Empty
C:\testdata\small_00891_20230216074915.pcapng   744 1 packet
C:\testdata\small_00892_20230216074918.pcapng   296 Empty
C:\testdata\small_00893_20230216074918.pcapng   388 1 packet
C:\testdata\small_00894_20230216074920.pcapng   296 Empty
C:\testdata\small_00895_20230216074920.pcapng   388 1 packet
C:\testdata\small_00896_20230216074920.pcapng   652 1 packet
C:\testdata\small_00897_20230216074922.pcapng   388 1 packet
C:\testdata\small_00898_20230216074924.pcapng   296 Empty
C:\testdata\small_00899_20230216074924.pcapng   388 1 packet
C:\testdata\small_00900_20230216074925.pcapng   296 Empty
C:\testdata\small_00901_20230216074925.pcapng   744 2 packets
C:\testdata\small_00902_20230216074928.pcapng   296 Empty
C:\testdata\small_00903_20230216074928.pcapng   388 1 packet
C:\testdata\small_00904_20230216074930.pcapng   296 Empty
C:\testdata\small_00905_20230216074930.pcapng   388 1 packet
C:\testdata\small_00906_20230216074930.pcapng   652 1 packet

I tried repeating the above but instead of 1 sec chunks I tried 2 sec and 5 secs. When I do this I get the same sort of issues albeit not always at the same points in time.

Has anyone got any experience of this or has an idea of what ... (more)

edit retag flag offensive close merge delete

Comments

It looks like you should be able to recreate the issue with a smaller test file of the first 30 packets or so?
Can you verify that it behaves the same with the smaller file and share the capture file?

Also update question with output of wireshark -v or Help->About Wireshark:Wireshark.

Chuckc gravatar imageChuckc ( 2023-03-21 16:31:40 +0000 )edit

Good shout with the smaller trace file. I will get that done tomorrow but I don't think I can attached it here - <60 points.

The output was as follows -

Wireshark 3.6.3 (v3.6.3-0-g6d348e4611e2)

Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2019 (VC++ 14.29, build 30139),
with Qt 5.15.2, with libpcap, with GLib 2.66.4, with zlib 1.2.11, with Lua
5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.44.0, with brotli, with LZ4 ...
(more)
jimjamming gravatar imagejimjamming ( 2023-03-21 16:40:54 +0000 )edit

I have tried to edit your "answers" back to comments, but one with all the files still exceeds the character limit for a comment.

Captures can be posted to a shared location and then a link to the capture posted back here as a comment.

grahamb gravatar imagegrahamb ( 2023-03-21 17:43:40 +0000 )edit

Also worth trying with an up to date version of Wireshark, e.g. 4.0.4

grahamb gravatar imagegrahamb ( 2023-03-21 17:44:58 +0000 )edit

19067: editcap issue when splitting files with periods of little activity

Chuckc gravatar imageChuckc ( 2023-05-13 11:59:17 +0000 )edit
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2023-03-21 17:43:45 +0000

Chuckc gravatar image

This can be recreated with current Wireshark (4.0.4) and a capture made with a icmp capture filter with a pause between pings to a remote site.

I'm not sure if this is an Enhancement Request or a bug. I couldn't find an existing issue (open or closed) related to this. Feel free to open a new issue on the Wireshark Gitlab issues page. Include which of the results is your preference if it were to be implemented.

I would have expected that if a given 1 sec chunk contained no data I would either get an empty .pcapng file for the given time period or I would get no .pcapng at all. I could live with either of these x2 scenarios.

ask_wireshark$ editcap.exe -v
Editcap (Wireshark) 4.0.4 (v4.0.4-0-gea14d468d9ca).

Copyright 1998-2023 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with binary plugins.

Running on 64-bit Windows 10 (22H2), build 19045, with Intel(R) Core(TM)
i5-4300U CPU @ 1.90GHz (with SSE4.2), with 12191 MB of physical memory, with
GLib 2.72.3, with PCRE2 10.40 2022-04-14, with LC_TYPE=C, binary plugins
supported.

ask_wireshark$ editcap.exe -V -i 1 230321_31069_editcap_intervals.pcapng 230321_foo.pcapng
File 230321_31069_editcap_intervals.pcapng is a Wireshark/... - pcapng capture file.
Packet: 1
Packet: 2
Continuing writing in file 230321_foo_00001_20230321122028.pcapng
Packet: 3
Packet: 4
Continuing writing in file 230321_foo_00002_20230321122029.pcapng
Packet: 5
Packet: 6
Continuing writing in file 230321_foo_00003_20230321122030.pcapng
Packet: 7
Packet: 8
Continuing writing in file 230321_foo_00004_20230321122044.pcapng
Continuing writing in file 230321_foo_00005_20230321122044.pcapng
Continuing writing in file 230321_foo_00006_20230321122044.pcapng
Continuing writing in file 230321_foo_00007_20230321122044.pcapng
Continuing writing in file 230321_foo_00008_20230321122044.pcapng
Continuing writing in file 230321_foo_00009_20230321122044.pcapng
Continuing writing in file 230321_foo_00010_20230321122044.pcapng
Continuing writing in file 230321_foo_00011_20230321122044.pcapng
Continuing writing in file 230321_foo_00012_20230321122044.pcapng
Continuing writing in file 230321_foo_00013_20230321122044.pcapng
Continuing writing in file 230321_foo_00014_20230321122044.pcapng
Continuing writing in file 230321_foo_00015_20230321122044.pcapng
Continuing writing in file 230321_foo_00016_20230321122044.pcapng
Continuing writing in file 230321_foo_00017_20230321122044.pcapng
Packet: 9
Packet: 10
Continuing writing in file 230321_foo_00018_20230321122045.pcapng
Packet: 11
Packet: 12
Continuing writing in file 230321_foo_00019_20230321122046.pcapng
Packet: 13
Packet: 14
Continuing writing in file 230321_foo_00020_20230321122047.pcapng
Packet: 15
Packet: 16
Continuing writing in file 230321_foo_00021_20230321122054.pcapng
Continuing writing in file 230321_foo_00022_20230321122054.pcapng
Continuing writing in file 230321_foo_00023_20230321122054.pcapng
Continuing writing in file 230321_foo_00024_20230321122054.pcapng
Continuing writing in file 230321_foo_00025_20230321122054.pcapng
Continuing writing in file 230321_foo_00026_20230321122054.pcapng
Continuing writing in file 230321_foo_00027_20230321122054.pcapng
Packet: 17
Packet: 18
Continuing writing in file 230321_foo_00028_20230321122055.pcapng
Packet: 19
Packet: 20
Continuing writing in file 230321_foo_00029_20230321122056.pcapng
Packet: 21
Packet: 22
Continuing writing in file 230321_foo_00030_20230321122057.pcapng
Packet: 23 ...
(more)
edit flag offensive delete link more
add a comment
0

answered 2023-03-21 17:21:46 +0000

jimjamming gravatar image

updated 2023-03-21 17:41:10 +0000

grahamb gravatar image

I have taken a fresh trace file where I transmitted a single packet once per second (this was the lowest it would let me set it to). The trace lasts for ~1min and then I run editcap on the original .pcapng file. I see that I get the same sort of issues as I did previously. Unfortunately I cannot upload the file as I have < 60 points. You can see something is going on around the 17:07:11/13 second mark as an example, the list of the output files is as follows; 

c:\Testdata\small_00000_20230321170628.pcapng
c:\Testdata\small_00001_20230321170629.pcapng
c:\Testdata\small_00002_20230321170631.pcapng
c:\Testdata\small_00003_20230321170632.pcapng
c:\Testdata\small_00004_20230321170632.pcapng
c:\Testdata\small_00005_20230321170633.pcapng
c:\Testdata\small_00006_20230321170634.pcapng
c:\Testdata\small_00007_20230321170635.pcapng
c:\Testdata\small_00008_20230321170636.pcapng
c:\Testdata\small_00009_20230321170637.pcapng
c:\Testdata\small_00010_20230321170639.pcapng
c:\Testdata\small_00011_20230321170639.pcapng
c:\Testdata\small_00012_20230321170640.pcapng
c:\Testdata\small_00013_20230321170641.pcapng
c:\Testdata\small_00014_20230321170643.pcapng
c:\Testdata\small_00015_20230321170644.pcapng
c:\Testdata\small_00016_20230321170645.pcapng
c:\Testdata\small_00017_20230321170645.pcapng
c:\Testdata\small_00018_20230321170646.pcapng
c:\Testdata\small_00019_20230321170647.pcapng
c:\Testdata\small_00020_20230321170649.pcapng
c:\Testdata\small_00021_20230321170649.pcapng
c:\Testdata\small_00022_20230321170650.pcapng
c:\Testdata\small_00023_20230321170652.pcapng
c:\Testdata\small_00024_20230321170653.pcapng
c:\Testdata\small_00025_20230321170654.pcapng
c:\Testdata\small_00026_20230321170655.pcapng
c:\Testdata\small_00027_20230321170656.pcapng
c:\Testdata\small_00028_20230321170656.pcapng
c:\Testdata\small_00029_20230321170657.pcapng
c:\Testdata\small_00030_20230321170658.pcapng
c:\Testdata\small_00031_20230321170700.pcapng
c:\Testdata\small_00032_20230321170701.pcapng
c:\Testdata\small_00033_20230321170702.pcapng
c:\Testdata\small_00034_20230321170702.pcapng
c:\Testdata\small_00035_20230321170703.pcapng
c:\Testdata\small_00036_20230321170704.pcapng
c:\Testdata\small_00037_20230321170705.pcapng
c:\Testdata\small_00038_20230321170707.pcapng
c:\Testdata\small_00039_20230321170708.pcapng
c:\Testdata\small_00040_20230321170708.pcapng
c:\Testdata\small_00041_20230321170710.pcapng
c:\Testdata\small_00042_20230321170711.pcapng
c:\Testdata\small_00043_20230321170711.pcapng
c:\Testdata\small_00044_20230321170713.pcapng
c:\Testdata\small_00045_20230321170713.pcapng
c:\Testdata\small_00046_20230321170715.pcapng
c:\Testdata\small_00047_20230321170716.pcapng
c:\Testdata\small_00048_20230321170717.pcapng
c:\Testdata\small_00049_20230321170718.pcapng
c:\Testdata\small_00050_20230321170719.pcapng
c:\Testdata\small_00051_20230321170720.pcapng
c:\Testdata\small_00052_20230321170721.pcapng
c:\Testdata\small_00053_20230321170721.pcapng
c:\Testdata\small_00054_20230321170723.pcapng
c:\Testdata\small_00055_20230321170724.pcapng
c:\Testdata\small_00056_20230321170725.pcapng
c:\Testdata\small_00057_20230321170725.pcapng
c:\Testdata\small_00058_20230321170727.pcapng
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-03-21 16:00:37 +0000

Seen: 336 times

Last updated: Mar 21 '23

Related questions

how to use editcap to split the btmon captured file

editcap.exe returns "File mycapturefile.pcapng is a Wireshark/... - pcapng capture file"

Changing Interface Name via Editcap

Splitting Syslog dissector message columns

editcap and per-file comments in pcapng files...

How to split file json real time tshark?

How can i remove packet headers with script

Change frame/tcp length on sliced packets

Editcap not found on mac osx

splitting pcap file with editcap