Ask Your Question

TCP analysis on packets captured with smaller snaplength

asked 2024-01-09 17:59:47 +0000

rr gravatar image

We are capturing packets and only first 100 Bytes are captured due to privacy reasons, but because of that TCP analysis becomes wrong, all TCp segments believe that previous segment is lost ( because of sequence numbers). Is there a way to modify the capture file i.e look at Ip.length and based on that add '00' to the packet bytes, so that analysis becomes correct? I know TCp checksum will be wrong but at least TCP analysis will be good

edit retag flag offensive close merge delete


Are there extra protocol layers before TCP?
100 bytes should be enough to capture the full TCP header and options.

Chuckc gravatar imageChuckc ( 2024-01-09 18:27:44 +0000 )edit

But for TCP analysis we need complete packet else TCP analysis becomes wrong in Wireshark

rr gravatar imagerr ( 2024-01-09 18:53:36 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2024-01-10 08:27:14 +0000

SYN-bit gravatar image

The TCP dissector usually works just fine without the payload, as long as you have the complete TCP header, which you should have unless there is some tunneling involved (eth:14, ip:20, tcp:20-60 => 54-94 bytes for eth/ip/tcp info). How are the packets sliced, by a libpcap library, resulting in "Frame 366: 534 bytes on wire, 100 bytes captured on interface en0, id 0" or by a packetbroker, resulting in: Frame 366: 100 bytes on wire, 100 bytes captured on interface en0, id 0", even though there were 534 bytes on the wire before slicing. AFAIK, Wireshark sometimes has problems handling the second case.

Of course a pcap file with an example of where TCP analysis fails in your case could be handy to determine what is going on and whether or not this is a bug.

edit flag offensive delete link more


Thanks @SYN-bit, this was really useful. I modified the bytes on wire and that resolved this issue

rr gravatar imagerr ( 2024-01-10 18:00:19 +0000 )edit

Glad my answer helped you in solving your issue.

I reopened the question and selected my answer as the one that answered the question. We keep questions open with a selected answer as a knowledge base for others :-)

SYN-bit gravatar imageSYN-bit ( 2024-01-10 23:26:05 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2024-01-09 17:59:47 +0000

Seen: 108 times

Last updated: Jan 09