damaged or corrupted pcapng needs recovery

asked 2025-04-22 08:49:00 +0000

updated 2025-04-22 08:52:15 +0000

I am loading a few recorded pcapng files in Wireshark. I have 10 pcapng files, out of which two are damaged or corrupted. The error message I get is, "pcapng total block lengths (first 1484 and second 0) don't match." Is there a way to recover such pcapng files?

Wireshark Version 3.6.1 (v3.6.1-0-ga0a473c7c1ba), Windows 10


Comments

That version of Wireshark is obsolete; EOL was May 2024. Unlikely to help if the capture file is really damaged, but can you try a supported version of Wireshark?

grahamb ( 2025-04-22 09:16:30 +0000 )

Shows the same error in a different version of Wireshark as well. Could this problem be because of the EPB or PB block? For example, EPB at offset 48 bytes, PB at 60 (only 12 bytes later). Seems like the blocks are misaligned or overlapping. I would expect the EPB to contain the actual packet data; since it is captured using Ethernet, I would expect the EPB to be about 1400 bytes long. However, that's not the case.

thaker_anshuman ( 2025-04-22 09:40:53 +0000 )

You can try loading the capture as a file, View -> Reload as File Format/Capture (Ctrl + Shift + F) to examine the pcap blocks.

grahamb ( 2025-04-22 09:44:23 +0000 )

This is really helpful. Thank you. It seems like for one of the EPBs, the Block Length in the trailer differs from the Block Length in the header.

thaker_anshuman ( 2025-04-22 09:56:04 +0000 )
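
Added example, not part of the original thread and not Wireshark's own code: a minimal Python walker for the check discussed in the comments above. It compares each block's leading Block Total Length with the trailing copy and reports the offset of the first block where they disagree. The capture bytes are constructed inside the script, and the names `scan_blocks`, `make_block` and `sample_capture` are hypothetical.

```python
import struct

SHB = 0x0A0D0D0A
NAMES = {SHB: "SHB", 1: "IDB", 2: "PB", 3: "SPB", 5: "ISB", 6: "EPB"}

def scan_blocks(data):
    """Walk pcapng blocks. Returns (blocks, problem): blocks is a list of
    (offset, type_name, total_length) for every consistent block; problem is
    None or (offset, message) for the first block that fails a check."""
    blocks, off, endian = [], 0, "<"
    while off < len(data):
        if len(data) - off < 12:  # type + leading length + trailing length
            return blocks, (off, "truncated block")
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            # SHB: its type reads the same in both byte orders; the magic decides.
            magic = data[off + 8:off + 12]
            if magic not in (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d"):
                return blocks, (off, "bad byte-order magic")
            endian = "<" if magic[0] == 0x4D else ">"
        btype, first = struct.unpack_from(endian + "II", data, off)
        if first < 12 or first % 4 or off + first > len(data):
            return blocks, (off, f"implausible block length {first}")
        (second,) = struct.unpack_from(endian + "I", data, off + first - 4)
        if first != second:
            return blocks, (off, f"total block lengths (first {first} and "
                                 f"second {second}) don't match")
        blocks.append((off, NAMES.get(btype, hex(btype)), first))
        off += first
    return blocks, None

def make_block(btype, body, trailer=None):
    """Build a little-endian block; trailer overrides the trailing length."""
    total = 12 + len(body)
    return (struct.pack("<II", btype, total) + body +
            struct.pack("<I", total if trailer is None else trailer))

def sample_capture():
    """Constructed data: SHB, IDB, one good EPB, one EPB with a zeroed trailer."""
    shb = make_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = make_block(1, struct.pack("<HHI", 1, 0, 262144))
    epb_body = struct.pack("<IIIII", 0, 0, 0, 1452, 1452) + bytes(1452)
    return shb + idb + make_block(6, epb_body) + make_block(6, epb_body, trailer=0)

if __name__ == "__main__":
    good, problem = scan_blocks(sample_capture())
    for off, name, length in good:
        print(f"{off:6d}  {name}  {length}")
    print("problem:", problem)
```

On a real file, pass the file's bytes to `scan_blocks`; every block listed before the reported offset passed the length checks.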