Using Tshark to remove malformed packets

2019-03-16

lancer6238

Hi all,

I want to use tcprewrite to change the MAC address of the packets in my pcap file, but whenever I try to do so, I get the error message "Fatal Error: Error rewriting packets". I narrowed it down to 1 specific packet, and on Wireshark, it is indicated as "malformed". (Other malformed packets in the same pcap did not affect tcprewrite, but this packet did.)

Since "malformed" is not an actual protocol, I can't use tshark on my Linux server to remove them first. Is there any other way to remove such malformed packets?

Thank you.

2019-03-17

Guy Harris

"malformed" is not an actual protocol

...but _ws.malformed is a valid named field; try using !_ws.malformed as a filter to display only the non-malformed packets.

(What does Wireshark display as the contents of that packet? Does it have source and destination MAC addresses? If so, you might want to report a bug in tcprewrite.)
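The procedure from this answer, as an added example that is not part of the original thread: a small POSIX shell script that lists which frames TShark's dissectors flag as malformed (with the expert message and the Ethernet addresses Guy asks about), writes a copy of the capture with those frames dropped via the !_ws.malformed display filter, and sanity-checks the frame counts. It assumes tshark is on PATH (overridable through the TSHARK variable); the file names are placeholders and are not taken from the post.

```shell
#!/bin/sh
# Added example (not code from the original thread or from the Wireshark project).
# Assumes tshark is installed; override its location with TSHARK=/path/to/tshark.
TSHARK=${TSHARK:-tshark}

# The display filter that keeps only frames no dissector marked as malformed.
clean_filter() {
    printf '%s' '!_ws.malformed'
}

# Count the frames in capture $1 that match display filter $2.
count_matching() {
    "$TSHARK" -r "$1" -Y "$2" -T fields -e frame.number | wc -l | tr -d ' '
}

# Show which frames are malformed, why, and whether they carry Ethernet
# addresses (empty eth.src/eth.dst columns mean tcprewrite has nothing to rewrite).
list_malformed() {
    "$TSHARK" -r "$1" -Y '_ws.malformed' -T fields -E header=y \
        -e frame.number -e eth.src -e eth.dst -e _ws.expert.message
}

# Write capture $1 to $2 without malformed frames. Because -Y is applied
# before -w, only frames passing the display filter are written.
# Returns 2 if tshark is missing, 1 if the count check fails.
strip_malformed() {
    in=$1
    out=$2
    command -v "$TSHARK" >/dev/null 2>&1 || { echo "$TSHARK not found" >&2; return 2; }
    total=$(count_matching "$in" 'frame')
    bad=$(count_matching "$in" '_ws.malformed')
    "$TSHARK" -r "$in" -Y "$(clean_filter)" -w "$out" || return 1
    kept=$(count_matching "$out" 'frame')
    echo "frames: $total, malformed: $bad, kept: $kept"
    [ "$kept" -eq $((total - bad)) ]
}

# Usage: ./strip_malformed.sh capture.pcap clean.pcap
if [ "$#" -eq 2 ]; then
    list_malformed "$1"
    strip_malformed "$1" "$2"
fi
```

After this, run tcprewrite against the cleaned file. If list_malformed shows the offending frame with populated eth.src and eth.dst columns, the frame does have MAC addresses, which is the case where reporting a tcprewrite bug (as suggested above) makes sense; the expert message column tells you which dissector gave up and why.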

Is "_ws.malformed" only valid in Wireshark? Can I use it in tshark too?

lancer6238 ( 2019-03-17 )

Is "_ws.malformed" only valid in Wireshark? Can I use it in tshark too?

Wireshark and TShark use the exact same code to dissect packets (as in "the code comes from the exact same file", in most if not all cases - libwireshark is a shared library), so, no, it's not only valid in Wireshark, and you can use it in TShark.

Guy Harris ( 2019-03-17 )

Thanks! This worked.

lancer6238 ( 2019-03-18 )

