Ask Your Question
0

Using Tshark to remove malformed packets

asked 2019-03-16 20:36:59 +0000

lancer6238 gravatar image

Hi all,

I want to use tcprewrite to change the MAC address of the packets in my pcap file, but whenever I tried to do so, I get the error message "Fatal Error: Error rewriting packets". I narrowed it down to 1 specific packet, and on Wireshark, it is indicated as "malformed". (Other malformed packets in the same pcap did not affect tcprewrite, but this packet did.)

Since "malformed" is not an actual protocol, I can't use tshark on my Linux server to remove them first. Is there any other way to remove such malformed packets?

Thank you.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-03-17 00:01:10 +0000

Guy Harris gravatar image

"malformed" is not an actual protocol

...but _ws.malformed is a valid named field; try using !_ws.malformed as a filter to display only the non-malformed packet.

(What does Wireshark display as the contents of that packet? Does it have source and destination MAC addresses? If so, you might want to report a bug in tcprewrite.)

edit flag offensive delete link more

Comments

Is "_ws.malformed" only valid in Wireshark? Can I use it in tshark too?

lancer6238 gravatar imagelancer6238 ( 2019-03-17 03:04:46 +0000 )edit

Is "_ws.malformed" only valid in Wireshark? Can I use it in tshark too?

Wireshark and TShark use the exact same code to dissect packets (as in "the code comes from the exact same file", in most if not all cases - libwireshark is a shared library), so, no, it's not only valid in Wireshark, and you can use it in TShark.

Guy Harris gravatar imageGuy Harris ( 2019-03-17 16:10:36 +0000 )edit

Thanks! This worked.

lancer6238 gravatar imagelancer6238 ( 2019-03-18 04:51:05 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-03-16 20:36:59 +0000

Seen: 1,779 times

Last updated: Mar 17 '19

Related questions

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

CIoT R13 support

How do I change the interface on Tshark?

Tshark TCP stream assembly

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2