This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Damaged capture file


I was trying to capture the GNS3 serial traffic with Wireshark (ver 1.6.5). But every time, the same error message shows up when I try to open the cap file. The error message is "The capture file appears to be damaged or corrupt (pcap: File has 67109120-byte packet, bigger than maximum of 65535.)". Just wondering, how is this possible? The cap file is only 10 KB in size.

Thomas, Technical Trainer, http://www.joera.in

asked 06 Jul '12, 01:48


joera

converted to question 06 Jul '12, 07:48


grahamb ♦


One Answer:


In pcap files, the packet size is a value written to the packet header each packet has stored just in front of the actual packet bytes. So if the write process writes a funny number into that space you might end up with the error message you see, and it has nothing to do with the actual file size. I'd say your file is indeed corrupt, but I can't say how it happened. What application did you capture the data with? Was it really Wireshark? If so, this is probably an issue you should report in the bug tracker.

answered 06 Jul '12, 08:32


Jasper ♦♦

And:

  1. If the file is being captured with Wireshark, was it the same Wireshark, on the same machine, that's being used to open it?

  2. If the file isn't being captured with Wireshark, is it being opened by Wireshark running on the same machine?

  3. If the capturing program and the opening program aren't running on the same machine, how is the file being transferred between the machines?

Some forms of file transfer can, if transferring between Windows and UN*X, damage files if they're transferring the file as text.

(06 Jul '12, 10:07) Guy Harris ♦♦
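
The two points made above, the per-record length field and text-mode transfer damage, shown together as an added example that is not part of the original posts: it walks the record headers of a classic pcap file and reports the first record whose length field is implausible. The sample capture, its timestamps and the function names are constructed for the illustration.

```python
import struct

MAX_PACKET = 65535  # limit quoted in the error message

def build_pcap(payloads):
    """Constructed sample: little-endian classic pcap, link type 1 (Ethernet)."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, MAX_PACKET, 1)
    for i, p in enumerate(payloads):
        # Per-record header: ts_sec, ts_usec, captured length, original length
        data += struct.pack("<IIII", 1341560000 + i, 0, len(p), len(p)) + p
    return data

def text_mode_damage(data):
    """What a text-mode transfer towards Windows does: every LF becomes CR LF."""
    return data.replace(b"\n", b"\r\n")

def first_bad_record(data):
    """Walk the record headers. Return (index, offset, captured_length) for the
    first implausible record, or None when every record is consistent."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    offset, index = 24, 0  # records start after the 24-byte file header
    while offset < len(data):
        if offset + 16 > len(data):
            return (index, offset, None)  # record header itself is cut short
        caplen = struct.unpack_from(endian + "I", data, offset + 8)[0]
        if caplen > MAX_PACKET or offset + 16 + caplen > len(data):
            return (index, offset, caplen)
        offset += 16 + caplen
        index += 1
    return None

# Constructed input: a 20-byte packet containing one LF byte, then a 300-byte packet.
CLEAN = build_pcap([b"\x00" * 9 + b"\n" + b"\x00" * 10, b"\x55" * 300])
DAMAGED = text_mode_damage(CLEAN)

if __name__ == "__main__":
    print("clean  :", len(CLEAN), "bytes ->", first_bad_record(CLEAN))
    print("damaged:", len(DAMAGED), "bytes ->", first_bad_record(DAMAGED))
```

A single inserted CR shifts the next record header by one byte, so the 377-byte damaged file appears to contain a 76800-byte packet. The reported offset is where a hex dump should be compared against the original capture.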