Revision history

initial version

How to remove a packet which is too big from pcap file

There is a captured pcap file which appears to be corrupt:

tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

I tried to remove that packet from the trace with:

tshark -r filet.pcap -R "ip.len<=64555" -2

but I get the same error:

0.000000 CS0 172.19.0.1 → 228.6.7.8 UDP 47549 46655 114 47549 → 46655 Len=86
...
22622.071058 CS0 172.19.0.1 → 239.255.255.250 SSDP 52107 ssdp 200 M-SEARCH * HTTP/1.1
tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

Is there a workaround to sanitize the trace?

How to remove a packet which is too big from pcap file

There is a captured pcap file which appears to be corrupt:

tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

I tried to remove that packet from the trace with:

tshark -r file.pcap -R "ip.len<=64555" -2

but I get the same error:

0.000000 CS0 172.19.0.1 → 228.6.7.8 UDP 47549 46655 114 47549 → 46655 Len=86
...
22622.071058 CS0 172.19.0.1 → 239.255.255.250 SSDP 52107 ssdp 200 M-SEARCH * HTTP/1.1
tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

Is there a workaround to sanitize the trace?

How to remove a packet which is too big from pcap file

There is a captured pcap file which appears to be corrupt:

tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

I tried to remove that packet from the trace with:

tshark -r file.pcap -R "ip.len<=65534" -2

but I get the same error:

0.000000 CS0 172.19.0.1 → 228.6.7.8 UDP 47549 46655 114 47549 → 46655 Len=86
...
22622.071058 CS0 172.19.0.1 → 239.255.255.250 SSDP 52107 ssdp 200 M-SEARCH * HTTP/1.1
tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

Is there a workaround to sanitize the trace?

How to remove a packet which is too big from pcap file

There is a captured pcap file which appears to be corrupt:

tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

I tried to remove that packet from the trace with:

tshark -r file.pcap -R "ip.len<=65534" -2

but I get the same error:

0.000000 CS0 172.19.0.1 → 228.6.7.8 UDP 47549 46655 114 47549 → 46655 Len=86
...
22622.071058 CS0 172.19.0.1 → 239.255.255.250 SSDP 52107 ssdp 200 M-SEARCH * HTTP/1.1
tshark: The file "file.pcap" appears to be damaged or corrupt. (pcap: File has 20447488-byte packet, bigger than maximum of 262144)

Is there a workaround to sanitize the trace?
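
A read filter cannot skip this record, because the error is raised while the file's record headers are being read, before any packet is dissected. As an added example (not part of the original post and not Wireshark code), the Python below copies every record that precedes the first one whose length field exceeds the limit. The names `salvage_pcap` and `constructed_sample` are hypothetical, the sample bytes are constructed, and a classic pcap file (not pcapng) is assumed.

```python
import struct

MAX_LEN = 262144  # limit quoted in the tshark error on this page
LITTLE = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec / nsec magic
BIG = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")

def salvage_pcap(data, max_len=MAX_LEN):
    """Keep every record before the first unusable one.

    Returns (clean_bytes, records_kept, reason_for_stopping)."""
    if len(data) < 24 or data[:4] not in LITTLE + BIG:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian = "<" if data[:4] in LITTLE else ">"
    out = bytearray(data[:24])          # copy the global header unchanged
    off, kept, reason = 24, 0, "end of file"
    while off < len(data):
        if off + 16 > len(data):
            reason = "truncated record header"
            break
        # Record header: ts_sec, ts_frac, incl_len, orig_len
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        if incl_len > max_len:
            # Record boundaries after this point cannot be trusted, so stop.
            reason = f"record {kept + 1} claims {incl_len} bytes"
            break
        end = off + 16 + incl_len
        if end > len(data):
            reason = "truncated packet data"
            break
        out += data[off:end]
        off, kept = end, kept + 1
    return bytes(out), kept, reason

def constructed_sample():
    """Constructed input: two valid records, then an oversized length field."""
    def rec(sec, payload):
        return struct.pack("<IIII", sec, 0, len(payload), len(payload)) + payload
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, MAX_LEN, 1)
    bad = struct.pack("<IIII", 3, 0, 20447488, 20447488) + b"\x00" * 32
    return header + rec(1, b"A" * 60) + rec(2, b"B" * 114) + bad

if __name__ == "__main__":
    clean, kept, reason = salvage_pcap(constructed_sample())
    print(f"kept {kept} records ({len(clean)} bytes); stopped: {reason}")
```

Work on a copy of the capture and keep the original, since everything after the damaged record header is dropped from the salvaged output.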