Is there any way to disable this "cut short in the middle of a packet" notification? I don't care if it's been cut short. This popup keeps me from being able to merge files so it's driving me insane.

asked 21 Sep '16, 13:15 awall
One Answer:
No. It's reporting that the file appears to have been damaged; either 1) the file really was damaged, in which case you lost data from that file, or 2) there's a bug in Wireshark and it's mistakenly reporting that the file was damaged, in which case you will lose data in the merge process.

If 1) is the case, run the file through editcap, or read it into Wireshark and then write it out; that will discard the damaged parts. Then do the merge using the resulting files.

If 2) is the case, file a bug.

answered 21 Sep '16, 13:46 Guy Harris ♦♦

With the IDS I am using, I only capture a certain number of bytes per alert (due to storage space), so almost every packet is cut short, but because of this warning box the inherent merge feature will not work. I don't get why there is no option to disable warnings. (21 Sep '16, 14:40) awall
A packet in a pcap or pcapng file (or other file formats that support a snapshot length) has two lengths - "length on the network" and "amount of data saved". A program that's not saving all the bytes of the packets it captures should give the full length of the packet as the "length on the network" and the number of bytes it actually saved as "amount of data saved"; if it does so, that will NOT cause a "The capture file appears to have been cut short in the middle of a packet." error. If, however, it writes out the full length of the packet as "amount of data saved", even though it doesn't actually save that many bytes, that file will be badly damaged to the point of unreadability, so that's presumably not what's happening here.

So there's "cut short" in the sense I described above, and there's "cut short" in the sense of the "The capture file appears to have been cut short in the middle of a packet." error; the two are different.

The "The capture file appears to have been cut short in the middle of a packet." error means that there's less data in the file for a packet than the "amount of data saved" says should be there, or that there isn't even a complete packet record header for the packet (the record header for a pcap file has the time stamp, the "length on the network", and the "amount of data saved"; for a pcapng file, it contains that information plus other information). That's the error you're getting. And, as I have indicated, it is an error, not a warning, so there's no good reason to disable it.

If you're getting that error, the intrusion detection system you're using is failing to write out the entire record for the last packet; either it has a bug (as programs should not do that; they can, as I indicated, write out partial packet contents, but they must write out all of that partial content) or it's just running out of disk space. (21 Sep '16, 15:09) Guy Harris ♦♦
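The distinction drawn in the comment above (a legitimately snapped packet whose "amount of data saved" is smaller than its "length on the network", versus a file whose last record has fewer bytes than its header promises) is easy to check by hand. The following is an added example, not code from the thread or from Wireshark: it builds a small classic-pcap file in memory from constructed records, walks the record headers the way a reader would, reports which of the two situations applies, and trims a damaged tail the way re-writing the file through editcap or Wireshark discards the damaged part. It assumes the libpcap file layout (24-byte global header; 16-byte per-record header of seconds, microseconds, saved length, wire length) and only handles classic pcap, not pcapng.

```python
import struct

# Classic pcap layout (libpcap file format); constants are assumptions of this example.
PCAP_MAGIC = 0xA1B2C3D4          # magic number for microsecond time stamps
GLOBAL_HDR_FMT = "<IHHiIII"      # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_FMT = "<IIII"         # ts_sec, ts_usec, incl_len (amount saved), orig_len (length on the network)
GLOBAL_HDR_LEN = struct.calcsize(GLOBAL_HDR_FMT)   # 24 bytes
RECORD_HDR_LEN = struct.calcsize(RECORD_HDR_FMT)   # 16 bytes


def build_pcap(records, snaplen=96):
    """Build a little-endian pcap file in memory from constructed (orig_len, payload) pairs.

    A payload shorter than orig_len is a legitimately snapped packet, not a damaged file.
    """
    out = bytearray(struct.pack(GLOBAL_HDR_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1))
    for i, (orig_len, payload) in enumerate(records):
        out += struct.pack(RECORD_HDR_FMT, 1474000000 + i, 0, len(payload), orig_len)
        out += payload
    return bytes(out)


def check_pcap(data):
    """Walk the records and report whether the file is cut short in the middle of a packet.

    status       "ok", "bad_magic", "truncated_header", "truncated_data" or "bad_length"
    complete     records whose header and data are both fully present
    snapped      complete records that saved fewer bytes than were on the wire (harmless)
    good_length  offset up to which the file is intact (what a salvage keeps)
    missing      bytes the damaged last record is short of (0 if none)
    """
    report = {"status": "ok", "complete": 0, "snapped": 0, "good_length": 0, "missing": 0}
    if len(data) < GLOBAL_HDR_LEN:
        report["status"] = "truncated_header"
        return report
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == struct.unpack("<I", struct.pack(">I", PCAP_MAGIC))[0]:
        endian = ">"                      # file was written big-endian; read headers accordingly
    else:
        report["status"] = "bad_magic"
        return report
    rec_fmt = endian + RECORD_HDR_FMT[1:]
    offset = GLOBAL_HDR_LEN
    report["good_length"] = offset
    while offset < len(data):
        remaining = len(data) - offset
        if remaining < RECORD_HDR_LEN:
            # Not even a whole record header is left: the writer stopped mid-header.
            report["status"] = "truncated_header"
            report["missing"] = RECORD_HDR_LEN - remaining
            return report
        _, _, incl_len, orig_len = struct.unpack_from(rec_fmt, data, offset)
        if incl_len > orig_len:
            # "amount saved" larger than "length on the network": an inconsistent header.
            report["status"] = "bad_length"
            return report
        end = offset + RECORD_HDR_LEN + incl_len
        if end > len(data):
            # Header promises incl_len bytes but the file ends first: cut short in the middle of a packet.
            report["status"] = "truncated_data"
            report["missing"] = end - len(data)
            return report
        report["complete"] += 1
        if incl_len < orig_len:
            report["snapped"] += 1        # snapped packet: fine, not an error
        offset = end
        report["good_length"] = offset
    return report


def salvage(data):
    """Keep only the complete records, dropping a damaged tail (the effect of re-writing the file)."""
    return data[:check_pcap(data)["good_length"]]


if __name__ == "__main__":
    # Constructed sample: one packet snapped to 96 of 1500 bytes, one saved in full.
    good = build_pcap([(1500, b"\xaa" * 96), (60, b"\xbb" * 60)])
    print("intact file:   ", check_pcap(good))
    print("10 bytes lost: ", check_pcap(good[:-10]))
    print("mid-header cut:", check_pcap(good[:140]))
    print("after salvage: ", check_pcap(salvage(good[:-10])))
```

Run against a real capture by reading the file into `data`; a snapped-only capture reports `status == "ok"` with a non-zero `snapped` count, whereas a file an IDS stopped writing part-way reports `truncated_data` or `truncated_header`, which is the condition Wireshark refuses to merge through.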
To my knowledge it can only be disabled by feeding Wireshark with properly closed files. What forces you to copy files before they have been closed and thus lose the last captured packets? Maybe use of ring buffers for capturing could solve it?