While we capture packets, we want Wireshark to cut off the packet when the packet len is larger than frame.cap_len. Is there any config in the Wireshark UI or a command parameter?

asked 22 Nov '16, 01:25 neil_hao (edited 22 Nov '16, 01:26)
2 Answers:
Go This instruction applies to the Qt version of Wireshark. For GTK+ (legacy) Wireshark, the exact layout may differ, but the functionality is available too.

answered 22 Nov '16, 04:28 sindy (edited 22 Nov '16, 04:29)
By definition the packet is 'cut short' to the capture length, as this is the amount of octets captured for that frame. If you seek to have the 'reported length', i.e. the length inferred from a packet header field, changed then that is not possible. Wireshark shows you the frame data as it is, without modification, and is capable of handling 'cut short' packets.

answered 22 Nov '16, 01:46 Jaap ♦

We do not want to modify, ie. in the packet header field, but we want to cut short the captured data packet len while we capture some pcap file, such as when the frame.cap_len is 128, we only want Wireshark to save the packets as 128 bytes. But in some sense, Wireshark may save packets larger than 128 bytes by default configuration. (22 Nov '16, 03:51) neil_hao

You've got things the wrong way around. frame.cap_len is the result of a capture action, not the cause of it. If you want to limit the amount of octets captured by Wireshark then go to menu Capture | Options..., and in the dialog set the value in the column 'snaplen' of your capture interface to the value you desire. 'Default' represents the value of 65535. (22 Nov '16, 04:31) Jaap ♦
And if @Jaap has understood you better than me - Wireshark does not allow truncating already captured packets when saving the capture to a file. The truncation must be done already while capturing. To reduce packet length in an existing capture file, a command-line command
editcap -C 128:65535 infile outfile
may be the way to do that.
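
The captured length versus reported length distinction from the answers above, shown on the classic pcap record header, as an added example that is not part of the original answers: the Python below cuts every record of a little-endian classic pcap to a snaplen, rewriting the captured-length field (frame.cap_len) and leaving the original-length field (frame.len) untouched. The function names and the two-packet sample are constructed for illustration; pcapng files are not handled.

```python
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major/minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_frac, incl_len (cap_len), orig_len (len)
MAGICS = (0xA1B2C3D4, 0xA1B23C4D)       # classic pcap, microsecond / nanosecond timestamps

def records(data):
    """Yield (ts_sec, ts_frac, orig_len, captured_bytes) for each record."""
    if GLOBAL_HDR.unpack_from(data, 0)[0] not in MAGICS:
        raise ValueError("not a little-endian classic pcap file")
    off = GLOBAL_HDR.size
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("file ends inside a record header")
        ts_sec, ts_frac, incl_len, orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + incl_len > len(data):
            raise ValueError("record data runs past end of file")
        yield ts_sec, ts_frac, orig_len, data[off:off + incl_len]
        off += incl_len

def truncate_pcap(data, snaplen):
    """Return a copy of the capture with every record cut to at most snaplen bytes."""
    hdr = list(GLOBAL_HDR.unpack_from(data, 0))
    hdr[5] = min(hdr[5], snaplen)  # file-level snaplen field
    out = bytearray(GLOBAL_HDR.pack(*hdr))
    for ts_sec, ts_frac, orig_len, payload in records(data):
        kept = payload[:snaplen]
        # incl_len shrinks to what is stored; orig_len still reports the on-wire size
        out += RECORD_HDR.pack(ts_sec, ts_frac, len(kept), orig_len) + kept
    return bytes(out)

def lengths(data):
    """Return [(cap_len, len), ...] as Wireshark would show frame.cap_len / frame.len."""
    return [(len(payload), orig_len) for _, _, orig_len, payload in records(data)]

def build_sample():
    """Constructed capture: one 200-byte and one 60-byte Ethernet frame of zero bytes."""
    out = bytearray(GLOBAL_HDR.pack(MAGICS[0], 2, 4, 0, 0, 65535, 1))
    for i, size in enumerate((200, 60)):
        out += RECORD_HDR.pack(1479777900 + i, 0, size, size) + bytes(size)
    return bytes(out)

if __name__ == "__main__":
    sample = build_sample()
    print(lengths(sample))
    print(lengths(truncate_pcap(sample, 128)))
```
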