Hello; I have used Wireshark to capture a full day's worth of data; however, when I try to open the file, I receive the following error: "The capture file appears to be damaged or corrupt. (pcap: File has 1313056966-byte packet, bigger than maximum of 65535)". Is there a workaround so I can view the entire file? Thanks, Ian
asked 29 Aug '11, 11:41 sehguh, edited 29 Feb '12, 19:10 cmaynard ♦♦
4 Answers:
The usual cause of this error is the file being mangled by transferring it over FTP in ASCII mode instead of BINARY mode. If you did transfer the file by FTP, please transfer the file again, now using BINARY mode. answered 29 Aug '11, 16:08 SYN-bit ♦♦
My file was named .txt and the file size got changed during transfer. Renamed it to .pcap and voilà :) (16 May '13, 23:38) imdeepakg
Whatever program you used to transfer the file may have assumed that, because the file's name ended in Changing the name and copying it again may have caused the program to transfer it byte-by-byte rather than trying to convert between Windows and UN*X text file format. (17 May '13, 00:17) Guy Harris ♦♦
Maybe you could use "pcapfix"... it tries to repair broken / corrupted pcap files... answered 20 Apr '12, 07:58 creeq
Unfortunately, no - if the file is corrupt, perhaps due to a Wireshark bug, there's no way to read past the bad packet. There might be a Wireshark bug when reading the packet; if you're not using the latest version of Wireshark (1.6.1, currently), try installing that and see whether it can read it. answered 29 Aug '11, 13:55 Guy Harris ♦♦
... or you can use editcap to cut the capture into parts, which then can, or cannot, be read. answered 29 Aug '11, 14:36 Jaap ♦
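An added example, not code from this thread and not part of pcapfix, editcap or Wireshark, showing what the "cut the file" and "repair the file" answers above boil down to at the byte level: a classic pcap file is a 24-byte global header followed by records that each start with a 16-byte header (ts_sec, ts_frac, incl_len, orig_len). The script walks those record headers, stops at the first one whose incl_len exceeds the 65535 limit quoted in the question or runs past the end of the file, and writes out the readable prefix. The sample file returned by build_sample() is constructed for the demo (its bad length field mimics the value in the question); pcapng files are deliberately out of scope.

```python
import struct
import sys

# Classic pcap magic numbers -> (struct byte-order prefix, timestamp resolution)
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}
MAX_PACKET = 65535      # the per-packet limit quoted in the error message in this thread
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def scan_pcap(data: bytes):
    """Walk the record headers of a classic pcap file.

    Returns (snaplen, records, bad): records lists every record whose header
    is plausible, bad describes the first one that is not (None if the whole
    file walks cleanly). Only the 16-byte record headers are read, which is
    exactly the data Wireshark trips over.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    magic = data[:4]
    if magic not in PCAP_MAGIC:
        # pcapng (0x0A0D0D0A) and anything else is out of scope here
        raise ValueError("not a classic pcap file: magic %s" % magic.hex())
    endian, _ = PCAP_MAGIC[magic]
    _vmaj, _vmin, _tz, _sig, snaplen, _link = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])

    records, bad = [], None
    offset, index = GLOBAL_HDR_LEN, 1
    while offset + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HDR_LEN])
        rec = {"index": index, "offset": offset, "ts_sec": ts_sec,
               "ts_frac": ts_frac, "incl_len": incl_len, "orig_len": orig_len}
        if incl_len > MAX_PACKET:
            rec["reason"] = "incl_len %d exceeds %d" % (incl_len, MAX_PACKET)
        elif offset + RECORD_HDR_LEN + incl_len > len(data):
            rec["reason"] = "record runs past end of file"
        if "reason" in rec:
            bad = rec
            break
        records.append(rec)
        offset += RECORD_HDR_LEN + incl_len
        index += 1
    return snaplen, records, bad


def describe(rec):
    """Format a record header in the same shape as the pcapfix lines in this thread."""
    tag = "[-] Corrupted packet" if "reason" in rec else "[+] Packet"
    return "%s #%d at position %d (%d | %d | %d | %d)" % (
        tag, rec["index"], rec["offset"], rec["ts_sec"], rec["ts_frac"],
        rec["incl_len"], rec["orig_len"])


def salvage(data: bytes):
    """Return (bytes, kept): the file cut just before the first bad header."""
    _snaplen, records, bad = scan_pcap(data)
    if bad is None:
        return data, len(records)
    return data[:bad["offset"]], len(records)


def build_sample() -> bytes:
    """Constructed test input: two sane records followed by a garbage header."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    pkt1 = struct.pack("<IIII", 1335214033, 262752, 60, 60) + b"\x00" * 60
    pkt2 = struct.pack("<IIII", 1335214033, 262800, 1514, 1514) + b"\x11" * 1514
    # Header whose length field mimics the 1313056966-byte value from the question.
    junk = struct.pack("<IIII", 2985547892, 1583189366, 1313056966, 4251964125) + b"\xff" * 100
    return hdr + pkt1 + pkt2 + junk


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    snaplen, good, bad = scan_pcap(raw)
    print("snaplen %d, %d readable packets" % (snaplen, len(good)))
    if bad:
        print(describe(bad), "->", bad["reason"])
        fixed, _ = salvage(raw)
        with open("fixed_out.pcap", "wb") as f:
            f.write(fixed)
        print("wrote fixed_out.pcap with the first %d packets" % len(good))
```

Run it as `python salvage_pcap.py capture.pcap` (the file name is an assumption) to get a pcapfix-style report and a truncated copy that Wireshark opens without the error. It is deliberately simpler than pcapfix: it stops at the first implausible header rather than searching forward for the next plausible one, so everything after the damaged record is dropped, which is the same trade-off as cutting the capture with editcap.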
I too am facing this problem.
Running Wireshark 1.6.7, WinPcap 4.1.2 on Windows 7 x64 intel PRO/1000 PM nic. I capture using tshark with this string: "C:\Program Files\Wireshark\tshark" -a duration:60 -B 2 -i 1 -n -q -w D:\wireshark\ny_c\udfald\capture.pcap
When opening the capture.pcap file (on the same machine, no ftp transfers!) I get the following error: The capture file appears to be damaged or corrupt. (pcap: File has 39931111361-byte packet, bigger than maximum of 65535)
I click "OK" and the file opens just fine. I filter the file using "frame.len > 1514" and there is nothing?! Should I expect to see the 39931111361-byte packet, or not?
Regards Anders
Uploaded the file to http://f00l.de/pcapfix/. Below are the last lines of the pcapfix report.
[+] Packet #19422 at position 9571953 (1335214033 | 262752 | 1514 | 1514). [-] Corrupted packet #19423 at position 9573483 (2985547892 | 1583189366 | 4270389735 | 4251964125). [*] Recovering... [-] FAILED! Unable to recover pcap file.
To be continued...
In wireshark the last packet I can view, is #19422.
So the answer to my question is - No, I shouldn't expect to see the 39931111361-byte packet!
Been trying to use editcap, but had no luck. I tried to delete packet #19423, and to capture packets #1-19422. In both cases, I get this error message: File contains a record that's not valid. (pcap: File has 4270389735-byte packet, bigger than maximum of 65535)
Your pcapfix output was very helpful for me... I improved the detection algorithm the tool is using... Please try this version to repair your file... I hope it works this time...
ONLINE: http://f00l.de/hacking/pcapfix-0.4rc3.php OFFLINE: http://f00l.de/pcapfix/pcapfix-0.4rc3.tar.gz
Thanks! That did it. These are the last lines of my repaired file:
[+] POSSIBLE Packet #93952 at position 65590147 (1335214073 | 81395 | 66 | 66). [+] SUCCESS.
Your pcap file has been successfully repaired (49 corrupted packet(s)). Wrote 93952 packets to file fixed_phpUe2tRN.
And it has helped me reveal my problem - Spanning-tree!
Thanks again:)