This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Error in Pcap file

1

Hello, I have used Wireshark to capture a full day's worth of data; however, when I try to open the file, I receive the following error.

The capture file appears to be damaged or corrupt. (pcap: File has 1313056966-byte packet, bigger than maximum of 65535). Is there a workaround so I can view the entire file?

Thanks Ian

asked 29 Aug '11, 11:41


sehguh
accept rate: 0%

edited 29 Feb '12, 19:10


cmaynard ♦♦

I too am facing this problem.

Running Wireshark 1.6.7, WinPcap 4.1.2 on Windows 7 x64 intel PRO/1000 PM nic. I capture using tshark with this string: "C:\Program Files\Wireshark\tshark" -a duration:60 -B 2 -i 1 -n -q -w D:\wireshark\ny_c\udfald\capture.pcap

When opening the capture.pcap file (on the same machine, no ftp transfers!) I get the following error: The capture file appears to be damaged or corrupt. (pcap: File has 39931111361-byte packet, bigger than maximum of 65535)

I click "OK" and the file opens just fine. I filter the file using "frame.len > 1514" and there is nothing?! Should I expect to see the 39931111361-byte packet, or not?

Regards Anders

(24 Apr '12, 02:23) Smakodak

Uploaded the file to http://f00l.de/pcapfix/. Below are the last lines of the pcapfix report.

[+] Packet #19422 at position 9571953 (1335214033 | 262752 | 1514 | 1514).
[-] Corrupted packet #19423 at position 9573483 (2985547892 | 1583189366 | 4270389735 | 4251964125).
[*] Recovering...
[-] FAILED! Unable to recover pcap file.

To be continued...

(25 Apr '12, 01:43) Smakodak

In wireshark the last packet I can view, is #19422.

So the answer to my question is - No, I shouldn't expect to see the 39931111361-byte packet!

Been trying to use editcap, but had no luck. I tried to delete packet #19423, and to capture packets #1-19422. In both cases, I get this error message: File contains a record that's not valid. (pcap: File has 4270389735-byte packet, bigger than maximum of 65535)

(25 Apr '12, 01:43) Smakodak

Your pcapfix output was very helpful for me... I improved the detection algorithm the tool is using... please try this version to repair your file... I hope it works this time...

ONLINE: http://f00l.de/hacking/pcapfix-0.4rc3.php OFFLINE: http://f00l.de/pcapfix/pcapfix-0.4rc3.tar.gz

(25 Apr '12, 07:09) creeq

Thanks! That did it. These are the last lines of my repaired file:

[+] POSSIBLE Packet #93952 at position 65590147 (1335214073 | 81395 | 66 | 66).
[+] SUCCESS.

Your pcap file has been successfully repaired (49 corrupted packet(s)). Wrote 93952 packets to file fixed_phpUe2tRN.

And it has helped me reveal my problem - Spanning-tree!

Thanks again :)

(26 Apr '12, 01:20) Smakodak

4 Answers:

2

The usual cause of this error is the file being mangled by transferring it over FTP in ASCII mode instead of BINARY mode. If you did transfer the file by FTP, please transfer the file again, now using BINARY mode.

answered 29 Aug '11, 16:08


SYN-bit ♦♦
accept rate: 20%

My file was named .txt and the file size got changed during transfer. Renamed it to .pcap and voilà :)

(16 May '13, 23:38) imdeepakg

Whatever program you used to transfer the file may have assumed that, because the file's name ended in .txt, it was a text file, and transferred it in a mode that didn't preserve its contents (instead perhaps converting LF to CR-LF or vice versa, if it was copying between Windows and UN*X).

Changing the name and copying it again may have caused the program to transfer it byte-by-byte rather than trying to convert between Windows and UN*X text file format.

(17 May '13, 00:17) Guy Harris ♦♦

1

Maybe you could use "pcapfix"... it tries to repair broken/corrupted pcap files...

http://f00l.de/pcapfix/

answered 20 Apr '12, 07:58


creeq
accept rate: 0%

0

Unfortunately, no - if the file is corrupt, perhaps due to a Wireshark bug, there's no way to read past the bad packet. There might be a Wireshark bug when reading the packet; if you're not using the latest version of Wireshark (1.6.1, currently), try installing that and see whether it can read it.

answered 29 Aug '11, 13:55


Guy Harris ♦♦
accept rate: 19%

0

... or you can use editcap to cut the capture into parts, which then can, or cannot, be read.

answered 29 Aug '11, 14:36


Jaap ♦
accept rate: 14%