Wireshark mailing list archives

Re: The capture file appears to be damaged or corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 65535)


From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
Date: Mon, 17 May 2010 11:07:17 -0700

It's my understanding that dumpcap uses its own custom code to create PCAP 
files. The only case that might cause a corrupted capture file is that when 
a packet is received with pcap_next_ex (or whatever other function is used 
by dumpcap), pcap_pkthdr::len < pcap_pkthdr::caplen, and even in this case, 
I'm not sure if this would cause a corrupted file.

Have a nice day
GV

--------------------------------------------------
From: "Sake Blok" <sake () euronet nl>
Sent: Monday, May 17, 2010 10:44 AM
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] The capture file appears to be damaged or corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 65535)

Hi Joseph,

If you look at the last packet of the tracefile that can be read by 
Wireshark (frame 1407), you can see that the capture length is set to 98 
bytes, while there were 102 bytes on the wire. However, you were not using 
a snap length and the tracefile actually contains all 102 bytes. This 
looks like a bug in WinPcap. Which version of WinPcap are you using? I'm 
not sure but I believe there were some issues with earlier 64 bit versions 
of WinPcap.

Cheers,


Sake

On 17 mei 2010, at 16:25, Joseph Laibach wrote:

Here is one of the files that loads and tells me the file is corrupt.

-----Original Message-----
From: wireshark-users-bounces () wireshark org 
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of Joseph 
Laibach
Sent: Friday, May 14, 2010 3:32 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged or 
corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
65535)

So I made the changes and once the network traffic starts picking up I 
get corrupted files again. Traffic is about 60MBit/sec.

Here is the command I'm running now:

C:\"Program Files"\Wireshark\dumpcap.exe -i \Device\NPF_{21741AFC-E45E-46A6-9740-9E233E4FF91D} -w d:\SFTI_capture -b files:20000 -b filesize:8192 -B 256

Thanks again

Joe

-----Original Message-----
From: wireshark-users-bounces () wireshark org 
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of Joseph 
Laibach
Sent: Friday, May 14, 2010 11:47 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged or 
corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
65535)

Thanks for catching it. I should be using the -b filesize:8192 instead. 
I'll make the changes and see what happens.

Thanks

Joe

-----Original Message-----
From: wireshark-users-bounces () wireshark org 
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of Sake Blok
Sent: Friday, May 14, 2010 11:36 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged or 
corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
65535)

Hmmm... reading back all the mails I see that you use:

dumpcap ... -b files:10000 -a filesize:8192 ...

Why are you mixing -b and -a options?  "-a" options are for automatically 
finishing the capture and "-b" options are for creating a ringbuffer. 
Which of the two were you planning to use?

If sticking to one of these two options does not solve the issue, are you 
able to share a file that is giving the error?

Cheers,
Sake



On 14 mei 2010, at 17:11, Joseph Laibach wrote:

I open the file on the host that it was captured on, or I copy it via a 
Windows file share. Either way it gives me the same error. I'm capturing 
stock Market multicast data, if that matters. The traffic is very bursty 
and the data rate is around 200mb/sec. I switched from a Broadcom NIC to 
Intel NIC to see if that would help but no luck on that change either.

-----Original Message-----
From: wireshark-users-bounces () wireshark org 
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of Sake Blok
Sent: Friday, May 14, 2010 10:49 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged or 
corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
65535)

Did you open the file on the host on which it was captured? Or did you 
transfer the file from the capturing host to the host on which you try 
to read it? The error message that you get usually appears after the 
file has been transferred to another host with FTP in ASCII mode instead 
of BINARY mode.

(FYI dumpcap writes libpcap based files which can not contain packets 
larger than 65535 bytes, so the file is most probably corrupted somehow)

Cheers,
Sake

On 14 mei 2010, at 16:36, Joseph Laibach wrote:

Is there a way to remove the 65535 maximum from the reading of a 
capture?

Thanks

Joe

-----Original Message-----
From: wireshark-users-bounces () wireshark org 
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of Joseph 
Laibach
Sent: Tuesday, May 11, 2010 11:36 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged 
or corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
65535)

I'm running version 1.2.7 64bit.

-----Original Message-----
From: wireshark-users-bounces () wireshark org 
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of Jaap Keuter
Sent: Tuesday, May 11, 2010 11:29 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged 
or corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
65535)

But what release of Wireshark are you using?

Thanks,
Jaap

Sent from my iPhone

On 11 mei 2010, at 16:37, Joseph Laibach <jlaibach () schonfeld com> 
wrote:

I am having an issue with some of the capture files. Some capture
files spit back an error that the capture file appears to be damaged
or corrupt. The capture is running on a Windows 2003 Server R2 64bit,
with 2 gigs of memory and an Intel Xeon 2.33ghz processor.

I am capturing with dumpcap. The syntax I am using is as follows:

C:\"Program Files"\Wireshark\dumpcap.exe -i \Device\NPF_{ECC9D35A-826A-4A4F-B634-656EAD4EC7C9} -w d:\SFTI_capture -b files:10000 -a filesize:8192 -B 128 -s 10000000

I added the -s 10000000 to try and fix the large byte packet issue but
that hasn't worked.

Anyone have any suggestions on how to eliminate the corruption of
capture files?



Thanks



Joe Laibach




This communication is for informational purposes only.  It is not
intended as an offer or solicitation or as an official
confirmation.  Market prices and other information are not
guaranteed as to completeness or accuracy and are subject to change
without notice.  Schonfeld Group reserves the right to monitor and
review the content of all messages sent to or from this e-mail
address.
___________________________________________________________________________


Sent via:    Wireshark-users mailing list 
<wireshark-users () wireshark org

Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
<SFTI_capture_09969_20100517094319>
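
An added example, not part of the thread and not Wireshark or WinPcap code: a small checker that walks the record headers of a classic pcap file and reports where a reader falls out of step, including the case Sake describes where a record's header claims fewer bytes than were actually written. The function names, the microsecond sanity check and the sample file are assumptions made for this illustration; the sample is constructed, not taken from Joseph's capture.

```python
import struct

MAX_PACKET = 65535  # limit quoted in the error message discussed in this thread

def _sane(data, off, endian):
    """Return (incl_len, orig_len) if a plausible record header sits at off."""
    if off + 16 > len(data):
        return None
    _, usec, incl, orig = struct.unpack_from(endian + "IIII", data, off)
    if incl > MAX_PACKET or incl > orig or usec >= 1_000_000:
        return None
    return incl, orig

def scan_pcap(data):
    """Walk a classic pcap file; return (frames_read, diagnosis)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    off, frames, prev = 24, 0, None  # prev: (offset, incl_len, orig_len)
    while off < len(data):
        hdr = _sane(data, off, endian)
        if hdr is None:
            diag = f"bad record header at offset {off} after frame {frames}"
            if prev and prev[2] > prev[1]:
                # Hypothesis from the thread: the previous record stores
                # orig_len bytes although its header claims incl_len.
                alt = prev[0] + 16 + prev[2]
                if alt == len(data) or _sane(data, alt, endian):
                    diag += (f"; frame {frames} claims {prev[1]} bytes "
                             f"but {prev[2]} appear to be stored")
            return frames, diag
        prev = (off, *hdr)
        off += 16 + hdr[0]
        frames += 1
    return frames, "ok" if off == len(data) else "last record truncated"

def build_sample():
    """Constructed input: 4 records; the 3rd stores 102 bytes but claims 98."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, MAX_PACKET, 1)
    for incl, orig in ((60, 60), (60, 60), (98, 102), (60, 60)):
        out += struct.pack("<IIII", 1274089399, 500000, incl, orig)
        out += b"\xff" * orig  # bytes actually written to the file
    return out

if __name__ == "__main__":
    print(scan_pcap(build_sample()))
```

On a real capture, pass the file's bytes to `scan_pcap`; the reported offset is where a hex editor should be pointed to inspect the damaged record.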

