Wireshark-users: Re: [Wireshark-users] The capturefile appears to be damaged or corrupt. (pcap: F

From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Date: Mon, 17 May 2010 13:17:49 -0700


--------------------------------------------------
From: "Sake Blok" <sake@xxxxxxxxxx>
Sent: Monday, May 17, 2010 1:02 PM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Cc: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] The capturefile	appears	to	be	damaged	orcorrupt.(pcap: Fileshas	109736-byte packet, bigger than maximum of 65535)

Gianluca,

I have checked the code in dumpcap and if I understand things correctly, in the function capture_loop_dispatch, a call is made to pcap_dispatch. In this call, capture_loop_cb is supplied as packet-handler.

When I check capture_loop_cb, it will call libpcap_write_packet and libpcap_write_packet will actually write the pcap-header to the output file as follows:

       rec_hdr.incl_len = phdr->caplen;
       rec_hdr.orig_len = phdr->len;
       nwritten = fwrite(&rec_hdr, 1, sizeof rec_hdr, fp);

the phdr struct is passed on from capture_loop_cb to libpcap_write_packet unaltered. So in my understanding pcap_dispatch must have supplied a wrong value of phdr->caplen for it to to faultly written to file. However this contradicts with the fact that the whole packet is indeed written after the header, because the following code should have trimmed the data to phr->caplen:

      nwritten = fwrite(pd, 1, phdr->caplen, fp);

This is what I was expecting. In the corrupted file, what the is value of the "len" field?

GV



So I'm puzzled...

... and also not too familiar with this part of the code and/or the WinPcap libraries...

Cheers,
Sake




On 17 mei 2010, at 20:07, Gianluca Varenni wrote:

It's my understanding that dumpcap uses its own custom code to create PCAP files. The only case that might cause a corrupted capture file is that when a packet is received with pcap_next_ex (or whatever other function is used by dumpcap), pcap_pkthdr::len < pcap_pkthdr::caplen, and even in this case,
I'm not sure if this would cause a corrupted file.

Have a nice day
GV

--------------------------------------------------
From: "Sake Blok" <sake@xxxxxxxxxx>
Sent: Monday, May 17, 2010 10:44 AM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx> Subject: Re: [Wireshark-users] The capturefile appears to be damaged orcorrupt.(pcap: Fileshas 109736-byte packet, bigger than maximum of 65535)

Hi Joseph,

If you look at the last packet of the tracefile that can be read by
Wireshark (frame 1407), you can see that the capture length is set to 98
bytes, while there were 102 bytes on the wire. However, you were not using
a snap length and the tracefile actually contains all 102 bytes. This
looks like a bug in WinPcap. Which version of WinPcap are you using? I'm
not sure but I believe there were some issues with earlier 64 bit versions
of WinPcap.

Cheers,


Sake

On 17 mei 2010, at 16:25, Joseph Laibach wrote:

Here is one of the files that loads and tells me the file is corrupt.

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Joseph
Laibach
Sent: Friday, May 14, 2010 3:32 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged or
corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of
65535)

So I made the changes and once the network traffic starts picking up I
get corrupted files again. Traffic is about 60MBit/sec.

Here is the command I'm running now:

C:\"Program Files"\Wireshark\dumpcap.exe -i
\Device\NPF_{21741AFC-E45E-46A6-9740-9E233E4FF91D} -w d:\SFTI_capture -b
files:20000 -b filesize:8192 -B 256

Thanks again

Joe

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Joseph
Laibach
Sent: Friday, May 14, 2010 11:47 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged or
corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of
65535)

Thanks for catching it. I should be using the -b filesize:8192 instead.
I'll make the changes and see what happens.

Thanks

Joe

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Friday, May 14, 2010 11:36 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged or
corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of
65535)

Hmmm... reading back all the mails I see that you use:

dumpcap ... -b files:10000 -a filesize:8192 ...

Why are you mixing -b and -a options?  "-a" options are for automatic
finishing the capturing and "-b" options are for creating a ringbuffer.
Which of the two were you planning to use?

If sticking to one of these two options does not solve the issue, are you
able to share a file that is giving the error?

Cheers,
Sake



On 14 mei 2010, at 17:11, Joseph Laibach wrote:

I open the file on the host that is was captured on, or I copy it via a Windows file share. Either way it gives me the same error. I'm capturing stock Market multicast data, if that matters. The traffic is very bursty and the data rate is around 200mb/sec. I switched from a Broadcom NIC to
Intel NIC to see if that would help but no luck on that change either.

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Friday, May 14, 2010 10:49 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged or
corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of
65535)

Did you open the file on the host on which it was captured? Or did you
transfer the file from the capturing host to the host on which you try
to read it? The error message that you get usually appears after the
file has been transferred to another host with FTP in ASCII mode instead
of BINARY mode.

(FYI dumpcap writes libpcap based files which can not contain packets
larger than 65535 bytes, so the file is most probably corrupted somehow)

Cheers,
Sake

On 14 mei 2010, at 16:36, Joseph Laibach wrote:

Is there a way to remove the 65535 maximum from the reading of a
capture?

Thanks

Joe

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Joseph
Laibach
Sent: Tuesday, May 11, 2010 11:36 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged
or corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of
65535)

I'm running version 1.2.7 64bit.

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
Sent: Tuesday, May 11, 2010 11:29 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] The capture file appears to be damaged
or corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of
65535)

But what release of Wireshark are you using?

Thanks,
Jaap

Send from my iPhone

On 11 mei 2010, at 16:37, Joseph Laibach <jlaibach@xxxxxxxxxxxxx>
wrote:

I am having an issue with some of the capture files. Some captures
files spit back an error that the capture file appears to be damaged
or corrupt. The capture is running on a Windows 2003 Sever R2 64bit,
with 2 gigs of memory and a Inetl Xeon 2.33ghz processor.



I am capturing with dumpcap. The syntax I am using is as follows: C:
\"Program Files"\Wireshark\dumpcap.exe -i \Device\NPF_
{ECC9D35A-826A-4A4F-B634-656EAD4EC7C9} -w d:\SFTI_capture -b files:
10000 -a filesize:8192 -B 128 -s 10000000



I added the -s 10000000 to try and fix the large byte packet issue b
ut that hasn't worked.



Anyone have any suggestions on how to eliminated the corruption of
capture files?



Thanks



Joe Laibach




This communication is for informational purposes only.  It is not
intended as an offer or solicitation or as an official
confirmation.  Market prices and other information are not
guaranteed as to completeness or accuracy and are subject to change
without notice.  Schonfeld Group reserves the right to monitor and
review the content of all messages sent to or from this e-mail
address.
___________________________________________________________________________


Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx

Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



This communication is for informational purposes only.  It is not
intended as an offer or solicitation or as an official confirmation.
Market prices and other information are not guaranteed as to
completeness or accuracy and are subject to change without notice.
Schonfeld Group reserves the right to monitor and review the content of
all messages sent to or from this e-mail address.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



This communication is for informational purposes only.  It is not
intended as an offer or solicitation or as an official confirmation.
Market prices and other information are not guaranteed as to
completeness or accuracy and are subject to change without notice.
Schonfeld Group reserves the right to monitor and review the content of
all messages sent to or from this e-mail address.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



This communication is for informational purposes only.  It is not
intended as an offer or solicitation or as an official confirmation.
Market prices and other information are not guaranteed as to
completeness or accuracy and are subject to change without notice.
Schonfeld Group reserves the right to monitor and review the content of
all messages sent to or from this e-mail address.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



This communication is for informational purposes only.  It is not
intended as an offer or solicitation or as an official confirmation.
Market prices and other information are not guaranteed as to completeness
or accuracy and are subject to change without notice.  Schonfeld Group
reserves the right to monitor and review the content of all messages sent
to or from this e-mail address.

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



This communication is for informational purposes only.  It is not
intended as an offer or solicitation or as an official confirmation.
Market prices and other information are not guaranteed as to completeness
or accuracy and are subject to change without notice.  Schonfeld Group
reserves the right to monitor and review the content of all messages sent
to or from this e-mail address.

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



This communication is for informational purposes only.  It is not
intended as an offer or solicitation or as an official confirmation.
Market prices and other information are not guaranteed as to completeness
or accuracy and are subject to change without notice.  Schonfeld Group
reserves the right to monitor and review the content of all messages sent
to or from this e-mail address.
<SFTI_capture_09969_20100517094319>___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe