Wireshark-users: Re: [Wireshark-users] The capturefile appears to be damaged or corrupt. (pcap: F
From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 17 May 2010 22:02:59 +0200
Gianluca,

I have checked the code in dumpcap and if I understand things correctly, in the function capture_loop_dispatch, a call is made to pcap_dispatch. In this call, capture_loop_cb is supplied as packet-handler.

When I check capture_loop_cb, it will call libpcap_write_packet and libpcap_write_packet will actually write the pcap-header to the output file as follows:

        rec_hdr.incl_len = phdr->caplen;
        rec_hdr.orig_len = phdr->len;
        nwritten = fwrite(&rec_hdr, 1, sizeof rec_hdr, fp);

the phdr struct is passed on from capture_loop_cb to libpcap_write_packet unaltered. So in my understanding pcap_dispatch must have supplied a wrong value of phdr->caplen for it to to faultly written to file. However this contradicts with the fact that the whole packet is indeed written after the header, because the following code should have trimmed the data to phr->caplen:

       nwritten = fwrite(pd, 1, phdr->caplen, fp); 

So I'm puzzled...

... and also not too familiar with this part of the code and/or the WinPcap libraries...

Cheers,
Sake




On 17 mei 2010, at 20:07, Gianluca Varenni wrote:

> It's my understanding that dumpcap uses its own custom code to create PCAP 
> files. The only case that might cause a corrupted capture file is that when 
> a packet is received with pcap_next_ex (or whatever other function is used 
> by dumpcap), pcap_pkthdr::len < pcap_pkthdr::caplen, and even in this case, 
> I'm not sure if this would cause a corrupted file.
> 
> Have a nice day
> GV
> 
> --------------------------------------------------
> From: "Sake Blok" <sake@xxxxxxxxxx>
> Sent: Monday, May 17, 2010 10:44 AM
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] The capturefile	appears	to	be	damaged	orcorrupt.(pcap: Fileshas	109736-byte packet, bigger than maximum of 65535)
> 
>> Hi Joseph,
>> 
>> If you look at the last packet of the tracefile that can be read by 
>> Wireshark (frame 1407), you can see that the capture length is set to 98 
>> bytes, while there were 102 bytes on the wire. However, you were not using 
>> a snap length and the tracefile actually contains all 102 bytes. This 
>> looks like a bug in WinPcap. Which version of WinPcap are you using? I'm 
>> not sure but I believe there were some issues with earlier 64 bit versions 
>> of WinPcap.
>> 
>> Cheers,
>> 
>> 
>> Sake
>> 
>> On 17 mei 2010, at 16:25, Joseph Laibach wrote:
>> 
>>> Here is one of the files that loads and tells me the file is corrupt.
>>> 
>>> -----Original Message-----
>>> From: wireshark-users-bounces@xxxxxxxxxxxxx 
>>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Joseph 
>>> Laibach
>>> Sent: Friday, May 14, 2010 3:32 PM
>>> To: Community support list for Wireshark
>>> Subject: Re: [Wireshark-users] The capture file appears to be damaged or 
>>> corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
>>> 65535)
>>> 
>>> So I made the changes and once the network traffic starts picking up I 
>>> get corrupted files again. Traffic is about 60MBit/sec.
>>> 
>>> Here is the command I'm running now:
>>> 
>>> C:\"Program Files"\Wireshark\dumpcap.exe -i 
>>> \Device\NPF_{21741AFC-E45E-46A6-9740-9E233E4FF91D} -w d:\SFTI_capture -b 
>>> files:20000 -b filesize:8192 -B 256
>>> 
>>> Thanks again
>>> 
>>> Joe
>>> 
>>> -----Original Message-----
>>> From: wireshark-users-bounces@xxxxxxxxxxxxx 
>>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Joseph 
>>> Laibach
>>> Sent: Friday, May 14, 2010 11:47 AM
>>> To: Community support list for Wireshark
>>> Subject: Re: [Wireshark-users] The capture file appears to be damaged or 
>>> corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
>>> 65535)
>>> 
>>> Thanks for catching it. I should be using the -b filesize:8192 instead. 
>>> I'll make the changes and see what happens.
>>> 
>>> Thanks
>>> 
>>> Joe
>>> 
>>> -----Original Message-----
>>> From: wireshark-users-bounces@xxxxxxxxxxxxx 
>>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
>>> Sent: Friday, May 14, 2010 11:36 AM
>>> To: Community support list for Wireshark
>>> Subject: Re: [Wireshark-users] The capture file appears to be damaged or 
>>> corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
>>> 65535)
>>> 
>>> Hmmm... reading back all the mails I see that you use:
>>> 
>>> dumpcap ... -b files:10000 -a filesize:8192 ...
>>> 
>>> Why are you mixing -b and -a options?  "-a" options are for automatic 
>>> finishing the capturing and "-b" options are for creating a ringbuffer. 
>>> Which of the two were you planning to use?
>>> 
>>> If sticking to one of these two options does not solve the issue, are you 
>>> able to share a file that is giving the error?
>>> 
>>> Cheers,
>>> Sake
>>> 
>>> 
>>> 
>>> On 14 mei 2010, at 17:11, Joseph Laibach wrote:
>>> 
>>>> I open the file on the host that is was captured on, or I copy it via a 
>>>> Windows file share. Either way it gives me the same error. I'm capturing 
>>>> stock Market multicast data, if that matters. The traffic is very bursty 
>>>> and the data rate is around 200mb/sec. I switched from a Broadcom NIC to 
>>>> Intel NIC to see if that would help but no luck on that change either.
>>>> 
>>>> -----Original Message-----
>>>> From: wireshark-users-bounces@xxxxxxxxxxxxx 
>>>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
>>>> Sent: Friday, May 14, 2010 10:49 AM
>>>> To: Community support list for Wireshark
>>>> Subject: Re: [Wireshark-users] The capture file appears to be damaged or 
>>>> corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
>>>> 65535)
>>>> 
>>>> Did you open the file on the host on which it was captured? Or did you 
>>>> transfer the file from the capturing host to the host on which you try 
>>>> to read it? The error message that you get usually appears after the 
>>>> file has been transferred to another host with FTP in ASCII mode instead 
>>>> of BINARY mode.
>>>> 
>>>> (FYI dumpcap writes libpcap based files which can not contain packets 
>>>> larger than 65535 bytes, so the file is most probably corrupted somehow)
>>>> 
>>>> Cheers,
>>>> Sake
>>>> 
>>>> On 14 mei 2010, at 16:36, Joseph Laibach wrote:
>>>> 
>>>>> Is there a way to remove the 65535 maximum from the reading of a 
>>>>> capture?
>>>>> 
>>>>> Thanks
>>>>> 
>>>>> Joe
>>>>> 
>>>>> -----Original Message-----
>>>>> From: wireshark-users-bounces@xxxxxxxxxxxxx 
>>>>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Joseph 
>>>>> Laibach
>>>>> Sent: Tuesday, May 11, 2010 11:36 AM
>>>>> To: Community support list for Wireshark
>>>>> Subject: Re: [Wireshark-users] The capture file appears to be damaged 
>>>>> or corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
>>>>> 65535)
>>>>> 
>>>>> I'm running version 1.2.7 64bit.
>>>>> 
>>>>> -----Original Message-----
>>>>> From: wireshark-users-bounces@xxxxxxxxxxxxx 
>>>>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
>>>>> Sent: Tuesday, May 11, 2010 11:29 AM
>>>>> To: Community support list for Wireshark
>>>>> Subject: Re: [Wireshark-users] The capture file appears to be damaged 
>>>>> or corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 
>>>>> 65535)
>>>>> 
>>>>> But what release of Wireshark are you using?
>>>>> 
>>>>> Thanks,
>>>>> Jaap
>>>>> 
>>>>> Send from my iPhone
>>>>> 
>>>>> On 11 mei 2010, at 16:37, Joseph Laibach <jlaibach@xxxxxxxxxxxxx> 
>>>>> wrote:
>>>>> 
>>>>>> I am having an issue with some of the capture files. Some captures
>>>>>> files spit back an error that the capture file appears to be damaged
>>>>>> or corrupt. The capture is running on a Windows 2003 Sever R2 64bit,
>>>>>> with 2 gigs of memory and a Inetl Xeon 2.33ghz processor.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> I am capturing with dumpcap. The syntax I am using is as follows: C:
>>>>>> \"Program Files"\Wireshark\dumpcap.exe -i \Device\NPF_
>>>>>> {ECC9D35A-826A-4A4F-B634-656EAD4EC7C9} -w d:\SFTI_capture -b files:
>>>>>> 10000 -a filesize:8192 -B 128 -s 10000000
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> I added the -s 10000000 to try and fix the large byte packet issue b
>>>>>> ut that hasn't worked.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Anyone have any suggestions on how to eliminated the corruption of
>>>>>> capture files?
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Thanks
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Joe Laibach
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> This communication is for informational purposes only.  It is not
>>>>>> intended as an offer or solicitation or as an official
>>>>>> confirmation.  Market prices and other information are not
>>>>>> guaranteed as to completeness or accuracy and are subject to change
>>>>>> without notice.  Schonfeld Group reserves the right to monitor and
>>>>>> review the content of all messages sent to or from this e-mail
>>>>>> address.
>>>>>> ___________________________________________________________________________
>>>>> 
>>>>> 
>>>>>> Sent via:    Wireshark-users mailing list 
>>>>>> <wireshark-users@xxxxxxxxxxxxx
>>>>>>> 
>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>> 
>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>> ___________________________________________________________________________
>>>>> Sent via:    Wireshark-users mailing list 
>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>> 
>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>> 
>>>>> 
>>>>> 
>>>>> This communication is for informational purposes only.  It is not 
>>>>> intended as an offer or solicitation or as an official confirmation. 
>>>>> Market prices and other information are not guaranteed as to 
>>>>> completeness or accuracy and are subject to change without notice. 
>>>>> Schonfeld Group reserves the right to monitor and review the content of 
>>>>> all messages sent to or from this e-mail address.
>>>>> ___________________________________________________________________________
>>>>> Sent via:    Wireshark-users mailing list 
>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>> 
>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>> 
>>>>> 
>>>>> 
>>>>> This communication is for informational purposes only.  It is not 
>>>>> intended as an offer or solicitation or as an official confirmation. 
>>>>> Market prices and other information are not guaranteed as to 
>>>>> completeness or accuracy and are subject to change without notice. 
>>>>> Schonfeld Group reserves the right to monitor and review the content of 
>>>>> all messages sent to or from this e-mail address.
>>>>> ___________________________________________________________________________
>>>>> Sent via:    Wireshark-users mailing list 
>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>> 
>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>> 
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-users mailing list 
>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>> 
>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>> 
>>>> 
>>>> 
>>>> This communication is for informational purposes only.  It is not 
>>>> intended as an offer or solicitation or as an official confirmation. 
>>>> Market prices and other information are not guaranteed as to 
>>>> completeness or accuracy and are subject to change without notice. 
>>>> Schonfeld Group reserves the right to monitor and review the content of 
>>>> all messages sent to or from this e-mail address.
>>>> 
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-users mailing list 
>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>> 
>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>> 
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>> 
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>> 
>>> 
>>> 
>>> This communication is for informational purposes only.  It is not 
>>> intended as an offer or solicitation or as an official confirmation. 
>>> Market prices and other information are not guaranteed as to completeness 
>>> or accuracy and are subject to change without notice.  Schonfeld Group 
>>> reserves the right to monitor and review the content of all messages sent 
>>> to or from this e-mail address.
>>> 
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>> 
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>> 
>>> 
>>> 
>>> This communication is for informational purposes only.  It is not 
>>> intended as an offer or solicitation or as an official confirmation. 
>>> Market prices and other information are not guaranteed as to completeness 
>>> or accuracy and are subject to change without notice.  Schonfeld Group 
>>> reserves the right to monitor and review the content of all messages sent 
>>> to or from this e-mail address.
>>> 
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>> 
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>> 
>>> 
>>> 
>>> This communication is for informational purposes only.  It is not 
>>> intended as an offer or solicitation or as an official confirmation. 
>>> Market prices and other information are not guaranteed as to completeness 
>>> or accuracy and are subject to change without notice.  Schonfeld Group 
>>> reserves the right to monitor and review the content of all messages sent 
>>> to or from this e-mail address.
>>> <SFTI_capture_09969_20100517094319>___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>> 
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>> 
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>> 
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe 
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe