Ticket #425 (closed enhancement: fixed)

Opened 23 months ago

Last modified 23 months ago

tcprewrite truncates packets

Reported by: aturner Owned by: aturner
Priority: high Milestone: 3.4.4
Component: libtcpedit Version: 3.4.3
Keywords: Cc:
Operating System: Add to FAQ?: yes
Hardware: All
Output of tcpreplay -V:

Description (last modified by aturner) (diff)

tcprewrite --portmap=8888:80 --infile=in.pcap --outfile=out.pcap

will truncate each packet to <=96 bytes.


For everyone reading this ticket, let me explain what is really going on here. There were some versions of libpcap (reportedly found in older versions of Red Hat Linux) which contained a bug resulting in it creating invalid pcap files. This bug causes applications which use libpcap to read the pcap file to only see part of the packet. Applications like Wireshark which have their own pcap library often can see the entire packet.

Long story short, there is nothing wrong with tcpreplay, tcprewrite, etc.; it's a problem with your pcap file. To fix the problem, locate the 2 bytes at offset 16 (0x10) and change them to read 0xFFFF. This will repair the file so libpcap/tcprewrite/tcpreplay/etc. can process it correctly.

example of broken file:

xxd broken.pcap | head -3
0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000  ................
0000010: 6000 0000 0100 0000 1b6f 954b ca25 0e00  `........o.K.%..
0000020: 4a00 0000 4a00 0000 0000 5e00 0101 0015  J...J.....^.....

example of fixed file:

xxd fixed.pcap | head -3
0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000  ................
0000010: ffff 0000 0100 0000 1b6f 954b ca25 0e00  .........o.K.%..
0000020: 4a00 0000 4a00 0000 0000 5e00 0101 0015  J...J.....^.....
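
Added example (not part of the ticket or the tcpreplay source): a Python check that compares the global-header snaplen with the largest per-packet caplen and applies the offset-16 repair only when they disagree. The function names and the sample capture are constructed for illustration; the sample reuses the header bytes from the broken.pcap dump above, with zero-filled packet payloads.

```python
import struct

# Magic bytes -> struct byte order (microsecond and nanosecond variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
SNAPLEN_OFFSET = 16  # 4-byte snaplen field inside the 24-byte global header

def scan(data):
    """Return (header_snaplen, largest_per_packet_caplen, packet_count)."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    (snaplen,) = struct.unpack_from(endian + "I", data, SNAPLEN_OFFSET)
    pos, max_caplen, count = 24, 0, 0
    while pos + 16 <= len(data):
        # Record header: ts_sec, ts_frac, caplen (bytes stored), original length.
        _sec, _frac, caplen, _orig = struct.unpack_from(endian + "4I", data, pos)
        if pos + 16 + caplen > len(data):
            break  # final record is cut short; stop walking
        max_caplen = max(max_caplen, caplen)
        pos += 16 + caplen
        count += 1
    return snaplen, max_caplen, count

def repair(data):
    """Return the capture with snaplen raised to 0xFFFF if a caplen exceeds it."""
    snaplen, max_caplen, _ = scan(data)
    if max_caplen <= snaplen:
        return data  # header is consistent, nothing to change
    endian = MAGICS[data[:4]]
    # 0xFFFF is the value the ticket recommends; go higher only if a packet needs it.
    fixed = struct.pack(endian + "I", max(0xFFFF, max_caplen))
    return data[:SNAPLEN_OFFSET] + fixed + data[SNAPLEN_OFFSET + 4:]

def constructed_sample():
    """Constructed capture: the ticket's broken header plus two zero-filled packets."""
    hdr = bytes.fromhex("d4c3b2a1020004000000000000000000" "6000000001000000")
    def rec(n):
        return struct.pack("<4I", 0x4B956F1B, 0x000E25CA, n, n) + bytes(n)
    return hdr + rec(74) + rec(150)  # second packet is larger than snaplen 96

if __name__ == "__main__":
    broken = constructed_sample()
    print("before:", scan(broken))
    print("after: ", scan(repair(broken)))
```

A capture whose largest caplen is already within the header snaplen is returned unchanged, so the repair is safe to run over files that were legitimately captured with a short snaplen.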

Change History

comment:1 Changed 23 months ago by aturner

  • Status changed from new to closed
  • Resolution set to invalid

Invalid. Source pcap had a broken pcap_header which specified the snaplen was 96 bytes even though per-packet header caplen was larger.

comment:2 Changed 23 months ago by aturner

  • Status changed from closed to reopened
  • Type changed from defect to enhancement
  • Resolution invalid deleted

Opening ticket so I can warn users when this might happen. Affects tcpreplay, tcprewrite, tcpprep.

comment:3 Changed 23 months ago by aturner

(In [2427]) use the newish pcap_snapshot() function to warn users when the pcap file snaplen < 65535 which could indicate a truncated packet situation. refs #425

comment:4 Changed 23 months ago by aturner

  • Status changed from reopened to closed
  • Resolution set to fixed

(In [2428]) add checking for snapshot length to trunk. basically a manual merge of r2427 from branches/3.4. fixes #425

comment:5 Changed 23 months ago by aturner

  • Add to FAQ? set
  • Description modified (diff)

comment:6 Changed 23 months ago by aturner

  • Description modified (diff)