Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#425 closed enhancement (fixed)

tcprewrite truncates packets

Reported by: aturner Owned by: aturner
Priority: high Milestone: 3.4.4
Component: libtcpedit Version: 3.4.3
Keywords: Cc:
Operating System: Add to FAQ?: yes
Hardware: All
Output of tcpreplay -V:

Description (last modified by aturner)

tcprewrite --portmap=8888:80 --infile=in.pcap --outfile=out.pcap

will truncate each packet to <=96 bytes.


For everyone reading this ticket, let me explain what is really going on here. There were some versions of libpcap (reportedly found in older versions of Red Hat Linux) which contained a bug resulting in it creating invalid pcap files. This bug causes applications which use libpcap to read the pcap file to only see part of the packet. Applications like Wireshark, which have their own pcap library, often can see the entire packet.

Long story short, there is nothing wrong with tcpreplay, tcprewrite, etc.; it's a problem with your pcap file. To fix the problem, locate the 2 bytes at offset 16 (0x10) and change them to read 0xFFFF. This will repair the file so libpcap/tcprewrite/tcpreplay/etc. can process it correctly.

example of broken file:

xxd broken.pcap | head -3
0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000  ................
0000010: 6000 0000 0100 0000 1b6f 954b ca25 0e00  `........o.K.%..
0000020: 4a00 0000 4a00 0000 0000 5e00 0101 0015  J...J.....^.....

example of fixed file:

xxd fixed.pcap | head -3
0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000  ................
0000010: ffff 0000 0100 0000 1b6f 954b ca25 0e00  .........o.K.%..
0000020: 4a00 0000 4a00 0000 0000 5e00 0101 0015  J...J.....^.....
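
The check and repair described above, as an added example that is not part of the original ticket or of tcpreplay: it compares the snaplen in the pcap file header with the caplen of every packet record and rewrites the header field to 0xFFFF only when a record exceeds it. The function names and the sample capture are constructed for illustration, and handling big-endian files goes beyond the little-endian case shown in the ticket.

```python
import struct

# Classic pcap magic (microsecond timestamps) as stored on disk -> struct byte order.
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
GLOBAL_HDR, RECORD_HDR, SNAPLEN_OFF = 24, 16, 16

def _order(data):
    if len(data) < GLOBAL_HDR or data[:4] not in MAGIC:
        raise ValueError("not a classic pcap file")
    return MAGIC[data[:4]]

def read_lengths(data):
    """Return (file-header snaplen, largest per-packet caplen)."""
    order = _order(data)
    (snaplen,) = struct.unpack_from(order + "I", data, SNAPLEN_OFF)
    offset, max_caplen = GLOBAL_HDR, 0
    while offset + RECORD_HDR <= len(data):
        # Record header: ts_sec, ts_usec, caplen, len (4 bytes each).
        (caplen,) = struct.unpack_from(order + "I", data, offset + 8)
        max_caplen = max(max_caplen, caplen)
        offset += RECORD_HDR + caplen
    return snaplen, max_caplen

def repair(data):
    """Set snaplen to 0xFFFF if any record holds more bytes than the header allows."""
    snaplen, max_caplen = read_lengths(data)
    if max_caplen <= snaplen:
        return data  # header is consistent, leave the file alone
    patched = struct.pack(_order(data) + "I", 0xFFFF)
    return data[:SNAPLEN_OFF] + patched + data[SNAPLEN_OFF + 4:]

def sample(snaplen, caplen):
    """Constructed little-endian capture with one all-zero packet record."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    rec = struct.pack("<IIII", 0, 0, caplen, caplen) + bytes(caplen)
    return hdr + rec

if __name__ == "__main__":
    broken = sample(snaplen=96, caplen=150)  # header says 96, record holds 150
    print("before:", read_lengths(broken))
    print("after: ", read_lengths(repair(broken)))
```
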

Change History (6)

comment:1 Changed 7 years ago by aturner

  • Resolution set to invalid
  • Status changed from new to closed

Invalid. Source pcap had a broken pcap_header which specified the snaplen was 96 bytes even though per-packet header caplen was larger.

comment:2 Changed 7 years ago by aturner

  • Resolution invalid deleted
  • Status changed from closed to reopened
  • Type changed from defect to enhancement

Opening ticket so I can warn users when this might happen. Affects tcpreplay, tcprewrite, tcpprep.

comment:3 Changed 7 years ago by aturner

(In [2427]) use the newish pcap_snapshot() function to warn users when the
pcap file snaplen < 65535 which could indicate a truncated packet
situation. refs #425

comment:4 Changed 7 years ago by aturner

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [2428]) add checking for snapshot length to trunk. basically a manual merge of r2427
from branches/3.4. fixes #425

comment:5 Changed 7 years ago by aturner

  • Add to FAQ? set
  • Description modified (diff)

comment:6 Changed 7 years ago by aturner

  • Description modified (diff)