tcprewrite truncates packets
Reported by: aturner
Owned by: aturner
Operating System:
Add to FAQ?: yes
Output of tcpreplay -V:
Description (last modified by aturner)
tcprewrite --portmap=8888:80 --infile=in.pcap --outfile=out.pcap
will truncate each packet to <=96 bytes.
For everyone reading this ticket, let me explain what is really going on here. There were some versions of libpcap (reportedly found in older versions of Red Hat Linux) which contained a bug resulting in it creating invalid pcap files. This bug causes applications which use libpcap to read the pcap file to only see part of the packet. Applications like Wireshark, which have their own pcap library, often can see the entire packet.
Long story short, there is nothing wrong with tcpreplay, tcprewrite, etc.; it's a problem with your pcap file. To fix the problem, locate the 2 bytes at offset 16 (0x10) and change them to read 0xFFFF. This will repair the file so libpcap/tcprewrite/tcpreplay/etc. can process it correctly.
example of broken file:
xxd broken.pcap | head -3
0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000  ................
0000010: 6000 0000 0100 0000 1b6f 954b ca25 0e00  `........o.K.%..
0000020: 4a00 0000 4a00 0000 0000 5e00 0101 0015  J...J.....^.....
example of fixed file:
xxd fixed.pcap | head -3
0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000  ................
0000010: ffff 0000 0100 0000 1b6f 954b ca25 0e00  .........o.K.%..
0000020: 4a00 0000 4a00 0000 0000 5e00 0101 0015  J...J.....^.....
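The header edit described above, as an added Python example (not part of the ticket or of tcpreplay): it reads the snaplen field at offset 16, compares it with the largest captured length in the packet records, and rewrites it to 0xFFFF only when a record exceeds it. It assumes the broken files are those whose records hold more bytes than the header's snaplen; it also handles big-endian files, which goes beyond the little-endian dump shown in the ticket. The function names and the sample capture are constructed for illustration.

```python
import struct

MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond and nanosecond pcap magic
SNAPLEN_OFFSET = 16                 # offset given in the ticket
FIXED_SNAPLEN = 0xFFFF              # value given in the ticket

def byte_order(header: bytes) -> str:
    """Return '<' or '>' by reading the magic number both ways."""
    for order in ("<", ">"):
        if struct.unpack(order + "I", header[:4])[0] in MAGICS:
            return order
    raise ValueError("not a classic pcap file")

def inspect(data: bytes):
    """Return (snaplen, largest incl_len) for a pcap byte string."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    order = byte_order(data)
    snaplen = struct.unpack_from(order + "I", data, SNAPLEN_OFFSET)[0]
    pos, largest = 24, 0
    while pos + 16 <= len(data):  # walk the 16-byte record headers
        incl_len = struct.unpack_from(order + "I", data, pos + 8)[0]
        largest = max(largest, incl_len)
        pos += 16 + incl_len
    return snaplen, largest

def repair(data: bytes) -> bytes:
    """Rewrite snaplen to 0xFFFF only if a record is longer than it."""
    snaplen, largest = inspect(data)
    if largest <= snaplen:
        return data  # header is consistent, leave the file alone
    patched = bytearray(data)
    struct.pack_into(byte_order(data) + "I", patched, SNAPLEN_OFFSET, FIXED_SNAPLEN)
    return bytes(patched)

def make_sample(snaplen: int, payload_len: int) -> bytes:
    """Constructed test capture: one record with a zero-filled payload."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    record = struct.pack("<IIII", 0, 0, payload_len, payload_len)
    return header + record + bytes(payload_len)

if __name__ == "__main__":
    broken = make_sample(snaplen=0x60, payload_len=150)
    print(inspect(broken), inspect(repair(broken)))
```

To use it on a real capture, read the file in binary mode, pass the bytes to `repair`, and write the result to a new file so the original is kept.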
Change History (6)
comment:1 Changed 7 years ago by aturner
- Resolution set to invalid
- Status changed from new to closed
comment:2 Changed 7 years ago by aturner
- Resolution invalid deleted
- Status changed from closed to reopened
- Type changed from defect to enhancement
comment:4 Changed 7 years ago by aturner
- Resolution set to fixed
- Status changed from reopened to closed