[Winpcap-users] The capture file appears to be damaged or corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 65535)

Gianluca Varenni gianluca.varenni at cacetech.com
Mon May 17 12:12:29 PDT 2010 

Joe,

as I wrote in my message on the wireshark-users mailing list, dumpcap uses its own code to create the PCAP files, as far as I know. It only uses WinPcap to receive the packets. The only case where you **might** have a similar issue (and it all depends on the code in dumpcap) is if the packet received by pcap_next_ex has a bogus header saying that the captured len is bigger than the original packet len. A simple ASSERT in the dumpcap code would show this. 

Have a nice day
GV




From: Joseph Laibach 
Sent: Monday, May 17, 2010 11:56 AM
To: 'winpcap-users at winpcap.org' 
Subject: [Winpcap-users] The capture file appears to be damaged or corrupt. (pcap: Files has 109736-byte packet, bigger than maximum of 65535)


WinPcap Version 4.1.1 

Windows 2003 Server R2 64bit

Intel(R) PRO/1000 PT Dual Port Server Adapter

 

I'm running into an issues when I analyze the captured traffic. I'm using Wireshark to read the files. It seems that the capture length is set to a smaller number of bytes than is on the wire. If I use a hex-editor to fix the "capture length" the file is readable until I hit the next occurrence. Is there anything that I can use at the command line to correct this issue or is there something that I'm doing wrong with the syntax

 

Here is the syntax of the capture that I am running:

 

C:\"Program Files"\Wireshark\dumpcap.exe -i \Device\NPF_{21741AFC-E45E-46A6-9740-9E233E4FF91D} -w d:\SFTI_capture -b files:20000 -b filesize:8192 -B 256

 

Thanks

 

Joe

This communication is for informational purposes only.  It is not intended as an offer or solicitation or as an official confirmation.  Market prices and other information are not guaranteed as to completeness or accuracy and are subject to change without notice.  Schonfeld Group reserves the right to monitor and review the content of all messages sent to or from this e-mail address.

--------------------------------------------------------------------------------


_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20100517/630a7c88/attachment.htm

More information about the Winpcap-users mailing list