I have a very specific need regarding pcap files generated by Wireshark or similar: I need to test quickly if a specific pcap file is damaged. Say, if the first 100 packets are written correctly to it.
I have tshark available on the hosts where the files will be used.
The problem: we're using a lot of pcap files and unfortunately some of them get corrupted for reasons I won't get into. I need to do a quick sanity check of a file before it is tcpreplayed. I don't need to eliminate absolutely 100% of them, just the obviously and grossly corrupted ones.
One possibility is to check if there are Errors in the Expert Information output, particularly in the Malformed group. The idea being that corrupted files will sooner or later produce something impossible to dissect correctly, which means a malformed thing.
For example:
tshark -r pcapfile -z expert,error -q
Errors (9)
=============
   Frequency      Group      Protocol     Summary
           5  Malformed   IEEE 802.11     Malformed Packet (Exception occurred)
           1  Malformed   IEEE 802.11     Tag Length is longer than remaining payload
           1  Protocol    DHCPv6          This message type is not permitted to use OPTION_CLIENT_FQDN
           1  Malformed   SSH             Malformed Packet (Exception occurred)
           1  Malformed   ISIS            LSP short E/IS reachability (4 vs 10)
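As an added example (not from the original post), here is a complementary check that does not dissect anything: it reads only the pcap container, the 24-byte global header and the 16-byte record header in front of each packet, and verifies that the first N records are internally consistent (known magic, sane snaplen, caplen not larger than snaplen or wire length, timestamp fraction in range, no record running past the end of the file). Gross damage such as a writer that died mid-packet or a smashed length field shows up here long before tshark has to throw a Malformed exception. It assumes the classic libpcap format (magic a1b2c3d4 / d4c3b2a1 and the nanosecond variants a1b23c4d / 4d3cb2a1); pcapng files (magic 0a0d0d0a) are reported as unsupported rather than checked. The sample captures at the bottom are constructed in the script itself.

```python
"""Structural sanity check for classic (libpcap) capture files.

Added example, not part of the original post. It complements the tshark
expert-info check rather than replacing it: tshark catches payloads that no
longer dissect, this catches damage to the file container itself (bad global
header, record headers running past EOF, impossible lengths) in the first N
packets, without dissecting anything.
Assumption: classic pcap only (magic a1b2c3d4 / d4c3b2a1, or the nanosecond
variants a1b23c4d / 4d3cb2a1); pcapng (magic 0a0d0d0a) is reported, not checked.
"""
import struct

# Raw magic bytes -> (struct byte order, upper bound on the timestamp fraction)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # 0xa1b2c3d4 little-endian, usec
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # 0xa1b2c3d4 big-endian, usec
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # 0xa1b23c4d little-endian, nsec
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # 0xa1b23c4d big-endian, nsec
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, caplen, origlen
MAX_SNAPLEN = 262144  # libpcap's MAXIMUM_SNAPLEN; anything larger is suspect


def check_pcap(data: bytes, max_packets: int = 100) -> tuple[bool, str]:
    """Return (ok, reason) after checking the global header and the first
    `max_packets` record headers of `data` (the start of a pcap file)."""
    if len(data) < GLOBAL_HDR_LEN:
        return False, "file shorter than the 24-byte global header"
    if data[:4] == PCAPNG_MAGIC:
        return False, "pcapng file; this checker only handles classic pcap"
    if data[:4] not in MAGICS:
        return False, f"unknown magic {data[:4].hex()}"
    endian, frac_limit = MAGICS[data[:4]]
    ver_major, ver_minor, _thiszone, _sigfigs, snaplen, _linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    if ver_major != 2:
        return False, f"unexpected pcap version {ver_major}.{ver_minor}"
    if snaplen == 0 or snaplen > MAX_SNAPLEN:
        return False, f"implausible snaplen {snaplen}"

    off, count = GLOBAL_HDR_LEN, 0
    while count < max_packets and off < len(data):
        n = count + 1
        if off + RECORD_HDR_LEN > len(data):
            return False, f"packet {n}: record header truncated at offset {off}"
        _ts_sec, ts_frac, caplen, origlen = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        if ts_frac >= frac_limit:
            return False, f"packet {n}: timestamp fraction {ts_frac} out of range"
        if caplen > snaplen:
            return False, f"packet {n}: caplen {caplen} exceeds snaplen {snaplen}"
        if caplen > origlen:
            return False, f"packet {n}: caplen {caplen} exceeds wire length {origlen}"
        if origlen == 0:
            return False, f"packet {n}: zero-length packet"
        if off + RECORD_HDR_LEN + caplen > len(data):
            return False, f"packet {n}: packet data truncated at offset {off + RECORD_HDR_LEN}"
        off += RECORD_HDR_LEN + caplen
        count += 1
    return True, f"first {count} packet record(s) structurally consistent"


def build_pcap(packets, snaplen=65535, endian="<") -> bytes:
    """Constructed sample input: assemble a classic pcap (usec timestamps,
    linktype 1 = Ethernet) from raw packet bytes."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    out = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack(endian + "IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


# Constructed test files: a clean capture, one cut off mid-packet (as a writer
# that died would leave it), one with a smashed length field, and a pcapng header.
FRAME = b"\x00" * 14 + b"payload"                      # 21-byte fake Ethernet frame
GOOD = build_pcap([FRAME] * 3)
TRUNCATED = GOOD[:-5]                                    # last packet loses 5 bytes
_CAPLEN_OFF = GLOBAL_HDR_LEN + RECORD_HDR_LEN + len(FRAME) + 8   # caplen of packet 2
BAD_CAPLEN = GOOD[:_CAPLEN_OFF] + b"\xff\xff\xff\xff" + GOOD[_CAPLEN_OFF + 4:]
PCAPNG = PCAPNG_MAGIC + b"\x00" * 20

if __name__ == "__main__":
    import sys
    # Only a bounded prefix is needed: 100 records of at most 16 + MAX_SNAPLEN bytes.
    status = 0
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            prefix = f.read(GLOBAL_HDR_LEN + 100 * (RECORD_HDR_LEN + MAX_SNAPLEN))
        ok, reason = check_pcap(prefix, max_packets=100)
        print(f"{'OK ' if ok else 'BAD'} {path}: {reason}")
        status |= 0 if ok else 1
    if not sys.argv[1:]:  # no files given: run over the constructed samples
        for name, blob in [("GOOD", GOOD), ("TRUNCATED", TRUNCATED),
                           ("BAD_CAPLEN", BAD_CAPLEN), ("PCAPNG", PCAPNG)]:
            print(name, check_pcap(blob))
    sys.exit(status)
```

Run it as `python3 pcapcheck.py *.pcap` in front of tcpreplay; a non-zero exit means at least one file failed. Two caveats: current Wireshark, tshark and dumpcap write pcapng by default, so either save with `-F pcap` or convert with `editcap -F pcap in.pcapng out.pcap` before this check applies; and a file whose first 100 records pass here can still be garbage inside the packets, which is exactly what the `-z expert,error` run above is for, so keep both.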