Tags: wireshark, pcap, tshark

Checking if pcap file is damaged (with tshark or possibly something else)


I have a very specific need regarding pcap files generated by wireshark or similar: I need to test quickly if a specific pcap file is damaged. Say, if the first 100 packets are written correctly to it.

I have tshark available on hosts where files will be used.

The problem: we're using a lot of pcap files and unfortunately some of them get corrupted for reasons I won't get into. I need to do a quick sanity check of a file before it is tcpreplayed. I don't need to eliminate absolutely 100% of them, just the obviously and grossly corrupted ones.


Solution

  • One possibility is to check whether there are Errors in the Expert Information output, particularly in the Malformed group. The idea is that corrupted files will sooner or later produce something impossible to dissect correctly, which means a malformed thing.

    For example:

    tshark -r pcapfile -z expert,error -q
    
    Errors (9)
    =============
       Frequency      Group           Protocol  Summary
               5  Malformed        IEEE 802.11  Malformed Packet (Exception occurred)
               1  Malformed        IEEE 802.11  Tag Length is longer than remaining payload
               1   Protocol             DHCPv6  This message type is not permitted to use OPTION_CLIENT_FQDN
               1  Malformed                SSH  Malformed Packet (Exception occurred)
               1  Malformed           ISIS LSP  short E/IS reachability (4 vs 10)
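    As an added example (not code from the original answer), the two checks above can be scripted for a pre-tcpreplay gate: a structural walk of the classic libpcap headers for the first N records, which is the "first 100 packets written correctly" idea from the question and needs no external tool, and a parser for the `tshark -z expert,error -q` table that sums the Frequency column of the Malformed group. The function names, the sample pcap bytes and the treatment of a non-zero tshark exit as a failure are my own assumptions; the expert table embedded below is constructed from the listing in the answer.

```python
"""Added example (not from the original post): quick pcap sanity checks.

1. check_pcap_records() walks the global header and the first N packet
   records of a classic libpcap file (not pcapng) and reports truncation
   or impossible lengths.
2. count_malformed() parses 'tshark -r FILE -z expert,error -q' output and
   sums the Frequency column for rows in the Malformed group.
Function names, thresholds and sample inputs are assumptions of this example.
"""
import re
import shutil
import struct
import subprocess

# Classic pcap magics as read little-endian: native (usec / nsec timestamps)
# and the byte-swapped values a big-endian writer produces.
_LE_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)
_BE_MAGICS = (0xD4C3B2A1, 0x4D3CB2A1)
GLOBAL_HDR = 24  # bytes
RECORD_HDR = 16  # bytes


def check_pcap_records(data: bytes, max_packets: int = 100):
    """Return (ok, reason, records_checked) after walking up to max_packets.

    Assumed rules: version must be 2.4, and a record's incl_len may exceed
    neither its orig_len nor the header snaplen.
    """
    if len(data) < GLOBAL_HDR:
        return False, "shorter than the 24-byte global header", 0
    magic = struct.unpack("<I", data[:4])[0]
    if magic in _LE_MAGICS:
        e = "<"
    elif magic in _BE_MAGICS:
        e = ">"
    else:
        return False, "unknown magic 0x%08x (not a classic pcap)" % magic, 0
    major, minor, _tz, _sig, snaplen, _link = struct.unpack(e + "HHiIII", data[4:GLOBAL_HDR])
    if (major, minor) != (2, 4):
        return False, "unexpected pcap version %d.%d" % (major, minor), 0
    off, n = GLOBAL_HDR, 0
    while off < len(data) and n < max_packets:
        if off + RECORD_HDR > len(data):
            return False, "record %d: header cut short" % (n + 1), n
        _ts, _us, incl, orig = struct.unpack(e + "IIII", data[off:off + RECORD_HDR])
        if incl > orig or incl > snaplen:
            return False, "record %d: incl_len %d exceeds orig_len %d or snaplen %d" % (
                n + 1, incl, orig, snaplen), n
        if off + RECORD_HDR + incl > len(data):
            missing = off + RECORD_HDR + incl - len(data)
            return False, "record %d: %d data bytes missing" % (n + 1, missing), n
        off += RECORD_HDR + incl
        n += 1
    return True, "ok", n


# One table row: Frequency, Group, Protocol (may contain single spaces), Summary.
_ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.+?)\s{2,}(.+)$")


def count_malformed(expert_output: str) -> int:
    """Sum the Frequency column of every row whose Group is 'Malformed'."""
    total = 0
    for line in expert_output.splitlines():
        m = _ROW_RE.match(line)
        if m and m.group(2) == "Malformed":
            total += int(m.group(1))
    return total


def tshark_malformed_count(path: str):
    """Run the answer's tshark command on a real file.

    Returns None when tshark is not installed and -1 when tshark exits
    non-zero (assumed convention; it does so when a file is cut short).
    """
    if shutil.which("tshark") is None:
        return None
    proc = subprocess.run(["tshark", "-r", path, "-z", "expert,error", "-q"],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return -1
    return count_malformed(proc.stdout)


def build_pcap(payloads, snaplen=65535, linktype=1) -> bytes:
    """Constructed sample: a little-endian classic pcap holding the payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out


# Constructed inputs: a sound file, the same file cut 700 bytes short inside
# its third record, and a copy with the magic number zeroed.
GOOD = build_pcap([b"\x00" * 60, b"\x11" * 42, b"\x22" * 1500])
TRUNCATED = GOOD[:-700]
BAD_MAGIC = b"\x00\x00\x00\x00" + GOOD[4:]

# Constructed from the expert-info listing in the answer above.
SAMPLE_EXPERT_OUTPUT = """\
Errors (9)
=============
   Frequency      Group           Protocol  Summary
           5  Malformed        IEEE 802.11  Malformed Packet (Exception occurred)
           1  Malformed        IEEE 802.11  Tag Length is longer than remaining payload
           1   Protocol             DHCPv6  This message type is not permitted to use OPTION_CLIENT_FQDN
           1  Malformed                SSH  Malformed Packet (Exception occurred)
           1  Malformed           ISIS LSP  short E/IS reachability (4 vs 10)
"""

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("truncated", TRUNCATED), ("bad magic", BAD_MAGIC)):
        print(name, check_pcap_records(blob))
    print("malformed errors in sample:", count_malformed(SAMPLE_EXPERT_OUTPUT))
```

    The structural walk catches the gross cases the question is after (a file cut short mid-packet, a zeroed header, a record header claiming more bytes than the file holds) in microseconds and without spawning a process; the Malformed count from tshark then covers payload damage that keeps the framing intact. A file that fails either check should be set aside rather than handed to tcpreplay.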