
I get "the captured file appears to have been cut short in the middle" reading a file from tcpdump if I kill it while it's capturing


Wireshark always shows an error prompt with "the captured file appears to have been cut short in the middle of a packet" when I try to open the captured PCAP file. I have no idea what is happening. I tried to fix it with the pcapfix tool and then the error prompt was gone. Could anyone tell me what the error means, how to resolve it, and whether my packets have a cut in them?

Thank you very much in advance.

liuml8
asked 2020-03-30 07:06:36 +0000
updated by Guy Harris 2020-03-30 16:52:09 +0000

Comments

How are you capturing the traffic? Are you doing it in Wireshark or in some other program?

Guy Harris (2020-03-30 08:07:43 +0000)

Hi, I appreciate your quick reply. I captured the file with tcpdump; below are the steps I used to run it:
1. Push the tcpdump binary to the phone's /data directory and grant the file 777 permissions (adb shell chmod 777 /data/tcpdump).
2. Run the command: tcpdump -i any -s 0 -w /sdcard/ip.pcap &
3. After 25 hours, pull out the file ip.pcap for analysis.
Then the error prompt appears when I open ip.pcap with Wireshark. I have no idea how to check which fragment was cut short in the captured file. How can I prevent this problem when I capture pcap packets?

liuml8 (2020-03-30 08:25:50 +0000)

Do you stop tcpdump before 'pulling out the file ip.pcap'?

Jaap (2020-03-30 11:13:35 +0000)

1 Answer


tcpdump writes the pcap file in blocks of a certain size. This means that during the capturing, the file ends in the middle of a packet. If you copy the file while tcpdump is still capturing, the last packet in the file will not be completely written yet, hence the error message in Wireshark.

If you stop tcpdump before copying the file, the remaining buffer will be written to disk and all packets will be complete.

SYN-bit
answered 2020-03-30 11:42:11 +0000

Comments

Thank you very much. Before I pulled out the PCAP file, I killed the process first with "kill -9 PID". Is that a normal stop for tcpdump?

liuml8 (2020-03-30 15:29:03 +0000)

"-9" is pretty harsh. See if it works better with a "-2" or "-15".
Usage of signals with kill

Chuckc (2020-03-30 16:06:29 +0000)

If you do a "kill -9", you tell the program to drop everything and quit. This means it never got the chance to save the last bits in memory to disk, hence the last packet was truncated. You should just do a normal kill on the process without -9 and then it should close normally, flushing the last data to disk.

SYN-bit (2020-03-30 16:48:04 +0000)

"-9" is pretty harsh.

Where "pretty harsh" means will not work - it will immediately stop tcpdump, not giving it an opportunity to do anything before exiting and, in particular, not giving it an opportunity to write out the last blocks of data.

I.e., @bubbasnmp is 100% correct; do what he says. You MUST use "-2" ("-INT") or "-15" ("-TERM"); those are caught by tcpdump, and it will stop capturing and finish writing out the capture file.

Guy Harris (2020-03-30 16:51:09 +0000)
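The answer above (a copy taken while tcpdump still holds the tail of the file in its write buffer) and the comments about kill -9 (tcpdump never gets to flush that buffer) describe the same on-disk symptom: the last record header promises more bytes than the file contains, which is exactly what Wireshark's "cut short in the middle of a packet" warning reports. The following Python script is an added example, not code from this thread, from tcpdump or from pcapfix. It builds a small classic pcap in memory from constructed payloads, cuts it short the way a SIGKILL-ed or still-running capture leaves it, walks the record chain to locate the incomplete record, and truncates the file back to the last complete record, which is roughly what pcapfix did for the asker. The function names (build_pcap, check_pcap, repair_pcap, repair_file) and the sample timestamps and payloads are my own.

```python
import struct

# Classic pcap magic numbers. The magic is read as a little-endian integer;
# which value comes back tells us the byte order of every header in the file.
# pcapng (what Wireshark writes by default) is a different format and is not
# handled here.
MAGICS = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian file, nanosecond timestamps
}
GLOBAL_HDR_LEN = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
REC_HDR_LEN = 16      # ts_sec, ts_frac, incl_len (bytes on disk), orig_len (bytes on the wire)


def build_pcap(payloads, snaplen=262144, linktype=1):
    """Build a little-endian microsecond pcap from constructed packet bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, p in enumerate(payloads):
        # constructed timestamps, one second apart; contents of p are irrelevant to framing
        out += struct.pack("<IIII", 1585555200 + i, 0, len(p), len(p)) + p
    return out


def check_pcap(data):
    """Walk the record chain of a classic pcap file.

    Returns (complete_records, good_length, problem): good_length is the offset
    just past the last complete record, and problem is None for a clean file or
    a description of the cut or corruption found at good_length.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    endian = MAGICS[magic]
    snaplen = struct.unpack_from(endian + "I", data, 16)[0]

    off = GLOBAL_HDR_LEN
    count = 0
    while off < len(data):
        if off + REC_HDR_LEN > len(data):
            # the cut landed inside a record header, not inside packet bytes
            return count, off, ("record %d: only %d of 16 header bytes present"
                                % (count + 1, len(data) - off))
        _ts, _frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        if incl_len > snaplen or incl_len > orig_len:
            # length field is nonsense: overwritten junk rather than a clean cut
            return count, off, ("record %d: incl_len %d exceeds snaplen %d or orig_len %d"
                                % (count + 1, incl_len, snaplen, orig_len))
        have = len(data) - off - REC_HDR_LEN
        if incl_len > have:
            # this is the "cut short in the middle of a packet" case
            return count, off, ("record %d cut short: header promises %d bytes, %d present"
                                % (count + 1, incl_len, have))
        off += REC_HDR_LEN + incl_len
        count += 1
    return count, off, None


def repair_pcap(data):
    """Drop the incomplete tail; returns (fixed_bytes, records_kept, problem)."""
    count, good, problem = check_pcap(data)
    return data[:good], count, problem


def repair_file(src, dst):
    """Read src, write the trimmed copy to dst, return (records_kept, problem)."""
    with open(src, "rb") as f:
        data = f.read()
    fixed, count, problem = repair_pcap(data)
    with open(dst, "wb") as f:
        f.write(fixed)
    return count, problem


if __name__ == "__main__":
    payloads = [b"A" * 60, b"B" * 42, b"C" * 80]   # constructed packet bodies
    full = build_pcap(payloads)
    print("clean file:", check_pcap(full))
    # A copy of a live capture, or a capture ended with SIGKILL, is the same
    # file with its end missing; cut five bytes off the last record here.
    cut = full[:-5]
    print("cut file:  ", check_pcap(cut))
    fixed, kept, why = repair_pcap(cut)
    print("kept %d complete records (%d bytes): %s" % (kept, len(fixed), why))
```

To avoid needing the repair at all, stop tcpdump with a signal it catches and wait for it to exit before copying the file, for example `kill -TERM "$pid"; wait "$pid"` (or `kill -INT`); the script only knows classic pcap, so a pcapng capture would be rejected at the magic check rather than repaired.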
