
packet block queue option length 8 is not 4


I can't open a *.cap file; this error appears: "The capture file appears to be damaged or corrupt." (pcapng_read_packet_block: packet block queue option length 8 is not 4)

cheng hui
asked 2021-05-08 07:26:25 +0000


1 Answer


The list of options for the Enhanced Packet Block says that the length of the epb_queue option - i.e., the packet block queue option - is 4 bytes.

That's also what the pull request to add that option (and two other options) to the pcapng spec said the length of the queue option is.

And it's what the code to read and write those options, as submitted by the same person who submitted the change to the specification, expects when reading and writes when writing.

So the first thing to do is to find out what program wrote that file, and find out who maintains that program, and tell them that the packet block queue option length should be 4, not 8, and point them to the section of the pcapng specification I mentioned in the first paragraph. If you don't know what program it is, but you can make either the entire capture file or the first 1024 bytes of the capture file available to us (which probably means making it public!), we might be able to determine the program (if it's kind enough to write out an shb_userappl string option in the Section Header Block indicating what program it was).

What Wireshark could do is simply ignore the queue option, for now; that's what it does for some other incorrectly-sized options. Ideally, however, there should be a way for Wireshark's file-reading code to report warnings - or recoverable errors - i.e. cases where the file is not a valid pcapng file but where we can recover by just discarding the bad part. Those might pop up in a list when Wireshark finishes reading the file, or in a list of warnings when TShark or other tools finish reading the file (so that they're not lost in the middle of normal output).

Guy Harris
answered 2021-05-08 09:38:11 +0000

Comments

Thank you very much!!!

cheng hui (2021-05-10 03:33:23 +0000)

I found out the reason. In [https://github.com/wireshark/wireshark/commit/d96e72ee2d1dddf67a2ed2093fd7c1d3ee2c73c5#diff-ede204f7a9517af0c8da334e3cd31681f217a1dc13f15317b9945d37d520bp953], there is a "support new Packet support" option in "Enhanced": How do you add a "support new for Packet support_info" option* = g_strdup_printf("pcapng_read_packet_block: packet block packet id option length %u is not 8"," The version before 3.2.4 can work.

cheng hui (2021-05-10 11:31:48 +0000)