Using Tshark to remove malformed packets

Hi all,

I want to use tcprewrite to change the MAC address of the packets in my pcap file, but whenever I try to do so, I get the error message "Fatal Error: Error rewriting packets". I narrowed it down to 1 specific packet, and in Wireshark, it is indicated as "malformed". (Other malformed packets in the same pcap did not affect tcprewrite, but this packet did.)

Since "malformed" is not an actual protocol, I can't use tshark on my Linux server to remove them first. Is there any other way to remove such malformed packets?

Thank you.

lancer6238
asked 2019-03-16 20:36:59 +0000
1 Answer

"malformed" is not an actual protocol

...but _ws.malformed is a valid named field; try using !_ws.malformed as a filter to display only the non-malformed packets.

(What does Wireshark display as the contents of that packet? Does it have source and destination MAC addresses? If so, you might want to report a bug in tcprewrite.)

Guy Harris
answered 2019-03-17 00:01:10 +0000
Comments

Is "_ws.malformed" only valid in Wireshark? Can I use it in tshark too?

lancer6238 (2019-03-17 03:04:46 +0000)

Is "_ws.malformed" only valid in Wireshark? Can I use it in tshark too?

Wireshark and TShark use the exact same code to dissect packets (as in "the code comes from the exact same file", in most if not all cases - libwireshark is a shared library), so, no, it's not only valid in Wireshark, and you can use it in TShark.

Guy Harris (2019-03-17 16:10:36 +0000)

Thanks! This worked.

lancer6238 (2019-03-18 04:51:05 +0000)
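
The filter from the answer, applied with tshark as confirmed in the comments. This is an added example, not part of the original thread: the function names and file paths are hypothetical, and `-F pcap` assumes the tool that reads the result wants classic pcap rather than tshark's default pcapng.

```shell
#!/bin/sh
# Added example: strip packets that the dissectors flag with _ws.malformed.
# Function names and file names are hypothetical placeholders.

# Print the frame number of every malformed packet, one per line,
# so the offending frames can be inspected before they are dropped.
list_malformed() {
    [ -r "$1" ] || { echo "cannot read capture: $1" >&2; return 2; }
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 3; }
    tshark -r "$1" -Y '_ws.malformed' -T fields -e frame.number
}

# Copy every packet that is NOT flagged malformed from SRC to DST.
strip_malformed() {
    src=$1
    dst=$2
    [ -n "$src" ] && [ -n "$dst" ] || { echo "usage: strip_malformed SRC DST" >&2; return 1; }
    [ -r "$src" ] || { echo "cannot read capture: $src" >&2; return 2; }
    [ "$src" != "$dst" ] || { echo "refusing to overwrite the input capture" >&2; return 1; }
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 3; }

    # -Y applies the display filter; with -w only matching packets are written.
    # -F pcap is an assumption about what the downstream tool expects.
    tshark -r "$src" -Y '!_ws.malformed' -F pcap -w "$dst" || return 4

    # Re-dissect the output and confirm nothing is still flagged.
    left=$(tshark -r "$dst" -Y '_ws.malformed' -T fields -e frame.number | wc -l | tr -d ' ')
    if [ "$left" -ne 0 ]; then
        echo "$left packet(s) in $dst are still flagged malformed" >&2
        return 5
    fi
    return 0
}

# Typical use (placeholder file names):
#   list_malformed capture.pcap
#   strip_malformed capture.pcap clean.pcap
# then run tcprewrite against clean.pcap instead of capture.pcap.
```

The original capture is left untouched, so the dropped frames remain available if a tcprewrite bug report is needed.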