
I am getting an error when I try to dump a packet to a pcap file.

 {    
    unsigned char *ofilename = "packet.pcap";

    pcap_t *fp;
    pcap_dumper_t *dumpfile;

    const struct pcap_pkthdr *header;

    fp = pcap_open_dead(DLT_RAW,256);

    if(fp != NULL)
    {
        dumpfile = pcap_dump_open(fp, ofilename);

        if(dumpfile == NULL)
        {
            printf("\nError opening output file\n");
            return;
        }

        pcap_dump((u_char *)dumpfile,header,data);

        pcap_close(fp);
        pcap_dump_close(dumpfile); 
    }
}

Here `data` is a `u8 data[256]`, i.e. 256 bytes of data, which holds the packet bytes like this:

FF FF FF FF FF FF 00 50 56 A8 11 39 81 00 0F FC 81 00 1F FC 08 06 00 01 08 00 06 04 00 01 00 50 56 A8 11 39 65 2B 01 0A 00 00 00 00 00 00 65 2B

But when I open packet.pcap I get "The capture file appears to be damaged or corrupt. (pcap: File has 1847605831-byte packet, bigger than maximum of 65535)".

Could someone please help me with what is going wrong?

  • A simple google search will show you [this](https://ask.wireshark.org/questions/3243/error-message-the-capture-file-appears-to-be-damaged-or-corrupt) and [this](https://ask.wireshark.org/questions/8931/capture-file-appears-to-be-damaged-or-corrupt). Did you try those? – Sourav Ghosh Oct 21 '14 at 11:11
  • Yes, but what I could see is that when I checked the size of packet.pcap it was 590 MB! I don't think this is a valid size for a pcap file; it's way too much. – Aishu Oct 21 '14 at 11:20
  • I suppose pcap_open_dead(DLT_RAW,256) allows only 256 bytes to be written, but why is the .pcap so large? – Aishu Oct 21 '14 at 11:21
    Where and how are you initializing `const struct pcap_pkthdr *header `? It appears uninitialized in your code. You'll have to initialize it and set the correct caplen and len. – nos Oct 21 '14 at 11:30
  • Will pcap_open_dead not initialise the packet header? I tried to initialize caplen but I got an error saying "readable data being changed", so I changed pcap_open_dead(DLT_RAW,65535) to pcap_open_dead(DLT_RAW,256). – Aishu Oct 21 '14 at 11:46
  • "will not pcap_open_dead initialise the packet header" No, it won't. –  Oct 21 '14 at 19:03

2 Answers

Kindly install "pcapfix" on Linux and run it on the corrupt file as follows

$ pcapfix -d 'file / file path here'

This will fix it.


Try something such as

#include <stdio.h>
#include <sys/time.h>
#include <pcap/pcap.h>

static void write_one_packet(const u_char *data)
{
    const char *ofilename = "packet.pcap";   /* pcap_dump_open() takes a const char * */

    pcap_t *fp;
    pcap_dumper_t *dumpfile;

    struct pcap_pkthdr header;   /* a real struct we can fill in, not a dangling pointer */

    fp = pcap_open_dead(DLT_RAW,256);

    if(fp != NULL)
    {
        dumpfile = pcap_dump_open(fp, ofilename);

        if(dumpfile == NULL)
        {
            printf("\nError opening output file\n");
            pcap_close(fp);
            return;
        }

        header.caplen = 256; /* or however many bytes actually contain packet data */
        header.len = 256; /* or however many bytes actually contain packet data */
        gettimeofday(&header.ts, NULL);  /* I'm assuming this is on some flavor of UN*X */

        pcap_dump((u_char *)dumpfile,&header,data);

        pcap_dump_close(dumpfile);   /* flushes and closes the output file */
        pcap_close(fp);
    }
}

For one thing, just because a function takes an argument of type "{something} *", that doesn't mean you should pass to it a variable of type "{something} *". You must pass it a value of type "{something} *", but it must be a valid value, i.e. it must point to something.

An uninitialized variable of type "{something} *", which is what you have in your code, doesn't point to anywhere valid.

However, if you declare a variable of type "{something}", rather than "{something} *", you can use the & operator on that variable to get a value of type "{something} *" that points to the variable.

Then, as indicated, you have to give that variable a value if you're passing it to pcap_dump(). You have to set the len and caplen members of a struct pcap_pkthdr; the caplen member must be equal to the actual number of bytes of packet data (which might be less than the size of the array if the packet isn't, in your case, exactly 256 bytes long), and the len member must be at least that value; len would only be bigger than caplen if the packet came from a capture done with a "snapshot length" value that discarded everything in the packet past a certain point, which isn't the case here, so len should be equal to caplen.

You probably also want to set the time stamp of the packet; I'm assuming you're running on some form of UN*X here, so you can use gettimeofday() to get the current time. If this is Windows with WinPcap, you'll probably have to do something else.

(header must not be const here, as you have to set it. It doesn't have to be const; it's const in the declaration of pcap_dump(), but that just means that pcap_dump() won't change it, so you can pass it a pointer to something that's const; you don't have to pass it something that's const.)
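Added example (editor's code, not from the question, either answer, or libpcap) illustrating both the question's symptom and the second answer's fix. libpcap's pcap_dump() writes a record header taken from the struct you pass and then caplen bytes starting at data, so an uninitialized header puts a garbage caplen (1847605831 here) into the file and, most likely, copies that many bytes of whatever followed `data` in the process's memory into packet.pcap until an unreadable page was hit, which is where a 590 MB output file comes from. The block below needs no libpcap: it lays out the classic little-endian pcap file format by hand around the 48 frame bytes quoted in the question (embedded as constructed sample data), walks the file back with the same caplen limit behind the "bigger than maximum of 65535" message, and then patches the garbage caplen into the record header to reproduce the error. One caveat the answers do not raise: the quoted bytes are an Ethernet frame (broadcast destination MAC, two 802.1Q tags 0x8100, then ARP 0x0806), so the link type that matches them is DLT_EN10MB (1), not DLT_RAW, which tells dissectors to treat the first byte as an IP header. The timestamp and the stricter consistency checks (caplen > len is rejected too) are this example's choices, not libpcap behaviour.

```c
/* Minimal little-endian pcap ("savefile") writer and validator.
 * Added example, not libpcap code; readers detect byte order from the magic. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC        0xa1b2c3d4u
#define PCAP_MAX_SNAPLEN  65535u   /* the limit named in the question's error */
#define LINKTYPE_ETHERNET 1u       /* DLT_EN10MB: the sample below is an Ethernet frame */
#define FILE_HDR_LEN      24u
#define REC_HDR_LEN       16u

/* Constructed from the hex dump in the question (the 48 bytes shown):
 * broadcast dst MAC, src MAC, two 802.1Q tags (0x8100), ethertype ARP (0x0806). */
static const uint8_t sample_frame[] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x00,0x50,0x56,0xA8,0x11,0x39,
    0x81,0x00,0x0F,0xFC, 0x81,0x00,0x1F,0xFC, 0x08,0x06,
    0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01,
    0x00,0x50,0x56,0xA8,0x11,0x39, 0x65,0x2B,0x01,0x0A,
    0x00,0x00,0x00,0x00,0x00,0x00, 0x65,0x2B
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Write a one-packet pcap file into buf. Returns the file length, or 0 if the
 * buffer is too small or the header values are invalid. caplen is the number of
 * bytes of pkt actually stored, len the original wire length (>= caplen). */
size_t pcap_write_one(uint8_t *buf, size_t bufsz, uint32_t linktype,
                      uint32_t ts_sec, uint32_t ts_usec,
                      const uint8_t *pkt, uint32_t caplen, uint32_t len)
{
    if (caplen > PCAP_MAX_SNAPLEN || len < caplen) return 0;
    if (bufsz < FILE_HDR_LEN + REC_HDR_LEN + caplen) return 0;
    put32(buf + 0, PCAP_MAGIC);
    put16(buf + 4, 2);                 /* version 2.4 */
    put16(buf + 6, 4);
    put32(buf + 8, 0);                 /* thiszone: UTC */
    put32(buf + 12, 0);                /* sigfigs: unused */
    put32(buf + 16, PCAP_MAX_SNAPLEN); /* snaplen */
    put32(buf + 20, linktype);
    uint8_t *rec = buf + FILE_HDR_LEN; /* per-packet record header, then caplen data bytes */
    put32(rec + 0, ts_sec);
    put32(rec + 4, ts_usec);
    put32(rec + 8, caplen);
    put32(rec + 12, len);
    memcpy(rec + REC_HDR_LEN, pkt, caplen);
    return FILE_HDR_LEN + REC_HDR_LEN + caplen;
}

/* Walk the records the way a reader does. Returns the packet count, or -1 with a
 * message in err. The first check is the one behind the error in the question;
 * the later ones are stricter than libpcap's own reader. */
int pcap_validate(const uint8_t *buf, size_t n, char *err, size_t errsz)
{
    if (n < FILE_HDR_LEN || get32(buf) != PCAP_MAGIC) {
        snprintf(err, errsz, "not a little-endian pcap file");
        return -1;
    }
    uint32_t snaplen = get32(buf + 16);
    size_t pos = FILE_HDR_LEN;
    int count = 0;
    while (pos < n) {
        if (n - pos < REC_HDR_LEN) { snprintf(err, errsz, "truncated record header"); return -1; }
        uint32_t caplen = get32(buf + pos + 8), len = get32(buf + pos + 12);
        if (caplen > PCAP_MAX_SNAPLEN) {
            snprintf(err, errsz, "File has %" PRIu32 "-byte packet, bigger than maximum of %u",
                     caplen, PCAP_MAX_SNAPLEN);
            return -1;
        }
        if (caplen > snaplen || caplen > len) {
            snprintf(err, errsz, "caplen %" PRIu32 " exceeds snaplen %" PRIu32 " or len %" PRIu32,
                     caplen, snaplen, len);
            return -1;
        }
        if (n - pos - REC_HDR_LEN < caplen) { snprintf(err, errsz, "record data truncated"); return -1; }
        pos += REC_HDR_LEN + caplen;
        count++;
    }
    return count;
}

/* The file the question's code should have produced (timestamp is constructed). */
size_t build_good_file(uint8_t *buf, size_t bufsz)
{
    return pcap_write_one(buf, bufsz, LINKTYPE_ETHERNET, 1413889200u, 0,
                          sample_frame, (uint32_t)sizeof sample_frame, (uint32_t)sizeof sample_frame);
}

/* The question's symptom: same file, but the record's caplen field replaced by
 * the garbage value an uninitialized struct pcap_pkthdr left behind. */
size_t build_bad_file(uint8_t *buf, size_t bufsz)
{
    size_t n = build_good_file(buf, bufsz);
    if (n) put32(buf + FILE_HDR_LEN + 8, 1847605831u);
    return n;
}

int main(void)
{
    uint8_t buf[256]; char err[128];
    size_t n = build_good_file(buf, sizeof buf);
    printf("good file: %zu bytes, %d packet(s)\n", n, pcap_validate(buf, n, err, sizeof err));
    n = build_bad_file(buf, sizeof buf);
    int r = pcap_validate(buf, n, err, sizeof err);
    printf("bad file: %s\n", r < 0 ? err : "unexpectedly valid");
    return 0;
}
```

Because the validator refuses anything a reader would refuse, it doubles as a check to run on your own writer's output before handing the file to Wireshark; the same walk is also the first thing to do on an untrusted capture, since a hostile caplen is exactly what the "bigger than maximum" test in libpcap exists to stop.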