
I have a packet capture captured through a special switch that appends timestamps just before the FCS. These are generally referred to as "trailer timestamps".

However, after doing so, the FCS at the end of the packet is not updated. Hence, when I load the packet capture into Wireshark, all the packets are reported as having an incorrect frame check sequence.

Is there a utility like editcap etc. that I can use to remove, say, the last x bytes of each packet from a pcap?

Sandeep

3 Answers


Yes, editcap can remove the last x bytes of each packet. From the editcap man page:

-C [offset:]<choplen>

    Sets the chop length to use when writing the packet data. Each packet is 
    chopped by <choplen> bytes of data. Positive values chop at the packet
    beginning while negative values chop at the packet end.

Example: Remove the last 4 bytes of each packet

editcap.exe -C -4 foo.pcap foo_chopped.pcap

Of course doing this will then result in each packet being indicated with:

[Packet size limited during capture: Ethertype truncated]

... which is of course a misleading message as the Ethertype isn't truncated, just the Ethernet frame as the FCS has been removed in this case. Nonetheless, this is a rather harmless indication and so this solution may fit your needs.

Alternatively, you could more simply just disable Ethernet checksum validation. Do this via Edit -> Preferences -> Protocols -> Ethernet -> Validate the Ethernet checksum if possible: deselect -> OK.

Christopher Maynard
  • I need Ethernet checksum validation, because I am trying to debug some RX errors on a port. So neither of the solutions will work for me. However, I wrote my own application using the PcapPlusPlus plugin to do the needful. Good to know about the `editcap` feature. Thank you. – Sandeep Mar 04 '22 at 04:40
  • It seems we can use a negative offset with editcap to treat it as an index from the end. But there is some bug and editcap segfaults when I try to give a negative offset. – Sandeep Mar 04 '22 at 04:51
  • If there's a bug in `editcap` that causes a segfault under these conditions, then I may be to blame as I authored some of this functionality. The best way to resolve it is to open a [Wireshark Issue](https://gitlab.com/wireshark/wireshark/-/issues?sort=created_date&state=opened), but before doing so, you should ensure that you're working with the latest version in case there was a known bug that was already fixed. – Christopher Maynard Mar 04 '22 at 17:53

Please file an issue for this on the Wireshark issue list; it might make sense to treat frames with capture-switch trailers specially.

user16139739

I wrote my own application using https://github.com/seladb/PcapPlusPlus

Basically you can use pcapplusplus and iterate over each RawPacket and do something like

rawPacket.removeData(rawPacket.getRawDataLen() - FCS_LEN - bytesToRemove, bytesToRemove);
Sandeep
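The following is an added example, not code from the original post, from editcap or from PcapPlusPlus. It does in pure Python what the `rawPacket.removeData(...)` call above (and, for the simple "chop the end" case, `editcap -C`) does: it reads a classic little-endian pcap, drops the switch trailer that sits just before each frame's FCS, keeps the original FCS, and rewrites the record headers. Because the switch did not touch the FCS, stripping only the trailer restores a valid checksum, which is what the question needs when Ethernet checksum validation must stay enabled. The sample pcap, the MAC addresses and the 8-byte `TRAILER` value are constructed inline; the trailer length (8) is an assumption and should be set to whatever the real switch appends.

```python
"""Strip a capture-switch trailer from every frame in a pcap but keep the FCS.

Added example, not code from the original post, editcap or PcapPlusPlus. It
handles only classic little-endian pcap (magic 0xa1b2c3d4) whose Ethernet
frames include the 4-byte FCS, and assumes every packet was captured whole.
"""
import struct
import zlib

PCAP_MAGIC_LE = 0xA1B2C3D4
FCS_LEN = 4
# magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len, orig_len
PKT_HDR = struct.Struct("<IIII")


def fcs_ok(frame: bytes) -> bool:
    """Ethernet FCS check: last 4 bytes must be the CRC-32 (LSB first) of the rest."""
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def strip_trailer(frame: bytes, trailer_len: int) -> bytes:
    """Drop trailer_len bytes sitting just before the FCS and keep the original FCS.

    Same effect as rawPacket.removeData(len - FCS_LEN - trailer_len, trailer_len).
    """
    if len(frame) < trailer_len + FCS_LEN + 14:  # 14 = minimal Ethernet header
        raise ValueError("frame too short to hold header, trailer and FCS")
    return frame[:-(trailer_len + FCS_LEN)] + frame[-FCS_LEN:]


def iter_packets(data: bytes):
    """Yield (ts_sec, ts_usec, frame) for each record of a classic pcap."""
    magic, *_ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    off = GLOBAL_HDR.size
    while off < len(data):
        ts_sec, ts_usec, incl, orig = PKT_HDR.unpack_from(data, off)
        if incl != orig:  # snaplen-truncated frames cannot carry a valid FCS
            raise ValueError("truncated packet: FCS cannot be present")
        off += PKT_HDR.size
        yield ts_sec, ts_usec, data[off:off + incl]
        off += incl


def rewrite_pcap(data: bytes, trailer_len: int) -> bytes:
    """Return a new pcap in which every frame has the trailer removed."""
    out = bytearray(data[:GLOBAL_HDR.size])  # global header is unchanged
    for ts_sec, ts_usec, frame in iter_packets(data):
        new = strip_trailer(frame, trailer_len)
        out += PKT_HDR.pack(ts_sec, ts_usec, len(new), len(new)) + new
    return bytes(out)


# --- constructed sample input: two frames, each given an 8-byte trailer -------
TRAILER = bytes.fromhex("0001020304050607")  # stands in for the switch timestamp


def build_frame(payload: bytes) -> bytes:
    """Broadcast IPv4 frame with a correct FCS (addresses are made up)."""
    eth = bytes.fromhex("ffffffffffff" "001122334455" "0800") + payload
    return eth + struct.pack("<I", zlib.crc32(eth) & 0xFFFFFFFF)


def add_trailer(frame: bytes, trailer: bytes) -> bytes:
    """Mimic the capture switch: insert the trailer between payload and FCS."""
    return frame[:-FCS_LEN] + trailer + frame[-FCS_LEN:]


def build_pcap(frames) -> bytes:
    """Wrap frames in a classic pcap; linktype 1 = DLT_EN10MB."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += PKT_HDR.pack(1_600_000_000 + i, 0, len(f), len(f)) + f
    return bytes(out)


def demo():
    """FCS verdicts before and after stripping the trailer from the sample pcap."""
    frames = [build_frame(bytes(range(46))), build_frame(b"x" * 60)]
    captured = build_pcap([add_trailer(f, TRAILER) for f in frames])
    fixed = rewrite_pcap(captured, len(TRAILER))
    before = [fcs_ok(f) for _, _, f in iter_packets(captured)]
    after = [fcs_ok(f) for _, _, f in iter_packets(fixed)]
    return before, after


if __name__ == "__main__":
    print(demo())  # ([False, False], [True, True])
```

To use it on a real file, read the capture into `data`, call `rewrite_pcap(data, trailer_len)` and write the result out; Wireshark's Ethernet checksum validation can then stay enabled, since the stripped frames end in the FCS the sending station originally computed. The `incl != orig` check matters: a frame cut short by the snaplen never contains the FCS, so chopping it would remove payload instead of the trailer.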