Here is a quick little guide for fixing corrupted capture files using Wireshark.
From time to time, I’ll have to stop airodump in the middle of a capture.
This will often result in some malformed packets that cause aircrack to throw out some errors.
Rays-MacBook-Pro:_test doyler$ aircrack-ng target_main_2017_Nov_07-15\:41\:35-01.cap
Opening target_main_2017_Nov_07-15:41:35-01.cap
Invalid packet capture length 52096164 - corrupted file?
Read 49741 packets.
Normally this isn’t a huge issue, but it can cause problems from time to time.
The first issue that I’ve run into is that some packets end up being too large. As in the above example, one of the packets ended up being 52096164 bytes long. This can either be caused by an FTP transfer that was improperly captured, or some other malformed fields in the packet.
In this case, I found that pcapfix does a great job of finding and fixing the errors.
Rays-MacBook-Pro:_test doyler$ ~/tools/pcapfix-1.1.0/pcapfix target_main_2017_Nov_07-15\:41\:35-01.cap
pcapfix 1.1.0 (c) 2012-2014 Robert Krause

[*] Reading from file: target_main_2017_Nov_07-15:41:35-01.cap
[*] Writing to file: fixed_target_main_2017_Nov_07-15:41:35-01.cap
[*] File size: 18856502 bytes.
[+] This is a PCAP file.
[*] Analyzing Global Header...
[+] The global pcap header seems to be fine!
[*] Analyzing packets...
[*] Progress: 20.01 %
[*] Progress: 40.00 %
[*] Progress: 60.00 %
[+] CORRECTED Packet #49741 at position 12373506 (1510099337 | 698432 | 1574 | 1574).
[+] CORRECTED Packet #54515 at position 14105550 (1510099411 | 996853 | 327 | 327).
[*] Progress: 80.01 %
[+] CORRECTED Packet #67789 at position 17608747 (1510099601 | 999420 | 42 | 42).
[*] Progress: 100.00 %
[*] Wrote 70652 packets to file.
[!] This corruption seems to be a result of an ascii-mode transferred pcap file via FTP.
[!] The pcap structure of those files can be repaired, but the data inside might still be corrupted!
[+] SUCCESS: 3 Corruption(s) fixed!
Running the new file through aircrack worked just fine, and there were no errors.
Rays-MacBook-Pro:_test doyler$ aircrack-ng fixed_target_main_2017_Nov_07-15\:41\:35-01.cap
Opening fixed_target_main_2017_Nov_07-15:41:35-01.cap
Read 70652 packets.
Another common issue that I’ve found is captures with packets of length 0.
rays-mbp:Captures doyler$ aircrack-ng target_main_2017_Nov_07-17\:47\:51-01.cap -w ~/tools/cracking/rockyou.txt
Opening target_main_2017_Nov_07-17:47:51-01.cap
Invalid packet capture length 0 - corrupted file?
First, I would verify that the file type was correct (this was unnecessary).
rays-mbp:Captures doyler$ file target_main_2017_Nov_07-17\:47\:51-01.cap
target_main_2017_Nov_07-17:47:51-01.cap: tcpdump capture file (little-endian) - version 2.4 (802.11, capture length 65535)
Next, I tried to use ivstools to convert the file to an ivs file. This was completely unnecessary, and wouldn’t have worked anyway since I was dealing with WPA2.
rays-mbp:Captures doyler$ ivstools --convert target_main_2017_Nov_07-17\:47\:51-01.cap test.ivs
Opening target_main_2017_Nov_07-17:47:51-01.cap
Creating test.ivs
Corrupted file? Invalid packet length: 0.
After a bit of research and looking at the capture files, I realized that I could fix them using Wireshark.
First, I opened the file and found the malformed packet.
Next, I marked the first packet and the last normal packet. To do this, you right-click on the packet and select “Mark/Unmark Packet”.
With the beginning and end packets marked, it was time to export the file. To do this, you go to File -> Export Specified Packets.
With the export window opened, I made sure to select the “First to last marked” option, as this would export everything but my malformed packet.
Once I opened the fixed capture file in aircrack, there were no errors and it proceeded just fine!
Rays-MacBook-Pro:Captures doyler$ aircrack-ng target_main_2017_Nov_07-17\:47\:51-01-FIXED.cap -w ~/tools/cracking/rockyou.txt
Opening target_main_2017_Nov_07-17:47:51-01-FIXED.cap
Read 44829 packets.

   #  BSSID              ESSID                           Encryption

   1  9C:D2:xx:xx:xx:xx  HP-Print-45-Color LaserJet MFP  No data - WEP or WPA
   3  A4:6C:xx:xx:xx:50  TARGET_WIRELESS                 WPA (0 handshake)
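As an added example covering both fixes above (the pcapfix run and the Wireshark export), and not code from the post or from pcapfix itself, here is a small Python checker that applies the same plausibility rules to the per-packet headers of a classic pcap file: a record whose captured length is 0 or larger than the file's snaplen (the two aircrack errors shown) is skipped, the scan resynchronises on the next sane header the way pcapfix does, and the surviving records are written out. The function names, the one-hour timestamp window and the sample capture returned by build_sample() are my own assumptions and constructed data, not anything from the post's files.

```python
import struct

# Classic pcap magics -> (struct byte-order prefix, timestamp fraction limit);
# constructed table for micro- and nanosecond files in both byte orders.
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
              b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9)}
GLOBAL_HDR, RECORD_HDR = 24, 16   # file header and per-packet header sizes


def record_ok(data, off, endian, frac_max, snaplen, prev_sec):
    """Plausibility check for the record header at `off`: rejects the post's two
    cases (incl_len 0, incl_len above snaplen) and records cut off by the file end."""
    if off + RECORD_HDR > len(data):
        return False
    ts_sec, ts_frac, incl, orig = struct.unpack_from(endian + "IIII", data, off)
    if incl == 0 or incl > snaplen or incl > orig or ts_frac >= frac_max:
        return False
    if prev_sec is not None and not prev_sec - 1 <= ts_sec <= prev_sec + 3600:
        return False   # clock jumps over an hour from the previous good packet
    return off + RECORD_HDR + incl <= len(data)


def repair_pcap(data):
    """Copy the sane records of a classic pcap into a new file image and return
    (repaired_bytes, kept, corrupt_regions). After a bad header the scan
    resynchronises by sliding forward one byte at a time, as pcapfix does."""
    if len(data) < GLOBAL_HDR or data[:4] not in PCAP_MAGIC:
        raise ValueError("not a classic pcap file (bad magic or too short)")
    endian, frac_max = PCAP_MAGIC[data[:4]]
    snaplen = struct.unpack_from(endian + "I", data, 16)[0]
    out, kept, bad, prev_sec, off = [data[:GLOBAL_HDR]], 0, 0, None, GLOBAL_HDR
    while off + RECORD_HDR <= len(data):
        if record_ok(data, off, endian, frac_max, snaplen, prev_sec):
            prev_sec, _, incl, _ = struct.unpack_from(endian + "IIII", data, off)
            out.append(data[off:off + RECORD_HDR + incl])
            kept, off = kept + 1, off + RECORD_HDR + incl
        else:   # skip the bad header, then search for the next plausible one
            bad, off = bad + 1, off + 1
            while off + RECORD_HDR <= len(data) and not record_ok(
                    data, off, endian, frac_max, snaplen, prev_sec):
                off += 1
    return b"".join(out), kept, bad


def build_sample():
    """Constructed little-endian 802.11 capture (snaplen 65535): two good records,
    one record claiming 52096164 bytes followed by junk, and a zero-length tail."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    good1 = struct.pack("<IIII", 1510099337, 698432, 42, 42) + bytes(range(42))
    oversized = struct.pack("<IIII", 1510099340, 5, 52096164, 52096164) + b"\xff" * 7
    good2 = struct.pack("<IIII", 1510099345, 123456, 60, 60) + bytes(60)
    return hdr + good1 + oversized + good2 + struct.pack("<IIII", 1510099350, 0, 0, 0)
```

To run it on a real file, read it with open(path, "rb").read(), pass the bytes to repair_pcap() and write the first element of the result to a new file; like pcapfix, this only restores the record structure, so packet contents that were themselves mangled (for example by an ASCII-mode FTP transfer) stay mangled.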
For the most part, a lot of tools can still work around these captures with corrupted packets. That said, it was nice to get them working without errors for anything that couldn’t.
If you know of a better solution for either of these issues, then definitely let me know!
I know I promised fewer wireless posts, but I’ve been on a lot of engagements for it recently.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.