in my application i am open Tshark process and start capturing, when i want to finish to capturing i am kill the Tshark process so sometimes the capture file is corrupted and when i am trying to open this file i received the error the capture file appears to have been cut short in the middle of a packet - how to prevent this error there is a batter way to close the Tshark process to avoid this error ?
The capture file appears to have been cut short in the middle of a packet - how to prevent this error?
Try stopping the capture process with ctrl+c instead of killing the process.
Also, you can try using pcapfix to fix your corrupted packets, it may help making your existing files readable again.
i am open the process with windows = hidden so i don't see the windows, is it possible to stopping the capture process with ctrl+c ? –
Prunelle
If this is on UN*X, if you kill the process with kill -INTpid, then that will look just like a Ctrl+C. I'm not sure there's an equivalent on Windows.
Same problem when i use tshark to read FileCapture.
I find a solution in the tshark website and it's useful for me.
You can try to use "reordercap" to fix your packets. Here is usage:
reordercap your_source.pcap temp.pcap
However, I don not know if "reordercap" will have any effect on the packets. So be careful.
Here is the webpage of tshark: tshark webpage
I know this post is old, but in case anyone else runs across this:
The OP is probably running something like this:
tshark > capture.cap
And then killing it with CTRL+C. This will corrupt the file.
Instead of redirecting the output, use the -w option:
tshark -w capture.cap
Then you can kill it with CTRL+C and shouldn't have any corruption issues.
Running
tshark > capture.cap won't even produce a capture file that's readable by Wireshark - it'll produce a text file with dissections of the packets. –
Truculent © 2022 - 2024 — McMap. All rights reserved.