Fixing Corrupted Capture Files with Wireshark

Here is a quick little guide for fixing corrupted capture files using Wireshark.

Fixing Corrupted Capture Files – Introduction

From time to time, I’ll have to stop airodump in the middle of a capture.

This will often result in some malformed packets that cause aircrack to throw out some errors.

Rays-MacBook-Pro:_test doyler$ aircrack-ng target_main_2017_Nov_07-15\:41\:35-01.cap 
Opening target_main_2017_Nov_07-15:41:35-01.cap

Invalid packet capture length 52096164 - corrupted file?
Read 49741 packets.

Normally this isn’t a huge problem, but it can cause issues from time to time.

Packets of Length > 0

The first issue that I’ve run into is that some packets end up being too large. In the above example, one of the packets ended up being 52096164 bytes long. This can be caused either by an FTP transfer that was improperly captured, or by some other malformed field in the packet.

Fixing Corrupted Capture Files - Large Packet

In this case, I found that pcapfix does a great job of finding and fixing the errors.

Rays-MacBook-Pro:_test doyler$ ~/tools/pcapfix-1.1.0/pcapfix target_main_2017_Nov_07-15\:41\:35-01.cap 
pcapfix 1.1.0 (c) 2012-2014 Robert Krause

[*] Reading from file: target_main_2017_Nov_07-15:41:35-01.cap
[*] Writing to file: fixed_target_main_2017_Nov_07-15:41:35-01.cap
[*] File size: 18856502 bytes.
[+] This is a PCAP file.
[*] Analyzing Global Header...
[+] The global pcap header seems to be fine!
[*] Analyzing packets...
[*] Progress:  20.01 %
[*] Progress:  40.00 %
[*] Progress:  60.00 %
[+] CORRECTED Packet #49741 at position 12373506 (1510099337 | 698432 | 1574 | 1574).
[+] CORRECTED Packet #54515 at position 14105550 (1510099411 | 996853 | 327 | 327).
[*] Progress:  80.01 %
[+] CORRECTED Packet #67789 at position 17608747 (1510099601 | 999420 | 42 | 42).
[*] Progress: 100.00 %
[*] Wrote 70652 packets to file.
[!] This corruption seems to be a result of an ascii-mode transferred pcap file via FTP.
[!] The pcap structure of those files can be repaired, but the data inside might still be corrupted!
[+] SUCCESS: 3 Corruption(s) fixed!

Running the new file through aircrack worked just fine, and there were no errors.

Rays-MacBook-Pro:_test doyler$ aircrack-ng fixed_target_main_2017_Nov_07-15\:41\:35-01.cap 
Opening fixed_target_main_2017_Nov_07-15:41:35-01.cap
Read 70652 packets.

0 Length Packets

Another common issue that I’ve found is captures with packets of length 0.

rays-mbp:Captures doyler$ aircrack-ng target_main_2017_Nov_07-17\:47\:51-01.cap -w ~/tools/cracking/rockyou.txt
Opening target_main_2017_Nov_07-17:47:51-01.cap
Invalid packet capture length 0 - corrupted file?

First, I verified that the file type was correct (this turned out to be unnecessary).

rays-mbp:Captures doyler$ file target_main_2017_Nov_07-17\:47\:51-01.cap 
target_main_2017_Nov_07-17:47:51-01.cap: tcpdump capture file (little-endian) - version 2.4 (802.11, capture length 65535)

Next, I tried to use ivstools to convert the file to an ivs file. This was completely unnecessary, and wouldn’t have worked anyway since I was dealing with WPA2.

rays-mbp:Captures doyler$ ivstools --convert target_main_2017_Nov_07-17\:47\:51-01.cap test.ivs
Opening target_main_2017_Nov_07-17:47:51-01.cap
Creating test.ivs
Corrupted file? Invalid packet length: 0.

Enter Wireshark

After a bit of research and looking at the capture files, I realized that I could fix them using Wireshark.

First, I opened the file and found the malformed packet.

Fixing Corrupted Capture Files - Malformed Packet

Next, I marked the first packet and the last normal packet. To do this, you right-click on the packet and select “Mark/Unmark Packet”.

Fixing Corrupted Capture Files - Marking Packet

With the beginning and end packets marked, it was time to export the file. To do this, you go to File -> Export Specified Packets.

Fixing Corrupted Capture Files - Export Packets

With the export window opened, I made sure to select the “First to last marked” option, as this would export everything but my malformed packet.

Fixing Corrupted Capture Files - Save Packets
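The manual Wireshark export above amounts to "keep the global header and every record before the first bad one". Here is that same check scripted against the classic pcap layout, as an added example that is not part of the original post: it flags the two header faults seen in this post (a capture length of 0 and one far larger than the snaplen) and writes out only the good prefix. The sample capture and its frame bytes are constructed for the demo.

```python
import struct

# Classic pcap layout, little-endian as `file` reported for the capture above.
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, caplen, origlen (the four values pcapfix prints)
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond / nanosecond timestamp variants

def parse_records(data):
    """Walk every record and return (good_records, index_of_first_bad_record, reason).
    A header is rejected when caplen is 0, exceeds snaplen or origlen, or runs past EOF:
    the conditions behind aircrack-ng's "Invalid packet capture length" message."""
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data, 0)
    if magic not in PCAP_MAGICS:
        raise ValueError("not a little-endian classic pcap file")
    records, offset, idx = [], GLOBAL_HDR.size, 0
    while offset + REC_HDR.size <= len(data):
        _, _, caplen, origlen = REC_HDR.unpack_from(data, offset)
        if caplen == 0:
            return records, idx, f"packet {idx}: capture length 0"
        if caplen > snaplen or caplen > origlen:
            return records, idx, f"packet {idx}: capture length {caplen} exceeds snaplen {snaplen}"
        if offset + REC_HDR.size + caplen > len(data):
            return records, idx, f"packet {idx}: record runs past end of file"
        records.append(data[offset:offset + REC_HDR.size + caplen])
        offset += REC_HDR.size + caplen
        idx += 1
    return records, None, "ok"

def salvage(data):
    """Same result as Wireshark's 'First to last marked' export: the global header
    plus every record before the first malformed one."""
    records, bad, reason = parse_records(data)
    return data[:GLOBAL_HDR.size] + b"".join(records), bad, reason

def build_sample(bad_caplen=0):
    """Constructed capture: two sane 802.11 records, one with a bogus caplen, then one more good one."""
    hdr = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)  # linktype 105 = IEEE 802.11

    def rec(payload, caplen=None):
        caplen = len(payload) if caplen is None else caplen
        return REC_HDR.pack(1510099337, 698432, caplen, len(payload)) + payload

    return (hdr + rec(b"\x80\x00" + b"\x00" * 22) + rec(b"\x40\x00" + b"\x00" * 10)
            + rec(b"\x08\x00" + b"\x00" * 30, caplen=bad_caplen) + rec(b"\xd4\x00" + b"\x00" * 8))

if __name__ == "__main__":
    for caplen in (0, 52096164):  # the two failures seen in the post
        fixed, bad, reason = salvage(build_sample(caplen))
        print(f"{reason}; kept {len(parse_records(fixed)[0])} records")
```

Unlike pcapfix, this drops everything from the first bad record onward rather than trying to repair the header, so any valid frames after it are lost too.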

Attempting to Crack

Once I opened the fixed capture file in aircrack, there were no errors and it proceeded just fine!

Rays-MacBook-Pro:Captures doyler$ aircrack-ng target_main_2017_Nov_07-17\:47\:51-01-FIXED.cap -w ~/tools/cracking/rockyou.txt
Opening target_main_2017_Nov_07-17:47:51-01-FIXED.cap
Read 44829 packets.
   #  BSSID              ESSID                     Encryption
   1  9C:D2:xx:xx:xx:xx  HP-Print-45-Color LaserJet MFP  No data - WEP or WPA
   3  A4:6C:xx:xx:xx:50  TARGET_WIRELESS             WPA (0 handshake)

Fixing Corrupted Capture Files – Conclusion

For the most part, many tools can still work around these corrupted packets in a capture. That said, it was nice to get the files working without errors for anything that couldn’t.

If you know of a better solution for either of these issues, then definitely let me know!

I know I promised fewer wireless posts, but I’ve been on a lot of engagements for it recently.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.
