Packet capture and Wireshark

  • After downloading a packet capture and open it with wireshark, it seems data are corrupted. Wireshark said :

    The capture file appears to be damaged or corrupt.
    (pcap: File has 1701323325-byte packet, bigger than maximum of 65535)

    Always reproductible. All capture settings are default values. Never append with Pfsense v1.2.3.

  • Rebel Alliance Developer Netgate

    I do packet captures on 1.2.3 systems all the time and they work fine for me.

    Is this a full install or embedded? If it's embedded, install the "Packet Capture Fix" package and see if that makes a difference.

  • Sorry for my bad english. Packet captures works fine for me too on 1.2.3. This error occur on V2 Beta 4 (today snapshoot).
    It's a full install.

  • Rebel Alliance Developer Netgate

    It works for me on 2.0 as well. Are you on i386 or amd64?

  • i386. Today I downgrade to this snapshoot :
    Same problem. Wireshark is Version 1.2.9 on Win XP SP3.
    I'm not sure : under certain amount (4 ou 5 lines in Pfsense GUI) of datas it seem to work.
    This Pfsense is installed on a vm (Vmware ESX 3.5). Only wan interface is active. Pfsense + Squid 2.x + Lightsquid + Squidguard installed for testing as a proxy.

  • I update Wireshark to the latest release. Same thing.
    Looking at Wireshark after error message, the last frame displayed is always http:

    2 2010-12-15 21:15:13.709145 HTTP Continuation or non-HTTP traffic

    HTTP Continuation or non-HTTP traffic is always displayed in info field

    The header is :

    Frame 2: 1314 bytes on wire (10512 bits), 1314 bytes captured (10512 bits)
    Ethernet II, Src: 00:0c:29:c5:2c:76 (00:0c:29:c5:2c:76), Dst: 00:50:04:48:f6:e0 (00:50:04:48:f6:e0)
    Internet Protocol, Src: (, Dst: (
    Transmission Control Protocol, Src Port: http (80), Dst Port: dlms-cosem (4059), Seq: 1, Ack: 1, Len: 1260

Log in to reply