pcapfix v1.1.7 README
Pcapfix is a tool to repair your damaged or corrupted pcap and pcapng files. It is written in C and released under the GNU General Public License.
To fix your pcap files the tool first checks for an intact pcap global header and repairs it if there are some corrupted bytes. It there seems to be no global header at all, pcapfix adds a self-created one at the beginning of the file. In a second step the tool tries to find pcap packet headers inside the file, below the global header. It checks if the values are correct (or seem to be correct) and tries to repair a packet if there is something wrong.
To fix your pcapng files the tool loops through all packet headers that can be found in the file. It checks for mandatory Section Header Block and Interface Description Block and creates them if missing. Pcapfix checks for correct block sizes and valid option fields. If something is wrong, invalid fields are repaired (if possible) or skipped and adjusted to finally get a proper pcapng file.
Please send any further wishes, feature requests or problems in compiling and execution to ruport@f00l.de. Additionally You may send me pcap/pcapng files that could not be repaired too in order to improve pcapfix and get your file repaired.
For further information visit the pcapfix homepage at http://f00l.de/pcapfix/.
./pcapfix [OPTIONS] filename
OPTIONS: -d , --deep-scan Deep Scan (default = 0) (pcap only!)
-s , --soft-mode Soft mode (packet detection)
-n , --pcapng Force File Format to PCAPNG
-o
Output file name ................ If you want to perform the reparation process on the input file without creating a separate output file - e.g. in case you are out of space, you can use the -o option and give the same name as the input file.
WARNING: This process is DANGEROUS and may destroy your data. You should only use this option if you know what you are doing and accept the risk of losing the input file.
Deep Scan Option ................
In classic pcap files, pcapfix will only scan the first 262144 bytes (maximum packet length) for a proper first packet. If you want to force packet detection even above this limit (e.g. because your file has been heavily destroyed) you can use the deep scan option (-d).
This option is not necessary for pcapng files because the whole file is arranged in blocks that are 'unlimited' by default. In result pcapfix will always scan the whole pcapng file for further blocks.
Soft Mode .........
There are programs that breach some pcap conventions when writing files. Ignoring those rules do not break the pcap file but they make it difficult for pcapfix to identify the packets in case of broken files.
By default pcapfix uses hard mode. If you encounter problems when repairing files, try to switch to soft mode (-s). Pcapfix will then try to find the packets in a more tolerant way.
PCAPNG Format .............
Pcapfix will try to identify the file format to repair (pcap / pcapng) before doing any further checks. If the header itself is corrupted, it will assume the format to be classic pcap. To change this behaviour you can force the tool to do a pcapng-repair by supplying -n (--pcapng) option.
Verbosity .........
You can use multiple -v options to increase verbosity. An verbosity of 2 will result in very much output data during package search.
ASCII-mode transfered Files (FTP) .................................
Pcapfix is able to repair classic pcap files that have been transfered in ascii-mode via FTP. In those files a proper pcap structure will be created only to make them readable by wireshark etc. The data inside the packets (and some pcap headers) might still be corrupted. To repair those packets a deeper look inside the packet structure (e.g. checksum) will be necessary.
Data Link Types ...............
You can make pcapfix change / select your data link type by supplying -t option. Although you may select a data link type number between 0 and 255, only the following types are assigned: If the data link type field is corrupt, pcapfix will select LINKTYPE_ETHERNET by default.
See http://www.tcpdump.org/linktypes.html for futher information.
NUMBER LINK_TYPE
0 LINKTYPE_NULL 1 LINKTYPE_ETHERNET 6 LINKTYPE_TOKEN_RING 7 LINKTYPE_ARCNET_BSD 8 LINKTYPE_SLIP 9 LINKTYPE_PPP 10 LINKTYPE_FDDI 50 LINKTYPE_PPP_HDLC 51 LINKTYPE_PPP_ETHER 100 LINKTYPE_ATM_RFC1483 101 LINKTYPE_RAW 104 LINKTYPE_C_HDLC 105 LINKTYPE_IEEE802_11 107 LINKTYPE_FRELAY 108 LINKTYPE_LOOP 113 LINKTYPE_LINUX_SLL 114 LINKTYPE_LTALK 117 LINKTYPE_PFLOG 119 LINKTYPE_PRISM_HEADER 122 LINKTYPE_IP_OVER_FC 123 LINKTYPE_SUNATM 127 LINKTYPE_IEEE802_11_RADIO 129 LINKTYPE_ARCNET_LINUX 138 LINKTYPE_APPLE_IP_OVER_IEEE1394 139 LINKTYPE_MTP2_WITH_PHDR 140 LINKTYPE_MTP2 141 LINKTYPE_MTP3 142 LINKTYPE_SCCP 143 LINKTYPE_DOCSIS 144 LINKTYPE_LINUX_IRDA 147-162 LINKTYPE_USER0-LINKTYPE-USER15 163 LINKTYPE_IEEE802_11_RADIO_AVS 166 LINKTYPE_PPP_PPPD 169 LINKTYPE_GPRS_LLC 177 LINKTYPE_LINUX_LAPD 187 LINKTYPE_BLUETOOTH_HCI_H4 189 LINKTYPE_USB_LINUX 192 LINKTYPE_PPI 195 LINKTYPE_IEEE802_15_4 196 LINKTYPE_SITA 197 LINKTYPE_ERF 201 LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR 202 LINKTYPE_AX25_KISS 203 LINKTYPE_LAPD 204 LINKTYPE_PPP_WITH_DIR 205 LINKTYPE_C_HDLC_WITH_DIR 206 LINKTYPE_FRELAY_WITH_DIR 209 LINKTYPE_IPMB_LINUX 215 LINKTYPE_IEEE802_15_4_NONASK_PHY 220 LINKTYPE_USB_LINUX_MMAPPED 224 LINKTYPE_FC_2 225 LINKTYPE_FC_2_WITH_FRAME_DELIMS 226 LINKTYPE_IPNET 227 LINKTYPE_CAN_SOCKETCAN 228 LINKTYPE_IPV4 229 LINKTYPE_IPV6 230 LINKTYPE_IEEE802_15_4_NOFCS 231 LINKTYPE_DBUS 235 LINKTYPE_DVB_CI 236 LINKTYPE_MUX27010 237 LINKTYPE_STANAG_5066_D_PDU 239 LINKTYPE_NFLOG 240 LINKTYPE_NETANALYZER 241 LINKTYPE_NETANALYZER_TRANSPARENT 242 LINKTYPE_IPOIB 243 LINKTYPE_MPEG_2_TS 244 LINKTYPE_NG40 245 LINKTYPE_NFC_LLCP
Copyright 2012-2021 Robert Krause
Pcapfix is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.
Pcapfix is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with Pcapfix. If not, see http://www.gnu.org/licenses/.