pcapfix

pcapfix tries to repair your broken pcap and pcapng files.

To fix your pcap files the tool first checks for an intact pcap global header and repairs it if there are some corrupted bytes. It there seems to be no global header at all, pcapfix adds a self-created one at the beginning of the file. In a second step the tool tries to find pcap packet headers inside the file, below the global header. It checks if the values are correct (or seem to be correct) and tries to repair a packet if there is something wrong.

To fix your pcapng files the tool loops through all packet headers that can be found in the file. It checks for mandatory Section Header and Interface Description Block and creates them if missing. Pcapfix checks for correct block sizes and valid option fields. If something is wrong, invalid fields are repaired (if possible) or skipped and adjusted to finally get a proper pcapng file.

Why?

Sometimes your captured pcap files get cut off or are being corrupted in other ways. Also some capture the flag challenges deal with damaged pcap files periodically. Therefore this tool has been written!

Algorithm

pcapfix will first step through the packets respectively blocks top down until it recognizes corrupted data by checking field validity and using plausibility checks. After that the tool will brute force further pcap packet headers respectively block headers by reading the file byte by byte. If another proper packet or block is found, pcapfix restores the data in between by adding a well-formed pcap packet header or skips it if unusable.

Online Version

If you have any problems in compiling pcapfix or are not able to use it on your platform, tell me about this to improve pcapfix. As long as your problems remain you can use the online version of pcapfix too.

It is available HERE.

What it looks like...

Reparation of pcapng file with broken name resolution block

Verbose reparation of pcap file including two corrupted packets

text output

What you can do to help

You can help out by telling me your futher wishes and features you would like pcapfix to have got. Furthermore you can send me bug reports and error messages or any broken pcap files if pcapfix is not able to repair them correctly. Last but not least, if there are any other file formats you would to have repaired and there is no tool available yet, then tell me about your idea!