PCAPs exported from Malware Analysis Appliance may contain incorrect capture- and packet length values

Article Id: 168409

Status: Published

Updated On: 13-05-2017 11:41

Legacy Id: TECH245036

Products:

Malware Analysis Software - MA

Issue/Introduction:

While analyzing PCAP files exported from MAA, in some situations libpcap may complain that packet length does not match snap length.

The snaplen parameter of the pcap file is set to 1500, but packets in the file may have caplen or pktlen greater than 1500.

Cause:

This is due to a bug in Malware Analysis Appliance versions prior to v4.2.4.

Resolution:

To resolve this issue, upgrade the MAA to version 4.2.4.

Workaround

For PCAPs that are currently broken by this bug, you can fix the file by manually editing the snaplen of the PCAP file header to be 1514.

A procedure for doing so is outside the scope of this document.