PCAPs exported from Malware Analysis Appliance may contain incorrect capture- and packet length values

Article ID: 168409

Products

Malware Analysis Software - MA

Issue/Introduction

When analyzing PCAP files exported from MAA, libpcap may in some situations complain that a packet's length does not match the snap length.

The snaplen parameter of the pcap file is set to 1500, but packets in the file may have caplen or pktlen greater than 1500.

Cause

This is due to a bug in Malware Analysis Appliance versions prior to v4.2.4.

Resolution

To resolve this issue, upgrade the MAA to version 4.2.4.

Workaround

For PCAPs that are already broken by this bug, you can fix the file by manually editing the snaplen field in the PCAP file header to be 1514.

A procedure for doing so is outside the scope of this document.
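
The following Python sketch is an added example, not part of the original article or a vendor-supplied tool. It assumes the classic libpcap file format (24-byte global header with snaplen at byte offset 16, 16-byte record headers), checks whether any packet's captured length exceeds the header snaplen, and rewrites snaplen to 1514 only in that case. The function names and the constructed `SAMPLE` capture are illustrative.

```python
import struct

PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # classic pcap: microsecond / nanosecond
GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
SNAPLEN_OFFSET = 16   # byte offset of snaplen inside the global header
RECORD_HDR_LEN = 16   # ts_sec, ts_usec, caplen, pktlen


def byte_order(data):
    """Return '<' or '>' according to the magic number, or raise ValueError."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):
        if struct.unpack_from(order + "I", data, 0)[0] in PCAP_MAGICS:
            return order
    raise ValueError("not a classic pcap file (pcapng is not handled)")


def max_caplen(data, order):
    """Walk the packet records and return the largest captured length."""
    offset, largest = GLOBAL_HDR_LEN, 0
    while offset + RECORD_HDR_LEN <= len(data):
        caplen = struct.unpack_from(order + "I", data, offset + 8)[0]
        if offset + RECORD_HDR_LEN + caplen > len(data):
            raise ValueError("record at offset %d runs past end of file" % offset)
        largest = max(largest, caplen)
        offset += RECORD_HDR_LEN + caplen
    return largest


def fix_snaplen(data, new_snaplen=1514):
    """Return a copy of data with snaplen rewritten if any packet exceeds it."""
    order = byte_order(data)
    snaplen = struct.unpack_from(order + "I", data, SNAPLEN_OFFSET)[0]
    largest = max_caplen(data, order)
    if largest <= snaplen:
        return data  # header is already consistent; leave the file untouched
    if largest > new_snaplen:
        raise ValueError("caplen %d exceeds %d" % (largest, new_snaplen))
    fixed = bytearray(data)
    struct.pack_into(order + "I", fixed, SNAPLEN_OFFSET, new_snaplen)
    return bytes(fixed)


# Constructed sample: snaplen 1500 with one 1514-byte packet, as in the article.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 1)
          + struct.pack("<IIII", 0, 0, 1514, 1514) + bytes(1514))
```

To apply it to an exported capture, read the file as bytes, pass them to `fix_snaplen`, and write the result to a new file so the original export is preserved as evidence.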