PCAPs exported from Malware Analysis Appliance may contain incorrect capture- and packet length values
Article ID: 168409
Products
Malware Analysis Software - MA
Issue/Introduction
While analyzing PCAP files exported from MAA, in some situations libpcap may complain that packet length does not match snap length.
The snaplen parameter of the pcap file is set to 1500, but packets in the file may have caplen or pktlen greater than 1500.
Cause
This is due to a bug in Malware Analysis Appliance versions prior to v4.2.4.
Resolution
To resolve this issue, upgrade the MAA to version 4.2.4.
Workaround
For PCAPs that are currently broken by this bug, you can fix the file by manually editing the snaplen of the PCAP file header to be 1514.
A procedure for doing so is outside the scope of this document.
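One way to apply the workaround, shown as an added example that is not part of the original article or any vendor tooling: it reads the classic pcap global header, walks the packet records to confirm that a caplen exceeds the stored snaplen, and rewrites only the snaplen field to 1514. The function names and the constructed sample capture are assumptions made for illustration; pcapng files are not handled.

```python
import struct

# Classic pcap magic bytes -> struct byte-order prefix (pcapng is not handled).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}
GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
SNAPLEN_OFFSET = 16   # snaplen is the 32-bit field at byte offset 16
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, caplen, pktlen


def byte_order(data):
    if len(data) < GLOBAL_HDR_LEN or bytes(data[:4]) not in MAGICS:
        raise ValueError("not a classic pcap file")
    return MAGICS[bytes(data[:4])]


def read_snaplen(data):
    return struct.unpack_from(byte_order(data) + "I", data, SNAPLEN_OFFSET)[0]


def max_caplen(data):
    """Walk every packet record and return the largest caplen found."""
    order, offset, largest = byte_order(data), GLOBAL_HDR_LEN, 0
    while offset + RECORD_HDR_LEN <= len(data):
        caplen = struct.unpack_from(order + "I", data, offset + 8)[0]
        largest = max(largest, caplen)
        offset += RECORD_HDR_LEN + caplen
    return largest


def fix_snaplen(data, new_snaplen=1514):
    """Return pcap bytes with snaplen raised to new_snaplen when packets exceed it."""
    if max_caplen(data) <= read_snaplen(data):
        return bytes(data)                      # header already consistent
    if max_caplen(data) > new_snaplen:
        raise ValueError("a packet is larger than the new snaplen")
    fixed = bytearray(data)
    struct.pack_into(byte_order(data) + "I", fixed, SNAPLEN_OFFSET, new_snaplen)
    return bytes(fixed)


def sample_pcap(snaplen=1500, caplen=1514):
    """Constructed sample: one zero-filled packet record, little-endian header."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    rec = struct.pack("<IIII", 0, 0, caplen, caplen)
    return hdr + rec + bytes(caplen)


if __name__ == "__main__":
    broken = sample_pcap()
    print(read_snaplen(broken), max_caplen(broken), read_snaplen(fix_snaplen(broken)))
```

To repair a real export, read the file in binary mode, pass the bytes to `fix_snaplen`, and write the result to a new file so the original evidence copy stays untouched.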