Packet Slicing

Packet slicing is typically configured while capturing because of restrictions such as the following:

  • limited disk space
  • limited disk I/O performance
  • legal / privacy requirements
  • limited network I/O (e.g. by packet broker or smart tap)

It can also be applied retroactively to an existing capture, for example with tools like editcap, or from within PacketSafari using Edit PCAP.

The consequence of a sliced trace file is that you will not be able to see the full payload of every packet in the PCAP: only the first N bytes of each frame are kept, where N is the slice length (snaplen).

In most cases you will still be able to perform a basic analysis of layers 2 (Ethernet), 3 (IPv4/IPv6/ARP/DHCP/STP) and 4 (TCP/UDP/ICMP) if your slice length is between 64 bytes (if you get lucky) and 128 bytes. That is usually not enough to capture all layer 7 information, and with some protocols that have large headers even 512 bytes might not be enough to analyze the packets.

Packet slicing examples

You can use editcap (which ships with Wireshark) to retroactively slice an already existing PCAP to a given number of bytes per packet:

editcap -s 128 originalfile.pcapng slicedfile.pcapng
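To make the consequences of slicing concrete (which headers survive at 64 versus 128 bytes) and to show what a retroactive slice like the editcap command above actually does to the file, here is an added example in Python. It is not code from this page, PacketSafari or Wireshark; it is written with the standard library only and assumes the classic pcap format (not pcapng), Ethernet II framing, IPv4 and TCP/UDP, while editcap handles far more. The HTTP request frame and its TCP options are constructed for the example.

```python
import struct

# Classic pcap constants (little-endian, microsecond timestamps).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

# Constructed sample traffic: a TCP segment with 12 bytes of options
# (NOP, NOP, timestamps) carrying a small HTTP request.
TCP_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8
HTTP_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def build_frame(tcp_options: bytes, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP frame (checksums left at zero; constructed data)."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    tcp_len = 20 + len(tcp_options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                     0x1234, 0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4,
                      0x18, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload


def build_pcap(packets, snaplen: int = 65535) -> bytes:
    """Write (timestamp, frame) pairs as an unsliced classic pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, data in packets:
        sec = int(ts)
        usec = int((ts - sec) * 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)


def iter_pcap(blob: bytes):
    """Yield (sec, usec, caplen, wirelen, data) for every record in a classic pcap."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(blob):
        sec, usec, caplen, wirelen = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        yield sec, usec, caplen, wirelen, blob[off:off + caplen]
        off += caplen


def slice_pcap(blob: bytes, snaplen: int) -> bytes:
    """Retroactive slice, like 'editcap -s snaplen': each record keeps at most
    snaplen bytes; caplen shrinks, but the original wire length is preserved so
    analyzers can still tell how big the packet really was."""
    gh = bytearray(blob[:24])
    struct.pack_into("<I", gh, 16, snaplen)  # record the new snaplen in the global header
    out = [bytes(gh)]
    for sec, usec, _caplen, wirelen, data in iter_pcap(blob):
        keep = data[:snaplen]
        out.append(struct.pack("<IIII", sec, usec, len(keep), wirelen))
        out.append(keep)
    return b"".join(out)


def layer_coverage(frame: bytes) -> dict:
    """Report which headers are fully present in a (possibly sliced) frame.
    Only Ethernet II / IPv4 / TCP or UDP are understood; anything else stops
    at the last layer that could be parsed."""
    n = len(frame)
    cov = {"ethernet": n >= 14, "ipv4": False, "l4": False, "l4_proto": None, "payload_bytes": 0}
    if not cov["ethernet"] or frame[12:14] != b"\x08\x00" or n < 15:
        return cov
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length incl. options
    l4_off = 14 + ihl
    cov["ipv4"] = ihl >= 20 and n >= l4_off
    if not cov["ipv4"]:
        return cov
    proto = frame[23]                     # IPv4 protocol field (offset 9 in the IP header)
    cov["l4_proto"] = proto
    if proto == 6:                        # TCP: data offset sits in byte 12 of the TCP header
        if n < l4_off + 13:
            return cov
        l4_len = (frame[l4_off + 12] >> 4) * 4
    elif proto == 17:                     # UDP: fixed 8-byte header
        l4_len = 8
    else:
        return cov
    payload_off = l4_off + l4_len
    cov["l4"] = n >= payload_off
    if cov["l4"]:
        cov["payload_bytes"] = n - payload_off
    return cov


if __name__ == "__main__":
    full = build_pcap([(1.0, build_frame(TCP_OPTIONS, HTTP_PAYLOAD))])
    for snaplen in (54, 64, 128):
        for _sec, _usec, caplen, wirelen, data in iter_pcap(slice_pcap(full, snaplen)):
            print(f"snaplen={snaplen:3d} caplen={caplen:3d} wirelen={wirelen:3d} {layer_coverage(data)}")
```

Running the script shows why 64 bytes is "if you get lucky": with a 20-byte IPv4 header and a 32-byte TCP header (options included), the transport header ends at byte 66, so a 64-byte slice leaves the TCP header incomplete even though the IP layer is fully analyzable, while 128 bytes keeps the whole request. The same check can be pointed at a real sliced file by reading it into `iter_pcap` and mapping `layer_coverage` over the records.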