Remove trailer timestamp from the captured packets


I have a packet capture captured through a special switch that appends timestamps just before the FCS. These are generally referred to as "trailer timestamps".

However, after doing so, the FCS at the end of the packet is not updated. Hence, when I load the packet capture into Wireshark, all the packets are reported as having an incorrect frame check sequence.

Is there a utility like editcap etc. that I can use to remove, say, the last x bytes of each packet from a pcap?


Yes, editcap can remove the last x bytes of each packet. From the editcap man page:

-C [offset:]<choplen>

    Sets the chop length to use when writing the packet data. Each packet is 
    chopped by <choplen> bytes of data. Positive values chop at the packet
    beginning while negative values chop at the packet end.

Example: Remove the last 4 bytes of each packet

editcap.exe -C -4 foo.pcap foo_chopped.pcap

Of course doing this will then result in each packet being indicated with:

[Packet size limited during capture: Ethertype truncated]

... which is of course a misleading message as the Ethertype isn't truncated, just the Ethernet frame as the FCS has been removed in this case. Nonetheless, this is a rather harmless indication and so this solution may fit your needs.

Alternatively, you could more simply just disable Ethernet checksum validation. Do this via Edit -> Preferences -> Protocols -> Ethernet -> Validate the Ethernet checksum if possible: deselect -> OK.


Please file an issue for this on the Wireshark issue list; it might make sense to treat frames with capture-switch trailers specially.


I wrote my own application using https://github.com/seladb/PcapPlusPlus

Basically you can use pcapplusplus and iterate over each RawPacket and do something like

rawPacket.removeData(rawPacket.getRawDataLen() - FCS_LEN - bytesToRemove, bytesToRemove);
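Both the editcap answer (`-C` chopping from the packet end) and the PcapPlusPlus answer (`removeData()` just before the FCS) come down to trimming bytes from the tail of every record. The following standalone script is an added example, not code from the question, from the editcap manual or from PcapPlusPlus: it parses the classic pcap format itself with only the standard library, removes a trailer of a given length from just before the FCS (keeping the FCS, as the `removeData()` call above does), rewrites the record lengths, and checks the FCS of every frame before and after, so a wrong guess at the trailer length shows up immediately. It assumes a little-endian microsecond pcap (magic 0xa1b2c3d4), LINKTYPE_ETHERNET, and frames captured in full including their 4-byte FCS; the two sample frames and the 8-byte trailer in the self-demo are constructed for the example.

```python
import struct
import sys
import zlib

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
FCS_LEN = 4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    """IEEE 802.3 FCS: the same CRC-32 as zlib, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def fcs_is_valid(frame: bytes) -> bool:
    """True if the last 4 bytes equal the CRC-32 of everything before them."""
    if len(frame) <= FCS_LEN:
        return False
    return ethernet_fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def chop_trailer(frame: bytes, trailer_len: int) -> bytes:
    """Drop trailer_len bytes sitting just before the FCS; keep the FCS itself.
    Same cut as removeData(len - FCS_LEN - n, n): the switch left the FCS stale,
    so once the trailer is gone the original FCS should validate again."""
    if trailer_len < 0 or len(frame) < trailer_len + FCS_LEN:
        raise ValueError("frame too short to hold that trailer plus FCS")
    body_end = len(frame) - FCS_LEN - trailer_len
    return frame[:body_end] + frame[-FCS_LEN:]


def iter_records(pcap: bytes):
    """Yield (ts_sec, ts_usec, frame) per record; reject formats this example does not handle."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack_from(pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is supported here")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = GLOBAL_HDR.size
    while off < len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(pcap, off)
        off += REC_HDR.size
        if incl_len != orig_len:  # snapped frame: the tail (trailer + FCS) was never captured
            raise ValueError("snapped frame: trailer and FCS not fully captured")
        yield ts_sec, ts_usec, pcap[off:off + incl_len]
        off += incl_len


def fcs_report(pcap: bytes) -> list:
    """Per-frame FCS validity, in file order."""
    return [fcs_is_valid(frame) for _, _, frame in iter_records(pcap)]


def strip_trailers(pcap: bytes, trailer_len: int) -> bytes:
    """New pcap with trailer_len bytes removed before each FCS and record lengths updated."""
    out = bytearray(pcap[:GLOBAL_HDR.size])
    for ts_sec, ts_usec, frame in iter_records(pcap):
        new = chop_trailer(frame, trailer_len)
        out += REC_HDR.pack(ts_sec, ts_usec, len(new), len(new)) + new
    return bytes(out)


def build_sample_pcap(trailer: bytes) -> bytes:
    """Constructed input: two valid frames with `trailer` inserted before the FCS,
    the way the question's switch does, FCS deliberately left stale."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    records = b""
    for i, payload in enumerate((b"A" * 46, b"B" * 100)):
        frame = dst + src + b"\x08\x00" + payload
        on_wire = frame + ethernet_fcs(frame)                       # what the sender emitted
        tapped = on_wire[:-FCS_LEN] + trailer + on_wire[-FCS_LEN:]  # what the switch stored
        records += REC_HDR.pack(1700000000 + i, 0, len(tapped), len(tapped)) + tapped
    return GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + records


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py in.pcap out.pcap trailer_len
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        fixed = strip_trailers(data, int(sys.argv[3]))
        with open(sys.argv[2], "wb") as f:
            f.write(fixed)
    else:                   # self-demo on the constructed capture with an 8-byte trailer
        data = build_sample_pcap(bytes.fromhex("0011223344556677"))
        fixed = strip_trailers(data, 8)
    print("FCS valid before:", fcs_report(data))
    print("FCS valid after: ", fcs_report(fixed))
```

Run it with no arguments for the self-demo, or as `script.py in.pcap out.pcap 8` on a real capture. Because the FCS is kept rather than chopped off, Wireshark's checksum validation can stay enabled and becomes the check that the trailer length was right; if the frames still show a bad FCS after stripping, the switch's trailer is a different length than assumed, or the capture was snapped before the FCS (the script refuses records whose captured length is shorter than the original length for that reason).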