Uncategorized / March 24, 2016

Correct Display of Sliced Packets in Wireshark

The trouble with sliced packets – this is a general statement – is that whilst the packet is sliced it does not include any data within packet/frame to indicate that slicing has occurred. As such protocol analysers will – as designed – show that the packet is corrupted in some way. This is because (for example) the checksum for the IP Layer (a.k.a. Header Checksum) is now incorrect because you have effectively sliced the payload (or more) off.

There is a little known setting within Wireshark where you can use the “snaplen” feature to limit the size of packets. This is Wireshark terminology for slicing, so it allows you to display only the first “x” number byes in packets.

What’s good about this feature is that Wireshark displays the packets with the assumption that they are already sliced, so for example you can see that the below frame packet is 1067 bytes in length (the IP packet is 1053 bytes), however as Wireshark has a snaplen setting set to 64 bytes, only 64 bytes are recorded:


In the above you can see that whilst the packet is sliced at 64 bytes (see bytes values at the bottom), Wireshark still correctly displays the packet as an SSL packet and does not complain about CRC and/or length errors.

To enable this setting, open Wireshark:


Double click on the interface (highlighted in the above in red for my example) which shows the “Edit Interface Settings” like so:


Again, highlighted in red you can see the setting “Limit each packet to” which I have, for this example, set to 64 bytes. Now you can start your capture in the usual way.

If you’re using Wireshark version 2, this has changed and is – in my experience – difficult to find. To save you the hassle, you can set this by first clicking the Capture Options button (highlighted in red below) on the toolbar (alternatively you can use Ctrl+K):


This brings up the Capture Interfaces window, and it displays the Snaplen (in bytes) in a column; for example, the below highlighted in red shows my “Local Area Connection” interface with a Snaplen setting of 9000 bytes:


It’s not immediately obvious how to change this setting, so to save you the pain, you just double click on the value which then allows you to change it (in the below example highlighted in red you can see that I’m in the process of changing the snaplen to 64 bytes):


You should know that if you’re using the tshark (i.e. CLI wireshark) program that it is also referred to as “snaplen”.

I thought those of you not aware of it might be interested as it’s a great way of showing the power of slicing without the “packets looking weird”.

Back to top