
Identify and insert missing packets in a PCAP file

I have a lot of pcap files containing traces of different JPEG images being transmitted. Each of those images is divided into a couple hundred packets of base64-encoded data. I have written a program to extract those images.

The problem is that here and there one or a few of these packets are missing.

I would like to recover as much of those images as possible. Currently the extracting software stops whenever a packet is missing and I end up with partial images. When opened in an image viewer, they look normal on the top, but then as soon as a packet is missing the rest of the image is grey due to the missing data.

So I would like to write a program that modifies a pcap file and inserts a dummy packet into the trace whenever a piece of an image is missing. This way, only the portion of the image that is really missing would be greyed out.

What would be an easy way to achieve this? I would appreciate any hints for useful tools/formats etc.

Thanks!

I can easily identify the locations in Wireshark where it would look as follows when following a TCP stream:

...
OJuOhptqVqcJAMzxzXGm7OlhdtuxWB4YtvGVYvd6V4gvUIQNkT7/AErZWaXLy4SpZ2IIA+1V
uHWJbtkPLB3XpXt7bVqMHsi3Cyn06TAI69P61nujdGNdEvCrMW[1368 bytes missing in capture file].eioyN6ANH4fMB3M7YUApIaUTP0r0Hgv8FlIUncjaenvXA/DEBzNSEn4fKUDP
zFegMOZKWkaSIjnt7VTMvgUviY8pvKrpkhBcTISeT0+1cLflTiidyeK7r4g2wfyret7nRpcC
...

But is there a way to automate it? Maybe some other file format that is easier to parse and modify?

You could render what you have into txt, edit it, and then use text2pcap to convert back to pcap.
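One way to automate the gap detection asked about above, as an added example that is not from the original question or answer: it takes the stream's segments as (relative sequence number, payload) pairs, finds holes from the sequence numbers and pads them so the base64 after each hole still decodes. Assumptions: the pairs have already been pulled out of the capture, the base64 body starts at stream offset 0, and lines are 72 characters followed by a single `\n`; `fill_gaps` and `make_sample` are hypothetical names.

```python
import base64

def fill_gaps(segments, line_width=72, filler=b"A"):
    """Rebuild a TCP payload stream from (relative_seq, payload) pairs and
    pad every hole so later data keeps its original byte offset.
    Returns (stream, gaps) with gaps as a list of (offset, length)."""
    out, gaps = bytearray(), []
    for seq, payload in sorted(segments):
        if seq > len(out):                       # bytes missing from the capture
            gaps.append((len(out), seq - len(out)))
            for pos in range(len(out), seq):
                # Re-create the newline grid; otherwise the filler shifts the
                # base64 4-character groups and everything after it decodes wrong.
                on_newline = pos % (line_width + 1) == line_width
                out += b"\n" if on_newline else filler
        elif seq < len(out):                     # retransmitted or overlapping data
            payload = payload[len(out) - seq:]
        out += payload
    return bytes(out), gaps

def make_sample():
    """Constructed sample: 768 bytes as 72-column base64, cut into 100-byte
    segments, with the segments at offsets 300 and 700 dropped."""
    data = bytes(range(256)) * 3
    b64 = base64.b64encode(data)
    stream = b"\n".join(b64[i:i + 72] for i in range(0, len(b64), 72))
    segments = [(i, stream[i:i + 100]) for i in range(0, len(stream), 100)]
    return data, [s for s in segments if s[0] not in (300, 700)]

if __name__ == "__main__":
    data, segments = make_sample()
    stream, gaps = fill_gaps(segments)
    decoded = base64.b64decode(stream)           # newlines are skipped by the decoder
    print("gaps (offset, length):", gaps)
    print("decoded", len(decoded), "of", len(data), "bytes")
```

The filler character `A` decodes to zero bits, so each hole becomes a run of zero bytes of the right length in the decoded output.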
