Packet Slicing
Packet slicing is usually configured at capture time because of constraints such as:
- limited disk space
- limited disk I/O performance
- legal / privacy requirements
- limited network I/O (e.g. by packet broker or smart tap)
It can also be performed retroactively, for example with editcap or with the edit PCAP function within PacketSafari.
The consequence of a sliced trace file is that you will not see the full payload of the packets in the PCAP.
In most cases you will still be able to perform a basic analysis of layers 2 (Ethernet), 3 (IPv4/IPv6/ARP/DHCP/STP) and 4 (TCP/UDP/ICMP) if the slice size is between 64 (if you get lucky) and 128 bytes. That is usually not enough to capture all layer 7 information, and some protocols have large headers; even 512 bytes might not be enough to analyze such packets.
Packet slicing examples
You can use editcap (which ships with Wireshark) to retroactively slice an existing PCAP:
editcap -s 128 originalfile.pcapng slicedfile.pcapng
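As an added example (not code from this page, PacketSafari or Wireshark), the following stdlib-only Python slices a classic pcap the way editcap -s N does, keeping each record's original length so the truncation stays visible, and then reports which headers of an Ethernet/IPv4/TCP frame are still complete. The frame, addresses and timestamps are constructed sample data.

```python
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len (bytes captured), orig_len (bytes on wire)

def read_frames(data: bytes):
    """Yield (captured_bytes, orig_len) for every record in a classic pcap file."""
    off = PCAP_GLOBAL.size
    while off < len(data):
        _, _, incl, orig = PCAP_RECORD.unpack_from(data, off)
        off += PCAP_RECORD.size
        yield data[off:off + incl], orig
        off += incl

def slice_pcap(data: bytes, snaplen: int) -> bytes:
    """Cut every record to `snaplen` bytes, like `editcap -s`; orig_len is kept so the truncation stays visible."""
    magic, vmaj, vmin, tz, sig, _old, link = PCAP_GLOBAL.unpack_from(data, 0)
    out = [PCAP_GLOBAL.pack(magic, vmaj, vmin, tz, sig, snaplen, link)]
    off = PCAP_GLOBAL.size
    while off < len(data):
        ts_sec, ts_usec, incl, orig = PCAP_RECORD.unpack_from(data, off)
        off += PCAP_RECORD.size
        kept = data[off:off + min(incl, snaplen)]
        out.append(PCAP_RECORD.pack(ts_sec, ts_usec, len(kept), orig) + kept)
        off += incl
    return b"".join(out)

def layers_intact(frame: bytes) -> dict:
    """For a (possibly sliced) Ethernet/IPv4/TCP frame, report which headers are complete."""
    n = len(frame)
    res = {"ethernet": n >= 14, "ipv4": False, "tcp": False, "payload_bytes": 0}
    if n < 15:                       # the IPv4 version/IHL byte is missing
        return res
    ip_end = 14 + (frame[14] & 0x0F) * 4
    res["ipv4"] = n >= ip_end
    if n < ip_end + 13:              # the TCP data-offset byte is missing
        return res
    tcp_end = ip_end + (frame[ip_end + 12] >> 4) * 4
    res["tcp"], res["payload_bytes"] = n >= tcp_end, max(0, n - tcp_end)
    return res

def build_frame(payload: bytes) -> bytes:
    """Constructed sample Ethernet/IPv4/TCP frame (zero checksums), not from a real capture."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, b"\x0a\0\0\x01", b"\x0a\0\0\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    out = [PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)]  # linktype 1 = Ethernet; constructed timestamps
    for i, f in enumerate(frames):
        out.append(PCAP_RECORD.pack(1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)
```

Running `layers_intact` on the first frame of `slice_pcap(build_pcap([build_frame(b"A" * 200)]), 64)` shows all of layers 2 to 4 intact but only 10 bytes of payload left, which is the situation the text describes for slice sizes between 64 and 128 bytes.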
What is SNI?
Server Name Indication (SNI) allows a server to host multiple TLS certificates for multiple sites under a single IP address. The client adds the hostname of the server it wants to reach to the TLS handshake as an extension in the ClientHello message. This way the server knows which website to present when IPs are shared.
PCAP NG