Re: multiple pcap files from stdin

[Guy Harris <gharris () sonic net>]

On Sat, Apr 19, 2003 at 11:24:05AM -0400, Michael L. Artz wrote:
> Is there a way for me to pipe multiple pcap files to tcpdump on stdin, 
> such as:
>
> cat file1.pcap file2.pcap | tcpdump -r -

No.

> I am getting the error 'pcap_loop: truncated dump file" just before 
> tcpdump begins processing file2.  I don't know much about the libpcap 
> output format, but I assume that there is some sort of header on each 
> file,

Yes.

> and that pcap_loop tries to treat the header as a packet and bombs 
> out.

Yes.

> Is there any way to get around this?  Perhaps some sort of filter 
> program that I can run?

At least with the current tcpdump format, with a 24-byte file header, if
you're on a UNIX where

        dd bs=N count=0 skip=1

just reads N bytes and discards them, the command

        (cat file1.pcap; (dd bs=24 count=0 skip=1; cat) <file2.pcap) | \
            tcpdump -r -

would work.  If you want to process more than 2 files, add more

        ; (dd bs=24 count=0 skip=1; cat) <fileN.pcap

to the parenthesized list.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe