Re: pcap file format documentation

[Jefferson Ogata <Jefferson.Ogata () noaa gov>]

On 03/20/2006 12:12 AM, Stephen Donnelly wrote:
[top-posted rat's nest cleaned up]
> On Sun, 2006-03-19 at 20:43 -0800, Don Morrison wrote:
> > Here's the problem.  I'm dealing with corrupted pcap files, where the
> > last packet was partially written, but it's not of interest and all I
> > want to do is truncate the last packet.  My assumption is that
> > libpcap's API will not allow me to deal with this since programs that
> > are dependent on it (tcpdump, ethereal) hang when attempting to open
> > any such file.  Is this assumption incorrect?
>
> That sounds quite likely. This may well be a case where you need to edit
> the file directly, and it seems unlikely that the compatibility issues I
> mentioned would be a problem.

The trivial way to fix a truncated pcap file:

tcpdump -r broken.pcap -w clean.pcap

I suspect Ethereal's editcap and mergecap might accomplish pretty much
the same thing.

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.