Re: pcap file format documentation

["Don Morrison" <donmorrison () gmail com>]

Hi Jefferson,

I tried this method, but it hangs tcpdump.

Don

On 3/19/06, Jefferson Ogata <Jefferson.Ogata () noaa gov> wrote:
> On 03/20/2006 12:12 AM, Stephen Donnelly wrote:
> [top-posted rat's nest cleaned up]
> > On Sun, 2006-03-19 at 20:43 -0800, Don Morrison wrote:
> > > Here's the problem.  I'm dealing with corrupted pcap files, where the
> > > last packet was partially written, but it's not of interest and all I
> > > want to do is truncate the last packet.  My assumption is that
> > > libpcap's API will not allow me to deal with this since programs that
> > > are dependent on it (tcpdump, ethereal) hang when attempting to open
> > > any such file.  Is this assumption incorrect?
> >
> > That sounds quite likely. This may well be a case where you need to edit
> > the file directly, and it seems unlikely that the compatibility issues I
> > mentioned would be a problem.
>
> The trivial way to fix a truncated pcap file:
>
> tcpdump -r broken.pcap -w clean.pcap
>
> I suspect Ethereal's editcap and mergecap might accomplish pretty much
> the same thing.
>
> --
> Jefferson Ogata <Jefferson.Ogata () noaa gov>
> NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
> "Never try to retrieve anything from a bear."--National Park Service
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.