tcpdump mailing list archives

Re: pcap files with file header snaplen < packet


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Mon, 04 Dec 2006 15:35:01 +0000

On 2006-12-04 15:03, Harley Stenzel wrote:
> On 12/1/06, Jefferson Ogata <Jefferson.Ogata () noaa gov> wrote:
>> Is it possible they were the result of combining multiple pcaps via
>> something like mergecap?
>
> It would seem that for something like this to be generally useful, a
> capture station identifier would be needed.  I suppose a source-file
> identifier could also do the trick.

Not sure I follow your response. It's not a proposal--mergecap exists as
part of wireshark né ethereal. There are other tools for doing this as
well. Yes, something is lost, but something is gained. I use tools of
this ilk to merge together multiple capture files that were collected on
multiple identical, synchronized hosts that receive load-balanced
monitor traffic.

I was merely suggesting that perhaps one of the several tools available
for this purpose doesn't properly set snaplen on its output file to the
max of all input snaplens.

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
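
The condition suggested in the message above, as an added example that is not part of the original post and is not mergecap's code: a classic-pcap parser that flags records whose captured length exceeds the file-header snaplen, and a merge that writes the max of the input snaplens. The function names, the `pick_snaplen` parameter and the sample captures are constructed for illustration; passing `min` stands in for a hypothetical tool that keeps a smaller snaplen.

```python
import struct

MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
GLOBAL_HDR = "IHHiIII"  # magic, ver major/minor, thiszone, sigfigs, snaplen, linktype

def build_pcap(snaplen, packets, linktype=1):
    """Constructed sample input: little-endian pcap from (ts_sec, payload) pairs."""
    out = struct.pack("<" + GLOBAL_HDR, MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts, data in packets:
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return out

def parse_pcap(buf):
    """Return (snaplen, linktype, [(ts_sec, ts_usec, orig_len, data), ...])."""
    magic = struct.unpack_from("<I", buf)[0]
    if magic not in (MAGIC, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    end = "<" if magic == MAGIC else ">"  # byte-swapped magic means big-endian
    *_, snaplen, linktype = struct.unpack_from(end + GLOBAL_HDR, buf)
    off, recs = 24, []
    while off + 16 <= len(buf):
        sec, usec, incl, orig = struct.unpack_from(end + "IIII", buf, off)
        if off + 16 + incl > len(buf):
            raise ValueError("truncated record")
        recs.append((sec, usec, orig, buf[off + 16:off + 16 + incl]))
        off += 16 + incl
    return snaplen, linktype, recs

def oversized(buf):
    """Indexes of records whose captured length exceeds the file-header snaplen."""
    snaplen, _, recs = parse_pcap(buf)
    return [i for i, rec in enumerate(recs) if len(rec[3]) > snaplen]

def merge(bufs, pick_snaplen=max):
    """Merge by timestamp; pick_snaplen chooses the output header snaplen."""
    parsed = [parse_pcap(b) for b in bufs]
    if len({p[1] for p in parsed}) != 1:
        raise ValueError("inputs have different link types")
    snaplen = pick_snaplen([p[0] for p in parsed])
    recs = sorted((r for p in parsed for r in p[2]), key=lambda r: r[:2])
    out = struct.pack("<" + GLOBAL_HDR, MAGIC, 2, 4, 0, 0, snaplen, parsed[0][1])
    for sec, usec, orig, data in recs:
        out += struct.pack("<IIII", sec, usec, len(data), orig) + data
    return out

# Constructed inputs: one sensor captured with snaplen 96, the other with 1514.
A = build_pcap(96, [(1, b"\x00" * 96), (3, b"\x00" * 60)])
B = build_pcap(1514, [(2, b"\x00" * 1000)])
print(oversized(merge([A, B], pick_snaplen=min)))  # smaller snaplen kept
print(oversized(merge([A, B])))                    # max of the inputs
```
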

