Re: tcpdump No Append Mode

[Sake Blok <sake.blok () SYN-bit nl>]

On 27 dec 2010, at 12:09, Manmohan Brahma wrote:

> Generally what all i used to do is go through all the pcap files and search
> for my IP and Subnet.
>
> What all i wanted to do is append my backscattered data in one pcap file for
> further analysis.
>
> With tcpdump -w backsfile.pcap it passes all the backscattered data  to
> baksfile.pcap but in the next iteration it overwrites the same file.

I'm not aware of any tcpdump options that would allow you to do that. However, the utility "mergecap" can merge two or 
more tracefiles for you. Either appended or merged based on timestamps. If you need you can edit the timestamps in the 
sourcefile(s) with the utility "editcap". Both "mergecap" and "editcap" are part of the Wireshark suite. See: 
www.wireshark.org.

Hope this helps (and that it's not violating the etiquette on this mailing-list),


Met vriendelijke groet,
Kind Regards,

Sake Blok
Consultant / Trainer / Troubleshooter

SYN-bit - Deep Traffic Analysis - http://www.SYN-bit.nl

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.