tcpdump mailing list archives

mergecap problem?


From: Julio Talaverano <delaflota () yahoo com>
Date: Mon, 28 Jul 2014 06:13:46 -0700

Hi,

I wanted to merge two tcpdump capture files captured by tcpdump on a Check Point R70 cluster (two nodes).
I interrupted the capture after a while.
Then I wanted to merge them in Wireshark (I know, they are then not sorted by timestamp - was only a try).
By adding the second file Wireshark says here:

"<firstly loaded capture's file name> appears to have been cut short in the middle of a packet".


Here I don't know whether the merging has been done by just ignoring the incomplete packet, which is what I would expect.
(Additional question: is there a way to sort the entries by timestamp?).

When I then wanted to mergecap them (mergecap -w out.pcapng in*.pcapng) the command said:

"Less data was read than was expected".
Out of two input files, 21,300 KB and 194 KB, it made an output file of 3,196 KB in size.
Is it possible to merge the files regardless of the one incomplete packet, by simply ignoring it?

Do I have any other options?

Thanks

Jukio
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
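
The situation described in the message above (one capture cut short in the middle of a packet, and a merge that should ignore the incomplete packet and sort by timestamp), as an added example that is not part of the original post or of tcpdump/Wireshark. It assumes the inputs are classic libpcap files with microsecond timestamps (not pcapng); all function names and sample data are constructed for illustration.

```python
import struct

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap, usec timestamps

def read_complete_records(data):
    """Parse a classic pcap byte string; return (snaplen, linktype, records, truncated).
    Records are (sec, usec, origlen, payload); a cut-short final record is dropped."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic microsecond-resolution pcap file")
    snaplen, linktype = struct.unpack(order + "II", data[16:24])
    records, pos = [], 24
    while pos < len(data):
        if len(data) - pos < 16:              # cut inside a record header
            return snaplen, linktype, records, True
        sec, usec, caplen, origlen = struct.unpack(order + "IIII", data[pos:pos + 16])
        end = pos + 16 + caplen
        if end > len(data):                   # cut inside the packet bytes
            return snaplen, linktype, records, True
        records.append((sec, usec, origlen, data[pos + 16:end]))
        pos = end
    return snaplen, linktype, records, False

def merge_captures(blobs):
    """Merge captures by timestamp, ignoring any incomplete trailing record."""
    parsed = [read_complete_records(b) for b in blobs]
    linktypes = {p[1] for p in parsed}
    if len(linktypes) != 1:
        raise ValueError("inputs use different link-layer types")
    records = sorted((r for p in parsed for r in p[2]), key=lambda r: r[:2])
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0,
                       max(p[0] for p in parsed), linktypes.pop())]
    for sec, usec, origlen, payload in records:
        out.append(struct.pack("<IIII", sec, usec, len(payload), origlen) + payload)
    return b"".join(out)

def build_capture(packets, linktype=1):
    """Constructed sample input: a little-endian pcap from (sec, usec, payload)."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, payload in packets:
        blob += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return blob

# Constructed data: node A's file loses the last 3 bytes of its final packet.
NODE_A = build_capture([(1, 0, b"a" * 20), (3, 0, b"b" * 20), (5, 0, b"c" * 20)])[:-3]
NODE_B = build_capture([(2, 500, b"d" * 20), (4, 0, b"e" * 20)])

if __name__ == "__main__":
    print([r[:2] for r in read_complete_records(merge_captures([NODE_A, NODE_B]))[2]])
```

The `truncated` flag tells you which input was cut short, so the dropped record can be noted alongside the merged file.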