Wireshark mailing list archives
How to skip unrecognizable packets when processing pcap files
From: Ye Deng <yedeng0 () gmail com>
Date: Sun, 18 Sep 2011 23:45:12 -0400
Hello all, I have a serious issue when using "mergecap" and "editcap" tools for my project. e.g. If I try to merge many pcap files captured at my home, I sometimes got errors saying, "mergecap: Error reading my_pcap_file12: File contains a record that's not valid (pcap: File has 16793778-byte packet, bigger than maximum of 65535)". My question is: Is there any existing tool (e.g. an "improved mergecap") that can skip the unrecognizable packets, and process the resting valid packets? After I did some researches online, I found it may be caused by file transfers using HTTP/FTP in some text mode. Please search "corrupt" on this webpage below. http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html Therefore, I think the pcap-next-generation-dump-file can deal with this issue. But I tried it in Wireshark, and got an assertion failure, which shows that it is still unfinished... Would someone answer my question? I will appreciate a lot if someone helps me for this. Regards, Deng
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- How to skip unrecognizable packets when processing pcap files Ye Deng (Sep 18)
- Re: How to skip unrecognizable packets when processing pcap files Guy Harris (Sep 19)