tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

Re: pcap_loop error

From: Christian Kreibich <christian () whoop org>
Date: Wed, 21 Apr 2004 17:09:58 -0700
Hi,

in the pcap file format, each packet is prefixed by a little header
structure that tells pcap details about the following packet.

"truncated dump file" means that at the end of the trace, there's a pcap
packet header that states that a packet of a size follows that actually
is not fully contained in the trace file. It often happens when the
output buffer is not fully flushed when a program is terminated and is
pretty much harmless -- you'll just lose that incomplete last byte in
your output trace.

If your output file contains only 24 bytes, it means the filter held
back all packets and your output file is empty -- you shouldn't get an
error message on such a file though, as a pcap trace file containing no
packets is perfectly valid.

"bogus savefile header" means that a pcap header in front of a packet in
a trace contains obviously incorrect values. 

hth,
Christian.

On Wed, 2004-04-21 at 16:48, hela boucetta wrote:

hello,
I am using tcpdump to capture packets from the netwok. I need to divide traces to incoming and outgoing packets. So I 
wrote a filter file which contains IP adresses. when I use the command : tcpdump -r tracefile.dump -F filterfile -w 
traceIn.dump, I got the error message : pcap_loop:truncated dump file. with some trace files the generated file(with 
-w)containes only 24 bytes (I think it is the little header added by tcpdump to the begining of each file). Please, 
is there some one who may have experienced 
this before and can help me determine the cause of the error message!
is it possible that if the read trace file does'nt contain packets with the IP addresses mentioned in the filter 
expression, I will have this error?
with one file I have the folloing error: bogus save file header.
please any help to locate the problem!
best regards, hela. 

-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
Previous By Date Next
Previous By Thread Next

Current thread: