Re: pcap file format documentation

["Don Morrison" <donmorrison () gmail com>]

> > > The trivial way to fix a truncated pcap file:
> > >
> > > tcpdump -r broken.pcap -w clean.pcap
> >
> > I tried this method, but it hangs tcpdump.
>
> That would be a bug in tcpdump. Why don't you send an example pcap file
> along that does this (or post it to a web or FTP site and send a URL),
> and state what version of tcpdump you are using.
>
> You did run tcpdump with no options other than -r and -w, right?

Hi Jefferson,

My apologies, what I said was incorrect.  Running the command does not
crash tcpdump, but the outputfile ("clean.pcap") will crash Ethereal,
so while both files are clean enough for tcpdump to display and not
crash, not so for Ethereal.  Why am I using Ethereal? :) UMA decodes. 
Unfortunately, I cannot send you the pcap file because it would be a
violation of my contract with the telecom I work for.

Thanks very much for your help.

Regards,
Don
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.