tcpdump mailing list archives

Re: pcap files with file header snaplen < packet


From: "Aaron Turner" <synfinatic () gmail com>
Date: Thu, 30 Nov 2006 22:34:24 -0800

On 11/30/06, Jefferson Ogata <Jefferson.Ogata () noaa gov> wrote:
> On 2006-12-01 01:28, Guy Harris wrote:
> > On Nov 30, 2006, at 1:08 PM, Aaron Turner wrote:
> >> Unfortunately, I don't know where or how these pcap files were
> >> generated, so I don't know what's causing this to happen or how
> >> widespread it is.  Could this have been a bug in earlier versions of
> >> libpcap??
> >
> > I don't know - it might have come from some vendor-"improved" version of
> > libpcap, or the bug might have been in the underlying packet capture
> > mechanism that libpcap used on whatever platform the packet was
> > captured, or it might have been written by something other than libpcap.
>
> Is it possible they were the result of combining multiple pcaps via
> something like mergecap?

I suppose anything is possible... however the most recent example of
this only had a single packet in the file.  Unfortunately, since I'm
getting access to the files via 3rd parties, it's nearly impossible
for me to say how or where these files came from.

-Aaron
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
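
A check for the condition discussed in this thread, as an added example that is not part of the original messages: it reads a classic pcap file and lists every record whose captured length exceeds the snaplen in the file header. The function names and the sample bytes are constructed for illustration.

```python
import io
import struct

# Magic values for classic pcap (microsecond and nanosecond timestamps).
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}

def find_oversized_records(stream):
    """Return (snaplen, [(index, incl_len, orig_len), ...]) for records
    whose captured length exceeds the file header's snaplen."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("truncated pcap file header")
    # Try both byte orders; the magic shows which one the writer used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", header[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(endian + "I", header[16:20])[0]
    oversized, index = [], 0
    while True:
        rec = stream.read(16)
        if not rec:
            break
        if len(rec) < 16:
            raise ValueError("truncated record header")
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "4I", rec)
        if incl_len > snaplen:
            oversized.append((index, incl_len, orig_len))
        # incl_len is still what locates the next record, so step by it.
        data = stream.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        index += 1
    return snaplen, oversized

def build_sample():
    """Constructed sample: snaplen 64, one 60-byte and one 100-byte record."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    ok = struct.pack("<4I", 0, 0, 60, 60) + bytes(60)
    bad = struct.pack("<4I", 1, 0, 100, 100) + bytes(100)
    return hdr + ok + bad

if __name__ == "__main__":
    print(find_oversized_records(io.BytesIO(build_sample())))
```

A tool that sizes its packet buffer from the header snaplen should run a check like this, or bound each read by its buffer size, before copying record data.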

