Re: pcap files with file header snaplen < packet

["Harley Stenzel" <hstenzel () users sourceforge net>]

On 12/1/06, Jefferson Ogata <Jefferson.Ogata () noaa gov> wrote:

> Is it possible they were the result of combining multiple pcaps via
> something like mergecap?

It would seem that for something like this to be generally usefull, a
capture station identifier would be needed.  I suppose a source-file
identifier could also do the trick.

Consider multiple captures on multiple stations involving the same
connections.  Also consider multiple nics on the same host.  Without
some way of knowing where the capture came from, for many applications
a merged capture looses important data.

--Harley
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.