tcpdump mailing list archives

Re: pcap files with file header snaplen < packet


From: "Harley Stenzel" <hstenzel () users sourceforge net>
Date: Mon, 4 Dec 2006 11:32:55 -0500

On 12/4/06, Jefferson Ogata <Jefferson.Ogata () noaa gov> wrote:
> Not sure I follow your response. It's not a proposal--mergecap exists as
> part of wireshark ne ethereal. There are other tools for doing this as
> well. Yes, something is lost, but something is gained. I use tools of
> this ilk to merge together multiple capture files that were collected on
> multiple identical, synchronized hosts that receive load-balanced
> monitor traffic.

I think we're in complete agreement.

My comment is simply *If* your use of a capture file is not sensitive
to where the observation was made, then merging is an option.
Moreover, other uses of merged files are broken because the merge
process causes the source of the information to be lost.

> I was merely suggesting that perhaps one of the several tools available
> for this purpose doesn't properly set snaplen on its output file to the
> max of all input snaplens.

Absolutely.

Looking forward, however, it would be helpful if the libpcap file
format provided a way to tag the source of the captured packet, so
that merged files do not lose information.

This information would be very helpful to me in the types of
situations I debug.  Would it be helpful to others?

--Harley
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
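The two points the thread turns on, a merged file whose header snaplen is smaller than some of the records it contains, and the rule that a merge tool should set the output snaplen to the maximum of all input snaplens, can be checked directly on the classic pcap format. The script below is an added example written for this archive page; it is not mergecap, libpcap or any code from the thread. It assumes classic (non-pcapng) pcap files with 24-byte global headers and 16-byte per-record headers, handles both byte orders via the magic number, and builds its three sample captures in memory so it runs offline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _byte_order(data):
    """Pick the struct byte-order prefix from the magic number."""
    for order in ("<", ">"):
        if struct.unpack(order + "I", data[:4])[0] == PCAP_MAGIC:
            return order
    raise ValueError("not a classic pcap file")


def parse_pcap(data):
    """Return (snaplen, linktype, [(ts_sec, ts_usec, orig_len, payload), ...])."""
    order = _byte_order(data)
    ghdr = struct.Struct(order + "IHHiIII")  # magic, vmaj, vmin, thiszone, sigfigs, snaplen, linktype
    phdr = struct.Struct(order + "IIII")     # ts_sec, ts_usec, incl_len, orig_len
    _, _, _, _, _, snaplen, linktype = ghdr.unpack_from(data, 0)
    off = ghdr.size
    packets = []
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = phdr.unpack_from(data, off)
        off += phdr.size
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        packets.append((ts_sec, ts_usec, orig_len, payload))
        off += incl_len
    return snaplen, linktype, packets


def build_pcap(snaplen, linktype, packets):
    """Serialise records into a little-endian classic pcap file (version 2.4)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, orig_len, payload in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(payload), orig_len))
        out.append(payload)
    return b"".join(out)


def oversized_packets(data):
    """Indices of records whose captured length exceeds the file-header snaplen.

    A non-empty result is the symptom described in the thread subject.
    """
    snaplen, _, packets = parse_pcap(data)
    return [i for i, (_, _, _, payload) in enumerate(packets) if len(payload) > snaplen]


def merge_pcaps(blobs):
    """Merge captures in timestamp order; output snaplen is the max of all inputs."""
    snaplen, linktypes, merged = 0, set(), []
    for blob in blobs:
        s, lt, pkts = parse_pcap(blob)
        snaplen = max(snaplen, s)
        linktypes.add(lt)
        merged.extend(pkts)
    if len(linktypes) != 1:
        raise ValueError("all inputs must share one link type")
    merged.sort(key=lambda p: (p[0], p[1]))
    return build_pcap(snaplen, linktypes.pop(), merged)


# Constructed sample inputs: a 96-byte-snaplen capture and a 1500-byte-snaplen capture.
SMALL = build_pcap(96, LINKTYPE_ETHERNET, [(1000, 0, 60, b"\x00" * 60)])
BIG = build_pcap(1500, LINKTYPE_ETHERNET, [(999, 500000, 200, b"\xff" * 200)])

# Constructed: what a merge tool that kept the first input's snaplen would emit.
# The header claims 96 bytes, but record 0 holds 200 bytes.
BROKEN = build_pcap(96, LINKTYPE_ETHERNET,
                    [(999, 500000, 200, b"\xff" * 200), (1000, 0, 60, b"\x00" * 60)])

if __name__ == "__main__":
    print("oversized records in BROKEN:", oversized_packets(BROKEN))
    merged = merge_pcaps([SMALL, BIG])
    print("merged snaplen:", parse_pcap(merged)[0],
          "oversized records:", oversized_packets(merged))
```

`oversized_packets` is the check to run on any file a downstream tool rejects or mis-parses: a record longer than the header snaplen is not a libpcap bug but a writer that did not follow the max-of-inputs rule. `merge_pcaps` shows that rule in a dozen lines; note that it also discards where each record came from, which is exactly the loss of source information the message above asks the file format to address.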
