Wireshark mailing list archives

How to skip unrecognizable packets when processing pcap files


From: Ye Deng <yedeng0 () gmail com>
Date: Sun, 18 Sep 2011 23:45:12 -0400

Hello all,

I have a serious issue when using the "mergecap" and "editcap" tools for my
project.
E.g., if I try to merge many pcap files captured at my home, I sometimes get
errors saying, "mergecap: Error reading my_pcap_file12: File contains a
record that's not valid (pcap: File has 16793778-byte packet, bigger than
maximum of 65535)".

My question is:
Is there any existing tool (e.g. an "improved mergecap") that can skip
the unrecognizable packets and process the remaining valid packets?

After I did some research online, I found it may be caused by file
transfers using HTTP/FTP in some text mode.
Please search for "corrupt" on the webpage below.
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
Therefore, I think the pcap-next-generation-dump-file can deal with this
issue.
But I tried it in Wireshark, and got an assertion failure, which shows that
it is still unfinished...

Would someone answer my question?
I would appreciate it a lot if someone could help me with this.

Regards,
Deng
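
One way to do the skipping asked about above, as an added example that is not part of the original post and is not Wireshark code: it walks a classic (non-pcapng) pcap file, drops any record whose header is not believable, and resynchronises byte by byte on the next believable one. The names `salvage_pcap` and `constructed_sample`, the one-day timestamp window and the look-ahead check are assumptions made for this sketch.

```python
import struct

MAX_LEN = 65535  # per-packet limit quoted in the mergecap error above

def _sane(data, off, fmt, last_ts):
    """Return (incl_len, ts_sec) if a believable record header starts at off."""
    if off + 16 > len(data):
        return None
    ts_sec, ts_usec, incl, orig = struct.unpack_from(fmt, data, off)
    if not (0 < incl <= MAX_LEN and incl <= orig and ts_usec < 1_000_000):
        return None
    if off + 16 + incl > len(data):
        return None
    # Heuristic (assumption): packets in one capture are under a day apart.
    if last_ts is not None and abs(ts_sec - last_ts) > 86400:
        return None
    return incl, ts_sec

def salvage_pcap(data):
    """Return (clean_pcap, kept_records, skipped_bytes) for a classic pcap."""
    fmt = {b"\xd4\xc3\xb2\xa1": "<IIII", b"\xa1\xb2\xc3\xd4": ">IIII"}.get(data[:4])
    if fmt is None or len(data) < 24:
        raise ValueError("not a classic microsecond-resolution pcap file")
    out, off, kept, skipped = bytearray(data[:24]), 24, 0, 0
    last_ts, synced = None, True
    while off + 16 <= len(data):
        hit = _sane(data, off, fmt, last_ts)
        if hit and not synced:
            # After skipping bytes, also demand a sane header right behind it.
            end = off + 16 + hit[0]
            if end != len(data) and not _sane(data, end, fmt, hit[1]):
                hit = None
        if hit:
            out += data[off:off + 16 + hit[0]]
            off, last_ts, kept, synced = off + 16 + hit[0], hit[1], kept + 1, True
        else:
            off, skipped, synced = off + 1, skipped + 1, False
    return bytes(out), kept, skipped + len(data) - off

def constructed_sample():
    """Constructed input: 4 records, the 2nd claiming 16793778 bytes."""
    rec = lambda ts, n, body: struct.pack("<IIII", ts, 0, n, n) + body
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    t = 1316400000
    return hdr + rec(t, 4, b"AAAA") + rec(t + 1, 16793778, b"BBBB") \
        + rec(t + 2, 4, b"CCCC") + rec(t + 3, 4, b"DDDD")

if __name__ == "__main__":
    clean, kept, skipped = salvage_pcap(constructed_sample())
    print(f"kept {kept} records, skipped {skipped} bytes")
```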