Re: multiple pcap files from stdin

[George Bakos <gbakos () ists dartmouth edu>]

tcpslice is a separate utility that isn't actively maintained, although
some packagers do bundle it with tcpdump. IMHO, mergecap is a better
choice for merging, while tcpslice performs more like a database query
tool, using timestamps as key fields. 

One critical limitaion when merging dumpfiles is a fatal inability to
handle pcap files with fewer than two packets. ISTS's version of Shadow,
shadowias-1.8 (intrusion analysis system), makes up for this limitayion by
first excluding empty dumpfiles, then cloning the existing record in
single-packet files, effectively creating two-packet files with start &
end times acceptable to tcpslice. Again, if mergecap is available, it is
the preferred utility.

There will be a posting here shortly announcing availablility of shadowias-1.8

Cheers.

On Sat, 19 Apr 2003 11:11:24 -0700 (PDT)
"Steve Bonds" <pow7yec02 () sneakemail com> wrote:

> On Sat, 19 Apr 2003, Michael L. Artz dragon-at-october29.net |TCPdump Workers| wrote:
>
> > Is there a way for me to pipe multiple pcap files to tcpdump on stdin, 
> > such as:
> >
> > cat file1.pcap file2.pcap | tcpdump -r -
>
> The utility "tcpslice", included with tcpdump will do this for you.  It
> can also slice up a single capture based on timestamps.
>
> In your example you would use:
>
> tcpslice file1.pcap file2.pcap | tcpdump -r -
>
>   -- Steve
>
>
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe


-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe