tcpdump mailing list archives

Corrupt files


From: Xavier Brouckaert <xbr () info ucl ac be>
Date: Fri, 25 Jun 2004 15:30:38 +0200

Hi,

I have several corrupted pcap files.  The error message looks like this
when I try to reread the trace with tethereal:

$ tethereal -r asax_24_juin_13h47.cap -w asax_24_juin_13h47-2.cap
tethereal: "asax_24_juin_13h47.cap" appears to be damaged or corrupt.
(pcap: File has 536022498-byte packet, bigger than maximum of 65535)

In this trace, it appears at the packet number 3452006.

The system making the capture is an x86 PC with Debian/stable, libpcap
0.7.2-5, tcpdump 3.7.2-3 (security risk, I know, but I didn't know at the
time of the capture).  The Ethernet controller is a 3Com Corporation
3c905B 100BaseTX [Cyclone] (rev 30).

I have tried to capture with both tcpdump and tethereal, but the problem
remains.

When reading the trace file with snort, snort stops at the bogus packet.

When reading the trace file with nprobe, nprobe continuously writes
"Error while reading packets: 'bogus savefile header'".

The trace file contains only malicious traffic.  I don't know if a
particular packet can break a capture file or if this is a bug in
libpcap or in the kernel or in the ethernet driver or ...

Any idea out there?

Thank you,
Xavier

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
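The libpcap error quoted above comes from the per-record header check a savefile reader does (caplen larger than 65535, larger than the file's snaplen, or running past end of file). The script below is an added example, not code from the post or from libpcap/tethereal: it walks the record headers of a pcap file, reports the 1-based packet number and byte offset of the first damaged header, and returns a copy truncated to the last good record so the usable part can still be read. The sample file, the magic values and the 65535 limit are constructed or taken from the classic pcap format, not from Xavier's actual trace.

```python
import struct

MAGIC_LE, MAGIC_BE = 0xa1b2c3d4, 0xd4c3b2a1   # classic pcap magic, both byte orders
MAX_SNAPLEN = 65535                            # limit libpcap enforces on caplen

def build_sample_pcap(bad_caplen=536022498):
    """Constructed test file: three sane 60-byte records, then one whose
    caplen is the bogus 536022498 seen in the error message above."""
    hdr = struct.pack('<IHHiIII', MAGIC_LE, 2, 4, 0, 0, MAX_SNAPLEN, 1)  # DLT 1 = Ethernet
    body = b''
    for i in range(3):
        pkt = bytes([i]) * 60
        body += struct.pack('<IIII', 1088000000 + i, 0, len(pkt), len(pkt)) + pkt
    body += struct.pack('<IIII', 1088000003, 0, bad_caplen, bad_caplen) + b'\x00' * 16
    return hdr + body

def scan_pcap(data):
    """Walk record headers without decoding packet payloads.
    Returns (snaplen, good_records, bad_index, bad_offset); bad_index is
    1-based like tethereal's packet numbers, or None if the file is clean."""
    magic, = struct.unpack_from('<I', data, 0)
    if magic == MAGIC_LE:
        endian = '<'
    elif magic == MAGIC_BE:
        endian = '>'
    else:
        raise ValueError('not a classic pcap file (unknown magic)')
    snaplen = struct.unpack_from(endian + 'I', data, 16)[0]   # global header byte 16
    off, n = 24, 0                                            # records start after 24-byte header
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack_from(endian + 'IIII', data, off)
        # Same sanity rules a reader applies: caplen must fit the snaplen,
        # the 65535 ceiling, the wire length, and the remaining file.
        if (caplen > MAX_SNAPLEN or caplen > snaplen or caplen > origlen
                or off + 16 + caplen > len(data)):
            return snaplen, n, n + 1, off
        off += 16 + caplen
        n += 1
    return snaplen, n, None, None

def truncate_at(data, bad_offset):
    """Copy of the file containing only the records before the damaged header."""
    return data if bad_offset is None else data[:bad_offset]

if __name__ == '__main__':
    sample = build_sample_pcap()
    snaplen, good, bad_idx, bad_off = scan_pcap(sample)
    print(f'snaplen={snaplen} good={good} first bad packet #{bad_idx} at offset {bad_off}')
    print(f'clean after truncation: {scan_pcap(truncate_at(sample, bad_off))[2] is None}')
```

Run it against a real file by replacing `sample` with `open(path, 'rb').read()`; the reported packet number lines up with the one tethereal stops on, and the truncated copy can be written back out with `-w`-style tools once the bogus record is gone.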

