tcpdump mailing list archives
Re: Corrupt files
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Fri, 25 Jun 2004 12:48:20 -0400
Xavier Brouckaert wrote:
I have several corrupted pcap files. The error message looks like this when I try to reread the trace with tethereal :
This usually happens to me when I have a disk full condition while capturing. Captures stop getting flushed to disk until some space is cleared, and when they restart a header is no longer in the right place because a lot of buffered data was lost.
If this is what happened and the data is valuable to you you can make the best of it by locating the next valid packet header by hand and stripping out the bogus info in the middle. This is not as hard as it might seem at first.
-- Jefferson Ogata <Jefferson.Ogata () noaa gov> NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov> - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- Corrupt files Xavier Brouckaert (Jun 25)
- Re: Corrupt files Jefferson Ogata (Jun 25)
- Re: Corrupt files Xavier Brouckaert (Jun 25)
- Re: Corrupt files Guy Harris (Jun 25)
- Re: Corrupt files Marco van den Bovenkamp (Jun 25)
- Re: Corrupt files Jefferson Ogata (Jun 26)
- Re: Corrupt files Xavier Brouckaert (Jun 25)
- Re: Corrupt files Jefferson Ogata (Jun 25)