tcpdump mailing list archives

Re: Corrupt files


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Sat, 26 Jun 2004 04:54:45 -0400

Marco van den Bovenkamp wrote:
> Xavier Brouckaert wrote:
>> How do you do that? Is there a tool for this? editcap cannot remove a single broken packet.
>
> No? Assuming it doesn't choke on the bogus packet, and you know its sequence number, something like 'editcap <original file> <fixed file> <# of bogus packet>' should do it...

Not really.

The problem is usually that what follows some packet is not a valid packet header, for whatever reason -- in my case usually a transient disk full condition. You can't skip a packet if the header is invalid; you don't know how many bytes to skip to find the next valid packet header.

If you know where the problem is, though, you can split the file on various boundaries (say, using tail +NNNNc) until you find a valid packet header at the beginning.

Or if you open the file in a hex editor you'll have no problem finding a valid packet header, especially for captured ethernet data. The link headers are unmistakable.

Once you've found a sync point, you just need to strip out the data from the start of the problem area to your sync point.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
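The procedure described in the post above (detect the point where the next record header is no longer valid, scan forward until a plausible header is found, then cut out the bytes in between) can be automated. The following script is an added example written for this archive page; it is not code from the post or from the tcpdump project. It assumes the classic little-endian pcap format with the Ethernet link type, a timestamp window supplied by the operator to reject random bytes that happen to look like a header, and a constructed in-memory sample file with a record whose write was cut short (the "disk full" case). The sync scan uses the same heuristic the post relies on: a real Ethernet link header is unmistakable, so a candidate header is accepted only if the frame behind it carries a common ethertype and the record that follows it is itself plausible (or is the end of the file).

```python
import struct

# Classic libpcap layout, assumed little-endian, version 2.4, LINKTYPE_ETHERNET.
PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
ETH_HDR_LEN = 14
# Ethertypes a captured frame is expected to carry (IPv4, ARP, IPv6, 802.1Q).
PLAUSIBLE_ETHERTYPES = {0x0800, 0x0806, 0x86DD, 0x8100}


def parse_global_header(data):
    """Return (snaplen, linktype); only the LE classic format is handled here."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture file (expected LE pcap, Ethernet)")
    return snaplen, linktype


def header_plausible(data, off, snaplen, ts_lo, ts_hi):
    """Sanity checks a real record header passes and random bytes almost never do."""
    if off + REC_HDR.size > len(data):
        return False
    ts_sec, ts_usec, incl, orig = REC_HDR.unpack_from(data, off)
    if not ts_lo <= ts_sec <= ts_hi or ts_usec >= 1_000_000:
        return False
    if incl < ETH_HDR_LEN or incl > snaplen or orig < incl:
        return False
    if off + REC_HDR.size + incl > len(data):  # record runs past EOF: a cut-short write
        return False
    # The link header is the giveaway: check the ethertype of the frame behind the header.
    (ethertype,) = struct.unpack_from(">H", data, off + REC_HDR.size + 12)
    return ethertype in PLAUSIBLE_ETHERTYPES


def find_sync_point(data, start, snaplen, ts_lo, ts_hi):
    """Scan byte by byte for a header whose successor is also a header (or EOF)."""
    off = start
    while off + REC_HDR.size <= len(data):
        if header_plausible(data, off, snaplen, ts_lo, ts_hi):
            nxt = off + REC_HDR.size + REC_HDR.unpack_from(data, off)[2]
            if nxt == len(data) or header_plausible(data, nxt, snaplen, ts_lo, ts_hi):
                return off
        off += 1
    return None


def repair_pcap(data, ts_lo, ts_hi):
    """Copy valid records; at a bad header, drop everything up to the next sync point.
    Returns (repaired_bytes, [(problem_start, sync_point), ...])."""
    snaplen, _ = parse_global_header(data)
    out = bytearray(data[:GLOBAL_HDR.size])
    gaps = []
    off = GLOBAL_HDR.size
    while off < len(data):
        if header_plausible(data, off, snaplen, ts_lo, ts_hi):
            end = off + REC_HDR.size + REC_HDR.unpack_from(data, off)[2]
            out += data[off:end]
            off = end
            continue
        sync = find_sync_point(data, off + 1, snaplen, ts_lo, ts_hi)
        gaps.append((off, len(data) if sync is None else sync))
        if sync is None:
            break
        off = sync
    return bytes(out), gaps


def count_records(data):
    """(records, clean): clean is False when the last record runs past EOF."""
    off, n = GLOBAL_HDR.size, 0
    while off + REC_HDR.size <= len(data):
        off += REC_HDR.size + REC_HDR.unpack_from(data, off)[2]
        n += 1
    return n, off == len(data)


# --- constructed sample input (not a real capture) ---
def make_frame(payload_len, ethertype=0x0800):
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    return dst + src + struct.pack(">H", ethertype) + bytes(payload_len)


def make_record(ts_sec, ts_usec, frame):
    return REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_sample():
    """Two good records, a record whose write was cut short (header claims 1500 bytes,
    12 bytes of frame and filler survive), then two more good records."""
    good = [make_record(1088000000 + i, 1000 * i, make_frame(40 + i)) for i in range(4)]
    cut_short = REC_HDR.pack(1088000010, 5, 1500, 1500) + bytes.fromhex("0011223344") + b"\xff" * 7
    hdr = GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + good[0] + good[1] + cut_short + good[2] + good[3]


if __name__ == "__main__":
    sample = build_sample()
    fixed, gaps = repair_pcap(sample, ts_lo=1_000_000_000, ts_hi=1_200_000_000)
    print("before:", count_records(sample), "after:", count_records(fixed), "cut:", gaps)
```

The timestamp window is the operator's knowledge of when the capture ran; without it, a scan over a large file will eventually hit four bytes that decode to a sane-looking second count. Requiring two consecutive plausible headers is what makes the resync trustworthy: a single header that merely passes the range checks can still be junk, but junk whose claimed length lands exactly on another valid header is rare. The single record immediately before the damage is kept if its own header is plausible; whether it was itself written completely cannot be decided from the file alone, which is also why the post recommends looking at the bytes in a hex editor before cutting.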

