tcpdump mailing list archives
Re: pcap files with file header snaplen < packet
From: "Harley Stenzel" <hstenzel () users sourceforge net>
Date: Mon, 4 Dec 2006 11:32:55 -0500
On 12/4/06, Jefferson Ogata <Jefferson.Ogata () noaa gov> wrote:
Not sure I follow your response. It's not a proposal--mergecap exists as part of wireshark ne ethereal. There are other tools for doing this as well. Yes, something is lost, but something is gained. I use tools of this ilk to merge together multiple capture files that were collected on multiple identical, synchronized hosts that receive load-balanced monitor traffic.
I think we're in complete agreement. My comment is simply *If* your use of a capture file is not sensitive to where the observation was made, then merging is an option. Moreover, other uses of merged files are broken because the merge process causes the source of the information to be lost.
I was merely suggesting that perhaps one of the several tools available for this purpose doesn't properly set snaplen on its output file to the max of all input snaplens.
Absolutely. Looking forward, however, it would be helpful if the libpcap file format provided a way to tag the source of the captured packet, so that merged files do not loose information. This information would be very helpful to me in the types of situations I debug. Would it be helpful to others? --Harley - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- pcap files with file header snaplen < packet header caplen Aaron Turner (Nov 30)
- Re: pcap files with file header snaplen < packet header caplen Guy Harris (Nov 30)
- Re: pcap files with file header snaplen < packet header caplen Aaron Turner (Nov 30)
- Re: pcap files with file header snaplen < packet Jefferson Ogata (Nov 30)
- Re: pcap files with file header snaplen < packet Aaron Turner (Nov 30)
- Re: pcap files with file header snaplen < packet Harley Stenzel (Dec 04)
- Re: pcap files with file header snaplen < packet Jefferson Ogata (Dec 04)
- Re: pcap files with file header snaplen < packet Harley Stenzel (Dec 04)
- Re: pcap files with file header snaplen < packet Gerald Combs (Dec 04)
- Re: pcap files with file header snaplen < packet Harley Stenzel (Dec 04)
- Re: pcap files with file header snaplen < packet Gianluca Varenni (Dec 04)
- Re: pcap files with file header snaplen < packet Guy Harris (Dec 04)
- Re: pcap files with file header snaplen < packet header caplen Guy Harris (Nov 30)
- Re: pcap files with file header snaplen < packet Aaron Turner (Dec 04)
- Re: pcap files with file header snaplen < packet Jefferson Ogata (Dec 05)
- Re: pcap files with file header snaplen < packet Aaron Turner (Dec 05)
- Re: pcap files with file header snaplen < packet Jefferson Ogata (Dec 05)
- Re: pcap files with file header snaplen < packet Aaron Turner (Dec 05)