tcpdump mailing list archives
Re: Ringbuf pcap reading and "bogus savefile header" error
From: Guy Harris <guy () alum mit edu>
Date: Tue, 6 Dec 2016 23:43:35 -0800
On Dec 6, 2016, at 10:12 PM, Tugrul Erdogan <h.tugrul.erdogan () gmail com> wrote:
> There is a pcap file which stores last X seconds of packets. And with each X seconds of a period, a new pcap file is created. I can successfully read the initial pcap file for X seconds with "tail -n+o -F <filename> | tcpdump -r - -nn".
To quote the Linux man page for tail:

    -n, --lines=K
        output the last K lines, instead of the last 10; or use -n +K to output lines starting with the Kth

The word "lines" appears in that text. Pcap files do not have lines, so any program that processes a pcap file as if it had lines in it will almost certainly do something wrong with the file.

    tail -n+o

or, if this is what you really meant:

    tail -n+0

processes the file it's reading as if it has lines in it, so it will almost certainly do something wrong with the file.

You could *try* doing

    tail -F <filename> | tcpdump -r - -nn

but I'm not sure even *that* is guaranteed to treat the file as if it were a binary file - which is exactly what a pcap file is.
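Added example, not part of the original post and not tcpdump or libpcap code: Python that treats a pcap file as binary, checking the file header magic and consuming only whole records, so a reader following a file that is still being written stops at a record boundary and can resume there. It assumes the classic pcap layout (24-byte file header, 16-byte per-record header); all function names and the sample capture are constructed for illustration.

```python
import struct

# Magic bytes as stored on disk -> struct byte-order prefix (usec and nsec variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16

def header_byte_order(buf):
    """Validate the 24-byte file header and return the struct byte-order prefix."""
    if len(buf) < GLOBAL_HDR_LEN or bytes(buf[:4]) not in MAGICS:
        raise ValueError("bogus savefile header")
    return MAGICS[bytes(buf[:4])]

def complete_records(buf, order, offset=GLOBAL_HDR_LEN):
    """Return (packets, next_offset), stopping before any partially written record."""
    packets = []
    while offset + RECORD_HDR_LEN <= len(buf):
        _sec, _frac, caplen, _origlen = struct.unpack_from(order + "IIII", buf, offset)
        end = offset + RECORD_HDR_LEN + caplen
        if end > len(buf):  # the writer has not finished this record yet
            break
        packets.append(bytes(buf[offset + RECORD_HDR_LEN:end]))
        offset = end
    return packets, offset

def build_sample():
    """Constructed little-endian capture: two packets, 0x0a bytes in headers and payloads."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [b"\x0a\x00\x0a\x01hello", b"second\npacket"]
    body = b"".join(struct.pack("<IIII", 10, i, len(p), len(p)) + p  # ts_sec 10 == 0x0a
                    for i, p in enumerate(pkts))
    return hdr + body, pkts

def demo():
    data, pkts = build_sample()
    order = header_byte_order(data)
    full, _ = complete_records(data, order)
    partial, resume = complete_records(data[:-5], order)  # snapshot taken mid-write
    rest, _ = complete_records(data, order, resume)        # resume once the record is complete
    line_chunk = data.split(b"\n", 1)[1]                   # what a cut at a "line" boundary yields
    try:
        header_byte_order(line_chunk)
        line_cut_ok = True
    except ValueError:                                     # chunk does not start with a pcap magic
        line_cut_ok = False
    return full == pkts, partial + rest == pkts, line_cut_ok

if __name__ == "__main__":
    print(demo())
```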