Wireshark mailing list archives

Re: mergecap truncated files


From: Guy Harris <guy () alum mit edu>
Date: Mon, 18 Jun 2018 11:30:13 -0700

On Jun 17, 2018, at 3:00 PM, Catalin Patulea <cat () vv carleton ca> wrote:

> I'm trying to merge a few pcap files, some of which are truncated. I'm
> getting this error:
> $ mergecap -a sip.pcap-201806* -w /tmp/out.pcap
> mergecap: Error reading sip.pcap-20180616-111355: Less data was read
> than was expected

That error message translates to "sip.pcap-20180616-111355 is truncated".

> At this point, mergecap stops processing any later files. I would
> prefer mergecap discard the truncated frame, and continue with next
> files. I understand this will potentially lose some data, this is
> appropriate for my application.
>
> Is there any way to configure mergecap for this?

No.

> If I write a patch
> for an optional new command-line flag, is it likely to be accepted?

Possibly, although this would be a feature useful only to handle files
damaged by being truncated; there's nothing mergecap-specific about the
issue of truncated files, so there's no particular reason why this
should be a *mergecap* feature, and there's already a way to deal with
truncated files - you could use editcap to read sip.pcap-20180616-111355
and write out a file containing all the complete packets in it, i.e.

        for i in sip.pcap-201806*
        do
                editcap "$i" "$i".cleanedup
        done
        mergecap -a sip.pcap-201806*.cleanedup -w /tmp/out.pcap
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
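
What "Less data was read than was expected" means at the file-format level, shown as an added example that is not part of the original message and is not Wireshark's code: a record header announces more bytes than remain in the file, and keeping everything before that record yields a file of complete packets only. It assumes classic pcap (not pcapng); the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond timestamps).
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}
GLOBAL_HDR = 24   # bytes in the pcap file header
RECORD_HDR = 16   # bytes in each per-packet record header


def salvage_pcap(data: bytes):
    """Return (clean_bytes, complete_packets, discarded_bytes) for a classic pcap image."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("file is shorter than the pcap file header")
    # The magic number tells us which byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")

    offset, packets = GLOBAL_HDR, 0
    while offset + RECORD_HDR <= len(data):
        # Record header: ts_sec, ts_frac, incl_len (bytes stored), orig_len.
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        end = offset + RECORD_HDR + incl_len
        if end > len(data):
            break  # header promises more bytes than the file holds: truncated
        offset, packets = end, packets + 1
    return data[:offset], packets, len(data) - offset


def constructed_capture() -> bytes:
    """Constructed sample: two complete 4-byte packets, then one cut short."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

    def rec(sec, payload, claimed):
        # claimed is the incl_len/orig_len written into the record header
        return struct.pack("<IIII", sec, 0, claimed, claimed) + payload

    return hdr + rec(1, b"AAAA", 4) + rec(2, b"BBBB", 4) + rec(3, b"CC", 4)


if __name__ == "__main__":
    clean, n, lost = salvage_pcap(constructed_capture())
    print(f"kept {n} packets, dropped {lost} trailing bytes")
```

The same loop also covers a file cut off inside a record header, since the `while` condition fails before the header is unpacked.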