Re: pcap file format documentation

["Jefferson Ogata" <Jefferson.Ogata () noaa gov>]

On 03/24/2006 04:35 PM, Don Morrison wrote:
> > > > The trivial way to fix a truncated pcap file:
> > > >
> > > > tcpdump -r broken.pcap -w clean.pcap
> > >
> > > I tried this method, but it hangs tcpdump.
> >
> > That would be a bug in tcpdump. Why don't you send an example pcap file
> > along that does this (or post it to a web or FTP site and send a URL),
> > and state what version of tcpdump you are using.
> >
> > You did run tcpdump with no options other than -r and -w, right?
>
> My apologies, what I said was incorrect.  Running the command does not
> crash tcpdump, but the outputfile ("clean.pcap") will crash Ethereal,
> so while both files are clean enough for tcpdump to display and not
> crash, not so for Ethereal.  

Offhand I'd say this has nothing to do with truncation, since the
truncated packet shouldn't be included in the clean pcap file. My guess
would be that you've found a bug in one of ethereal's protocol dissectors.

Just for grins, have you tried tethereal?

Also, have you identified exactly what packet ethereal/tethereal crashes
on? If so, extract just that packet from the pcap file into a separate
pcap and see if it still crashes ethereal.

There is at least one tool for noising up pcap files so it's fairly safe
to release to others without fear that it might contain private data.

>   Why am I using Ethereal? :) UMA decodes. 
> Unfortunately, I cannot send you the pcap file because it would be a
> violation of my contract with the telecom I work for.

Understood.

> Thanks very much for your help.

No problem.

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.