Re: [tcpdump-workers] pcap file format documentation

2006-03-30 Thread Don Morrison
> Offhand I'd say this has nothing to do with truncation, since the
> truncated packet shouldn't be included in the clean pcap file. My guess
> would be that you've found a bug in one of ethereal's protocol dissectors.

Jefferson,

I finally got a chance to work on this.  You are correct, there was no
truncation.  I wrote a quick script to read through them all, and all
payload sizes match up, and there are no partial headers in the file,
so my next step will be to look at the Ethereal Dissectors.  Thanks
for the help.  Hopefully, I'll be allowed to send in the patch.

Regards,
Don
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
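
The kind of check described in the message above (every payload size matches up, no partial headers), as an added example that is not the poster's script or code from this thread. It assumes the classic libpcap layout of a 24-byte global header followed by 16-byte record headers; the function names and the sample capture are constructed here.

```python
import struct

MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond / nanosecond timestamp variants

def check_pcap(data: bytes) -> dict:
    """Walk every record; report the first point where the file is cut short."""
    def result(error, offset, packets):
        return {"ok": error is None, "error": error, "offset": offset, "packets": packets}

    if len(data) < 24:
        return result("partial global header", 0, 0)
    for endian in ("<", ">"):  # the writer's byte order is revealed by the magic
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        return result("bad magic", 0, 0)

    offset, packets = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            return result("partial record header", offset, packets)
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        if incl_len > orig_len:
            return result("captured length exceeds original length", offset, packets)
        if len(data) - offset - 16 < incl_len:
            return result("partial payload", offset, packets)
        offset += 16 + incl_len
        packets += 1
    return result(None, offset, packets)

def sample_capture() -> bytes:
    """Constructed two-packet capture (little-endian, Ethernet link type)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    payloads = [b"\x00" * 60, b"\x11" * 42]
    records = b"".join(
        struct.pack("<IIII", 1143158400 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(payloads))
    return header + records

if __name__ == "__main__":
    good = sample_capture()
    for label, blob in [("intact", good), ("cut mid-payload", good[:-5]),
                        ("cut mid-header", good[:108])]:
        print(label, check_pcap(blob))
```

The reported offset is where the last complete record ends, so a capture cut off when a pipeline is torn down can be trimmed to that length before it is handed to a dissector.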


Re: [tcpdump-workers] pcap file format documentation

2006-03-24 Thread Don Morrison
> Offhand I'd say this has nothing to do with truncation, since the
> truncated packet shouldn't be included in the clean pcap file. My guess
> would be that you've found a bug in one of ethereal's protocol dissectors.

Relax guys :) I'll send you the answer when I have time to fix it,
jeez. ;) I only had like 30 minutes to look at the problem today.

The reason why I suspect truncation is the following.  When I use
tethereal in my script, it cannot both output the text summary lines
and write to file at the same time.  Instead of hacking my own version
of tethereal, I did (not showing all options here:) tethereal -i eth0
-w - | tee filename | tethereal -i -

I think when this pipeline gets torn down, sometimes, a partial packet
is written.

Could it instead be a crashing dissector? Sure could be...I will then
poke a stick at the hornet's nest that is the Ethereal mailing list.
;)


Re: [tcpdump-workers] pcap file format documentation

2006-03-23 Thread Don Morrison
Hi Jefferson,

Sorry, I have been home sick with the flu for 3 days.  I will get to
this tomorrow hopefully.

Don

On 3/23/06, Jefferson Ogata [EMAIL PROTECTED] wrote:
> On 03/20/2006 04:18 AM, Don Morrison wrote:
> [top posting fixed YET again]
> > On 3/20/06, Jefferson Ogata [EMAIL PROTECTED] wrote:
> >> On 03/20/2006 02:01 AM, Don Morrison wrote:
> >> [top posting fixed again]
> >>> I tried this method, but it hangs tcpdump.
> >>
> >> That would be a bug in tcpdump. Why don't you send an example pcap file
> >> along that does this (or post it to a web or FTP site and send a URL),
> >> and state what version of tcpdump you are using.
> >
> > The files are at work, so I'll have to reply in the morning. -Don
>
> Don, did you want to point us at one of your problem files?
>
> --
> Jefferson Ogata [EMAIL PROTECTED]
> NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
> Never try to retrieve anything from a bear.--National Park Service



[tcpdump-workers] pcap file format documentation

2006-03-19 Thread Don Morrison
Hello,

Is there documentation describing the pcap file formats (other than
the libpcap source)?

Thanks,
Don