Hi Jefferson, I tried this method, but it hangs tcpdump.
Don

On 3/19/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote:
> On 03/20/2006 12:12 AM, Stephen Donnelly wrote:
> [top-posted rat's nest cleaned up]
> > On Sun, 2006-03-19 at 20:43 -0800, Don Morrison wrote:
> >>Here's the problem. I'm dealing with corrupted pcap files, where the
> >>last packet was partially written, but it's not of interest and all I
> >>want to do is truncate the last packet. My assumption is that
> >>libpcap's API will not allow me to deal with this since programs that
> >>are dependent on it (tcpdump, ethereal) hang when attempting to open
> >>any such file. Is this assumption incorrect?
> >
> > That sounds quite likely. This may well be a case where you need to edit
> > the file directly, and it seems unlikely that the compatibility issues I
> > mentioned would be a problem.
>
> The trivial way to fix a truncated pcap file:
>
> tcpdump -r broken.pcap -w clean.pcap
>
> I suspect Ethereal's editcap and mergecap might accomplish pretty much
> the same thing.
>
> --
> Jefferson Ogata <[EMAIL PROTECTED]>
> NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
> "Never try to retrieve anything from a bear."--National Park Service
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.
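Editing the file directly, as the quoted reply suggests for captures that hang the libpcap-based tools, comes down to walking the per-packet record headers and cutting the file after the last record that is fully present. The script below is an added example, not code from the thread or from the tcpdump project; it assumes the classic pcap format (not pcapng), and its function names and the length sanity check are illustrative choices.

```python
import struct
import sys

# Classic pcap magic bytes -> struct byte order (micro- and nanosecond variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
GLOBAL_HDR_LEN = 24  # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16  # ts_sec, ts_frac, incl_len, orig_len


def last_complete_offset(data):
    """Return (offset just past the last complete record, record count)."""
    if len(data) < GLOBAL_HDR_LEN or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[data[:4]]
    snaplen = struct.unpack_from(order + "I", data, 16)[0]
    offset, count = GLOBAL_HDR_LEN, 0
    while offset + RECORD_HDR_LEN <= len(data):
        incl_len = struct.unpack_from(order + "I", data, offset + 8)[0]
        end = offset + RECORD_HDR_LEN + incl_len
        # Stop at a record that runs past EOF, or whose length is implausible
        # (assumed heuristic: larger than both snaplen and 65535).
        if end > len(data) or incl_len > max(snaplen, 65535):
            break
        offset, count = end, count + 1
    return offset, count


def repair(data):
    """Drop everything after the last complete record."""
    offset, count = last_complete_offset(data)
    return data[:offset], count


def build_sample():
    """Constructed input: two complete records, third cut off mid-payload."""
    def rec(ts, payload):
        return struct.pack("<IIII", ts, 0, len(payload), len(payload)) + payload
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    good = hdr + rec(1, b"A" * 60) + rec(2, b"B" * 42)
    return good, good + rec(3, b"C" * 100)[:50]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script broken.pcap clean.pcap
        with open(sys.argv[1], "rb") as src:
            fixed, n = repair(src.read())
        with open(sys.argv[2], "wb") as dst:
            dst.write(fixed)
    else:
        good, broken = build_sample()
        fixed, n = repair(broken)
    print(f"kept {n} complete records, {len(fixed)} bytes")
```

The script writes the repaired capture to a new file and leaves the damaged original untouched, which matters when the capture is evidence. It reads the whole file into memory, so very large captures would need a streaming variant.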