Re: [tcpdump-workers] pcap files with file header snaplen < packet

2006-12-04 Thread Aaron Turner
On 12/4/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote: I was merely suggesting that perhaps one of the several tools available for this purpose doesn't properly set snaplen on its output file to the max of all input snaplens. That's likely the case. Of course I have to wonder why libpcap even

Re: [tcpdump-workers] pcap files with file header snaplen < packet

2006-12-04 Thread Guy Harris
On Dec 4, 2006, at 2:41 PM, Gianluca Varenni wrote: - Original Message - From: "Harley Stenzel" <[EMAIL PROTECTED] > It certainly does, but it expired more than 2 years ago. Is it still active? Although the draft expired 2 yrs ago, and I released some update to the NTAR code ba

Re: [tcpdump-workers] pcap files with file header snaplen < packet

2006-12-04 Thread Gianluca Varenni
- Original Message - From: "Harley Stenzel" <[EMAIL PROTECTED]> To: Sent: Monday, December 04, 2006 1:30 PM Subject: Re: [tcpdump-workers] pcap files with file header snaplen < packet On 12/4/06, Gerald Combs <[EMAIL PROTECTED]> wrote: Harley Stenzel wrote: > Looking forward, howev

Re: [tcpdump-workers] pcap files with file header snaplen < packet

2006-12-04 Thread Harley Stenzel
On 12/4/06, Gerald Combs <[EMAIL PROTECTED]> wrote: Harley Stenzel wrote: > Looking forward, however, it would be helpful if the libpcap file > format provided a way to tag the source of the captured packet, so > that merged files do not lose information. NTAR supports this: http://www.winpc

Re: [tcpdump-workers] pcap files with file header snaplen < packet

2006-12-04 Thread Gerald Combs
Harley Stenzel wrote: > Looking forward, however, it would be helpful if the libpcap file > format provided a way to tag the source of the captured packet, so > that merged files do not lose information. NTAR supports this: http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionpb -

Re: [tcpdump-workers] pcap files with file header snaplen < packet

2006-12-04 Thread Harley Stenzel
On 12/4/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote: Not sure I follow your response. It's not a proposal--mergecap exists as part of wireshark ne ethereal. There are other tools for doing this as well. Yes, something is lost, but something is gained. I use tools of this ilk to merge together m

Re: [tcpdump-workers] pcap files with file header snaplen < packet

2006-12-04 Thread Jefferson Ogata
On 2006-12-04 15:03, Harley Stenzel wrote: > On 12/1/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote: >> Is it possible they were the result of combining multiple pcaps via >> something like mergecap? > > It would seem that for something like this to be generally useful, a > capture station identif

Re: [tcpdump-workers] pcap files with file header snaplen < packet

2006-12-04 Thread Harley Stenzel
On 12/1/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote: Is it possible they were the result of combining multiple pcaps via something like mergecap? It would seem that for something like this to be generally useful, a capture station identifier would be needed. I suppose a source-file identif