This usually happens to me when I have a disk full condition while capturing. Captures stop getting flushed to disk until some space is cleared, and when they restart a header is no longer in the right place because a lot of buffered data was lost.
I have 39Gb left so I don't meet the same condition as you.
Could it happen because there are several applications using libpcap at the same time?
If this is what happened and the data is valuable to you, you can make the best of it by locating the next valid packet header by hand and stripping out the bogus info in the middle. This is not as hard as it might seem at first.

How do you do that? Is there a tool for this? editcap cannot remove a single broken packet. I can't use tethereal with a display filter "frame.number != myboguspacketnumber" because it won't go farther than the bogus packet.
Regards,
Xavier

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
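The manual resynchronisation described in the thread (find the next valid packet header, drop the bytes in between) can be scripted; the following is an added example, not code from the thread or from the libpcap/tcpdump projects. It assumes a classic microsecond-resolution pcap file, an intact first record, and timestamps that stay within `max_gap` seconds of the previous kept record; `salvage`, `plausible`, `MAX_WIRE_LEN` and `max_gap` are names chosen for this sketch.

```python
import struct

GLOBAL_HDR_LEN, REC_HDR_LEN = 24, 16
MAX_WIRE_LEN = 262144   # assumed upper bound on a packet's original length

def plausible(buf, off, endian, snaplen, last_ts, max_gap):
    """Return (ts_sec, caplen) if a sane record header starts at off, else None."""
    if off + REC_HDR_LEN > len(buf):
        return None
    ts_sec, ts_usec, caplen, origlen = struct.unpack_from(endian + "IIII", buf, off)
    if not (0 < caplen <= snaplen and caplen <= origlen <= MAX_WIRE_LEN):
        return None
    if ts_usec >= 1_000_000 or abs(ts_sec - last_ts) > max_gap:
        return None
    if off + REC_HDR_LEN + caplen > len(buf):
        return None          # record body would run past end of file
    return ts_sec, caplen

def salvage(data, max_gap=3600):
    """Return (clean_pcap_bytes, records_kept, bytes_skipped)."""
    if len(data) < GLOBAL_HDR_LEN or data[:4] not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic (microsecond) pcap file")
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    snaplen = struct.unpack_from(endian + "I", data, 16)[0]
    out = bytearray(data[:GLOBAL_HDR_LEN])
    off, kept, skipped = GLOBAL_HDR_LEN, 0, 0
    # Assumption: the first record is intact and seeds the timestamp window.
    last_ts = struct.unpack_from(endian + "I", data, off)[0] if len(data) >= off + 4 else 0
    while off + REC_HDR_LEN <= len(data):
        hit = plausible(data, off, endian, snaplen, last_ts, max_gap)
        if hit:
            nxt = off + REC_HDR_LEN + hit[1]
            # Accept only if the following header is also sane, or we hit EOF.
            at_eof = nxt + REC_HDR_LEN > len(data)
            if at_eof or plausible(data, nxt, endian, snaplen, hit[0], max_gap):
                out += data[off:nxt]
                last_ts, off, kept = hit[0], nxt, kept + 1
                continue
        off += 1             # out of sync: slide one byte and try again
        skipped += 1
    return bytes(out), kept, skipped

if __name__ == "__main__":
    import sys
    clean, kept, skipped = salvage(open(sys.argv[1], "rb").read())
    open(sys.argv[2], "wb").write(clean)
    print(f"kept {kept} records, skipped {skipped} bytes")
```

Because every record must be confirmed by the header that follows it, the record immediately before a damaged region is dropped along with the bogus bytes. Work on a copy of the capture and compare the kept and skipped counts against what you expect before discarding the original.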