Marco van den Bovenkamp wrote:
Xavier Brouckaert wrote:
How do you do that? Is there a tool for this? editcap cannot remove a single broken packet.

No? Assuming it doesn't choke on the bogus packet, and you know its sequence number, something like 'editcap <original file> <fixed file> <# of bogus packet>' should do it...

Not really.

The problem is usually that what follows some packet is not a valid packet header, for whatever reason -- in my case usually a transient disk full condition. You can't skip a packet if the header is invalid; you don't know how many bytes to skip to find the next valid packet header.

If you know where the problem is, though, you can split the file on various boundaries (say, using tail +NNNNc) until you find a valid packet header at the beginning.

Or if you open the file in a hex editor you'll have no problem finding a valid packet header, especially for captured Ethernet data. The link headers are unmistakable.

Once you've found a sync point, you just need to strip out the data from the start of the problem area to your sync point.

--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
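The sync-point search described in the reply above, as an added Python example that is not from this thread nor from editcap or any other tcpdump tool: it walks a classic microsecond-resolution pcap record by record, accepts a record only when its header is plausible and the following header is too (or the file ends there), and on a bad header scans forward a byte at a time for the next such sync point, dropping the bytes in between. The sample pcap is constructed, and `plausible`, `record_end`, `repair` and `make_record` are names chosen here.

```python
import struct

# Microsecond pcap magics as they appear on disk, mapped to the struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
GLOBAL_HDR_LEN, REC_HDR_LEN = 24, 16

def plausible(buf, off, snaplen, e):
    """True if a sane record header starts at `off` and its data fits in the file."""
    if off + REC_HDR_LEN > len(buf):
        return False
    _, ts_usec, caplen, origlen = struct.unpack(e + "IIII", buf[off:off + REC_HDR_LEN])
    return (ts_usec < 1_000_000 and 0 < caplen <= snaplen and caplen <= origlen
            and off + REC_HDR_LEN + caplen <= len(buf))

def record_end(buf, off, snaplen, e):
    """End offset of the record at `off` if it is a sync point (next header plausible or EOF)."""
    if not plausible(buf, off, snaplen, e):
        return None
    nxt = off + REC_HDR_LEN + struct.unpack(e + "I", buf[off + 8:off + 12])[0]
    return nxt if nxt == len(buf) or plausible(buf, nxt, snaplen, e) else None

def repair(data):
    """Return (fixed_pcap, skipped); skipped lists the (start, end) byte ranges dropped."""
    e = MAGICS.get(data[:4])
    if e is None:
        raise ValueError("not a microsecond-resolution pcap file")
    snaplen = struct.unpack(e + "I", data[16:20])[0]
    out, skipped, off = bytearray(data[:GLOBAL_HDR_LEN]), [], GLOBAL_HDR_LEN
    while off < len(data):
        end = record_end(data, off, snaplen, e)
        if end is not None:  # good record: copy it through unchanged
            out += data[off:end]
            off = end
            continue
        # No valid record here: walk forward one byte at a time until a sync point appears,
        # then drop everything from the start of the problem area to that point.
        sync = off + 1
        while sync < len(data) and record_end(data, sync, snaplen, e) is None:
            sync += 1
        skipped.append((off, sync))
        off = sync
    return bytes(out), skipped

def make_record(ts_sec, frame, e="<"):
    return struct.pack(e + "IIII", ts_sec, 0, len(frame), len(frame)) + frame

# Constructed sample (not a real capture): little-endian, snaplen 65535, Ethernet link type.
FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45\x00" + b"\x00" * 40
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + make_record(1000, FRAME)
          + make_record(1001, FRAME)[:30] + b"\xff" * 9  # record cut short by "disk full", then junk
          + make_record(1002, FRAME) + make_record(1003, FRAME))
```

On the sample, `repair(SAMPLE)` drops bytes 96 to 135 (the truncated record plus the junk after it) and keeps the three intact records; a record whose header parses but whose data was cut short is rejected because the header that follows its claimed length does not parse.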
