Ethereal-dev: Re: [Ethereal-dev] Pcap file Cleaning

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 20 Jan 2002 17:26:22 -0800
On Sun, Jan 20, 2002 at 08:02:51PM -0500, Vincas Ciziunas wrote:
> A packet that's been cut off mid-capture.

I.e., cut off by having done the capture with a snapshot length shorter
than the maximum packet size on the network?

There's no utility to automatically discard packets with a "captured
length" less than the real length.  You could do it manually with

	tethereal -r {input file} -w {output file} \
		-R 'frame.cap_len >= frame.pkt_len'

> Also any packet that ethereal
> reports as 'invalid.'  I want to clean a file of those

There are a number of ways in which Ethereal can report a packet as
"invalid"; not all of them can necessarily be detected with a display
filter expression, so if you really want to remove *any* packet that
Ethereal reports as invalid, you'd have to do that manually, by running
Ethereal on the file, marking all the frames in the file (with the "Mark
All Frames" operation under the "Edit" menu), unmarking the frames you
don't want in the file (with the "Mark Frame" operation under the "Edit"
menu, the accelerator for which is control-M; that operation really
means "toggle the marked status of the frame"), and then do a "Save As"
and select "Save only marked packets".