Brian Oleksa wrote:
Bill
Can you collaborate on this a little more..??
Do I want to pass in my .pcap file as the <infile> to which I am having
problems with..??
And I am assuming that you want me to pass in the "ballpark" number (or
a range) to where I think the crash occurs.
I can load about 70% of the file...which is right around frame # 16813.....
For example: C:\wireshark\editcap test.pcap -r 16813-20000 is this
what you do..??
Thanks,
Brian
Yes: Of course you also need to specify an <outfile>
editcap -r in.pcap out.pcap 16800-20000
tshark -nVxr out.pcap >foo.txt (crash)
editcap -r in.pcap out.pcap 18000-20000
tshark -nVxr out.pcap >foo.txt (no crash:
... so: bad frame(s) must be between 16800-17999
editcap -r in.pcap out.pcap 16800-17000
...
The process is a bit tedious and not necessarily worth the effort.
Also: sometimes multiple frames are needed.
Just using a debugger on the original file and seeing where the crash
occurs may be all that is needed.