I did file a report with netapp, but i still wanted to find out about ways of reading everything else except for the broken packet. Using editcap and creating a new file worked just like you mentioned. I am able to get the stats now.
Thanks very much,
venkat
Guy Harris <guy@xxxxxxxxxxxx> wrote:
wrote:
> Yes, i stop the trace on the filer before reading the file.
Then there's a bug on the filer; you should report it to NetApp. It
might not be writing out the last bufferful of packet data (which means
there might be some packets that are *completely* missing from the file).
> If wireshark
> ignores the packet then why doesn't it print the ip_hosts stats? Is
> that the expected behavior? I normally use the -q because i am more
> interested in looking at the stats by
IP address. When wireshark finds
> that a packet ( the last one) is cut short, it doesnt print the stats.
> Is there a way to have it continue to print stats.
You can throw away the incomplete packet at the end - have editcap read
the file and write it to another file; it'll print an error, but it'll
just copy the complete packets to the output file.
Then read the output file with tshark.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
Be a better Globetrotter.
Get better travel answers from someone who knows.
Yahoo! Answers - Check it out.