On Jun 11, 2009, at 11:10 AM, Ujjval Karihaloo wrote:
Few of the files I want to merge show that they have a packet
larger than byte size 65535...and mergecap fails...I tried the -s
truncate option...but stillfails..
I think the capture device somehow left large packets inthere..
Either that, or the file somehow got damaged. Note that both
Wireshark's Wiretap library *AND* libpcap *both* treat packets in a
pcap file with a size larger than 65535 as an error; if the capture
device is returning packets bigger than 65535 bytes, either that limit
needs to be increased, or the capture device software needs to be
fixed. On what device did you capture this? (And did you FTP it
between a Windows machine and a UN*X machine?)
anyway to get around that and still merge those files
If the file is damaged, there's no way to repair the damage (as
there's no way to determine what the damage is), but you could try
using editcap to read from the file and write to another file - that
should copy all the packets up to the first damaged packet to the
output file, so you will at least have all the good packets.