Wireshark-users: Re: [Wireshark-users] Mergecap Questions

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 15 Oct 2009 21:54:48 +0200
On Thu, Oct 15, 2009 at 09:09:11AM -0700, Moran, Brian wrote:
> 
>    Hello, not sure if this is the place for mergecap questions -

Yes, it's part of the wireshark "suite" :-)

>    mergecap: Error reading probex_66159_20091014100306.pcap: Less data was
>    read than was expected
> 
>    I run 500 file 50MB ring buffers on a dumpcap probe, and do a batch copy
>    at midnight to another file server of the whole ring, so I am suspecting
>    that this particular file was copied while the dumpcap probe was writing
>    to the file?

That may very well be the cause of the error indeed...

>    Is there a way around this? I can simply delete the file and merge the
>    rest - but then that means I have to wake up in the middle of the night to
>    babysit the process.

Not sure if I understand your setup correctly, why do you want to merge
the files automatically?

What I would do is copy only the complete files, i.e. sort the files by
time and skip the last one. Or you could run your script after midnight
and only copy the files which have the date of yesterday in the name.

>    Also, is there a way to run mergecap in more than one thread? I run it on
>    a Win2k8-64 server and it shows 1 thread @ 25% CPU and was wondering if
>    there is a way to make it utilize more.

Unfortunately not... but you can speed up things a bit by using the '-a'
option, which will omit checking the proper order of packets by
timestamp (which is not necessary if you merge files from a ring).

Cheers,


Sake
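The file-selection scheme described in the reply above (copy everything except the newest file in the ring, or pick the files whose name carries yesterday's date) followed by the `mergecap -a` step, as an added shell example; it is not part of the original thread or of Wireshark. The dumpcap naming pattern `prefix_NNNNN_YYYYMMDDHHMMSS.pcap` is taken from the error message in the thread; the sample file names, their timestamps and the ring/output paths are constructed for the demonstration, and `make_sample_ring` only creates empty placeholder files.

```shell
#!/bin/sh
# Added example (not from the thread): merge only the dumpcap ring-buffer
# files that are already complete, then concatenate them with 'mergecap -a'.
# Assumes the dumpcap naming scheme prefix_NNNNN_YYYYMMDDHHMMSS.pcap.

# List the .pcap files in directory $1 oldest-first by modification time and
# drop the newest one: that is the file dumpcap is most likely still writing,
# which is what produces "Less data was read than was expected" in mergecap.
complete_files() {
    ls -1tr "$1"/*.pcap | sed '$d'
}

# Alternative selection: list the .pcap files in $1 whose name carries the
# date $2 (YYYYMMDD). Name order is chronological because both the counter
# and the timestamp increase; run this after midnight for yesterday's date.
files_for_day() {
    ls -1 "$1"/*_"$2"[0-9][0-9][0-9][0-9][0-9][0-9].pcap 2>/dev/null
}

# Concatenate the listed files into $1. '-a' skips the per-packet timestamp
# ordering, which is unnecessary for files from one ring and saves time.
# When mergecap is not installed, print the command instead so the file
# selection can still be inspected.
merge_ring() {
    out=$1
    shift
    if command -v mergecap >/dev/null 2>&1; then
        mergecap -a -w "$out" "$@"
    else
        echo "mergecap -a -w $out $*"
    fi
}

# Constructed sample ring (empty placeholder files, mtimes set with touch -t):
# three closed files and one that is still being written.
make_sample_ring() {
    touch -t 200910132359.59 "$1/probex_66157_20091013235959.pcap"
    touch -t 200910140000.00 "$1/probex_66158_20091014000000.pcap"
    touch -t 200910141003.06 "$1/probex_66159_20091014100306.pcap"
    touch -t 200910150001.00 "$1/probex_66160_20091014235900.pcap"
}

# Usage: sh merge_ring.sh /path/to/ring /path/to/out.pcap
# (dumpcap ring file names contain no spaces, so word splitting is safe here)
if [ $# -eq 2 ]; then
    merge_ring "$2" $(complete_files "$1")
fi
```

Run it with the ring directory and an output file as the two arguments to merge everything but the newest file; swap `complete_files "$1"` for `files_for_day "$1" "$(date +%Y%m%d)"` style date selection if the job runs just after midnight and should pick up only the previous day's files (the exact `date` arithmetic for "yesterday" differs between GNU and BSD, so it is left out of the block).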