Wireshark-users: Re: [Wireshark-users] "cut short in the middle of a packet" issue
Guy,
Thanks for your response.
Yes, i stop the trace on the filer before reading the file. If wireshark ignores the packet then why doesn't it print the ip_hosts stats? Is that the expected behavior? I normally use the -q because i am more interested in looking at the stats by IP address. When wireshark finds that a packet ( the last one) is cut short, it doesnt print the stats. Is there a way to have it continue to print stats.
Thanks
Venkat
Guy Harris <guy@xxxxxxxxxxxx> wrote:
Prashanth wrote:
> I am using wireshark to read in a .trc file that was generated from a
> fileserver (netapp) that generated dump in trc format for analysis.
"trc format" is just libpcap format.
> In some instance i see the following:
>
> pvenkatg@comet:~/work %
/local/wireshark/bin/tshark -r vif1.trc -z
> 'ip_hosts,tree' -q
> tshark: "vif1.trc" appears to have been cut short in the middle of a packet.
Did you stop the trace on the filer before reading the file? If not,
that isn't guaranteed to work - there might be data in memory on the
file that hasn't yet been written out to the file. That could cause
this problem.
> I have not copied the trc file from one OS to another. Is there a way i
> can have wireshark ignore such packets when it reads the trc file?
That message is printed for the last packet in the file;
Wireshark/TShark already ignores it when it sees that problem. It
doesn't ignore it *silently*, because it's not supposed to.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
Got a little couch potato?
Check out fun
summer activities for kids.
