Wireshark-users: Re: [Wireshark-users] Dumping multiple filters out to files?
From: Patrick M Geahan <pmgeahan@xxxxxxxxxxxxxx>
Date: Sat, 25 Oct 2008 18:55:27 -0500 (CDT)
On Sat, 25 Oct 2008, Guy Harris wrote:

> On Oct 25, 2008, at 7:42 AM, Patrick M Geahan wrote:
>
> > I did run into one minor issue with tcpflow, namely that it added
> > one byte to the beginning of all of the raw files.  This may perhaps
> > be a particular fluke of the method I've been using to analyze the
> > files, which started out as Packeteer format before I converted
> > to pcap.
>
> Possibly, but I'd expect it to affect *every* packet, so there'd be
> bytes inserted into the file at various points.

I'd agree with you, there.  I don't quite know why it does this, but on
the four or five pcap files I'd dumped raw from with Wireshark, by hand,
tcpflow put out the same files, plus a leading byte.  After removing the
one byte from each file, they all were identical to the by-hand ones; and,
in the few cases where I knew what the files were supposed to be, down to
the CRC32 value, they were also identical.

> How did you convert Packeteer format to libpcap?

tshark read the Packeteer format fine, so I used a filter to pull
out the packets I was really interested in, then had tshark write those
to a new file.  tshark writes pcap by default, so it ended up doing the
conversion for me.


-------Patrick M Geahan----pmgeahan@xxxxxxxxxxxxxx---ICQ:3784715------
"You know, this is how the sum total of human knowledge is increased.
Not with idle speculation and meaningless chatter, but with a
medium-sized hammer and some free time." - spam.sc@xxxxxxxxx, a.f.c-a
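The thread's subject, writing one output file per filter from a single capture, is what tshark does when run once per filter with -w. The following is an added example, not code from the thread, from Wireshark or from tcpflow: a small pure-Python splitter that reads a libpcap file, decodes just enough of Ethernet/IPv4/TCP/UDP to evaluate a few port-based filters, and writes every matching packet into a per-filter pcap in one pass. The filter names (http, dns, ssh), the predicates and all packets in SAMPLE_PCAP are constructed for the demonstration; the pcap reader and writer follow the published libpcap layout (24-byte global header, 16-byte record header, microsecond timestamps) and accept both byte orders, but pcapng is deliberately rejected rather than guessed at.

```python
"""Split one libpcap capture into several, one per filter (added example).

Stand-in for running tshark once per filter with -w. Every packet below is
constructed for the demo; nothing here comes from the original thread.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # native-order magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame):
    # ts_sec, ts_usec, incl_len, orig_len (no truncation in this demo)
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def read_pcap(blob):
    """Return (linktype, [(ts_sec, ts_usec, frame), ...]); handles both byte orders."""
    (magic,) = struct.unpack("<I", blob[:4])
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a libpcap file (pcapng and other formats are not handled)")
    _, _, _, _, _, linktype = struct.unpack(order + "HHiIII", blob[4:24])
    records, pos = [], 24
    while pos + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(order + "IIII", blob[pos:pos + 16])
        frame = blob[pos + 16:pos + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % pos)
        records.append((ts_sec, ts_usec, frame))
        pos += 16 + incl_len
    return linktype, records


def decode(frame):
    """Minimal Ethernet/IPv4/TCP|UDP decoder; returns a field dict or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    fields = {"proto": ip[9], "src": ip[12:16], "dst": ip[16:20],
              "sport": None, "dport": None}
    if fields["proto"] in (6, 17) and len(ip) >= ihl + 4:
        fields["sport"], fields["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return fields


# Hypothetical filters; each name doubles as the output file name.
FILTERS = {
    "http": lambda f: f["proto"] == 6 and 80 in (f["sport"], f["dport"]),
    "dns":  lambda f: f["proto"] == 17 and 53 in (f["sport"], f["dport"]),
    "ssh":  lambda f: f["proto"] == 6 and 22 in (f["sport"], f["dport"]),
}


def split_by_filters(pcap_blob, filters=FILTERS):
    """One pass over the input; a packet matching several filters lands in each."""
    linktype, records = read_pcap(pcap_blob)
    outputs = {name: bytearray(pcap_global_header(linktype)) for name in filters}
    counts = dict.fromkeys(filters, 0)
    for ts_sec, ts_usec, frame in records:
        fields = decode(frame)
        if fields is None:          # non-IPv4 frame: matches no filter here
            continue
        for name, matches in filters.items():
            if matches(fields):
                outputs[name] += pcap_record(ts_sec, ts_usec, frame)
                counts[name] += 1
    return {name: bytes(buf) for name, buf in outputs.items()}, counts


def make_frame(proto, src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame with a bare TCP or UDP header; checksums left zero."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     0, 0, 64, proto, 0, bytes(src), bytes(dst))
    return bytes(6) + bytes(6) + b"\x08\x00" + ip + l4 + payload


# Constructed sample capture: 1 DNS, 2 HTTP, 1 SSH and one ARP frame.
A, B, R = (10, 0, 0, 5), (93, 184, 216, 34), (10, 0, 0, 1)
SAMPLE_FRAMES = [
    make_frame(17, A, R, 40001, 53, b"\x12\x34"),
    make_frame(6, A, B, 50123, 80, b"GET / HTTP/1.0\r\n\r\n"),
    make_frame(6, B, A, 80, 50123, b"HTTP/1.0 200 OK\r\n"),
    make_frame(6, A, R, 50124, 22),
    bytes(12) + b"\x08\x06" + bytes(28),       # ARP: not IPv4, matches nothing
]
SAMPLE_PCAP = pcap_global_header() + b"".join(
    pcap_record(1224978000 + i, 0, f) for i, f in enumerate(SAMPLE_FRAMES))

if __name__ == "__main__":
    outputs, counts = split_by_filters(SAMPLE_PCAP)
    for name, blob in outputs.items():
        with open(name + ".pcap", "wb") as fh:
            fh.write(blob)
        print("%s.pcap: %d packet(s)" % (name, counts[name]))
```

Because the output records are byte-for-byte copies of the input records, each per-filter file reads back with the same frames and timestamps the source had, which is the same property Patrick checked above when comparing tcpflow's output against files dumped by hand.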