On 2006-12-04 15:03, Harley Stenzel wrote:
> On 12/1/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote:
>> Is it possible they were the result of combining multiple pcaps via
>> something like mergecap?
>
> It would seem that for something like this to be generally useful, a
> capture station identifier would be needed. I suppose a source-file
> identifier could also do the trick.

Not sure I follow your response. It's not a proposal--mergecap exists as
part of wireshark ne ethereal. There are other tools for doing this as
well.

Yes, something is lost, but something is gained. I use tools of this ilk
to merge together multiple capture files that were collected on multiple
identical, synchronized hosts that receive load-balanced monitor traffic.

I was merely suggesting that perhaps one of the several tools available
for this purpose doesn't properly set snaplen on its output file to the
max of all input snaplens.

--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
"Never try to retrieve anything from a bear."--National Park Service
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
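
The snaplen condition discussed in the message above can be checked on a capture file directly. The following is an added example, not part of the original thread and not code from mergecap or libpcap; it assumes the classic pcap file format (not pcapng), and the function names and sample data are made up for illustration.

```python
import io
import struct

MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # classic pcap: microsecond / nanosecond timestamps
GLOBAL_HDR = "IHHiIII"             # magic, ver major, ver minor, thiszone, sigfigs, snaplen, linktype

def read_header(stream):
    """Return (byte_order, snaplen) from a classic pcap global header."""
    raw = stream.read(24)
    if len(raw) != 24:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):  # the file may have been written on either endianness
        fields = struct.unpack(order + GLOBAL_HDR, raw)
        if fields[0] in MAGICS:
            return order, fields[5]
    raise ValueError("not a classic pcap file")

def merged_snaplen(streams):
    """Snaplen a merge tool should write: the max over all input snaplens."""
    return max(read_header(s)[1] for s in streams)

def oversized_records(stream):
    """List (index, caplen, snaplen) for records longer than the header snaplen."""
    order, snaplen = read_header(stream)
    found, index = [], 0
    while True:
        rec = stream.read(16)  # ts_sec, ts_frac, caplen, origlen
        if len(rec) < 16:
            return found
        caplen = struct.unpack(order + "IIII", rec)[2]
        if caplen > snaplen:
            found.append((index, caplen, snaplen))
        stream.seek(caplen, io.SEEK_CUR)  # skip the packet bytes
        index += 1

def make_pcap(snaplen, packet_lens, order="<"):
    """Constructed sample data: a minimal Ethernet pcap with zero-filled packets."""
    out = struct.pack(order + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n in packet_lens:
        out += struct.pack(order + "IIII", 0, 0, n, n) + bytes(n)
    return out

if __name__ == "__main__":
    inputs = [make_pcap(96, [60, 96]), make_pcap(1514, [1500], ">")]
    print("snaplen for merged output:", merged_snaplen(io.BytesIO(b) for b in inputs))
    # A merge that kept the first input's snaplen (96) but carries a 1500-byte record:
    bad = make_pcap(96, [60, 96, 1500])
    print("oversized records:", oversized_records(io.BytesIO(bad)))
```

A non-empty result from `oversized_records` on a merged file means its header snaplen is smaller than at least one record it contains, which is the condition the message describes.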