On 12/4/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote:
> Not sure I follow your response. It's not a proposal--mergecap exists as part of wireshark née ethereal. There are other tools for doing this as well. Yes, something is lost, but something is gained. I use tools of this ilk to merge together multiple capture files that were collected on multiple identical, synchronized hosts that receive load-balanced monitor traffic.

I think we're in complete agreement. My comment is simply: *if* your use of a capture file is not sensitive to where the observation was made, then merging is an option. Moreover, other uses of merged files are broken because the merge process causes the source of the information to be lost.

> I was merely suggesting that perhaps one of the several tools available for this purpose doesn't properly set snaplen on its output file to the max of all input snaplens.

Absolutely. Looking forward, however, it would be helpful if the libpcap file format provided a way to tag the source of the captured packet, so that merged files do not lose information. This information would be very helpful to me in the types of situations I debug. Would it be helpful to others?

--Harley

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
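The two points in the exchange above, a merger that carries the output snaplen as the maximum of the input snaplens, and the fact that the classic libpcap format has nowhere to record which input each merged packet came from, can be shown concretely. The following is an added example written for this page; it is not mergecap's code or any tool from the thread. It parses and writes the classic libpcap file layout (24-byte global header, 16-byte per-record header), accepts both byte orders, and sets the naive "copy the first file's header" behaviour next to the correct one. The sample packets are constructed inline; `merge_pcaps`, `naive_merge` and `snaplen_violations` are names chosen here.

```python
"""Merge classic libpcap files by timestamp.

Added example for the tcpdump-workers discussion above, not mergecap's
code.  Layout follows the classic libpcap file format: a 24-byte global
header followed by records, each a 16-byte header plus captured bytes.
"""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # magic as read with the writer's byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic read with the opposite byte order
GLOBAL_FMT = "IHHiIII"           # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_FMT = "IIII"              # ts_sec, ts_usec, incl_len, orig_len

# (ts_sec, ts_usec, orig_len, captured bytes)
Record = Tuple[int, int, int, bytes]


def write_pcap(records: List[Record], snaplen: int, linktype: int = 1,
               byteorder: str = "<") -> bytes:
    """Serialise records; refuses a record longer than the declared snaplen."""
    out = [struct.pack(byteorder + GLOBAL_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, orig_len, payload in records:
        if len(payload) > snaplen:
            raise ValueError("captured length %d exceeds snaplen %d" % (len(payload), snaplen))
        out.append(struct.pack(byteorder + RECORD_FMT, ts_sec, ts_usec, len(payload), orig_len))
        out.append(payload)
    return b"".join(out)


def _byteorder(data: bytes) -> str:
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        return "<"
    if magic == PCAP_MAGIC_SWAPPED:
        return ">"
    raise ValueError("not a classic libpcap file")


def read_pcap(data: bytes) -> Tuple[int, int, List[Record]]:
    """Return (snaplen, linktype, records).  Deliberately does not reject a
    record whose incl_len exceeds snaplen, so snaplen_violations can report it."""
    bo = _byteorder(data)
    _, _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack_from(bo + GLOBAL_FMT, data, 0)
    recs: List[Record] = []
    off = struct.calcsize(GLOBAL_FMT)
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(bo + RECORD_FMT, data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        recs.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, linktype, recs


def merge_pcaps(inputs: List[bytes]) -> Tuple[bytes, List[int]]:
    """Merge by timestamp with output snaplen = max of input snaplens.

    Returns (merged file, source index of each output record).  The classic
    format has no field for the source, so that list can only live outside
    the file: this is exactly the information the thread says a merge loses.
    """
    parsed = [read_pcap(d) for d in inputs]
    linktypes = {lt for _, lt, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError("inputs have differing link types: %r" % sorted(linktypes))
    snaplen = max(s for s, _, _ in parsed)
    tagged = [(r[0], r[1], i, r) for i, (_, _, recs) in enumerate(parsed) for r in recs]
    tagged.sort(key=lambda t: (t[0], t[1], t[2]))  # ties keep input order
    merged = write_pcap([t[3] for t in tagged], snaplen, linktypes.pop())
    return merged, [t[2] for t in tagged]


def naive_merge(inputs: List[bytes]) -> bytes:
    """The defect the thread suspects: keep the first input's global header
    (and so its snaplen) and append every input's records after it."""
    parsed = [read_pcap(d) for d in inputs]
    bo = _byteorder(inputs[0])
    out = [inputs[0][:struct.calcsize(GLOBAL_FMT)]]
    recs = sorted((r for _, _, rs in parsed for r in rs), key=lambda r: (r[0], r[1]))
    for ts_sec, ts_usec, orig_len, payload in recs:
        out.append(struct.pack(bo + RECORD_FMT, ts_sec, ts_usec, len(payload), orig_len))
        out.append(payload)
    return b"".join(out)


def snaplen_violations(data: bytes) -> List[int]:
    """Indexes of records whose captured length exceeds the file's snaplen."""
    snaplen, _, recs = read_pcap(data)
    return [i for i, r in enumerate(recs) if len(r[3]) > snaplen]


if __name__ == "__main__":
    # Constructed inputs: a small-snaplen sensor and a full-size one.
    a = write_pcap([(1, 0, 60, b"A" * 60), (3, 0, 200, b"C" * 96)], snaplen=96)
    b = write_pcap([(2, 500000, 500, b"B" * 500)], snaplen=1500, byteorder=">")
    merged, sources = merge_pcaps([a, b])
    print("merged snaplen:", read_pcap(merged)[0], "sources:", sources)
    print("naive merge violations:", snaplen_violations(naive_merge([a, b])))
```

A tool that behaves like `naive_merge` writes a file whose header promises 96-byte captures while carrying a 500-byte record; `snaplen_violations` is the check to run on any merged file before trusting its snaplen.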