Wireshark-users: Re: [Wireshark-users] 2 gig limit on mergecap
From: "Daniel Goolsby" <danielgoolsby@xxxxxxxxx>
Date: Fri, 24 Nov 2006 01:50:44 -0600
After trying this:

       for i in {files 2 through n}
       do
               (dd bs=20 count=1; cat) <$i >>the_first_file
       done

it created the file, but tcpdump gave this error while trying to just read it:

tcpdump: <filename>: Value too large for defined data type.

It also gave that error with any program that had to read it (snort, bro, etc.).

Suppose I'll just stick with running them individually until this functionality is implemented.

Thanks for the help.

daniel


On 11/22/06, Guy Harris < guy@xxxxxxxxxxxx > wrote:
Daniel Goolsby wrote:
> not sure, they're binary files.

In the specific type of merging you're doing, which is just
concatenation, if the capture files are all libpcap files, you could,
for files 2 through N, strip off the 20-byte file header from the file
and append it to the first file.  That could be done with the aid of dd
and cat, for example:

        for i in {files 2 through n}
        do
                (dd bs=20 count=1; cat) <$i >>the_first_file
        done

in the Bourne shell or a compatible shell (Korn, Bourne-again, etc.).

However, whether you'd be able to read the resulting file, either with
tcpdump or *shark, is another matter, as per my other mail.
--
--daniel
--
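
An added example, not part of the original thread: the same strip-and-append merge in Python, assuming classic libpcap files, whose file header is 24 bytes (magic, version, thiszone, sigfigs, snaplen, link type). It goes beyond the shell loop by refusing to merge files whose byte order, timestamp resolution or link type differ from the first file, since their records would be misread under the first file's header. The function names and the `make_pcap` sample data are constructed for this example.

```python
import shutil
import struct

HDR_LEN = 24  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond timestamps

def read_header(fh):
    """Return (magic, linktype) from a libpcap file header, or raise ValueError."""
    raw = fh.read(HDR_LEN)
    if len(raw) != HDR_LEN or raw[:4] not in MAGICS:
        raise ValueError("not a libpcap capture file")
    linktype = struct.unpack(MAGICS[raw[:4]] + "I", raw[20:24])[0]
    return raw[:4], linktype

def concat_pcaps(out_path, in_paths):
    """Copy the first file whole, then only the records of the rest; return output size."""
    keys = []
    for path in in_paths:            # validate every input before writing anything
        with open(path, "rb") as fh:
            keys.append(read_header(fh))
    for path, key in zip(in_paths, keys):
        if key != keys[0]:
            raise ValueError(f"{path}: byte order, timestamp type or link type differs")
    with open(out_path, "wb") as out:
        for n, path in enumerate(in_paths):
            with open(path, "rb") as src:
                if n:
                    src.seek(HDR_LEN)                   # skip the header of files 2..N
                shutil.copyfileobj(src, out, 1 << 20)   # streamed in 1 MiB chunks
        return out.tell()

def count_records(path):
    """Walk the record headers (ts_sec, ts_frac, caplen, origlen) and count packets."""
    with open(path, "rb") as fh:
        order = MAGICS[read_header(fh)[0]]
        n = 0
        while (rec := fh.read(16)):
            if len(rec) != 16:
                raise ValueError("truncated record header")
            caplen = struct.unpack(order + "IIII", rec)[2]
            if len(fh.read(caplen)) != caplen:
                raise ValueError("truncated packet data")
            n += 1
        return n

def make_pcap(path, payloads, linktype=1):
    """Write a small constructed little-endian capture (sample data for this example)."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for i, p in enumerate(payloads):
            fh.write(struct.pack("<IIII", i, 0, len(p), len(p)) + p)
```

Running `count_records` on the merged output is a quick check that every record boundary still lines up before handing the file to tcpdump, snort or bro.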