Wireshark-users: [Wireshark-users] Dump file format?
From: Trevor Bosaw <bosawt@xxxxxxxxxxxxxxxx>
Date: Mon, 14 Apr 2008 21:26:59 -0700
Hey,

I have been examining data from a group that saves their packet data in a dump file. Wireshark recognizes these dump files, but they are too large, and it crashes before it can finish reading in the entire file. I have been able to split the files using the Unix command 'split', but since this command obviously cannot read the dump format, it splits the file in the middle of a packet.

Now, I don't really care about the loss of this packet, as it is only one among thousands, but when I try to load the second portion of the file that was split, Wireshark doesn't recognize it (since it starts with the second part of a packet, and not a new one).

Does anyone know what the Wireshark dump file format is, and if so, if it's possible that I can manually open the second and subsequent portions of the dump file, delete the second part of the packet, and load the rest into Wireshark?

I am not sure if this will appear appropriately on other computers, but here is an example of a packet from the dump file:

‘√≤°`P”Ceå 6åfl§ † \E~kí@6ìÙÍ>É@J‚P£ƒZ«AD§O¶P–Ã

This is exactly one packet.
Also, here is a selection of the very beginning of the second part of the file:

Ø˛©P˙ÏÕR”Ce 6 fl§ † \E˚øi@q«‹∂ú Ö"Ñ©ØP‰Ó‡ì8=œΩP˝ = R”Cl 6Ofl§ † \EA¯É@4£¡ƒ'xÀ«Ä5-Ï.ITR”Cû 6<† \fl§ E(w⁄@v¡†É@J‚ÙÍ> £âP·ñÑrXÛ(‘PˇˇX’R”CB 6<† \fl§ E(w€@v¡üÉ@J‚ÙÍ>£âP·ñÑrXÛ3ÄPıSX’R”CÊ 6<† \fl§ E(Û€@vèP°Í∆ F”©®PÙü6Å

Again, this is just gibberish to me, so I really don't know exactly what to delete from the second file.

Any help would be very much appreciated.

-Thanks
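The classic libpcap (tcpdump) format that Wireshark reads is a 24-byte global header followed by packet records, each a 16-byte header (seconds, microseconds, stored length, original length) and the stored bytes; records carry no marker to resynchronise on, which is why a piece cut mid-packet by `split` is rejected. This added Python example (not from the list thread) assumes the dump is in that format and splits it on record boundaries instead, reporting or dropping a trailing partial record; the sample capture it builds is constructed filler, not real frames:

```python
import struct

GLOBAL_HDR_LEN = 24  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR_LEN = 16     # ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on wire)

def _endianness(data: bytes) -> str:
    """Byte-order prefix implied by the magic number; a piece cut mid-packet fails here."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        return "<"
    if magic == 0xD4C3B2A1:
        return ">"
    raise ValueError("no libpcap magic number: not the start of a capture file")

def split_pcap(data: bytes, packets_per_chunk: int, drop_partial_tail: bool = False) -> list:
    """Cut a capture into chunks of whole records, each prefixed with a copy of the global header."""
    order, global_hdr = _endianness(data), data[:GLOBAL_HDR_LEN]
    chunks, body, count, off = [], bytearray(), 0, GLOBAL_HDR_LEN
    while off < len(data):
        end = len(data) + 1  # sentinel: not even a full record header is left
        if off + PKT_HDR_LEN <= len(data):
            end = off + PKT_HDR_LEN + struct.unpack(order + "I", data[off + 8:off + 12])[0]
        if end > len(data):  # record runs past the end: the input was cut mid-packet
            if drop_partial_tail:
                break
            raise ValueError(f"truncated packet record at offset {off}")
        body += data[off:end]
        count, off = count + 1, end
        if count == packets_per_chunk:
            chunks.append(global_hdr + bytes(body))
            body, count = bytearray(), 0
    if body:
        chunks.append(global_hdr + bytes(body))
    return chunks

def count_packets(data: bytes) -> int:
    """Walk the records of a well-formed capture and count them."""
    order, off, n = _endianness(data), GLOBAL_HDR_LEN, 0
    while off + PKT_HDR_LEN <= len(data):
        off += PKT_HDR_LEN + struct.unpack(order + "I", data[off + 8:off + 12])[0]
        n += 1
    return n

def build_sample_pcap(num_packets: int) -> bytes:
    """Constructed sample capture (little-endian, link type 1 = Ethernet) with filler payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(num_packets):
        payload = bytes([i & 0xFF]) * (14 + i)
        out += struct.pack("<IIII", 1208235000 + i, 0, len(payload), len(payload)) + payload
    return out
```

Wireshark's bundled `editcap` utility does the same record-boundary split with its `-c <packets per file>` option, which avoids the problem without any manual editing.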