Hi all,
Just curious if this is a known issue or something that is out of
your control.
I noticed that some of the flows in my pcaps have nowhere near the
expected number of packets after separating an individual flow using
editcap.
ie. editcap -r /pub/mypcap.pcap /pub/mysubcap.pcap 1-3 6-7 12-14 15-16
20-40 etc. etc.
I have several pcaps I am analyzing that have flows that have 6000+
packets, but they very spread out across the pcap resulting in only
sets of 2-10 packets together.
I did some experimenting and the problem seems to lie in that editcap
seems to only read the first 100 arguments (be it individual packet
numbers or sets of packet numbers).
Is this limit intentional or can it be removed? Is this a unix/linux
limitation?
Thanks,
Rob
--
---------------------------------------
Rob Campbell
a.robcampbell@xxxxxxxxx
