Wireshark-users: Re: [Wireshark-users] Wireshark-users: Merging a bunch of PCAP files

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 11 Jun 2009 20:18:13 -0700

On Jun 11, 2009, at 11:10 AM, Ujjval Karihaloo wrote:

Few of the files I want to merge show that they have a packet larger than byte size 65535...and mergecap fails...I tried the -s truncate option...but still fails..

I think the capture device somehow left large packets in there..

Either that, or the file somehow got damaged. Note that both Wireshark's Wiretap library *AND* libpcap *both* treat packets in a pcap file with a size larger than 65535 as an error; if the capture device is returning packets bigger than 65535 bytes, either that limit needs to be increased, or the capture device software needs to be fixed. On what device did you capture this? (And did you FTP it between a Windows machine and a UN*X machine?)

any way to get around that and still merge those files

If the file is damaged, there's no way to repair the damage (as there's no way to determine what the damage is), but you could try using editcap to read from the file and write to another file - that should copy all the packets up to the first damaged packet to the output file, so you will at least have all the good packets.
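The following is an added example, not part of the original message and not Wireshark or libpcap code. It walks the record headers of a classic pcap file and reports how many packets precede the first record whose captured length exceeds 65535, together with that record's byte offset. The sample capture is constructed, and the damage model (a text-mode transfer rewriting LF as CRLF) is an assumption about what the FTP question points at.

```python
import struct

MAX_LEN = 65535  # per-packet limit named in the message

def scan_pcap(data):
    """Return (good_packets, offset_of_first_bad_record_or_None, reason)."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"   # little-endian writer (micro- or nanosecond magic)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"   # big-endian writer
    else:
        return 0, 0, "not a classic pcap file"
    if len(data) < 24:
        return 0, 0, "truncated file header"
    offset, good = 24, 0   # records start after the 24-byte file header
    while offset < len(data):
        if offset + 16 > len(data):
            return good, offset, "truncated record header"
        # Record header: ts_sec, ts_frac, incl_len, orig_len (4 bytes each)
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        if incl_len > MAX_LEN:
            return good, offset, "captured length %d exceeds %d" % (incl_len, MAX_LEN)
        if offset + 16 + incl_len > len(data):
            return good, offset, "truncated packet data"
        offset += 16 + incl_len
        good += 1
    return good, None, "ok"

def build_sample():
    """Constructed little-endian pcap: three packets, the second contains one LF."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, MAX_LEN, 1)
    for sec, payload in ((1, b"abcd"), (2, b"GET /\n"), (3, b"x" * 300)):
        out += struct.pack("<IIII", sec, 0, len(payload), len(payload)) + payload
    return out

CLEAN = build_sample()
# Assumed damage model: a text-mode transfer rewrote LF as CRLF, which
# inserts one byte and shifts every later record header out of alignment.
DAMAGED = CLEAN.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("damaged", DAMAGED)):
        print(name, scan_pcap(blob))
```

The count of good packets is what a copy that stops at the first damaged record would preserve; the reported offset shows where the record headers stop making sense.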