Prashanth wrote:
Yes, i stop the trace on the filer before reading the file.
Then there's a bug on the filer; you should report it to NetApp. It
might not be writing out the last bufferful of packet data (which means
there might be some packets that are *completely* missing from the file).
If wireshark
ignores the packet then why doesn't it print the ip_hosts stats? Is
that the expected behavior? I normally use the -q because i am more
interested in looking at the stats by IP address. When wireshark finds
that a packet ( the last one) is cut short, it doesnt print the stats.
Is there a way to have it continue to print stats.
You can throw away the incomplete packet at the end - have editcap read
the file and write it to another file; it'll print an error, but it'll
just copy the complete packets to the output file.
Then read the output file with tshark.
