Reading from a capture file that has not yet received any packets fails with "truncated dump file"; to avoid this, flush the file (forcing the pcap header out) immediately after opening it.
Suggested by Ferenc Wagner <wf...@niif.hu> in Debian bug #533625. --- tcpdump.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/tcpdump.c b/tcpdump.c index 06683af..76dc67b 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -1205,6 +1205,10 @@ main(int argc, char **argv) callback = dump_packet; pcap_userdata = (u_char *)p; } +#ifdef HAVE_PCAP_DUMP_FLUSH + if (Uflag) + pcap_dump_flush(p); +#endif } else { type = pcap_datalink(pd); printinfo.ndo_type = 1; -- 1.7.1.rc0.13.g7ec1e - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.