Guy,
Thanks for your response.
Yes, i stop the trace on the filer before reading the file. If wireshark
ignores the packet then why doesn't it print the ip_hosts stats? Is that the
expected behavior? I normally use the -q because i am more interested in
looking at the stats by IP address. When wireshark finds that a packet ( the
last one) is cut short, it doesnt print the stats. Is there a way to have it
continue to print stats.
Thanks
Venkat
Guy Harris <[EMAIL PROTECTED]> wrote: Prashanth wrote:
> I am using wireshark to read in a .trc file that was generated from a
> fileserver (netapp) that generated dump in trc format for analysis.
"trc format" is just libpcap format.
> In some instance i see the following:
>
> [EMAIL PROTECTED]:~/work % /local/wireshark/bin/tshark -r vif1.trc -z
> 'ip_hosts,tree' -q
> tshark: "vif1.trc" appears to have been cut short in the middle of a packet.
Did you stop the trace on the filer before reading the file? If not,
that isn't guaranteed to work - there might be data in memory on the
file that hasn't yet been written out to the file. That could cause
this problem.
> I have not copied the trc file from one OS to another. Is there a way i
> can have wireshark ignore such packets when it reads the trc file?
That message is printed for the last packet in the file;
Wireshark/TShark already ignores it when it sees that problem. It
doesn't ignore it *silently*, because it's not supposed to.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
---------------------------------
Got a little couch potato?
Check out fun summer activities for kids.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users