Hi all,

Just curious if this is a known issue or something that is out of your control. I noticed that some of the flows in my pcaps have nowhere near the expected number of packets after separating an individual flow using editcap.

i.e. editcap -r /pub/mypcap.pcap /pub/mysubcap.pcap 1-3 6-7 12-14 15-16 20-40 etc. etc.

I have several pcaps I am analyzing that have flows that have 6000+ packets, but they are very spread out across the pcap, resulting in only sets of 2-10 packets together. I did some experimenting and the problem seems to lie in that editcap seems to only read the first 100 arguments (be it individual packet numbers or sets of packet numbers). Is this limit intentional or can it be removed? Is this a unix/linux limitation?

Thanks,
Rob

--
---------------------------------------
Rob Campbell [EMAIL PROTECTED]