Solved tcpdump won't honor -C option

Hello,

I've a very big pflog.log file (60 GB), and I would like to load only the last GB into Wireshark.
According to its man page, tcpdump allows you to split a file using:

Code:
tcpdump -r your-file -w new-file -C 1024

where -C 1024 tells tcpdump to split every 1024 million bytes (~1 GB).

Unfortunately, when I try this, tcpdump fails to split the file:

Code:
tcpdump -r pflog.20160423 -w /patpro/pflog.20160423_0 -C 1000
tcpdump -r pflog.20160423 -w /patpro/pflog.20160423_0 -C 10
tcpdump -r pflog.20160423 -w /patpro/pflog.20160423_0 -C 1
tcpdump -r pflog.20160423 -w /patpro/pflog.20160423_0 -C 0.5
tcpdump -r pflog.20160423 -w /patpro/pflog.20160423_0 -C 0.05

Whatever setting I choose, it looks like tcpdump will just copy the full file (I've always interrupted it after 5-6 GB, though).

I'm running FreeBSD 10.1-RELEASE.

Is that a known behavior?
 
Damn, thanks. I've worked around the bug by using editcap, which comes with Wireshark (pretty handy, by the way).
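An added example, not part of the thread above, showing why the split has to happen the way tcpdump's -C describes rather than with a plain byte-count tool: a pcap savefile is a 24-byte global header followed by records that each carry their own 16-byte header, so `tail -c 1G pflog.log` would drop the global header and almost certainly cut a record in half, and Wireshark would refuse the result. The script below, using only the Python standard library, splits a savefile on record boundaries (each piece repeats the global header, as -C is documented to do) and also extracts just the newest records that fit in a byte budget, which is what the original poster wanted. The sample input is constructed in `make_pcap`; the link type 117 (DLT_PFLOG) is the one FreeBSD uses for pflog files, and the timestamps are arbitrary.

```python
"""Split or tail a pcap savefile on record boundaries (added example, stdlib only)."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap with nanosecond timestamps
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
DLT_PFLOG = 117                # link type of FreeBSD pflog savefiles


def _endianness(data):
    """Return '<' or '>' from the magic number, or raise on a non-pcap file."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return order
    raise ValueError("not a pcap savefile (bad magic %r)" % data[:4])


def iter_records(data):
    """Yield each record (16-byte record header plus captured bytes) as one bytes object.

    Stops at the first truncated record instead of emitting garbage, which is
    what a writer killed mid-record, or an interrupted copy, leaves behind.
    """
    order = _endianness(data)
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        end = off + RECORD_HDR_LEN + incl_len
        if end > len(data):
            break  # truncated final record: nothing usable after this point
        yield data[off:end]
        off = end


def split_pcap(data, max_bytes):
    """Return a list of complete pcap files, each at most max_bytes where possible.

    Every piece starts with a copy of the 24-byte global header and no record
    is ever cut, so each piece opens on its own. A single record larger than
    max_bytes gets a piece to itself, so the limit can be exceeded by one record.
    """
    if max_bytes <= GLOBAL_HDR_LEN:
        raise ValueError("max_bytes must leave room for the global header")
    header = data[:GLOBAL_HDR_LEN]
    pieces, current = [], bytearray(header)
    for rec in iter_records(data):
        if len(current) > GLOBAL_HDR_LEN and len(current) + len(rec) > max_bytes:
            pieces.append(bytes(current))
            current = bytearray(header)
        current += rec
    if len(current) > GLOBAL_HDR_LEN:
        pieces.append(bytes(current))
    return pieces


def tail_pcap(data, max_bytes):
    """Return one pcap file holding only the newest records that fit in max_bytes."""
    header = data[:GLOBAL_HDR_LEN]
    kept, size = [], GLOBAL_HDR_LEN
    for rec in reversed(list(iter_records(data))):
        if size + len(rec) > max_bytes:
            break
        kept.append(rec)
        size += len(rec)
    return header + b"".join(reversed(kept))


def make_pcap(payloads, linktype=DLT_PFLOG, order="<"):
    """Build a constructed pcap savefile (version 2.4, snaplen 65535) from raw payloads."""
    out = bytearray(struct.pack(order + "IHHiIII",
                                PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype))
    for i, p in enumerate(payloads):
        # ts_sec, ts_usec, incl_len, orig_len; timestamps are arbitrary sample values
        out += struct.pack(order + "IIII", 1461400000 + i, 0, len(p), len(p)) + p
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: ten 100-byte records, i.e. 24 + 10 * 116 bytes in total.
    sample = make_pcap([bytes([i]) * 100 for i in range(10)])
    pieces = split_pcap(sample, 400)
    print("pieces:", [len(p) for p in pieces])
    print("tail:", len(tail_pcap(sample, 300)), "bytes")
```

On a real file, read it with `open(path, "rb").read()` (or adapt `iter_records` to stream from the file handle for a 60 GB capture) and write each returned piece to its own file; the pieces are ordinary pcap files and load in Wireshark without further conversion.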
 