 | 1 | initial version |
tcpdump writes the pcap file in blocks of a certain size. This means that during the capturing, the file ends in the middle of a packet. If you copy the file while tcpdump is still capturing, the last packet in the file will not be completely written yet, hence the error message in Wireshark.
If you stop tcpdump before copying the file, the remaining buffer will be written to disk and all packets will be complete.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
