so-import-pcap "Error while merging"


Jay Hawk

Jan 10, 2019, 9:05:31 AM
to security-onion
Hey guys,
I've been having an issue while running so-import-pcap. Seems I'm getting an issue similar to what Mr. Bejtlich was getting in his blog post here:
https://webcache.googleusercontent.com/search?q=cache:TXWq929d2boJ:https://taosecurity.blogspot.com/2018/02/+&cd=1&hl=en&ct=clnk&gl=us


Have there been any recent developments on this issue?


Thanks,
Jay

Wes Lambert

Jan 10, 2019, 4:14:19 PM
to securit...@googlegroups.com
Hi Jay,

This is due to mergecap recognizing the pcaps in question as "corrupt", or non-compliant.

You could try using something like pcapfix (will likely have to install) to fix these pcaps before merging. It may be that we consider doing something like this directly in so-import-pcap, or that we replace the use of mergecap with joincap in the future.


I can't speak to either at the moment, but manually running pcapfix could help.

Thanks,
Wes


Doug Burks

Jan 30, 2019, 1:32:16 PM
to securit...@googlegroups.com
Hi Jay,

I just pushed a git commit that should help so-import-pcap to more gracefully handle non-compliant pcaps:

As Wes mentioned previously, this update leverages pcapfix to try to automatically recover any non-compliant pcaps.  

This is being tracked as Issue 1430:

and is scheduled for inclusion in the upcoming 16.04.5.7 ISO image:

In the meantime, if you'd like to try it out, you can download the new so-import-pcap here:

We'd be interested in any feedback you may have.

Thanks!
Doug Burks
CEO
Security Onion Solutions, LLC
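
One way to see which capture files are structurally damaged before handing them to so-import-pcap, as an added example that is not part of the thread or of Security Onion's code: a Python walker over the classic pcap format that reports the first structural problem it finds. The function names, the 262144-byte sanity bound and the sample capture are assumptions constructed for illustration, and the checks are not mergecap's own.

```python
import struct

# First four file bytes of a classic pcap -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}
MAX_PACKET = 262144  # assumed sanity bound on a single captured packet

def check_pcap(data):
    """Walk a classic pcap; return (complete_packets, problem or None)."""
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        return 0, "pcapng file, not handled by this classic-pcap walker"
    if len(data) < 24:
        return 0, "truncated global header"
    endian = MAGICS.get(data[:4])
    if endian is None:
        return 0, "unknown magic number " + data[:4].hex()
    major, minor = struct.unpack(endian + "HH", data[4:8])
    if (major, minor) != (2, 4):
        return 0, "unexpected version %d.%d" % (major, minor)
    offset, count = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            return count, "truncated record header at offset %d" % offset
        # Record header: ts_sec, ts_frac, incl_len (bytes stored), orig_len (bytes on wire)
        incl_len, orig_len = struct.unpack(endian + "II", data[offset + 8:offset + 16])
        if incl_len > orig_len or incl_len > MAX_PACKET:
            return count, "implausible lengths at offset %d" % offset
        if offset + 16 + incl_len > len(data):
            return count, "packet %d cut short at end of file" % (count + 1)
        offset += 16 + incl_len
        count += 1
    return count, None

def make_sample(n_packets=2):
    """Constructed sample: little-endian pcap of 60-byte all-zero Ethernet frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 1547129131, 0, 60, 60) + bytes(60)
    return header + record * n_packets

if __name__ == "__main__":
    good = make_sample()
    for name, blob in [("good", good), ("cut", good[:-10]),
                       ("bad-magic", b"\x00" * 4 + good[4:])]:
        print(name, check_pcap(blob))
```

Files that come back with a problem string are the candidates to run through pcapfix before importing.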