On Wednesday, June 25, 2003, at 9:56AM, James Fields wrote:
> Many of my captures are from Distributed Sniffer Pro boxes.  I am using
> editcap to convert them to libpcap format - but ntop doesn't seem to
> like them.  I have also tried the other libpcap formats for Redhat and
> so forth with no better luck.  Ntop reports it is opening a thread to
> read packets from the file and then promptly closes the thread.

Closes the thread without reporting an error?  I'd consider that a bug 
in ntop.

> Ethereal can open those converted files just fine.

Can a version of tcpdump *built with the same version of libpcap as the 
one with which your ntop is built* read them?  If not, what does it 
report?

> HOWEVER - if I capture with Ethereal and save in libpcap format, ntop
> can read those files fine.  So it seems there is something different
> about a file captured with libpcap and saved that way as opposed to
> something captured as a Sniffer format and converted,

There's something different about a file captured with libpcap and 
saved in that format, *with a link-layer type that the version of 
libpcap used in ntop can read*, and a file captured with a Sniffer and 
treated, by Ethereal, as requiring a link-layer type that the version 
of libpcap used in ntop *can't* read.  I suspect that's the difference.
Another possible difference is that there might be a difference between 
Sniffer captures that include a CRC in the packet data and Ethereal 
captures that don't, but ntop *should* just think of the CRC as packet 
trailer data (as Ethereal would).
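
The link-layer type discussed in the reply above is stored in the 24-byte header at the start of a libpcap file. As an added example (not part of the original message, and not ntop or libpcap code), this Python sketch reads that header and checks the type against the set a reader supports; the supported set and both sample headers are constructed assumptions.

```python
import struct

# Magic of the classic libpcap file header, read as a big-endian integer,
# mapped to (struct byte-order prefix of the file, timestamp resolution).
MAGICS = {
    0xA1B2C3D4: (">", "microsecond"), 0xD4C3B2A1: ("<", "microsecond"),
    0xA1B23C4D: (">", "nanosecond"), 0x4D3CB2A1: ("<", "nanosecond"),
}
# A few well-known link-layer type values, for readable output only.
LINKTYPE_NAMES = {0: "NULL", 1: "ETHERNET", 6: "IEEE802_5", 9: "PPP",
                  10: "FDDI", 105: "IEEE802_11", 113: "LINUX_SLL"}

def read_pcap_header(data):
    """Parse the 24-byte global header of a libpcap capture file."""
    if len(data) < 24:
        raise ValueError("truncated file: global header is 24 bytes")
    (magic,) = struct.unpack(">I", data[:4])
    if magic not in MAGICS:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    order, resolution = MAGICS[magic]
    # version major/minor, timezone offset, sigfigs, snaplen, link-layer type
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    return {"byte_order": order, "resolution": resolution,
            "version": (major, minor), "snaplen": snaplen, "linktype": linktype}

def diagnose(data, reader_linktypes):
    """Return (readable, message) for a reader that handles reader_linktypes."""
    hdr = read_pcap_header(data)
    lt = hdr["linktype"]
    name = LINKTYPE_NAMES.get(lt, "unknown")
    if lt in reader_linktypes:
        return True, "link-layer type %d (%s) is supported" % (lt, name)
    return False, "link-layer type %d (%s) is not supported by this reader" % (lt, name)

# Assumption: a hypothetical reader that only understands Ethernet captures.
READER_LINKTYPES = {1}
# Constructed sample headers (not taken from the thread): a little-endian
# Ethernet capture and a big-endian capture with a different link-layer type.
ETHERNET_CAPTURE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
CONVERTED_CAPTURE = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 6)

if __name__ == "__main__":
    for label, blob in (("ethernet", ETHERNET_CAPTURE), ("converted", CONVERTED_CAPTURE)):
        print(label, diagnose(blob, READER_LINKTYPES))
```

Running the same check on the first 24 bytes of a real capture shows which link-layer type the converter wrote, which can then be compared with what the reader's libpcap version accepts.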