> I read on the archives you had to use -w to capture packets with tcpdump
> for use with ethereal.
>
> Tried it, but all I get is:
> The Capture file is damaged or corrupt
>
> And the hint, is my packets even when i use the -v200 are complained
> upon by ethereal saying that the packet is 892893293 bytes long. My
> guess is he doesn't detect the end of a packet : )
>
> Someone who can help me?
>
> System:
>
> RedHat 6.1
<RANT>
Red Hat 6.1 has a version of "libpcap" and "tcpdump" that includes
Alexey Kuznetsov's patches:
http://ftp.sunet.se/pub/os/Linux/ip-routing/lbl-tools/
Unfortunately, Alexey's patches change the format of the records within
a "libpcap" file *WITHOUT CHANGING THE MAGIC NUMBER OR VERSION NUMBER IN
THE HEADER OF THE FILE*, so any program - such as the "tcpdump" that
comes with Red Hat 6.1 - that uses a "libpcap" with that patch produces
capture files that cannot be read by programs that read standard
"libpcap" files - such as, for example, *THE TCPDUMP THAT COMES WITH
MOST OTHER LINUX DISTRIBUTIONS AND THE VARIOUS BSDs, AND THAT MANY
PEOPLE HAVE INSTALLED ON THEIR SYSTEMS* - and cannot read capture files
produced by programs that write standard "libpcap" files.
Ethereal has its own library for reading and writing capture files;
silly us, we actually thought that the "tcpdump" format was a standard,
and that we could rely on any file with the "tcpdump" magic number being
readable.
I'd *really* like to know what Alexey thought he was doing when he added
fields to the packet header and didn't change the magic number and
version number. Grr....
</RANT>
Sigh. Perhaps there's some heuristic we can use to detect, when reading
a "libpcap" file, whether it's a real "libpcap" file or a Kuznetsified
"libpcap" file, allowing Ethereal, on *ANY* platform, to read *both*
real "libpcap" files and Kuznetsified "libpcap" files.
Does your capture file have any data in it that you'd want to keep
private? If not, could you send a copy of that capture file to
"guy@xxxxxxxxxxxx" (so that I get copies both at home and at work, and
can work on the problem either at home or at work)? I'll try to come up
with some way to let us read either kind of file, and, if I can, I'll
make available a patch.
In the meanwhile, you should be able to use Ethereal itself to capture
packets, assuming you can do the capture from an X session - or you can
try either
1) getting a "tcpdump" binary from a Red Hat 6.0 or earlier
system (which, from another discussion, may be
statically-linked with "libpcap", and thus may write out real
"libpcap" captures even on Red Hat 6.1);
2) getting the standard "tcpdump" and "libpcap" from
http://www-nrg.ee.lbl.gov/nrg.html
(there are links on that page to the "tcpdump" and "libpcap"
on the LBL FTP site), building those, and using that
"tcpdump" binary.
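The detection heuristic sketched above, as an added example that is not code from the thread or from Ethereal: since the magic number and version are identical in both kinds of file, the only way to tell them apart is to walk the records under each record-header size and see which one yields sane lengths and lands exactly on end-of-file. The layout of the patched record header (the standard 16 bytes followed by ifindex, protocol, pkt_type and a pad byte, 24 bytes total) is an assumption here, and the sample captures are constructed in the code.

```python
import struct

PCAP_MAGIC_LE = 0xa1b2c3d4
GLOBAL_HDR_LEN = 24
STD_REC_HDR = 16   # ts_sec, ts_usec, incl_len, orig_len
MOD_REC_HDR = 24   # assumption: standard 16 + ifindex(4), protocol(2), pkt_type(1), pad(1)

def read_global_header(data):
    """Return (endian, snaplen); magic and version are identical in both variants."""
    magic = struct.unpack('<I', data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = '<'
    elif magic == 0xd4c3b2a1:
        endian = '>'
    else:
        raise ValueError('not a libpcap capture file')
    _major, _minor, _zone, _sigfigs, snaplen, _link = struct.unpack(endian + 'HHiIII', data[4:24])
    return endian, snaplen

def records_plausible(data, endian, snaplen, rec_hdr_len):
    """Walk the records assuming rec_hdr_len-byte headers; a wrong guess misaligns
    the reader into packet data, which shows up as absurd lengths or timestamps."""
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + STD_REC_HDR > len(data):
            return False
        _ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + 'IIII', data[off:off + STD_REC_HDR])
        if ts_usec >= 1_000_000 or incl_len > snaplen or incl_len > orig_len:
            return False
        off += rec_hdr_len + incl_len
    return off == len(data)   # the right header size ends exactly at end-of-file

def detect_format(data):
    """Return 'standard', 'modified', or None when neither layout fits."""
    endian, snaplen = read_global_header(data)
    for name, hdr_len in (('standard', STD_REC_HDR), ('modified', MOD_REC_HDR)):
        if records_plausible(data, endian, snaplen, hdr_len):
            return name
    return None

def build_capture(rec_hdr_len, payloads, snaplen=65535):
    """Constructed sample file: little-endian global header plus one record per payload."""
    out = struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    for i, p in enumerate(payloads):
        out += struct.pack('<IIII', 1_000_000_000 + i, 0, len(p), len(p))
        if rec_hdr_len == MOD_REC_HDR:
            out += struct.pack('<IHBB', 2, 0x0800, 0, 0)   # ifindex, protocol, pkt_type, pad
        out += p
    return out

# Constructed packet bodies; byte patterns chosen so misreads do not look like headers.
SAMPLE_PAYLOADS = [bytes(range(60)), bytes(range(40, 80)), bytes(range(100, 114))]
```

Reading a patched file with the standard record size produces a garbage incl_len in the hundreds of millions, which is the kind of "packet is 892893293 bytes long" complaint quoted at the top of the thread.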