Ethereal-users: Re: [ethereal-users] Problem reading a capture produced by MS Netmon 5.00.646
On Tue, Mar 21, 2000 at 07:51:49AM -0600, Fabrizio Ammollo wrote:
> Hello,
>
> as the subject says, I have problems reading a capture produced by that
> program with Ethereal 0.8.4.
>
> Upon the opening of the file, ethereal complains about a problem with it
> ("The capture file appears to be damaged or corrupt") and on stdout I have
> the following: "Message: netmon: File has 1112359981-byte packet, bigger
> than maximum of 65535". The file is correctly identified as "Microsoft
> Network Monitor 2.x", and the native program opens the file without any
> problem, so I think there could be a problem in the decoding of the file
> made by Ethereal.
> In Ethereal's main window, the packets correctly appear until frame 380,
> then there are two frames with a negative value into the "Time" field and
> all the other fields blank, and then a last one with negative Time and
> absurd values into the other fields.
There are some special packets in netmon traces that we don't decode
in Ethereal. They contain some diagnostic and status information
about the trace. The timestamps are strange --- that's why you
get a negative time value.

But the "corrupt file" message is something to worry about. Can you send
your trace file to ethereal-dev@xxxxxxxx? When gzipped, if it's still
big (> 1 MB), let me know and we'll arrange something.

What would also be a big help would be a printout or screen dump of
the summary information of the first few packets and the last few
packets in the trace, to make sure we correctly fix our netmon-reading
routines.
> May I be of any help by submitting the capture (compressed, for sure) to
> someone of the developers?
>
> I'd like to see this problem fixed, because Ethereal gives much more
> information, and in a much easier and user friendly way, than the MS
> program!
thanks,
--gilbert