Ethereal-users: Re: [Ethereal-users] opening tcpdump files with ethereal.
On Oct 29, 2003, at 11:37 AM, Ariel Badillo wrote:
im performing tcpdumps on a unix workstation. i am
ftping the files to my windows 2k pro workstation
running ethereal 9.15
when i attempt to open the files it give me the
following errors.
pcap: File has 873887656-byte packet, bigger than
maximum of 65535
The capture file appears to be damaged or corrupted.
is there something i need to do in ethereal to open
these files?
No.
There's something you need to do when FTPing the file - you need to
make sure you use *binary* mode when transferring the files, otherwise
they will be corrupted.
In the BSD FTP command (which is what most UNIXes, *AND* Windows, use
as their command-line FTP tool), type the command "type binary" before
transferring any files.
(Many modern UNIX FTP commands will attempt to find out the FTP server
type and, if they succeed and that type is UNIX, default to binary mode
- but, as not all text file formats are the same, UNIX FTP commands
will *NOT* default to binary mode if the remote machine doesn't appear
to be a UNIX machine.
In particular, UNIX text files end with LF, while Windows and a number
of other systems have text files that end with CR-LF; this means that
if you transfer a text file in binary mode, the remote machine might
have a problem with it - *AND* that, if you transfer a binary file,
such as the libpcap-format captures that tcpdump/WinDump and Ethereal
generate, in *text* mode, the file will be treated as text and have the
line endings changed, e.g. going from UNIX to Windows a byte with the
hex value 0A will be changed to *two* bytes with the hex values 0D 0A,
which will probably make the binary file completely unusable.)