Heath D. Henderson wrote:
> I have a Suse 9.0 computer running as a proxy server. I am attempting to
> do a tcpdump to a file of all traffic, then copy my file back to my
> WinXP where I have Ethereal installed to analyze the file. Every time I
> get the file back to my windows machine
How did you transfer it to the Windows machine?
If you transferred it with FTP, you probably didn't transfer it in
binary mode; libpcap-format capture files are binary files, and if
they're transferred in ASCII mode between Windows and UNIX, the copy
will be corrupted, and you might get errors such as:
The capture file appears to be damaged or corrupt.
(pcap: File has 11665408-byte packet, bigger than maximum of 65535)
There might be other forms of copying that copy in ASCII mode (to fix
the difference between Windows and UNIX line endings) and that therefore
damage the file.
That damage is probably irreversible; copying from UNIX to Windows in
ASCII mode will turn a newline (hex 0a) into a carriage return/line feed
(hex 0d followed by hex 0a), but might or might not turn a carriage
return/line feed into a double carriage return/line feed, so you can't
necessarily repair the damage by converting 0x0d 0x0a into 0x0a.
> I tried to use editcap, but it didn’t work
Editcap can't fix a file that's been irreversibly damaged, and doesn't
include a "de-Windowsify" function.
> First I guess I need the correct syntax for tcpdump,
You probably already used the correct syntax ("-w (unknown)"), although
you might want to use "-s 0" (I think SuSE 9.0 is probably new enough
that its tcpdump supports that; if not, try "-s 65535") to make sure you
capture *all* of the packet rather than just the first 68 or 96 bytes of
the packet.
> and then I need the
> correct way to open the file using Ethereal.
You probably used the correct way to open the file, but the file wasn't
*transferred* correctly.
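The two points made above (an ASCII-mode copy shifts the libpcap record headers so a reader sees an absurd packet length, and collapsing 0x0d 0x0a back to 0x0a is not a reliable repair) can be reproduced on a constructed capture. The following script is an added example, not code from the original thread or from the libpcap/Ethereal projects. It builds a minimal little-endian libpcap file around three constructed payloads, simulates two plausible ASCII-mode transfers (one that expands every 0x0a, one that leaves an existing 0x0d 0x0a alone), walks the record headers the way a reader would, and tries the naive "de-Windowsify" repair on each result. The function names, payloads and timestamps are all assumptions made for the demonstration.

```python
import re
import struct

# libpcap magic (0xa1b2c3d4) as it appears on disk from a little- and big-endian writer
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
MAX_SNAPLEN = 65535          # the "maximum of 65535" quoted in the error message
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def build_pcap(payloads):
    """Build a minimal little-endian libpcap file around constructed packet payloads."""
    # global header: version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    out = bytearray(PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, MAX_SNAPLEN, 1))
    for i, payload in enumerate(payloads):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len (constructed timestamps)
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(payload), len(payload))
        out += payload
    return bytes(out)


def check_pcap(data):
    """Walk the record headers like a reader would and report the first inconsistency."""
    if len(data) < GLOBAL_HDR_LEN:
        return {"ok": False, "packets": 0, "error": "short global header"}
    magic = data[:4]
    if magic == PCAP_MAGIC_LE:
        fmt = "<IIII"
    elif magic == PCAP_MAGIC_BE:
        fmt = ">IIII"
    else:
        return {"ok": False, "packets": 0, "error": "bad magic %s" % magic.hex()}
    off, count = GLOBAL_HDR_LEN, 0
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            return {"ok": False, "packets": count, "error": "truncated record header"}
        _sec, _usec, incl_len, _orig = struct.unpack(fmt, data[off:off + RECORD_HDR_LEN])
        if incl_len > MAX_SNAPLEN:
            # once a preceding payload has grown by a few bytes, the "length" field
            # is really a slice of the next header, so the value is absurd
            return {"ok": False, "packets": count,
                    "error": "File has %d-byte packet, bigger than maximum of %d"
                             % (incl_len, MAX_SNAPLEN)}
        off += RECORD_HDR_LEN
        if len(data) - off < incl_len:
            return {"ok": False, "packets": count, "error": "truncated packet data"}
        off += incl_len
        count += 1
    return {"ok": True, "packets": count, "error": ""}


def ascii_transfer_naive(data):
    """ASCII-mode copy that turns every 0x0a into 0x0d 0x0a (an existing CRLF becomes CR CR LF)."""
    return data.replace(b"\n", b"\r\n")


def ascii_transfer_crlf_aware(data):
    """ASCII-mode copy that expands only a bare 0x0a and leaves an existing 0x0d 0x0a alone."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", data)


def naive_repair(data):
    """The tempting 'de-Windowsify' fix: collapse every 0x0d 0x0a back to 0x0a."""
    return data.replace(b"\r\n", b"\n")


def demo():
    # constructed payloads: CRLF-terminated text, a bare-LF line, and binary with no line endings
    original = build_pcap([
        b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n",
        b"<134>proxy: connect example.test:443\n",
        b"ACK" * 20,
    ])
    results = {"clean": check_pcap(original)}
    for name, transfer in (("naive", ascii_transfer_naive),
                           ("crlf_aware", ascii_transfer_crlf_aware)):
        damaged = transfer(original)
        results[name] = check_pcap(damaged)
        # the same repair restores one variant and silently corrupts the other
        results[name + "_repair_restores_original"] = naive_repair(damaged) == original
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both transfer variants leave a file that fails the header walk, but only the first is undone by collapsing CRLF to LF; the second turns the capture's own 0x0d 0x0a sequences into 0x0a, so the "repaired" file is still wrong. Since the damaged file does not record which variant produced it, the safe course is the one given above: transfer the capture again in binary mode.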