Wireshark-users: Re: [Wireshark-users] captured file can not be understood by Tshark
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 02 Jan 2007 23:52:08 -0800
joyce wrote:
Thanks for your reply. What the "libpcap-format file header" looks like?
It looks like the first 24 bytes of a pcap-version file that your system generates and that Wireshark *can* read. To undo the damage your system did, if you have another log file from that system, you could copy the first 24 bytes from that file and combine it with one of the damaged files, e.g., on UN*X systems (and perhaps on Windows with Cygwin) you could do

   (dd if=good_log_file bs=24 count=1; cat bad_log_file) >fixed_log_file

Who made the system that's generating those damaged log files? You should file a bug report with them.