Wireshark-users: Re: [Wireshark-users] Can't open PCAP file via GUI
From: "Hans Nilsson" <hasse_gg@xxxxxxxx>
Date: Wed, 14 Feb 2007 20:52:54 -1100
Well if the file is empty it obviously wasn't created or transfered
properly and doesn't contain any data or anything valid for Wireshark to
read.


On Thu, 15 Feb 2007 00:55:20 +0000, "Donald Musser"
<dmjmusser@xxxxxxxxx> said:
> When I performed the original tcpdump on my production server, I did use
> the
> -w option. I then used Konqueror to transfer the file to my local CentOS
> machine. So perhaps the file was mangled somehow, as you said?
> 
> I did note upon re-examining the file that it was empty. Perhaps this
> also
> is lending to the problem?
> 
> ~Myles
> 
> On 2/15/07, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> >
> >
> > On Feb 14, 2007, at 4:00 PM, Donald Musser wrote:
> >
> > > I've done a yum install of wireshark and the wireshark-gnome
> > > programs. When I run wireshark from command line, the gui pops up,
> > > but when I try to open a PCAP file that I previously captured on a
> > > separate box using my tcpdump command, the program errors out and
> > > tells me the file is in a format that wireshark does not understand.
> > > I thought that wireshark was in fact able to read files with PCAP
> > > extensions.
> >
> > The extension has nothing to do with it; the content does.  (Somebody
> > back at MIT, in the days of CTSS, should've been thinking ahead and
> > made file types something other than part of the file name, but I
> > digress....)
> >
> > A PCAP file doesn't have to have ".pcap" as the extension (it doesn't
> > have to have any extension), and a file with an extension of ".pcap"
> > isn't necessarily a PCAP file.
> >
> > For example, if you did *NOT* use the "-w" flag when capturing it with
> > tcpdump, but, for example, did
> >
> >         tcpdump >filename.pcap
> >
> > that will produce a text file, which neither tcpdump nor Wireshark
> > (nor any other program that reads libpcap-format files) can read.
> >
> > If you did
> >
> >         tcpdump -w filename.pcap
> >
> > that should be a libpcap-format file (although
> >
> >         tcpdump -s 0 -w filename.pcap
> >
> > would probably have been better, as the default "snapshot length" for
> > tcpdump is typically 68 or 96 bytes, and thus
> >
> >         tcpdump -w filename.pcap
> >
> > will save no more than the first 68 or 96 bytes of each packet; "-s 0"
> > or, with older versions of tcpdump, "-s 65535" will save up to 65535
> > bytes of the packet).
> >
> > If the file is a libpcap-format file, Wireshark should be able to read
> > it, regardless of the extension, *if* the file hasn't been mangled by
> > transporting it from one machine to another.  You said "tcpdump" when
> > speaking of the other box, and said "yum install", so I assume the
> > machine on which you captured the file is a UN*X box of some sort, as
> > is the box on which you're running Wireshark, so the file probably
> > wasn't mangled by transporting it - but try reading it with
> >
> >         tcpdump -r {file name}
> >
> > on the same machine on which you're running Wireshark.
> >
> > If that fails, either
> >
> >         1) the file was mangled somehow
> >
> > or
> >
> >         2) it's not a pcap file (regardless of whether it has ".pcap" as
> > the
> > extension).
> >
> > _______________________________________________
> > Wireshark-users mailing list
> > Wireshark-users@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-users
> >
-- 
  Hans Nilsson
  hasse_gg@xxxxxxxx

-- 
http://www.fastmail.fm - Choose from over 50 domains or use your own