Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 9, Issue 39
From: wzella1@xxxxxxxxxx
Date: Thu, 15 Feb 2007 14:33:03 +0000
William Zellars

-----Original Message-----
From: wireshark-users-request@xxxxxxxxxxxxx
Date: Thu, 15 Feb 2007 12:01:01
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 9, Issue 39

Send Wireshark-users mailing list submissions to
    wireshark-users@xxxxxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit
    http://www.wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
    wireshark-users-request@xxxxxxxxxxxxx
You can reach the person managing the list at
    wireshark-users-owner@xxxxxxxxxxxxx
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Wireshark-users digest..."

Today's Topics:
   1. Re: Can't open PCAP file via GUI (Hans Nilsson)

----------------------------------------------------------------------

Message: 1
Date: Wed, 14 Feb 2007 20:52:54 -1100
From: "Hans Nilsson" <hasse_gg@xxxxxxxx>
Subject: Re: [Wireshark-users] Can't open PCAP file via GUI
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <1171525974.29673.1174747213@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="ISO-8859-1"

Well, if the file is empty it obviously wasn't created or transferred
properly and doesn't contain any data or anything valid for Wireshark to
read.

On Thu, 15 Feb 2007 00:55:20 +0000, "Donald Musser" <dmjmusser@xxxxxxxxx> said:
> When I performed the original tcpdump on my production server, I did use
> the -w option. I then used Konqueror to transfer the file to my local
> CentOS machine. So perhaps the file was mangled somehow, as you said?
>
> I did note upon re-examining the file that it was empty. Perhaps this
> also is lending to the problem?
>
> ~Myles
>
> On 2/15/07, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> >
> > On Feb 14, 2007, at 4:00 PM, Donald Musser wrote:
> >
> > > I've done a yum install of wireshark and the wireshark-gnome
> > > programs. When I run wireshark from command line, the gui pops up,
> > > but when I try to open a PCAP file that I previously captured on a
> > > separate box using my tcpdump command, the program errors out and
> > > tells me the file is in a format that wireshark does not understand.
> > > I thought that wireshark was in fact able to read files with PCAP
> > > extensions.
> >
> > The extension has nothing to do with it; the content does. (Somebody
> > back at MIT, in the days of CTSS, should've been thinking ahead and
> > made file types something other than part of the file name, but I
> > digress....)
> >
> > A PCAP file doesn't have to have ".pcap" as the extension (it doesn't
> > have to have any extension), and a file with an extension of ".pcap"
> > isn't necessarily a PCAP file.
> >
> > For example, if you did *NOT* use the "-w" flag when capturing it with
> > tcpdump, but, for example, did
> >
> >     tcpdump >filename.pcap
> >
> > that will produce a text file, which neither tcpdump nor Wireshark
> > (nor any other program that reads libpcap-format files) can read.
> >
> > If you did
> >
> >     tcpdump -w filename.pcap
> >
> > that should be a libpcap-format file (although
> >
> >     tcpdump -s 0 -w filename.pcap
> >
> > would probably have been better, as the default "snapshot length" for
> > tcpdump is typically 68 or 96 bytes, and thus
> >
> >     tcpdump -w filename.pcap
> >
> > will save no more than the first 68 or 96 bytes of each packet; "-s 0"
> > or, with older versions of tcpdump, "-s 65535" will save up to 65535
> > bytes of the packet).
> >
> > If the file is a libpcap-format file, Wireshark should be able to read
> > it, regardless of the extension, *if* the file hasn't been mangled by
> > transporting it from one machine to another. You said "tcpdump" when
> > speaking of the other box, and said "yum install", so I assume the
> > machine on which you captured the file is a UN*X box of some sort, as
> > is the box on which you're running Wireshark, so the file probably
> > wasn't mangled by transporting it - but try reading it with
> >
> >     tcpdump -r {file name}
> >
> > on the same machine on which you're running Wireshark.
> >
> > If that fails, either
> >
> > 1) the file was mangled somehow
> >
> > or
> >
> > 2) it's not a pcap file (regardless of whether it has ".pcap" as the
> > extension).
> >
> > _______________________________________________
> > Wireshark-users mailing list
> > Wireshark-users@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-users

--
Hans Nilsson
hasse_gg@xxxxxxxx

--
http://www.fastmail.fm - Choose from over 50 domains or use your own

------------------------------

End of Wireshark-users Digest, Vol 9, Issue 39
**********************************************
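As an added example (not code from the thread, nor from the Wireshark or tcpdump projects): a small Python checker that applies Guy's diagnosis to a file's bytes, telling an empty file, the text output of `tcpdump >file`, and a real libpcap-format capture apart by the 24-byte global header, and reporting the snapshot length and how many packets it clipped. The magic numbers and header layout are the documented libpcap format; `make_pcap` only builds constructed sample input, not a real capture.

```python
import struct

# libpcap global-header magic numbers, mapped to the struct byte-order
# prefix. The global header is 24 bytes; every packet record has a 16-byte
# header (ts_sec, ts_frac, incl_len, orig_len) followed by incl_len bytes.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",   # microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<",   # nanosecond timestamps
}

def inspect_capture(data: bytes) -> dict:
    """Classify raw file contents: empty, text (tcpdump run without -w),
    a libpcap file (with snaplen and clipped-packet count), or unknown."""
    if not data:
        return {"kind": "empty"}
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        # tcpdump's stdout is plain ASCII lines; a pcap file never starts that way.
        if all(32 <= b < 127 or b in (9, 10, 13) for b in data[:64]):
            return {"kind": "text", "first_line": data.split(b"\n", 1)[0].decode()}
        return {"kind": "unknown"}
    if len(data) < 24:
        return {"kind": "truncated header"}
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets, cut_short, pos = 0, 0, 24
    while pos + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        if pos + 16 + incl_len > len(data):
            break  # record runs past end of file: partial write or mangled transfer
        packets += 1
        cut_short += incl_len < orig_len  # packet clipped by the snapshot length
        pos += 16 + incl_len
    return {"kind": "pcap", "version": f"{major}.{minor}", "snaplen": snaplen,
            "linktype": linktype, "packets": packets, "cut_short": cut_short,
            "trailing_bytes": len(data) - pos}

def make_pcap(snaplen: int, packet_lengths, endian: str = "<") -> bytes:
    """Build a constructed pcap file (sample input, not a real capture) with
    Ethernet link type 1, clipping each packet to snaplen as tcpdump would."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    out = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, 1)
    for n, length in enumerate(packet_lengths):
        incl = min(length, snaplen)
        out += struct.pack(endian + "IIII", 1171500000 + n, 0, incl, length) + b"\x00" * incl
    return out
```

Run it as `inspect_capture(open("filename.pcap", "rb").read())`; a result of `empty` or `text` is the case discussed in the thread, and a non-zero `cut_short` is the snaplen issue Guy raises.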