Wireshark-users: [Wireshark-users] remote capture with a pipe: "unrecognized libpcap format"
Hello,
I'm trying to do a remote capture. I'm on a Mac (OS X Leopard
10.5.5), and I want to capture on a Solaris 10 machine.
It's explained very well here:
http://wiki.wireshark.org/CaptureSetup/Pipes
My limitation is that the Solaris machine is a "light" Solaris (many,
many things removed; it's impossible to compile anything on it), with
only "snoop".
This version of snoop can only save packets to a file (or display a
cleaned-up version of the packets, so no libpcap format to stdout).
The file is in libpcap format (I can open it with Wireshark).
I try this:
– On the remote machine: "snoop -d ce4 -o trace.cap port 5060" to
snoop SIP messages on interface ce4.
– On my Mac: "mkfifo /tmp/wireshark_pipe"
– On my Mac: "ssh username@remoteIP "cat /opt/sniffer/traces-ce4.cap"
> /tmp/wireshark_pipe"
– On my Mac: "wireshark -k -i /tmp/wireshark_pipe"
When the first packet arrives, Wireshark displays "unrecognized
libpcap format".
I tried capturing with tshark into a pipe on my Mac and opening the pipe
with Wireshark, and it works. So, either snoop has a pipe-incompatible
libpcap format (?! not possible, is it?) or ssh changes something in
the encoding of the libpcap data, making it unreadable to Wireshark.
Any ideas what I could try? Do you know where I can find a precompiled
tcpdump or tshark for Solaris 10 / SPARC (maybe the problem is with
snoop)?
Greetings,
kaz
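Editor's note, with an added example that is not part of kaz's post and not code from Wireshark or snoop. The first thing to verify in a setup like the one above is which file header the remote writer actually produced, because Wireshark reading from a pipe expects a libpcap header, while the fact that Wireshark can open a saved file only proves that the format is one Wireshark understands as a file. libpcap files start with the 32-bit magic 0xa1b2c3d4 (or 0xa1b23c4d for nanosecond timestamps) in the writer's byte order, pcapng files with the block type 0x0a0d0d0a, and the native snoop format defined in RFC 1761 with the ASCII string "snoop" followed by three NUL bytes. The POSIX shell function below classifies a capture file by those leading bytes; the sample headers it builds are constructed for the demo, not real captures, and the file names and temporary directory are arbitrary.

```shell
#!/bin/sh
# Added example (not from the original post or from Wireshark): identify a
# capture file's container format from its leading magic bytes.  Wireshark
# reading from a pipe expects a libpcap header, so when it reports
# "unrecognized libpcap format" the first check is what header the writer
# (snoop, tcpdump, tshark, ...) actually produced.
# Assumes only POSIX utilities: dd, od, tr, sed, printf, mktemp, basename.

# capture_format FILE
# Prints one of: pcap, pcap-ns, pcapng, snoop, unknown
capture_format() {
    # First 8 bytes as space-separated lowercase hex,
    # e.g. "d4 c3 b2 a1 02 00 04 00"
    magic=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 \
            | tr '\n' ' ' | tr -s ' ' | sed 's/^ //; s/ $//')
    case "$magic" in
        # libpcap: 32-bit magic 0xa1b2c3d4 in the writer's byte order
        'd4 c3 b2 a1 '*|'a1 b2 c3 d4 '*) echo pcap ;;
        # libpcap variant with nanosecond timestamps: 0xa1b23c4d
        '4d 3c b2 a1 '*|'a1 b2 3c 4d '*) echo pcap-ns ;;
        # pcapng: Section Header Block type 0x0a0d0d0a (same in both orders)
        '0a 0d 0d 0a '*) echo pcapng ;;
        # snoop (RFC 1761): ASCII "snoop" padded with three NUL bytes
        '73 6e 6f 6f 70 00 00 00') echo snoop ;;
        *) echo unknown ;;
    esac
}

# Demo on constructed headers (sample bytes, not real captures).
demo() {
    dir=$(mktemp -d)
    # snoop: magic, version 2, datalink type 4 (Ethernet), big-endian
    printf 'snoop\000\000\000\000\000\000\002\000\000\000\004' > "$dir/snoop.cap"
    # libpcap, little-endian writer, version 2.4
    printf '\324\303\262\241\002\000\004\000' > "$dir/le.pcap"
    # libpcap, big-endian writer (e.g. SPARC), version 2.4
    printf '\241\262\303\324\000\002\000\004' > "$dir/be.pcap"
    # pcapng: start of a Section Header Block
    printf '\012\015\015\012\034\000\000\000' > "$dir/cap.pcapng"
    # not a capture at all
    printf 'hello world\n' > "$dir/junk.txt"
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(capture_format "$f")"
    done
    rm -rf "$dir"
}

demo
```

To apply the same check to a file on a remote host without copying it, pipe only its first bytes over ssh, for example `ssh user@host 'dd if=/path/to/trace.cap bs=8 count=1' | od -An -tx1`, and compare against the patterns above. If the header is the snoop one, the writer is producing RFC 1761 snoop format rather than libpcap, and the "unrecognized libpcap format" message is coming from the pipe reader rejecting that header, not from anything ssh does to the bytes.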