Wireshark · Wireshark-users: Re: [Wireshark-users] remote capture with a pipe: "unrecognized libpcap format"

[KaZ <k2a1z9@xxxxxxxxx>]

Hello,

thank you very much for the response! Now I think I have a solaris  
problem now I think. I will ask it on corresponding mailing lists, but  
if you know what's wrong, I'd be glad to hear it.

I downloaded libpcap-0.9.8-sol10-sparc-local.gz and tcpdump-3.9.8- 
sol10-sparc-local.gz, uncompressed them, put them in /usr/local as  
told, bu when I start tcpdump, I get the following (I suspect that my  
solaris was too much "lightened", and that I won't be able to run or  
install anything on it exept the only app which is supposed to run on  
it – it's a class 5 switch)

./tcpdump-3.9.8-sol10-sparc-local: SMCtcpd: not found
./tcpdump-3.9.8-sol10-sparc-local:  
0707010002b467000081a40000000a0000000a0000000147561778000000b3000000760000000000000000000000000000001000000000SMCtcpd 
/pkginfoPKG=SMCtcpd: not found
./tcpdump-3.9.8-sol10-sparc-local: Jacobson: not found
./tcpdump-3.9.8-sol10-sparc-local: Christensen: not found
./tcpdump-3.9.8-sol10-sparc-local:  
0707010002b462000081a40000000a0000000a00000001475617780000257d000000760000000000000000000000000000000f00000000SMCtcpd 
/pkgmap:: not found
./tcpdump-3.9.8-sol10-sparc-local: 1: not found

... same line 100 times ...

./tcpdump-3.9.8-sol10-sparc-local: 1: not found
./tcpdump-3.9.8-sol10-sparc-local:  
07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000b00000000TRAILER 
!!! 
0707010002b467000081a40000000a0000000a0000000147561778000000b3000000760000000000000000000000000000000800000000pkginfoPKG 
=SMCtcpd: not found
./tcpdump-3.9.8-sol10-sparc-local: Jacobson: not found
./tcpdump-3.9.8-sol10-sparc-local: Christensen: not found
./tcpdump-3.9.8-sol10-sparc-local:  
0707010002b462000081a40000000a0000000a00000001475617780000257d000000760000000000000000000000000000000700000000pkgmap 
:: not found
./tcpdump-3.9.8-sol10-sparc-local: 1: not found

... same line 100 times again ...

./tcpdump-3.9.8-sol10-sparc-local: 1: not found
./tcpdump-3.9.8-sol10-sparc-local:  
0707010002b469000041ed0000000a0000000a000000054756177800000000000000760000000000000000000000000000000600000000reloc0707010002b46c000041ed0000000a0000000a000000034756177800000000000000760000000000000000000000000000000a00000000reloc 
/ 
doc0707010002b472000041ed0000000a0000000a000000034756177800000000000000760000000000000000000000000000001200000000reloc 
/doc/ 
tcpdump0707010002b475000081a40000000a0000000a000000014756177700007fb6000000760000000000000000000000000000001a00000000reloc 
/doc/tcpdump/CHANGES:: not found
./tcpdump-3.9.8-sol10-sparc-local: Mon.: not found
./tcpdump-3.9.8-sol10-sparc-local: Rework: not found
./tcpdump-3.9.8-sol10-sparc-local: Rework: not found
./tcpdump-3.9.8-sol10-sparc-local: Add: not found
./tcpdump-3.9.8-sol10-sparc-local: syntax error at line 296: `('  
unexpected

Many thanks for your help again!


On 23.10.2008, at 20:11, Guy Harris wrote:

> On Oct 23, 2008, at 7:44 AM, KaZ wrote:
>
> > This version of snoop can only save packets in a file (or display a
> > cleaned up version of the packets, so no libpcap format to stdout).
>
> (Well, you could try writing to the "file" named "/dev/stdout".)
>
> > The file is in the libpcap format
>
> No, it's not, it's in snoop format.  Snoop format is documented in
> RFCs 1761 and 3827; libpcap format is documented at
>
> 	http://wiki.wireshark.org/Development/LibpcapFileFormat
>
> and in the pcap-savefile man page I just checked into the libpcap main
> and 1.0 branches (and there was much rejoicing :-)).
>
> > (I can open it with Wireshark).
>
> Wireshark can read a *lot* of capture file formats, including libpcap
> (its native format) and snoop; "I can open it with Wireshark" does not
> imply "it's in libpcap format".
>
> > When the first packet arrives, wireshark displays "unrecognized
> > libpcap format".
>
> That error message needs to be fixed to indicate that the problem is
> that it's not libpcap format at all.  Wireshark only supports reading
> libpcap format from a pipe - the heuristics it uses to determine the
> file type when reading regular capture files involve having the
> handler for each file type read the file, starting from the beginning,
> and that's done by seeking to the beginning of the file before each
> handler; you can't seek on a pipe.  (If we had an underlying buffered
> I/O layer that supported seeking within a buffer *and* having a large-
> enough buffer, it could be done; we don't currently have that.)
>
> > Any ideas what I could try? Do you know where I can find a  
> > precompiled
> > tcpdump or tshark for solaris 10 / SPARC (maybe the problem is with
> > snoop)?
>
> Yes, the problem is with snoop, and the problem is that it doesn't
> write files in libpcap format and Wireshark doesn't support capture-
> from-a-pipe for anything other than libpcap format.
>
> tcpdump is available for Solaris 10 on x86 from
>
> 	http://www.sunfreeware.com/programlistintel10.html
>
> and for Solaris 10 on SPARC from
>
> 	http://www.sunfreeware.com/programlistsparc10.html
>
> Remember to run it with "-s 0" so that it writes out the *entire*
> packet, not just the default first 64 or 96 bytes of the packet.  On
> the Mac, do
>
> 	ssh username@remoteIP "tcpdump -s 0 -i cd4 -w - port 5060" >/tmp/
> wireshark_pipe
>
> and then capture from /tmp/wireshark_pipe.
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users