Wireshark-users: Re: [Wireshark-users] *.pcap file?
From: hadi motamedi <motamedi24@xxxxxxxxx>
Date: Sat, 25 Aug 2012 13:52:00 +0430
On 8/25/12, Guy Harris <guy@xxxxxxxxxxxx> wrote: > > On Aug 24, 2012, at 9:13 PM, hadi motamedi wrote: > >> Dear All >> To troubleshoot my case, I captured the following log file from my >> linux server as the following: >> #tcpdump -i any -s 1500 -vvv -w /tmp/mss0-pps.pcap >> But my wireshark cannot open it, returning "unknown file format" . > > On what machine are you running Wireshark? The Linux server on which you > ran tcpdump, or some other machine? > > If the file is still present in /tmp on the Linux server, what does the > command "file /tmp/mss0-pps.pcap" print when you run it on that server? > > If you are running Wireshark on a different machine: > > 1) What OS is the other machine running - Windows, or some flavor of UN*X? > > 2) Did you copy the file to the machine on which you're running Wireshark, > or is it being exported over some remote file system such as NFS or SMB? > > 3) If you copied it, how did you copy it? > > 4) If that machine is running UN*X, or if it's running Windows and you have > Cygwin installed, what does "file" print when you run it on that machine? > (Run "file" from Cygwin if the machine is running Windows.) > >> Can you please let me know how can I recover this damaged file ? > > No, because we don't know what the problem is - but if, for example, it was > copied from Linux to Windows with a program that thought it was copying a > text file, and therefore "helpfully" converted the UN*X text file line > ending (LF by itself) to the DOS/Windows text file line ending (CR-LF), > then, unfortunately, it may or may not be able to repair it usefully. The > Web page for pcapfix: > > http://freecode.com/projects/pcapfix > > claims that it supports a -d flag that "force[s] packet detection inside the > whole file, and repairs ascii-corruption pcap header (Unix->Windows).", but > whether it can detect and repair damage to *raw packet data* caused by the > LF-to-CRLF conversion is another matter. > > If you copied the file from Linux to Windows, and if the file is still on > the Linux server, I'd suggest > > 1) making sure nobody deletes it from the Linux server > > and > > 2) try copying it in some fashion that *doesn't* "helpfully" translate UN*X > to DOS/Windows line endings, but that just copies the raw bytes of the > file. > > (By the way, the snapshot-length argument to "-s" includes everything in the > packet, *including link-layer headers*, so 1500 is the *wrong* value to use > in most if not all cases - for example, if you're capturing on an Ethernet > device, it's 14 bytes too short to capture a full-sized Ethernet packet, and > if you're capturing on the "any" device, it's 16 bytes too short to capture > a full-sized Ethernet packet. I would use 65535 or 65536 instead, as that > should be big enough for most link-layer headers. > ___________________________________________________________________________ > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > Archives: http://www.wireshark.org/lists/wireshark-users > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe > Thank you very much for your help. Please be informed that I collected the file on my centos server and then sftp it to my windows machine that has wireshark running on it. I need to analyze the sccp portion of this file on my windows machine. The file command on my centos machine shows it as "data".
- Follow-Ups:
- Re: [Wireshark-users] *.pcap file?
- From: Guy Harris
- Re: [Wireshark-users] *.pcap file?
- References:
- [Wireshark-users] *.pcap file?
- From: hadi motamedi
- Re: [Wireshark-users] *.pcap file?
- From: Guy Harris
- [Wireshark-users] *.pcap file?
- Prev by Date: Re: [Wireshark-users] *.pcap file?
- Next by Date: Re: [Wireshark-users] *.pcap file?
- Previous by thread: Re: [Wireshark-users] *.pcap file?
- Next by thread: Re: [Wireshark-users] *.pcap file?
- Index(es):