Ok, I feel a bit like a dummy... Let me give that a try and I'm guessing it
will do what I wanted it to in the first place. Thanks for the help.
Chris
> -----Original Message-----
> From: Guy Harris [mailto:gharris@xxxxxxxxx]
> Sent: Tuesday, October 23, 2001 11:59 PM
> To: Chris Robertson
> Cc: ethereal-users@xxxxxxxxxxxx
> Subject: Re: [Ethereal-users] Slow packet capture from file
>
>
> On Tue, Oct 23, 2001 at 07:18:22PM -0700, Chris Robertson wrote:
> > Ok, the process was to run a tcpdump and capture that to a
> file (ie tcpdump
> > > /tmp/tcpdump.file) on one machine,
>
> "tcpdump >/tmp/tcpdump.file" will produce a text file that cannot be
> read by Ethereal. If you want to produce, with tcpdump, a
> file that can
> be read by Ethereal, do
>
> tcpdump -s 65535 -w /tmp/tcpdump.file
>
> ("-s 65535" makes sure that tcpdump doesn't just cut off the
> packets at
> 68 bytes or so).
>
> > on a second machine run snoop -v -o /tmp/snoop.file.
>
> I'm not sure what that'll produce, but if you want to produce, with
> snoop, a file that can be read by Ethereal, do
>
> snoop -o /tmp/snoop.file
>
> without the "-v" flag. ("-s" isn't necessary, as snoop defaults to
> saving all the data in packets.)
>
> > Ftp the second file to the original machine, cat
> > tcpdump.file > capture.tmp; cat snoop.file >> capture.tmp.
>
> That will produce a file that's half tcpdump file, and half
> snoop file;
> it won't be readable by tcpdump, or snoop, or Ethereal, or, I suspect,
> any capture file on the planet.
>
> It also doesn't even make sense if the two captures were happening at
> the same time; if you want that, you'd want to do a
> time-sorted merge of
> the files, with the "mergecap" program that comes with Ethereal.
> "mergecap" can read any capture file format that Ethereal can read, so
> it can read both tcpdump and snoop capture files; the resulting file
> will, by default, be in tcpdump format, which should work fine.
>
> > Fire up Ethereal, start the capture from (ie ctrl-K)
> /tmp/capture.tmp.
>
> That doesn't start the capture *from* "/tmp/capture.tmp".
>
> Control-K pops up a dialog box you use to capture *from* a network
> interface, writing *TO* a file.
>
> I.e., if you typed control-K, put "/tmp/capture.tmp" into the "File:"
> box, and clicked "OK", it'd *overwrite* "/tmp/capture.tmp", throwing
> away whatever stuff was in there before.
>
> I.e., as I suspected, you *weren't* reading from the capture file, you
> were doing a live capture - the strace file indicates that the
> "recvfrom()" calls were done on a file descriptor that was a PF_PACKET
> socket, which is the type of socket used for captures.
>
> So packets will show up at the rate that Ethereal sees them
> on whatever
> network you were capturing; if 5 packets were arriving per second on
> that network, that's what you'd see.
>
> So, what you should've done is:
>
> run "tcpdump -s 65535 -w /tmp/tcpdump.file" on the first machine
> and "snoop -o /tmp/snoop.file" on the second machine;
>
> when you were done running tcpdump and snoop, copy both files
> onto some machine with Ethereal (including mergecap) on it, and
> run "mergecap -w merged.file tcpdump.file snoop.file";
>
> run "ethereal -r merged.file" when "mergecap" completed.
>
