Wireshark-bugs: [Wireshark-bugs] [Bug 3895] Save-As Nokia tcpdump corrupts the file
Date: Wed, 21 Dec 2011 00:37:03 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3895

--- Comment #11 from Guy Harris <guy@xxxxxxxxxxxx> 2011-12-21 00:36:59 PST ---

And libpcap, as used by tcpdump and other tools, doesn't even *try* to recognize it as a Nokia pcap file; if we hand the attached test sample file to a reasonably close to top-of-trunk Wireshark's version of TShark, we get

    $ tshark -n -r test.pcap
      1 0.000000 99.230.215.92 -> 10.167.0.176 ICMP Destination unreachable (Port unreachable)
      2 0.054467 99.233.32.194 -> 10.167.0.176 ICMP Destination unreachable (Host unreachable)
      3 0.230358 219.84.235.134 -> 10.167.0.176 ICMP Destination unreachable (Port unreachable)
      4 2.073723 99.230.215.92 -> 10.167.0.176 ICMP Destination unreachable (Port unreachable)
    ...

but if we hand it to a reasonably close to top-of-trunk tcpdump linked with reasonably close to top-of-trunk libpcap, we get:

    $ tcpdump -n -r test.pcap
    reading from file test.pcap, link-type EN10MB (Ethernet)
    12:12:15.455510 50:44:72:35:00:23 Unknown SSAP 0xc0 > 02:b6:bf:9f:00:00 Unknown DSAP 0xb4 Information, send seq 4, rcv seq 0, Flags [Command], length 176
    tcpdump: pcap_loop: bogus savefile header

and if we hand it to tcpdump 4.0.0, linked with libpcap 1.0.0, as shipped with Mac OS X 10.6.8, we get the same thing:

    $ tcpdump -n -r test.pcap
    reading from file test.pcap, link-type EN10MB (Ethernet)
    12:12:15.455510 50:44:72:35:00:23 Unknown SSAP 0xc0 > 02:b6:bf:9f:00:00 Unknown DSAP 0xb4 Information, send seq 4, rcv seq 0, Flags [Command], length 176
    tcpdump: pcap_loop: bogus savefile header

as we do if we hand it to tcpdump 4.1.1, linked with libpcap 1.1.1, as shipped with Ubuntu 10.10:

    $ tcpdump -n -r test.pcap
    reading from file test.pcap, link-type EN10MB (Ethernet)
    12:12:15.455510 50:44:72:35:00:23 Unknown SSAP 0xc0 > 02:b6:bf:9f:00:00 Unknown DSAP 0xb4 Information, send seq 4, rcv seq 0, Flags [Command], length 176
    tcpdump: pcap_loop: bogus savefile header

so I'm not sure what tools - other than tools linked with a hacked-up version of libpcap that thinks pcap files with a standard magic number are Nokia pcap files rather than standard pcap files, or tools that have their own pcap-file reader similarly hacked - would support opening *any* Nokia pcap files as such.

(I.e., if you have such a tool, whatever it's using to read pcap files is probably hacked up in that fashion, and probably won't correctly read all the zillions of normal pcap files out there, including the ones from the "sample captures" page in the Wireshark Wiki and from www.pcapr.net.)
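Added example (not part of the comment above, and not Wireshark or libpcap code): a minimal reader that walks the record chain of a pcap byte string under both layouts. It shows why a reader that only knows the standard layout accepts one garbled packet and then hits a bogus record header, as in the tcpdump output above. It assumes the Nokia variant keeps the standard magic number and appends 4 extra bytes to each 16-byte record header; the function names, heuristic thresholds and sample capture are constructed for illustration.

```python
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
MAGIC = 0xA1B2C3D4                      # the standard magic; both variants use it
NOKIA_EXTRA = 4                         # assumption: extra bytes after each Nokia record header

def build_capture(packets, extra=0, snaplen=65535):
    """Constructed sample: little-endian Ethernet pcap; extra=4 mimics the Nokia layout."""
    out = GLOBAL_HDR.pack(MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, pkt in enumerate(packets):
        out += REC_HDR.pack(1324400000 + i, 0, len(pkt), len(pkt)) + b"\xff" * extra + pkt
    return out

def walk_records(data, extra):
    """Follow the record chain assuming `extra` bytes after each record header.
    Returns (records_accepted, clean); clean is False at the first implausible header."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated file header")
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, count = GLOBAL_HDR.size, 0
    while off < len(data):
        if off + REC_HDR.size + extra > len(data):
            return count, False                      # header runs past end of file
        _, usec, incl, orig = REC_HDR.unpack_from(data, off)
        if usec >= 1_000_000 or incl > snaplen or incl > orig:
            return count, False                      # "bogus" record header
        off += REC_HDR.size + extra + incl
        if off > len(data):
            return count, False                      # packet data runs past end of file
        count += 1
    return count, True

def guess_variant(data):
    """Pick the layout whose record chain ends exactly at end of file."""
    for name, extra in (("standard", 0), ("nokia", NOKIA_EXTRA)):
        if walk_records(data, extra)[1]:
            return name
    return "unknown"

if __name__ == "__main__":
    pkts = [bytes(range(60)), bytes(range(74))]      # constructed payloads, not real frames
    nokia = build_capture(pkts, extra=NOKIA_EXTRA)
    print(walk_records(nokia, 0), guess_variant(nokia))
```

Because the magic number cannot distinguish the two layouts, the only signal is whether the record chain stays plausible, which is also why a reader hard-wired to either layout misreads files written in the other.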