We're now a non-profit! Support open source packet analysis by making a donation.

Wireshark-users: Re: [Wireshark-users] Can't open PCAP file via GUI

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 14 Feb 2007 16:34:06 -0800

On Feb 14, 2007, at 4:00 PM, Donald Musser wrote:

I've done a yum install of wireshark and the wireshark-gnome programs. When I run wireshark from command line, the gui pops up, but when I try to open a PCAP file that I previously captured on a separate box using my tcpdump command, the program errors out and tells me the file is in a format that wireshark does not understand. I thought that wireshark was in fact able to read files with PCAP extensions.

The extension has nothing to do with it; the content does. (Somebody back at MIT, in the days of CTSS, should've been thinking ahead and made file types something other than part of the file name, but I digress....)

A PCAP file doesn't have to have ".pcap" as the extension (it doesn't have to have any extension), and a file with an extension of ".pcap" isn't necessarily a PCAP file.

For example, if you did *NOT* use the "-w" flag when capturing it with tcpdump, but, for example, did

	tcpdump >filename.pcap

that will produce a text file, which neither tcpdump nor Wireshark (nor any other program that reads libpcap-format files) can read.

If you did

	tcpdump -w filename.pcap

that should be a libpcap-format file (although

	tcpdump -s 0 -w filename.pcap

would probably have been better, as the default "snapshot length" for tcpdump is typically 68 or 96 bytes, and thus

	tcpdump -w filename.pcap

will save no more than the first 68 or 96 bytes of each packet; "-s 0" or, with older versions of tcpdump, "-s 65535" will save up to 65535 bytes of the packet).

If the file is a libpcap-format file, Wireshark should be able to read it, regardless of the extension, *if* the file hasn't been mangled by transporting it from one machine to another. You said "tcpdump" when speaking of the other box, and said "yum install", so I assume the machine on which you captured the file is a UN*X box of some sort, as is the box on which you're running Wireshark, so the file probably wasn't mangled by transporting it - but try reading it with

	tcpdump -r {file name}

on the same machine on which you're running Wireshark.

If that fails, either

	1) the file was mangled somehow


2) it's not a pcap file (regardless of whether it has ".pcap" as the extension).