Wireshark-users: Re: [Wireshark-users] Can't open PCAP file via GUI
From: Guy Harris <[email protected]>
Date: Wed, 14 Feb 2007 16:34:06 -0800
On Feb 14, 2007, at 4:00 PM, Donald Musser wrote:

I've done a yum install of wireshark and the wireshark-gnome programs. When I run wireshark from command line, the gui pops up, but when I try to open a PCAP file that I previously captured on a separate box using my tcpdump command, the program errors out and tells me the file is in a format that wireshark does not understand. I thought that wireshark was in fact able to read files with PCAP extensions.
The extension has nothing to do with it; the content does. (Somebody back at MIT, in the days of CTSS, should've been thinking ahead and made file types something other than part of the file name, but I

A PCAP file doesn't have to have ".pcap" as the extension (it doesn't have to have any extension), and a file with an extension of ".pcap" isn't necessarily a PCAP file.
For example, if you did *NOT* use the "-w" flag when capturing it with tcpdump, but, for example, did
	tcpdump >filename.pcap

that will produce a text file, which neither tcpdump nor Wireshark (nor any other program that reads libpcap-format files) can read.
If you did

	tcpdump -w filename.pcap

that should be a libpcap-format file (although

	tcpdump -s 0 -w filename.pcap

would probably have been better, as the default "snapshot length" for tcpdump is typically 68 or 96 bytes, and thus
	tcpdump -w filename.pcap

will save no more than the first 68 or 96 bytes of each packet; "-s 0" or, with older versions of tcpdump, "-s 65535" will save up to 65535 bytes of the packet).
If the file is a libpcap-format file, Wireshark should be able to read it, regardless of the extension, *if* the file hasn't been mangled by transporting it from one machine to another. You said "tcpdump" when speaking of the other box, and said "yum install", so I assume the machine on which you captured the file is a UN*X box of some sort, as is the box on which you're running Wireshark, so the file probably wasn't mangled by transporting it - but try reading it with
	tcpdump -r {file name}

on the same machine on which you're running Wireshark.

If that fails, either

	1) the file was mangled somehow

	2) it's not a pcap file (regardless of whether it has ".pcap" as the extension).
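A small checker for the point made above, added here as an example and not part of the original thread: it looks at the file's content rather than its extension, recognises the libpcap global-header magic numbers (the standard microsecond and nanosecond variants, both byte orders, as assumed here), flags a header whose snapshot length is below 65535 as a possibly truncated capture, and recognises the text that a redirected `tcpdump` (no `-w`) leaves behind. The sample inputs are constructed inline.

```python
import struct
import sys

# libpcap global-header magic numbers (assumption: the standard values;
# microsecond and nanosecond timestamp variants, big- and little-endian).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
}
HEADER_LEN = 24  # magic(4) + major(2) + minor(2) + thiszone(4) + sigfigs(4) + snaplen(4) + linktype(4)


def inspect_pcap_header(data: bytes) -> dict:
    """Classify the first bytes of a file: libpcap format or not, and why."""
    if len(data) < HEADER_LEN:
        return {"is_pcap": False, "reason": "shorter than a 24-byte pcap global header"}
    fmt = PCAP_MAGICS.get(data[:4])
    if fmt is None:
        # 'tcpdump >file' without -w writes printable packet summaries, not a binary header.
        if all(32 <= b < 127 or b in b"\t\r\n" for b in data[:HEADER_LEN]):
            return {"is_pcap": False, "reason": "looks like a text file (tcpdump output redirected without -w?)"}
        return {"is_pcap": False, "reason": "unknown magic number (mangled in transit, or not a pcap file)"}
    endian, ts_unit = fmt
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:HEADER_LEN])
    return {
        "is_pcap": True, "byte_order": endian, "timestamps": ts_unit,
        "version": (major, minor), "snaplen": snaplen, "linktype": linktype,
        # A snaplen below 65535 means tcpdump was not run with -s 0 / -s 65535, so packets may be cut short.
        "may_be_truncated": snaplen < 65535,
    }


# Constructed sample: the header 'tcpdump -w' writes on a little-endian host with the
# default 96-byte snapshot length and link type 1 (Ethernet).
SAMPLE_PCAP_DEFAULT_SNAPLEN = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 96, 1)
# Constructed sample: what 'tcpdump >filename.pcap' (no -w) leaves behind.
SAMPLE_TEXT_FILE = b"16:34:06.123456 IP 10.0.0.1.22 > 10.0.0.2.50000: Flags [P.], length 52\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(inspect_pcap_header(f.read(HEADER_LEN)))
    else:
        print(inspect_pcap_header(SAMPLE_PCAP_DEFAULT_SNAPLEN))
        print(inspect_pcap_header(SAMPLE_TEXT_FILE))
```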