When I performed the original tcpdump on my production server, I did use the -w option. I then used Konqueror to transfer the file to my local CentOS machine. So perhaps the file was mangled somehow, as you said?
I did note upon re-examining the file that it was empty. Perhaps this also is lending to the problem?
~Myles
On 2/15/07, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Feb 14, 2007, at 4:00 PM, Donald Musser wrote:
> I've done a yum install of wireshark and the wireshark-gnome
> programs. When I run wireshark from command line, the gui pops up,
> but when I try to open a PCAP file that I previously captured on a
> separate box using my tcpdump command, the program errors out and
> tells me the file is in a format that wireshark does not understand.
> I thought that wireshark was in fact able to read files with PCAP
> extensions.
The extension has nothing to do with it; the content does. (Somebody
back at MIT, in the days of CTSS, should've been thinking ahead and
made file types something other than part of the file name, but I
digress....)
A PCAP file doesn't have to have ".pcap" as the extension (it doesn't
have to have any extension), and a file with an extension of ".pcap"
isn't necessarily a PCAP file.
For example, if you did *NOT* use the "-w" flag when capturing it with
tcpdump, but, for example, did
tcpdump >filename.pcap
that will produce a text file, which neither tcpdump nor Wireshark
(nor any other program that reads libpcap-format files) can read.
If you did
tcpdump -w filename.pcap
that should be a libpcap-format file (although
tcpdump -s 0 -w filename.pcap
would probably have been better, as the default "snapshot length" for
tcpdump is typically 68 or 96 bytes, and thus
tcpdump -w filename.pcap
will save no more than the first 68 or 96 bytes of each packet; "-s 0"
or, with older versions of tcpdump, "-s 65535" will save up to 65535
bytes of the packet).
If the file is a libpcap-format file, Wireshark should be able to read
it, regardless of the extension, *if* the file hasn't been mangled by
transporting it from one machine to another. You said "tcpdump" when
speaking of the other box, and said "yum install", so I assume the
machine on which you captured the file is a UN*X box of some sort, as
is the box on which you're running Wireshark, so the file probably
wasn't mangled by transporting it - but try reading it with
tcpdump -r {file name}
on the same machine on which you're running Wireshark.
If that fails, either
1) the file was mangled somehow
or
2) it's not a pcap file (regardless of whether it has ".pcap" as the
extension).
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
