
Wireshark-users: Re: [Wireshark-users] Can't open PCAP file via GUI

From: "Donald Musser" <dmjmusser@xxxxxxxxx>
Date: Thu, 15 Feb 2007 00:55:20 +0000
When I performed the original tcpdump on my production server, I did use the -w option. I then used Konqueror to transfer the file to my local CentOS machine. So perhaps the file was mangled somehow, as you said?

I did note upon re-examining the file that it was empty. Perhaps this also is lending to the problem?


On 2/15/07, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Feb 14, 2007, at 4:00 PM, Donald Musser wrote:

> I've done a yum install of wireshark and the wireshark-gnome
> programs. When I run wireshark from command line, the gui pops up,
> but when I try to open a PCAP file that I previously captured on a
> separate box using my tcpdump command, the program errors out and
> tells me the file is in a format that wireshark does not understand.
> I thought that wireshark was in fact able to read files with PCAP
> extensions.

The extension has nothing to do with it; the content does.  (Somebody
back at MIT, in the days of CTSS, should've been thinking ahead and
made file types something other than part of the file name, but I

A PCAP file doesn't have to have ".pcap" as the extension (it doesn't
have to have any extension), and a file with an extension of ".pcap"
isn't necessarily a PCAP file.

For example, if you did *NOT* use the "-w" flag when capturing it with
tcpdump, but, for example, did

        tcpdump >filename.pcap

that will produce a text file, which neither tcpdump nor Wireshark
(nor any other program that reads libpcap-format files) can read.

If you did

        tcpdump -w filename.pcap

that should be a libpcap-format file (although

        tcpdump -s 0 -w filename.pcap

would probably have been better, as the default "snapshot length" for
tcpdump is typically 68 or 96 bytes, and thus

        tcpdump -w filename.pcap

will save no more than the first 68 or 96 bytes of each packet; "-s 0"
or, with older versions of tcpdump, "-s 65535" will save up to 65535
bytes of the packet).

If the file is a libpcap-format file, Wireshark should be able to read
it, regardless of the extension, *if* the file hasn't been mangled by
transporting it from one machine to another.  You said "tcpdump" when
speaking of the other box, and said "yum install", so I assume the
machine on which you captured the file is a UN*X box of some sort, as
is the box on which you're running Wireshark, so the file probably
wasn't mangled by transporting it - but try reading it with

        tcpdump -r {file name}

on the same machine on which you're running Wireshark.

If that fails, either

        1) the file was mangled somehow


        2) it's not a pcap file (regardless of whether it has ".pcap" as the

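The content check discussed in this thread, as an added example that is not part of the original messages and is not Wireshark or tcpdump code: it classifies a file by its leading bytes rather than its name, distinguishing an empty file, tcpdump text output, and a libpcap file, and reports the snapshot length stored in the header. The function names are hypothetical and the sample inputs are constructed.

```python
import struct

# Magic numbers of the libpcap file format; the first four bytes decide the
# file type, not the file name.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),  # written little-endian
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),  # written big-endian
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
}
HEADER_LEN = 24  # size of the libpcap global file header


def inspect_capture(data: bytes) -> dict:
    """Classify the leading bytes of a file claimed to be a capture."""
    if not data:
        return {"kind": "empty"}
    if data[:4] not in MAGICS:
        # tcpdump without -w prints one text line per packet to stdout.
        head = data[:64]
        printable = all(32 <= b < 127 or b in (9, 10, 13) for b in head)
        return {"kind": "text" if printable else "unknown"}
    if len(data) < HEADER_LEN:
        return {"kind": "truncated-header"}
    order, resolution = MAGICS[data[:4]]
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:HEADER_LEN])
    return {
        "kind": "pcap",
        "version": f"{major}.{minor}",
        "timestamps": resolution,
        "snaplen": snaplen,  # per-packet byte limit set with -s at capture time
        "linktype": linktype,
        "has_packets": len(data) > HEADER_LEN,
    }


def inspect_file(path: str) -> dict:
    """Read just enough of the file to classify it; the name is never used."""
    with open(path, "rb") as fh:
        return inspect_capture(fh.read(HEADER_LEN + 1))


if __name__ == "__main__":
    # Constructed samples: empty file, tcpdump text output, header-only pcap.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    text = b"00:55:20.000000 IP 192.0.2.1.22 > 192.0.2.2.4000: tcp 0\n"
    for sample in (b"", text, header):
        print(inspect_capture(sample))
```

A result of `empty` or `text` means the problem lies with how the file was produced or copied, not with the program reading it.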