Solved

Why won't wireshark open my tcpdump file from linux

Posted on 2013-01-28
13 Comments, 3,459 Views
Last Modified: 2013-04-30
I am capturing traffic on a Linux box and want to open the capture on a Windows box in Wireshark, but it gives me an error:
The file "conference.pcap" isn't a capture file in a format Wireshark understands.
and has an OK button.
I have Wireshark version 1.8.4

I am running the command on my linux box

tcpdump dst 10.10.1.2 -w /root/conference.log

I press ctrl and c to stop the capture

The screen writes:
10 packets captured
11 packets received by filter
0 packets dropped by kernel

I transfer the file from Linux to Windows and double click to open, and that is when I get the error.

I have tried naming the file .log or .pcap and both get the same error.

What am I doing wrong?
0
13 Comments
 
LVL 16

Expert Comment

by:choward16980
ID: 38829957
You probably dumped raw. What command did you use to create the pcap file?
0
 
LVL 11

Assisted Solution

by:un1x86
un1x86 earned 125 total points
ID: 38830267
How do you transfer the file? It might get changed when transferred. You could check the checksum.

If you transfer via WinSCP edit your config and force binary mode.

Advanced options (checked) -> Preferences -> Transfer -> Binary

By default if you transfer a .txt file it is copied in ASCII mode.
0
 

Author Comment

by:Dragon0x40
ID: 38831221
tcpdump dst 10.10.1.2 -w /root/conference.log
0
 

Author Comment

by:Dragon0x40
ID: 38831234
winscp is already set to binary transfer mode
0
 
LVL 11

Expert Comment

by:un1x86
ID: 38831235
Hi

How do you copy it to your Windows machine? Make sure it is copied in binary mode. BTW, I would not call it .log as it is not a log file. Call it .pcap or .dump
0
 

Author Comment

by:Dragon0x40
ID: 38833059
I transferred it by dragging onto my C drive using WinSCP.

The first capture I named .pcap and that did not work, so the next capture I named .log.

Both files gave the same error when trying to open with Wireshark.

The file "conference.pcap" isn't a capture file in a format Wireshark understands.

Is my command incorrect?

tcpdump dst 10.10.1.2 -w /root/conference.log
0
 
LVL 16

Assisted Solution

by:choward16980
choward16980 earned 250 total points
ID: 38833077
Command is correct. What happens if you tcpdump -r conference.pcap

does it open?
0
 

Author Comment

by:Dragon0x40
ID: 38833464
No, that does not work either.

tcpdump -r conference.pcap

tcpdump: bad dump file format

The one I saved as a .log file opened:

tcpdump -r conference321.log

reading from file conference321.log, link-type EN10MB (Ethernet)
(output truncated)
0
 
LVL 11

Expert Comment

by:un1x86
ID: 38833900
Hi

What OS are you using?
What tcpdump version?
What does "file conference321.log" tell you?
0
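The two checks suggested in this thread (compare a checksum before and after the transfer, and inspect what kind of file the capture actually is, as `file` would) can be done without tcpdump or Wireshark installed. The script below is an added example, not code from the thread or from the tcpdump/Wireshark projects. It reads the pcap magic number, parses the 24-byte global header (reporting the snaplen and link-type, which is what `tcpdump -r` printed above as link-type EN10MB), walks the packet records to confirm they line up with the end of the file, and simulates what an ASCII-mode transfer does to the bytes (LF becomes CRLF) so the damage is visible in the checksum and in the record walk. The sample capture and the `build_sample_pcap` helper are constructed for this example; the magic numbers come from the libpcap and pcapng formats.

```python
import hashlib
import struct

# Magic numbers from the libpcap file format: (struct endianness, description).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "pcap, little-endian, microsecond timestamps"),
    b"\xa1\xb2\xc3\xd4": (">", "pcap, big-endian, microsecond timestamps"),
    b"\x4d\x3c\xb2\xa1": ("<", "pcap, little-endian, nanosecond timestamps"),
    b"\xa1\xb2\x3c\x4d": (">", "pcap, big-endian, nanosecond timestamps"),
}
# pcapng's block-type magic deliberately contains LF and CR bytes so that a
# text-mode transfer (LF -> CRLF or CRLF -> LF) breaks it immediately.
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"


def identify(data: bytes) -> str:
    """Describe the capture format from the first four bytes, like `file` does."""
    head = data[:4]
    if head in PCAP_MAGICS:
        return PCAP_MAGICS[head][1]
    if head == PCAPNG_MAGIC:
        return "pcapng"
    return "unknown (not a pcap/pcapng magic number)"


def parse_pcap(data: bytes) -> dict:
    """Parse the classic pcap global header and walk every packet record.

    'ok' is False when the header is missing or the records do not end
    exactly at end-of-file, which is what a corrupted transfer looks like.
    """
    head = data[:4]
    if head not in PCAP_MAGICS or len(data) < 24:
        return {"ok": False, "reason": "bad or missing global header", "packets": 0}
    endian = PCAP_MAGICS[head][0]
    vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets, off = 0, 24
    while off + 16 <= len(data):
        # Per-record header: ts_sec, ts_usec, captured length, original length.
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            return {"ok": False, "packets": packets,
                    "reason": f"record {packets} exceeds snaplen or runs past EOF"}
        off += 16 + incl_len
        packets += 1
    ok = off == len(data)
    return {"ok": ok, "version": f"{vmaj}.{vmin}", "snaplen": snaplen,
            "linktype": linktype, "packets": packets,
            "reason": "" if ok else f"{len(data) - off} trailing byte(s) after last record"}


def sha256(data: bytes) -> str:
    """Checksum to compare on both sides of the transfer (sha256sum on Linux)."""
    return hashlib.sha256(data).hexdigest()


def simulate_ascii_transfer(data: bytes) -> bytes:
    """What an ASCII-mode SCP/FTP transfer to Windows does: every LF becomes CRLF."""
    return data.replace(b"\n", b"\r\n")


def build_sample_pcap() -> bytes:
    """Constructed sample: pcap 2.4, snaplen 65535, link-type 1 (EN10MB), one 60-byte frame."""
    header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    payload = bytes(range(60))  # contains 0x0a, so ASCII conversion will insert a byte
    record = struct.pack("<IIII", 1359331200, 0, len(payload), len(payload)) + payload
    return header + record


if __name__ == "__main__":
    good = build_sample_pcap()
    bad = simulate_ascii_transfer(good)
    for label, blob in (("as written by tcpdump -w", good), ("after ASCII-mode transfer", bad)):
        print(f"{label}: {identify(blob)}; sha256={sha256(blob)[:16]}...; {parse_pcap(blob)}")
```

On a real file, read it with `open(path, "rb").read()` and compare `sha256()` with the value `sha256sum` prints on the Linux side; a mismatch, or an `ok: False` result with trailing bytes, points at the transfer rather than at the tcpdump command. A classic little-endian pcap header contains no LF byte, so its magic survives ASCII conversion and only the record walk reveals the damage, whereas a pcapng file fails the magic check straight away.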
 
LVL 38

Assisted Solution

by:Gerwin Jansen, EE MVE
Gerwin Jansen, EE MVE earned 125 total points
ID: 38834266
Can you try adding this parameter:

-s 65535

to your tcpdump command line?
0
 

Author Comment

by:Dragon0x40
ID: 38835250
I ran

tcpdump -i eth0 -s0 -w filename.pcap

that file opened with both wireshark and tcpdump -r

I seem to have been having some trouble copying the file to the root of my C drive, and instead created a folder to transfer the packet captures to.

My IT department appears to prevent certain downloaded files from being copied to the desktop and the root of the C drive.
0
 
LVL 16

Accepted Solution

by:choward16980
choward16980 earned 250 total points
ID: 38835944
By default, Windows 7 makes it difficult for some programs to utilize files on the desktop or C:\ drive. I could never get CDBurnerXP to burn an ISO off the C:\ or desktop... Not sure what causes this, but I imagine it's some form of user impersonation the system doesn't like.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38835950
PS: a log file would be created from > not -w.

The file you named .log after the -w would be your capture file.
0