Solved

Why won't Wireshark open my tcpdump file from Linux?

Posted on 2013-01-28
Last Modified: 2013-04-30
I am capturing traffic on a Linux box and want to open the capture on a Windows box in Wireshark, but it gives me an error:
The file "conference.pcap" isn't a capture file in a format Wireshark understands.
and has an OK button.
I have Wireshark version 1.8.4.

I am running the command on my Linux box:

tcpdump dst 10.10.1.2 -w /root/conference.log

I press ctrl and c to stop the capture

The screen writes:
10 packets captured
11 packets received by filter
0 packets dropped by kernel

I transfer the file from Linux to Windows and double-click to open it, and that is when I get the error.

I have tried naming the file .log or .pcap and both get the same error.

What am I doing wrong?
Question by:Dragon0x40
13 Comments
 

Expert Comment

by:choward16980
ID: 38829957
You probably dumped raw. What command did you use to create the pcap file?

Assisted Solution

by:un1x86
un1x86 earned 125 total points
ID: 38830267
How do you transfer the file? It might get changed when transferred. You could check the checksum.

If you transfer via WinSCP, edit your config and force binary mode.

Advanced options (checked) -> Preferences -> Transfer -> Binary

By default if you transfer a .txt file it is copied in ASCII mode.
 

Author Comment

by:Dragon0x40
ID: 38831221
tcpdump dst 10.10.1.2 -w /root/conference.log

Author Comment

by:Dragon0x40
ID: 38831234
WinSCP is already set to binary transfer mode.

Expert Comment

by:un1x86
ID: 38831235
Hi

How do you copy it to your Windows machine? Make sure it is copied in binary mode. BTW, I would not call it .log as it is not a log file. Call it .pcap or .dump.

Author Comment

by:Dragon0x40
ID: 38833059
I transferred it by dragging it onto my C drive using WinSCP.

The first capture I named .pcap and that did not work, so the next capture I named .log.

Both files gave the same error when trying to open them with Wireshark.

The file "conference.pcap" isn't a capture file in a format Wireshark understands.

Is my command incorrect?

tcpdump dst 10.10.1.2 -w /root/conference.log

Assisted Solution

by:choward16980
choward16980 earned 250 total points
ID: 38833077
Command is correct. What happens if you tcpdump -r conference.pcap

Does it open?

Author Comment

by:Dragon0x40
ID: 38833464
No, that does not work either.

tcpdump -r conference.pcap

tcpdump: bad dump file format

The one I saved as a .log file opened:

tcpdump -r conference321.log

reading from file conference321.log, link-type EN10MB (Ethernet)
(output truncated)

Expert Comment

by:un1x86
ID: 38833900
Hi

What OS are you using?
What tcpdump version?
What does "file conference321.log" tell you?

Assisted Solution

by:Gerwin Jansen, EE MVE
Gerwin Jansen, EE MVE earned 125 total points
ID: 38834266
Can you try adding this parameter:

-s 65535

to your tcpdump command line?

Author Comment

by:Dragon0x40
ID: 38835250
I ran

tcpdump -i eth0 -s0 -w filename.pcap

That file opened with both Wireshark and tcpdump -r.

I seem to have been having some trouble copying the file to the root of my C drive and instead created a folder to transfer the packet captures to.

My IT department appears to prevent certain file downloads from being copied to the desktop and the root of the C drive.

Accepted Solution

by:choward16980
choward16980 earned 250 total points
ID: 38835944
By default, Windows 7 makes it difficult for some programs to utilize files on the desktop or C:\ drive. I could never get CD burner XP to burn an ISO off the C:\ or desktop... Not sure what causes this, but I imagine it's some form of user impersonation the system doesn't like.

Expert Comment

by:choward16980
ID: 38835950
PS, a log file would be created from > not -w

The file you named .log after the -w would be your capture file.
0
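
The checks suggested in this thread (compare a checksum on both sides of the transfer, and confirm the file really is a capture) can be scripted. The following is an added example, not code from any post above: it validates the classic pcap header that tcpdump -w writes and walks each packet record, so a damaged or incomplete copy is reported with the offset where it stops making sense. The names inspect_capture and build_sample are hypothetical, and the sample capture is constructed.

```python
import hashlib
import struct

# First four bytes of a classic libpcap file -> (struct byte order, description).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "pcap little-endian, microsecond timestamps"),
    b"\xa1\xb2\xc3\xd4": (">", "pcap big-endian, microsecond timestamps"),
    b"\x4d\x3c\xb2\xa1": ("<", "pcap little-endian, nanosecond timestamps"),
    b"\xa1\xb2\x3c\x4d": (">", "pcap big-endian, nanosecond timestamps"),
}

def inspect_capture(data: bytes) -> dict:
    """Check the 24-byte global header, then walk every 16-byte record header."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "packets": 0}
    if len(data) < 24 or data[:4] not in MAGICS:
        report["status"] = "not a pcap file (too short or bad magic)"
        return report
    order, report["format"] = MAGICS[data[:4]]
    _, _, _, _, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    report.update(snaplen=snaplen, linktype=linktype)
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            report["status"] = f"truncated record header at offset {offset}"
            return report
        _, _, incl_len, orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        if incl_len > orig_len or incl_len > snaplen:
            report["status"] = f"implausible record length at offset {offset}"
            return report
        if offset + 16 + incl_len > len(data):
            report["status"] = f"truncated packet data at offset {offset}"
            return report
        offset += 16 + incl_len
        report["packets"] += 1
    report["status"] = "ok"
    return report

def build_sample() -> bytes:
    """Constructed capture: two made-up payloads, snaplen 65535, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    payloads = [b"GET / HTTP/1.0\r\n\r\n", b"line one\nline two\n"]
    return header + b"".join(
        struct.pack("<IIII", 1359331200 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(payloads))

if __name__ == "__main__":
    good = build_sample()
    ascii_mode = good.replace(b"\n", b"\r\n")  # models an ASCII-mode (text) transfer
    for name, blob in [("original", good), ("ascii-mode copy", ascii_mode), ("empty copy", b"")]:
        r = inspect_capture(blob)
        print(f"{name:16} {r['status']:45} packets={r['packets']} sha256={r['sha256'][:12]}")
```

Run inspect_capture on the bytes of the file on the Linux side and again on the Windows copy: differing sha256 values mean the copy changed in transit, and the status shows whether the result is still a readable capture.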
