Solved

Why won't wireshark open my tcpdump file from linux

Posted on 2013-01-28
13
2,921 Views
Last Modified: 2013-04-30
I am capturing traffic on a linux box and want to open the capture on a windows box in wireshark but it gives me an error:
The file "conference.pcap" isn't a capture file in a format Wireshark understands.
and has an OK button.
I have Wirehsark version 1.8.4

I am running the command on my linux box

tcpdump dst 10.10.1.2 -w /root/conference.log

I press ctrl and c to stop the capture

The screen writes:
10 packets captured
11 packets received by filter
0 packets dropped by kernel

I transfer the file from Linux to windows and double click ot open and that is when I get the error.

I have tried nameing the file .log or .pcap and both get the same error.

What am I doing wrong?
0
Comment
Question by:Dragon0x40
  • 5
  • 4
  • 3
  • +1
13 Comments
 
LVL 16

Expert Comment

by:choward16980
Comment Utility
you probably dumped raw.  what command did you use to create thepcap file?
0
 
LVL 11

Assisted Solution

by:un1x86
un1x86 earned 125 total points
Comment Utility
How do you transfer the file? It might get changed when transfered. You could check the checksum.

If you transfer via WinSCP edit your config and force binary mode.

Advanced options (checked) -> Preferences -> Transfer -> Binary

By default if you transfer a .txt file it is copied in ASCII mode.
0
 

Author Comment

by:Dragon0x40
Comment Utility
tcpdump dst 10.10.1.2 -w /root/conference.log
0
 

Author Comment

by:Dragon0x40
Comment Utility
winscp is already set to binary transfer mode
0
 
LVL 11

Expert Comment

by:un1x86
Comment Utility
Hi

How do you copy it to your windows machine? Make sure it is copied in binarymode. BTW I would not call it .log as it is not a log file. Call it .pcap or .dump
0
 

Author Comment

by:Dragon0x40
Comment Utility
I transferred it by dragging onto my C drive using winscp

The first capture I named .pcap and that did not work so the next capture I name .log

both files gave the same error when trying to open with wireshark.

The file "conference.pcap" isn't a capture file in a format Wireshark understands.

Is my command incorrect?

tcpdump dst 10.10.1.2 -w /root/conference.log
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 16

Assisted Solution

by:choward16980
choward16980 earned 250 total points
Comment Utility
Command is correct.  what happens if you tcpdump -r conference.pcap

does it open?
0
 

Author Comment

by:Dragon0x40
Comment Utility
no that does not work either

tcpdump -r conference.pcap

tcpdump: bad dump file format

the one I saved as a .log file opened

tcpdump -r conference321.log

reading from file conference321.log, link-type EN10MB (Ethernet)
(output truncated)
0
 
LVL 11

Expert Comment

by:un1x86
Comment Utility
Hi

What os are you using?
What tcpdump version?
What does "file conference321.log" tell you?
0
 
LVL 37

Assisted Solution

by:Gerwin Jansen
Gerwin Jansen earned 125 total points
Comment Utility
Can you try adding this parameter:

-s 65535

to your tcpdump command line?
0
 

Author Comment

by:Dragon0x40
Comment Utility
I ran

tcpdump -i eth0 -s0 -w filename.pcap

that file opened with both wireshark and tcpdump -r

I seem to have been having some trouble copying the file to the root of my c drive and instead created a folder to transfer the packet captures to.

My IT department appears to prevent certain file downloads to be copied to the desktop and the root of the C drive
0
 
LVL 16

Accepted Solution

by:
choward16980 earned 250 total points
Comment Utility
By default, windows 7 makes it difficult for some programs to utilize files on the desktop or c:\ drive.  I could never get CD burner XP to burn an iso off the c:| or desktop...  Not sure what causes this, but I imagine it's some form of user impersonation the system doesn't like.
0
 
LVL 16

Expert Comment

by:choward16980
Comment Utility
PS, a log file would be created from > not -w

The file you named .log after the -w would be your capture file.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now