Solved

Why won't wireshark open my tcpdump file from linux

Posted on 2013-01-28
Last Modified: 2013-04-30
I am capturing traffic on a Linux box and want to open the capture on a Windows box in Wireshark, but it gives me an error:
The file "conference.pcap" isn't a capture file in a format Wireshark understands.
and has an OK button.
I have Wireshark version 1.8.4

I am running the command on my linux box

tcpdump dst 10.10.1.2 -w /root/conference.log

I press ctrl and c to stop the capture

The screen writes:
10 packets captured
11 packets received by filter
0 packets dropped by kernel

I transfer the file from Linux to Windows and double click to open, and that is when I get the error.

I have tried naming the file .log or .pcap and both get the same error.

What am I doing wrong?
Question by:Dragon0x40
13 Comments
 
LVL 16

Expert Comment

by:choward16980
ID: 38829957
You probably dumped raw. What command did you use to create the pcap file?
 
LVL 11

Assisted Solution

by:un1x86
un1x86 earned 125 total points
ID: 38830267
How do you transfer the file? It might get changed when transferred. You could check the checksum.

If you transfer via WinSCP edit your config and force binary mode.

Advanced options (checked) -> Preferences -> Transfer -> Binary

By default if you transfer a .txt file it is copied in ASCII mode.
 

Author Comment

by:Dragon0x40
ID: 38831221
tcpdump dst 10.10.1.2 -w /root/conference.log

Author Comment

by:Dragon0x40
ID: 38831234
WinSCP is already set to binary transfer mode
 
LVL 11

Expert Comment

by:un1x86
ID: 38831235
Hi

How do you copy it to your Windows machine? Make sure it is copied in binary mode. BTW, I would not call it .log as it is not a log file. Call it .pcap or .dump
 

Author Comment

by:Dragon0x40
ID: 38833059
I transferred it by dragging onto my C drive using WinSCP

The first capture I named .pcap and that did not work, so the next capture I named .log

Both files gave the same error when trying to open with Wireshark.

The file "conference.pcap" isn't a capture file in a format Wireshark understands.

Is my command incorrect?

tcpdump dst 10.10.1.2 -w /root/conference.log
 
LVL 16

Assisted Solution

by:choward16980
choward16980 earned 250 total points
ID: 38833077
Command is correct. What happens if you tcpdump -r conference.pcap

Does it open?
 

Author Comment

by:Dragon0x40
ID: 38833464
No, that does not work either

tcpdump -r conference.pcap

tcpdump: bad dump file format

The one I saved as a .log file opened

tcpdump -r conference321.log

reading from file conference321.log, link-type EN10MB (Ethernet)
(output truncated)
 
LVL 11

Expert Comment

by:un1x86
ID: 38833900
Hi

What OS are you using?
What tcpdump version?
What does "file conference321.log" tell you?
 
LVL 37

Assisted Solution

by:Gerwin Jansen, EE MVE
Gerwin Jansen, EE MVE earned 125 total points
ID: 38834266
Can you try adding this parameter:

-s 65535

to your tcpdump command line?
 

Author Comment

by:Dragon0x40
ID: 38835250
I ran

tcpdump -i eth0 -s0 -w filename.pcap

That file opened with both Wireshark and tcpdump -r

I seem to have been having some trouble copying the file to the root of my C drive and instead created a folder to transfer the packet captures to.

My IT department appears to prevent certain file downloads from being copied to the desktop and the root of the C drive
 
LVL 16

Accepted Solution

by:
choward16980 earned 250 total points
ID: 38835944
By default, Windows 7 makes it difficult for some programs to utilize files on the desktop or C:\ drive. I could never get CD burner XP to burn an ISO off the C:\ or desktop... Not sure what causes this, but I imagine it's some form of user impersonation the system doesn't like.
 
LVL 16

Expert Comment

by:choward16980
ID: 38835950
PS, a log file would be created from > not -w

The file you named .log after the -w would be your capture file.
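An added example, not from anyone in this thread: a small Python checker that looks at the first bytes of a file the way "tcpdump -r" and Wireshark do before reporting "bad dump file format". It distinguishes a real pcap header (the -w output, with its snaplen and link type), a pcapng file, plain text (what redirecting tcpdump with > produces), and a file whose magic is gone, for instance after a non-binary transfer. The sample bytes below are constructed for the test, not taken from the questioner's capture.

```python
import struct

# pcap global-header magic, as read little-endian from the first 4 bytes.
# The value tells us the writer's byte order and its timestamp resolution.
PCAP_MAGIC = {
    0xA1B2C3D4: ("<", "microseconds"),  # bytes d4 c3 b2 a1: little-endian file
    0xD4C3B2A1: (">", "microseconds"),  # bytes a1 b2 c3 d4: big-endian file
    0xA1B23C4D: ("<", "nanoseconds"),
    0x4D3CB2A1: (">", "nanoseconds"),
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type


def inspect_capture(data: bytes) -> dict:
    """Classify the start of a file: pcap, pcapng, text dump, or unknown."""
    if len(data) < 24:
        return {"kind": "unknown", "reason": "shorter than the 24-byte pcap global header"}
    if data[:4] == PCAPNG_SHB:
        return {"kind": "pcapng"}
    magic = struct.unpack("<I", data[:4])[0]
    if magic in PCAP_MAGIC:
        endian, resolution = PCAP_MAGIC[magic]
        # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
        major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
        return {"kind": "pcap", "version": f"{major}.{minor}", "resolution": resolution,
                "snaplen": snaplen, "linktype": linktype}
    # No capture magic: if the head is printable ASCII it is tcpdump's text output
    # (stdout redirected with >), which no reader will accept as a capture.
    if all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in data[:64]):
        return {"kind": "text", "reason": "plain text, e.g. tcpdump output redirected with > instead of -w"}
    return {"kind": "unknown", "reason": "no pcap/pcapng magic; file may have been altered in transfer"}


# Constructed sample: the header tcpdump writes for -s 65535 on Ethernet (link type 1).
GOOD_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# Constructed sample: what "tcpdump ... > conference.log" leaves behind.
TEXT_DUMP = b"12:00:00.000001 IP 10.10.1.1.5060 > 10.10.1.2.5060: SIP, length 40\n" * 2

if __name__ == "__main__":
    import sys
    # Usage: python pcapcheck.py conference.pcap  (hypothetical script name)
    with open(sys.argv[1], "rb") as f:
        print(inspect_capture(f.read(64)))
```

The same four-byte check is what the "file" command performs when it answers "tcpdump capture file" or "data".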
