Why won't Wireshark open my tcpdump file from Linux?

I am capturing traffic on a Linux box and want to open the capture on a Windows box in Wireshark, but it gives me an error:
The file "conference.pcap" isn't a capture file in a format Wireshark understands.
and has an OK button.
I have Wireshark version 1.8.4.

I am running this command on my Linux box:

tcpdump dst 10.10.1.2 -w /root/conference.log

I press Ctrl and C to stop the capture.

The screen writes:
10 packets captured
11 packets received by filter
0 packets dropped by kernel

I transfer the file from Linux to Windows and double-click to open it, and that is when I get the error.

I have tried naming the file .log or .pcap and both get the same error.

What am I doing wrong?
Dragon0x40 asked:

Chris H (Infrastructure Manager) commented:
By default, Windows 7 makes it difficult for some programs to utilize files on the desktop or C:\ drive. I could never get CDBurnerXP to burn an ISO off the C:\ or desktop... Not sure what causes this, but I imagine it's some form of user impersonation the system doesn't like.

Chris H (Infrastructure Manager) commented:
You probably dumped raw. What command did you use to create the pcap file?

Chris Sandrini (Senior System Engineer) commented:
How do you transfer the file? It might get changed when transferred. You could check the checksum.

If you transfer via WinSCP edit your config and force binary mode.

Advanced options (checked) -> Preferences -> Transfer -> Binary

By default if you transfer a .txt file it is copied in ASCII mode.

Dragon0x40 (author) commented:
tcpdump dst 10.10.1.2 -w /root/conference.log

Dragon0x40 (author) commented:
WinSCP is already set to binary transfer mode.

Chris Sandrini (Senior System Engineer) commented:
Hi

How do you copy it to your Windows machine? Make sure it is copied in binary mode. BTW, I would not call it .log as it is not a log file. Call it .pcap or .dump.

Dragon0x40 (author) commented:
I transferred it by dragging it onto my C drive using WinSCP.

The first capture I named .pcap and that did not work, so the next capture I named .log.

Both files gave the same error when trying to open with Wireshark.

The file "conference.pcap" isn't a capture file in a format Wireshark understands.

Is my command incorrect?

tcpdump dst 10.10.1.2 -w /root/conference.log

Chris H (Infrastructure Manager) commented:
The command is correct. What happens if you run

tcpdump -r conference.pcap

Does it open?

Dragon0x40 (author) commented:
No, that does not work either:

tcpdump -r conference.pcap

tcpdump: bad dump file format

The one I saved as a .log file opened:

tcpdump -r conference321.log

reading from file conference321.log, link-type EN10MB (Ethernet)
(output truncated)

Chris Sandrini (Senior System Engineer) commented:
Hi

What OS are you using?
What tcpdump version?
What does "file conference321.log" tell you?
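The checks the thread converges on (tcpdump -r, file, and comparing a checksum on both sides of the copy) all come down to reading the 24-byte pcap global header and walking the packet records behind it. As an added example, not code from this thread or from tcpdump or Wireshark, the Python below does that on a constructed two-frame capture, then shows what an ASCII-mode transfer (LF rewritten to CRLF) does to it: the checksum no longer matches and the record walk runs off the end of the file, which is the same symptom tcpdump reports as "bad dump file format". The sample bytes, the function names and the small LINKTYPES table are the example's own assumptions.

```python
import hashlib
import struct

# Magic numbers from the libpcap file format and the pcapng specification.
PCAP_MAGIC_USEC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D          # pcap variant with nanosecond timestamps
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"    # pcapng Section Header Block type (byte-order independent)

# A few common link types (the "link-type" that tcpdump -r prints); assumed subset.
LINKTYPES = {1: "EN10MB (Ethernet)", 101: "RAW (raw IP)", 113: "LINUX_SLL (Linux cooked)"}

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def sha256_hex(data: bytes) -> str:
    """Checksum to compare on both sides of the transfer."""
    return hashlib.sha256(data).hexdigest()


def inspect_capture(data: bytes) -> dict:
    """Parse the pcap global header and walk every packet record.

    Raises ValueError (using tcpdump's "bad dump file format" wording) when the
    magic number is not a pcap magic or the records do not line up, which is
    what a capture mangled in transit looks like.
    """
    if data[:4] == PCAPNG_MAGIC:
        return {"format": "pcapng", "sha256": sha256_hex(data)}
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("bad dump file format: truncated global header")
    for order in ("<", ">"):            # the magic tells us the writer's byte order
        (magic,) = struct.unpack(order + "I", data[:4])
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("bad dump file format: unknown magic %s" % data[:4].hex())
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    records = 0
    offset = GLOBAL_HEADER_LEN
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER_LEN:
            raise ValueError("bad dump file format: truncated record header after %d records" % records)
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        if incl_len > snaplen:
            raise ValueError("bad dump file format: record %d longer than snaplen" % records)
        offset += RECORD_HEADER_LEN + incl_len
        if offset > len(data):
            raise ValueError("bad dump file format: record %d truncated" % records)
        records += 1
    return {
        "format": "pcap",
        "byte_order": "little-endian" if order == "<" else "big-endian",
        "timestamps": "nanoseconds" if magic == PCAP_MAGIC_NSEC else "microseconds",
        "version": "%d.%d" % (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown (%d)" % linktype),
        "records": records,
        "sha256": sha256_hex(data),
    }


def check_transfer(sent: bytes, received: bytes) -> dict:
    """Compare the capture as written by tcpdump with the copy that reached Windows."""
    result = {"same_checksum": sha256_hex(sent) == sha256_hex(received), "error": None}
    try:
        inspect_capture(received)
    except ValueError as exc:
        result["error"] = str(exc)
    result["intact"] = result["same_checksum"] and result["error"] is None
    return result


def build_sample_pcap(order: str = "<") -> bytes:
    """Constructed sample (not a real capture): two 46-byte Ethernet frames, snaplen 65535."""
    header = struct.pack(order + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    frames = []
    for n in range(2):
        # Padding plus a CR/LF pair: exactly the bytes an ASCII-mode transfer rewrites.
        payload = bytes(14) + b"\r\n" + bytes(30)
        frames.append(struct.pack(order + "IIII", 1700000000 + n, 0, len(payload), len(payload)) + payload)
    return header + b"".join(frames)


def simulate_ascii_transfer(data: bytes) -> bytes:
    """What a text-mode transfer does to a binary file: every LF becomes CRLF."""
    return data.replace(b"\n", b"\r\n")


if __name__ == "__main__":
    original = build_sample_pcap()
    print(inspect_capture(original))
    print(check_transfer(original, simulate_ascii_transfer(original)))
```

To run the real check, take sha256sum of the file on the Linux side and call inspect_capture on the bytes of the Windows copy; a text-mode transfer shows up as a checksum mismatch and a record walk that runs off the end of the file, while an intact copy reports the same link type and record count that tcpdump -r prints.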
 
Gerwin Jansen, EE MVE (Topic Advisor) commented:
Can you try adding this parameter:

-s 65535

to your tcpdump command line?

Dragon0x40 (author) commented:
I ran

tcpdump -i eth0 -s0 -w filename.pcap

That file opened with both Wireshark and tcpdump -r.

I seem to have been having some trouble copying the file to the root of my C drive, so instead I created a folder to transfer the packet captures to.

My IT department appears to prevent certain file downloads from being copied to the desktop and the root of the C drive.

Chris H (Infrastructure Manager) commented:
PS: a log file would be created with >, not -w.

The file you named .log after the -w would be your capture file.