Date: Wed, 21 Feb 2001 02:30:48 -0500 (EST) From: "Yazz D. Atlas" <yazz@osdn.com> Subject: Re: Stupid user question Message-ID: <Pine.LNX.4.30.0102210154280.19936-100000@bofh.andover.net>
On Tue, 20 Feb 2001, Rob Austein wrote:
> See whether some other pcap-reading program can understand the dump
> files. In particular, try ethereal/tethereal.
Yep both ethreal/tethereal plus ngrep read the tcpdump file fine.
> Some linux distributions (including RH 6.2, if I recall correctly) use
> a mutant form of the pcap library that emits an incompatable format
> (without changing the file header either, grrrr). tethereal can
> convert between the mutant pcap and standard pcap formats for you.
Humm I tried the conversion and no luck there.
So I did the following...
-rw-r--r-- 1 yazz yazz 2605763 Feb 17 21:15 posdos.dump
[yazz@bofh yazz]$ tethereal -r posdos.dump -F libpcap -w posdos.dump3
[yazz@bofh yazz]$ file posdos.dump3
posdos.dump3: tcpdump capture file (little-endian) - version 2.4
(Ethernet, capture length 96)
[yazz@bofh yazz]$ tcptrace -G posdos.dump3
1 arg remaining, starting with 'posdos.dump3'
Ostermann's tcptrace -- version 6.0.0a -- Wed Jan 17, 2001
Fatal, too many hosts to name (max length 8)
Now another format... snoop
[yazz@bofh yazz]$ file posdos.dump3
posdos.dump3: Snoop capture file - version 2 (Ethernet)
[yazz@bofh yazz]$ tcptrace posdos.dump3
1 arg remaining, starting with 'posdos.dump3'
Ostermann's tcptrace -- version 6.0.0a -- Wed Jan 17, 2001
Fatal, too many hosts to name (max length 8)
And yet another... rh6_1libpcap
[yazz@bofh yazz]$ tethereal -r posdos.dump -F rh6_1libpcap -w posdos.dump3
[yazz@bofh yazz]$ file posdos.dump3
posdos.dump3: tcpdump capture file (little-endian) - version 2.4
(Ethernet, capture length 96)
[yazz@bofh yazz]$ tcptrace posdos.dump3
1 arg remaining, starting with 'posdos.dump3'
Ostermann's tcptrace -- version 6.0.0a -- Wed Jan 17, 2001
PCAP error: 'bogus savefile header'
0 packets seen, 0 TCP packets traced
elapsed wallclock time: 0:00:00.011358, 0 pkts/sec analyzed
trace file elapsed time: 0:00:00.000000
no traced TCP packets
With the -G option it didn't open xplot...
More info on the linux box I'm doing this on...
tcpdump-3.5.2.tar.gz
libpcap-0.5.2.tar.gz
Humm... I have a FreeBSD box that I captured packets from and scp the dump
to the linux box, X isn't installed on that machine. Still no luck on the
linux box...
Yazz
--
Yazz D. Atlas <yazz@osdn.com> Voice: 978-635-5300 ext 183
Systems and Network Engineer/BOFH Fax: 978-635-5326
[ O | S | D | N ], Open Source Development Network
http://www.osdn.com/ 50 Nagog Park, Acton, MA 01720
gpg --keyserver pgp.mit.net --recv-key 0x0C57DDA0
----------------------------------------------------------------------------
To unsubscribe, send a message with body containing "unsubscribe tcptrace" to
majordomo@tcptrace.org.
This archive was generated by hypermail 2b30 : 02/21/01 EST