Wireshark-dev: Re: [Wireshark-dev] Portability issue of capture files.
From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Thu, 07 Sep 2006 10:15:41 +0800


Andreas Fink wrote:
I recently compiled wireshark under MacOS X 10.4.7 on a intel machine. This time I succeeded even with GTK+2 after fiddling with a lot of options. I'm preparing an installer for it for users without "fink" or "darwin ports".

But while using it, I find out a strange behaviour.

I'm capturing data on a linux machine (fedora5) with tcpdump -s0 -wdumpfile.cap. Transfer the file to the mac and try to open it with wireshark. I get weird errors saying it couldnt open it because packet size is bigger than 65k or something like that. Same is if I capture with ethereal on that linux box and transfer the file to the mac. I can capture on the mac fine with tcpdump and read it on the mac with wireshark but whatever comes from that linux machine is not working.

Most frequently that's due to using FTP and not setting binary mode. Does the file's checksum change from machine to machine after copying it?

The PCAP/Wiretap library is supposed to figure out the endianism of the host where the file was generated automatically so normally there's no problem with that. (I frequently look at capture files from SPARC machines on my Intel laptop, including with 0.99.3.)