Wireshark-users: Re: [Wireshark-users] Pcap file isn't a capture file in a format TShark understa
From: kahou lei <kahou82@xxxxxxxxx>
Date: Mon, 25 Jan 2010 10:19:17 -0800
> This file is captured by another machine.

How was the file captured on that machine? What software was used?

>> The captured file is generated by our company software. Basically it is captured by out networking equipments and then it will be saved via our company software (by writing libpcap format and the binary to the file). It has been working fine.

> I try to use tshark and wireshark with this file on another machine which is not the captured one and it works.

Are you saying that on one machine, TShark and Wireshark can read the "udp.pcap" file, but, on another machine, TShark and Wireshark cannot read the *same* "udp.pcap" file?

If so, what versions of TShark and Wireshark are running on those two machines, and, if you run the command "capinfos udp.pcap" on the machine where TShark and Wireshark *can* read the file, what does it print?

>> Yes, same udp.pcap file can't read on one linux machine but can read on another linux machine.

>> Here is the information of the one that "cannot" read udp.pcap:

[thot@tchui1-rhel3 tshark]$ ./tshark -v
TShark 0.99.7

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.2.3, with libpcap 0.7.2, with libz 1.1.4, without libpcre,
with SMI 0.4.5, without ADNS, without Lua, without GnuTLS, without Gcrypt, with
MIT Kerberos.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Linux 2.4.21-32.ELsmp, with libpcap (version unknown).

Built using gcc 3.2.3 20030502 (ASPLinux 3.2.3-59asp).

>> Here is the information of the one that "can" read udp.pcap

[thot@REGRES-EL3 thot]$ tshark -v
TShark 0.99.7

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.2.3, with libpcap 0.7.2, with libz 1.1.4, without libpcre,
with SMI 0.4.5, without ADNS, without Lua, without GnuTLS, without Gcrypt, with
MIT Kerberos.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Linux 2.4.21-40.ELsmp, with libpcap (version unknown).

Built using gcc 3.2.3 20030502 (ASPLinux 3.2.3-59asp).


[thot@REGRES-EL3 tshark]$ capinfos udp.pcap
File name: udp.pcap
File type: Wireshark - nanosecond libpcap
File encapsulation: Ethernet
Number of packets: 1
File size: 168 bytes
Data size: 128 bytes
Capture duration: 0.000000 seconds
Start time: Thu Dec 17 18:35:35 2009
End time: Thu Dec 17 18:35:35 2009
Data rate: inf bytes/s
Data rate: inf bits/s
Average packet size: 128.00 bytes

Thanks,
Kahou