reading capture file into ethereal

Matt Morgan minxmertzmomo at gmail.com
Thu Apr 28 16:32:40 UTC 2005


On 4/27/05, Leonard Isham <leonard.isham at gmail.com> wrote:
> On 4/27/05, Matt Morgan <minxmertzmomo at gmail.com> wrote:
> > I have a debian server with no gui. I need to analyze some tcp traffic
> > there, so I ran tethereal and sent the output to a file in libpcap
> > format. Here are the first few lines of the output:
> >
> > 435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > [SYN] Seq=2566198018 Ack=0 Win=5840 Len=0 MSS=1460 TSV=438910965
> > TSER=0 WS=0
> > 435.950570 192.168.4.11 -> jasmine.brooklynmuseum.org TCP 3001 > 59474
> > [SYN, ACK] Seq=3354128481 Ack=2566198019 Win=2047 Len=0 MSS=1024
> > 435.950640 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > [ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=0
> > 435.951200 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > [PSH, ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=5
> > 435.951280 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > [FIN, PSH, ACK] Seq=2566198024 Ack=3354128482 Win=5840 Len=2
> >
> > I am no ethereal expert, but I thought that I should then be able to
> > take this file and open it in ethereal (the gui version) on my
> > workstation so I could analyze it. However, when I try, I get the
> > error
> >
> > 'The file "eth_output_3001" isn't a capture file in a format Ethereal
> > understands.'
> >
> > What am I doing wrong?
> >
> 
> 1. Are they the same version?  I have seen some older versions (used
> by another person) create files that can't be read by newer versions.
> (not sure if it was the older version or an error on the part of the
> person that sent me the files)
> 
> I'm going to guess that it became corrupted when transferring.  Did you
> use ftp and not set binary before transferring?

Thanks, that's helpful. I didn't ftp it--actually I emailed it to
myself and I was able to see that it came through OK. But your first
guess seems to be right. On debian, 'tethereal -v' gets me

tethereal 0.9.4, with GLib 1.2.10, with libpcap 0.6

and on FC3 I get

tethereal 0.10.10 Compiled with GLib 2.4.8, with libpcap 0.8.3

In fact, when I compare captures on the two systems, I can tell they
look a little different. So I'm trying to figure out how to get FC3's
version to read an older version of libpcap, but none of the options
(rh6_1libpcap, suse6_3libpcap, modlibpcap, nokialibpcap) seem to work.
I guess I'll install ethereal manually on the debian server so I can
get a newer version.

Thanks!
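The error quoted above is what Ethereal reports when the file's first bytes are not a capture header. The lines shown earlier in the thread are tethereal's decoded text summaries (the kind it prints unless told to write a capture with -w), so a quick check of the file header tells the two apart before hunting for version or transfer problems. This is an added example, not code from the thread or from Ethereal; the file name and the sample bytes are constructed for illustration.

```python
import struct

# libpcap global-header magic numbers (first 4 bytes of the file)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "libpcap, little-endian, microsecond timestamps"),
    b"\xa1\xb2\xc3\xd4": (">", "libpcap, big-endian, microsecond timestamps"),
    b"\x4d\x3c\xb2\xa1": ("<", "libpcap, little-endian, nanosecond timestamps"),
    b"\xa1\xb2\x3c\x4d": (">", "libpcap, big-endian, nanosecond timestamps"),
}

def identify_capture(data: bytes) -> dict:
    """Report what the leading bytes of a file say about its format."""
    head = data[:24]
    magic = head[:4]
    if magic in PCAP_MAGICS:
        order, desc = PCAP_MAGICS[magic]
        if len(head) < 24:
            return {"kind": "truncated", "detail": desc + " (global header incomplete)"}
        # version major/minor, tz offset, sigfigs, snaplen, link-layer type
        major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", head[4:24])
        return {"kind": "pcap", "detail": desc, "version": f"{major}.{minor}",
                "snaplen": snaplen, "linktype": linktype}
    if magic == b"\x0a\x0d\x0d\x0a":
        return {"kind": "pcapng", "detail": "pcapng section header block"}
    # A file that starts with printable text is decoded output, not a capture
    sample = data[:64]
    if sample and all(32 <= b < 127 or b in b"\t\r\n" for b in sample):
        return {"kind": "text", "detail": "printable text, e.g. tethereal summary lines"}
    return {"kind": "unknown", "detail": "no recognised capture magic"}

def identify_file(path: str) -> dict:
    """Read only the first 64 bytes of a file and classify them."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(64))

# Constructed inputs: a valid little-endian libpcap global header
# (version 2.4, snaplen 65535, link type 1 = Ethernet) and the text
# summary lines quoted in the thread.
SAMPLE_PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_TEXT_OUTPUT = (b"435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001\n"
                      b"[SYN] Seq=2566198018 Ack=0 Win=5840 Len=0 MSS=1460 TSV=438910965\n")

if __name__ == "__main__":
    print(identify_capture(SAMPLE_PCAP_HEADER))
    print(identify_capture(SAMPLE_TEXT_OUTPUT))
```

A capture written with `tethereal -w eth_output_3001` should classify as `pcap` with version 2.4; a `text` result means the file holds decoded output and needs to be re-captured with -w.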
