reading capture file into ethereal

Leonard Isham leonard.isham at gmail.com
Wed Apr 27 21:15:36 UTC 2005


On 4/27/05, Matt Morgan <minxmertzmomo at gmail.com> wrote:
> I have a debian server with no gui. I need to analyze some tcp traffic
> there, so I ran tethereal and sent the output to a file in libpcap
> format. Here are the first few lines of the output:
> 
> 435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> [SYN] Seq=2566198018 Ack=0 Win=5840 Len=0 MSS=1460 TSV=438910965
> TSER=0 WS=0
> 435.950570 192.168.4.11 -> jasmine.brooklynmuseum.org TCP 3001 > 59474
> [SYN, ACK] Seq=3354128481 Ack=2566198019 Win=2047 Len=0 MSS=1024
> 435.950640 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> [ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=0
> 435.951200 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> [PSH, ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=5
> 435.951280 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> [FIN, PSH, ACK] Seq=2566198024 Ack=3354128482 Win=5840 Len=2
> 
> I am no ethereal expert, but I thought that I should then be able to
> take this file and open it in ethereal (the gui version) on my
> workstation so I could analyze it. However, when I try, I get the
> error
> 
> 'The file "eth_output_3001" isn't a capture file in a format Ethereal
> understands.'
> 
> What am I doing wrong?
> 

1. Are they the same version?  I have seen some older versions (used
by another person) create files that can't be read by newer versions. 
(not sure if it was the older version or an error on the part of the
person that sent me the files)

I'm going to guess that it became corrupted when transferring.  Did you
use ftp and not set binary before transferring?

-- 
Leonard Isham, CISSP 
Ostendo non ostento.
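
An added example, not part of the original message or of Ethereal: a Python check that tells apart a classic libpcap file, saved text output, and a capture whose record chain is broken, as line-ending rewriting in an ASCII-mode FTP transfer would cause. The names inspect_capture, sample_pcap and TEXT_SAMPLE and the sample bytes are constructed for illustration; pcapng files are reported as unknown.

```python
import struct

# First four bytes on disk of a classic libpcap file -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def inspect_capture(data: bytes):
    """Return (verdict, records_walked) for the raw bytes of a suspected capture."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        head = data[:512]
        # Printable text at offset 0: decoded packet summaries, not packet data.
        if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
            return ("text", 0)
        return ("unknown", 0)
    if len(data) < 24:                      # global header is 24 bytes
        return ("damaged", 0)
    offset, records = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):         # each record header is 16 bytes
            return ("damaged", records)
        _sec, _frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        # Bytes inserted or dropped in transit shift every later header, so the
        # lengths stop making sense or run past the end of the file.
        if incl_len > orig_len or offset + 16 + incl_len > len(data):
            return ("damaged", records)
        offset += 16 + incl_len
        records += 1
    return ("pcap", records)

def sample_pcap() -> bytes:
    """Constructed two-record capture; the payloads are arbitrary bytes, not real frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    payloads = [b"\x00\x01\x0a\x02", b"hello\n"]
    return header + b"".join(
        struct.pack("<IIII", 1, 0, len(p), len(p)) + p for p in payloads)

# Constructed text sample: the first summary line quoted in the question.
TEXT_SAMPLE = b"435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001\n"

if __name__ == "__main__":
    good = sample_pcap()
    print(inspect_capture(good))                           # intact capture
    print(inspect_capture(good.replace(b"\n", b"\r\n")))   # LF -> CRLF rewrite
    print(inspect_capture(TEXT_SAMPLE))                    # text output
```

Reading the real file with open(path, "rb").read() and passing the bytes in gives the same verdicts; comparing a checksum taken on both machines confirms whether the transfer changed the file.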




More information about the fedora-list mailing list