[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

SOLVED (was Re: reading capture file into ethereal)



On 4/28/05, Matt Morgan <minxmertzmomo gmail com> wrote:
> On 4/28/05, Matt Morgan <minxmertzmomo gmail com> wrote:
> > On 4/27/05, Leonard Isham <leonard isham gmail com> wrote:
> > > On 4/27/05, Matt Morgan <minxmertzmomo gmail com> wrote:
> > > > I have a debian server with no gui. I need to analyze some tcp traffic
> > > > there, so I ran tethereal and sent the output to a file in libpcap
> > > > format. Here are the first few lines of the output:
> > > >
> > > > 435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > > [SYN] Seq=2566198018 Ack=0 Win=5840 Len=0 MSS=1460 TSV=438910965
> > > > TSER=0 WS=0
> > > > 435.950570 192.168.4.11 -> jasmine.brooklynmuseum.org TCP 3001 > 59474
> > > > [SYN, ACK] Seq=3354128481 Ack=2566198019 Win=2047 Len=0 MSS=1024
> > > > 435.950640 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > > [ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=0
> > > > 435.951200 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > > [PSH, ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=5
> > > > 435.951280 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > > [FIN, PSH, ACK] Seq=2566198024 Ack=3354128482 Win=5840 Len=2
> > > >
> > > > I am no ethereal expert, but I thought that I should then be able to
> > > > take this file and open it in ethereal (the gui version) on my
> > > > workstation so I could analyze it. However, when I try, I get the
> > > > error
> > > >
> > > > 'The file "eth_output_3001" isn't a capture file in a format Ethereal
> > > > understands.'
> > > >
> > > > What am I doing wrong?
> > > >
> > >
> > > 1. Are they the same version?  I have seen some older versions (used
> > > by another person) create files that can't be read by newer versions.
> > > (not sure if it was the older version or an error on the part of the
> > > person that sent me the files)
> > >
> > > I'm going to guess that it bacame corrupted when transfering.  Did you
> > > use ftp and not set binary before transfering?
> >
> > Thanks, that's helpful. I didn't ftp it--actually I emailed it to
> > myself and I was able to see that it came through OK. But your first
> > guess seems to be right. On debian, 'tethereal -v' gets me
> >
> > tethereal 0.9.4, with GLib 1.2.10, with libpcap 0.6
> >
> > and on FC3 I get
> >
> > tethereal 0.10.10 Compiled with GLib 2.4.8, with libpcap 0.8.3
> >
> > In fact, when I compare captures on the two systems, I can tell they
> > look a little different. So I'm trying to figure out how to get FC3's
> > version to read an older version of libpcap, but none of the options
> > (rh6_1libpcap, suse6_3libpcap, modlibpcap, nokialibpcap) seem to work.
> > I guess I'll install ethereal manually on the debian server so I can
> > get a newer version.
> 
> I spoke too soon. I couldn't open these output files in an older
> version of ethereal either.
> 
> How am I supposed to be creating output files? I'm just using
> 
> tethereal [options] > outputfilename
> 
> Is that wrong?

OK, the option I want is 

-w savefile

silly me; they call an input file "infile" so I was grepping for "out"
and "outfile," etc. :-)


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]