reading capture file into ethereal

Matt Morgan minxmertzmomo at gmail.com
Thu Apr 28 17:11:19 UTC 2005


On 4/28/05, Matt Morgan <minxmertzmomo at gmail.com> wrote:
> On 4/27/05, Leonard Isham <leonard.isham at gmail.com> wrote:
> > On 4/27/05, Matt Morgan <minxmertzmomo at gmail.com> wrote:
> > > I have a debian server with no gui. I need to analyze some tcp traffic
> > > there, so I ran tethereal and sent the output to a file in libpcap
> > > format. Here are the first few lines of the output:
> > >
> > > 435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > [SYN] Seq=2566198018 Ack=0 Win=5840 Len=0 MSS=1460 TSV=438910965
> > > TSER=0 WS=0
> > > 435.950570 192.168.4.11 -> jasmine.brooklynmuseum.org TCP 3001 > 59474
> > > [SYN, ACK] Seq=3354128481 Ack=2566198019 Win=2047 Len=0 MSS=1024
> > > 435.950640 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > [ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=0
> > > 435.951200 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > [PSH, ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=5
> > > 435.951280 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > [FIN, PSH, ACK] Seq=2566198024 Ack=3354128482 Win=5840 Len=2
> > >
> > > I am no ethereal expert, but I thought that I should then be able to
> > > take this file and open it in ethereal (the gui version) on my
> > > workstation so I could analyze it. However, when I try, I get the
> > > error
> > >
> > > 'The file "eth_output_3001" isn't a capture file in a format Ethereal
> > > understands.'
> > >
> > > What am I doing wrong?
> > >
> >
> > 1. Are they the same version?  I have seen some older versions (used
> > by another person) create files that can't be read by newer versions.
> > (not sure if it was the older version or an error on the part of the
> > person that sent me the files)
> >
> > I'm going to guess that it became corrupted when transferring.  Did you
> > use ftp and not set binary before transferring?
> 
> Thanks, that's helpful. I didn't ftp it--actually I emailed it to
> myself and I was able to see that it came through OK. But your first
> guess seems to be right. On debian, 'tethereal -v' gets me
> 
> tethereal 0.9.4, with GLib 1.2.10, with libpcap 0.6
> 
> and on FC3 I get
> 
> tethereal 0.10.10 Compiled with GLib 2.4.8, with libpcap 0.8.3
> 
> In fact, when I compare captures on the two systems, I can tell they
> look a little different. So I'm trying to figure out how to get FC3's
> version to read an older version of libpcap, but none of the options
> (rh6_1libpcap, suse6_3libpcap, modlibpcap, nokialibpcap) seem to work.
> I guess I'll install ethereal manually on the debian server so I can
> get a newer version.

I spoke too soon. I couldn't open these output files in an older
version of ethereal either.

How am I supposed to be creating output files? I'm just using

tethereal [options] > outputfilename

Is that wrong?




More information about the fedora-list mailing list
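Added example, not from the thread and not written by any of the posters: a small POSIX shell check that tells a real libpcap capture (the file format `tethereal -w FILE` writes, and the one the ethereal GUI opens) apart from the text decode that `tethereal ... > FILE` leaves behind, by looking at the magic number in the first four bytes. The two sample files it builds are constructed for the example; tethereal itself is not run.

```shell
#!/bin/sh
# Added example (not from the original thread). Distinguish a libpcap/pcapng
# capture from a text decode by its magic number. Needs only POSIX sh, od, tr.

# is_capture_file FILE
# Exit 0 and name the format if FILE starts with a known capture-file magic
# number, exit 1 otherwise. Both byte orders are accepted: libpcap writes the
# header in the capturing host's native order, so a big-endian capture is
# still a valid file.
is_capture_file() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1) echo "libpcap (microsecond timestamps)"; return 0 ;;
        a1b23c4d|4d3cb2a1) echo "libpcap (nanosecond timestamps)"; return 0 ;;
        0a0d0d0a)          echo "pcapng"; return 0 ;;
        *) echo "not a capture file (first bytes: ${magic:-none})"; return 1 ;;
    esac
}

# make_samples DIR
# Write two constructed files into DIR (neither is a real capture):
#   DIR/eth_output_3001  mimics what `tethereal ... > file` produces: the
#                        one-line-per-packet text decode, not packet data.
#   DIR/empty.pcap       a 24-byte little-endian libpcap global header
#                        (magic d4c3b2a1, version 2.4, thiszone 0, sigfigs 0,
#                        snaplen 65535, linktype 1 = Ethernet) with no packet
#                        records; a reader opens it as an empty capture.
make_samples() {
    dir=$1
    printf '435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001 [SYN]\n' \
        > "$dir/eth_output_3001"
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' \
        > "$dir/empty.pcap"
}

# Stand-alone demo: build the samples in a temp dir and check both files.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for f in "$d/eth_output_3001" "$d/empty.pcap"; do
        printf '%s: ' "$f"
        is_capture_file "$f" || true
    done
    rm -rf "$d"
}
demo
```

On the headless box the capture has to be written with `tethereal -w FILE` (add `-i` and a capture filter as usual); standard output redirection only saves the human-readable decode, which no version of ethereal can open. The same `-w` file can be read back on the server with `tethereal -r FILE` before copying it over. `file FILE` gives a similar verdict where `file` is installed, since it knows the libpcap magic too.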