Re: Which versions of pcap files accept pcap_open_offline()?

[Guy Harris <guy () alum mit edu>]

vcarela wrote:

> The problem is that if I capture with wireshark a trace from my eth0
> connection and I save it as a "Wireshark/tcpdump/...-libpcap" file. Then
> when I run the sniffer with this pcap trace the sniffer runs properly. 
> But if I open a .erf trace from a DAG card with wireshark and I save it
> as a "Wireshark/tcpdump/...-libpcap" when I run this trace in the
> sniffer no packets are dispatched.

When read an ERF trace, save it with a recent build of Wireshark as a 
libpcap-format file, and run a (slightly modified, so it compiles) 
version of your program, it prints

        Error compilando el filtro 'ip'

without even trying to read the file.

Recent versions of Wireshark save ERF files as libpcap files with a 
packet type of DLT_ERF, and the filter compiler in libpcap doesn't 
support DLT_ERF.

What version of Wireshark did you use to convert the file?

This is presumably Linux (as you say the device was "eth0"); what does 
the "file" command say when you run it on the libpcap file you saved 
from Wireshark?

Did your sniffer print any errors, such as

        Error compilando el filtro 'ip'
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.