Wireshark mailing list archives

Re: Pcap file isn't a capture file in a format TShark understands


From: Guy Harris <guy () alum mit edu>
Date: Tue, 26 Jan 2010 16:21:31 -0800


On Jan 25, 2010, at 10:19 AM, kahou lei wrote:

The captured file is generated by our company software. Basically it is captured by our networking equipment and 
then it will be saved via our company software (by writing libpcap format and the binary to the file). It has been 
working fine.

Actually, it's not writing standard libpcap format, it's writing "nanosecond precision" libpcap format.  See below.

[thot@REGRES-EL3 tshark]$ capinfos udp.pcap
File name: udp.pcap
File type: Wireshark - nanosecond libpcap

OK, that's not a standard libpcap file, so it's not surprising that tcpdump didn't like it.  Currently, libpcap doesn't 
support those files, so no libpcap-based tool will be able to read them.

However, if you used a magic number of 0xa1b23c4d, *Shark 0.99.7 does include code to read those files, so it's 
surprising that tchui1-rhel3 can't read them, given that the tshark you tested there:

[thot@tchui1-rhel3 tshark]$ ./tshark -v
TShark 0.99.7

is 0.99.7.

However, I note that you did "./tshark" there, but just ran "tshark" on the machine that could read the files:

[thot@REGRES-EL3 thot]$ tshark -v
TShark 0.99.7


What happens on tchui1-rhel3 if you run the command "tshark -v" - *not* "./tshark -v", just "tshark -v" - from a 
directory other than the Wireshark source directory?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
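The distinction Guy draws above, between the standard libpcap magic and the 0xa1b23c4d "nanosecond libpcap" magic, can be checked without tshark or capinfos by reading the 24-byte global header. The script below is an added example, not code from this thread or from the Wireshark/libpcap projects: it classifies a file by magic number (trying both byte orders, as libpcap does), walks the packet records, and can rewrite a nanosecond-magic file as a standard microsecond one so that tools built on a libpcap without nanosecond support can read it. The sample capture it builds is constructed inline (one dummy Ethernet frame repeated twice) and is not a real capture; the hypothetical header layouts follow the documented libpcap file format.

```python
"""Identify the libpcap timestamp variant of a capture and convert to standard
microsecond pcap.  Added example; assumes the documented libpcap file layout."""
import struct
import sys

PCAP_MAGIC_USEC = 0xA1B2C3D4   # standard libpcap: microsecond timestamp fraction
PCAP_MAGIC_NSEC = 0xA1B23C4D   # "nanosecond libpcap": the magic cited in the mail
GLOBAL_HEADER_LEN = 24         # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16         # ts_sec, ts_frac, incl_len, orig_len


def identify_pcap(data):
    """Return (endian, nanosecond) for a pcap blob, judged by its magic number.

    endian is the struct prefix ('<' or '>') needed to read the rest of the
    file.  Both byte orders are tried because the magic is how a reader
    detects a byte-swapped file in the first place.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic == PCAP_MAGIC_USEC:
            return endian, False
        if magic == PCAP_MAGIC_NSEC:
            return endian, True
    raise ValueError("not a libpcap file (magic bytes %s)" % data[:4].hex())


def iter_records(data):
    """Yield (ts_sec, ts_frac, orig_len, packet_bytes) for every record.

    ts_frac is left in the file's native unit: microseconds for the standard
    magic, nanoseconds for 0xa1b23c4d.  Truncated or trailing bytes raise.
    """
    endian, _ = identify_pcap(data)
    offset = GLOBAL_HEADER_LEN
    while offset + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN
        if offset + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % offset)
        yield ts_sec, ts_frac, orig_len, data[offset:offset + incl_len]
        offset += incl_len
    if offset != len(data):
        raise ValueError("trailing bytes after the last record")


def to_microsecond_pcap(data):
    """Rewrite a nanosecond-magic pcap as a standard microsecond pcap.

    Only the magic and each record's fractional timestamp change; packet
    bytes and lengths are copied verbatim, so the only loss is the
    sub-microsecond digits.  A file that is already standard is returned as-is.
    """
    endian, nanosecond = identify_pcap(data)
    if not nanosecond:
        return data
    out = bytearray(struct.pack(endian + "I", PCAP_MAGIC_USEC))
    out += data[4:GLOBAL_HEADER_LEN]          # version, thiszone, sigfigs, snaplen, linktype
    for ts_sec, ts_nsec, orig_len, packet in iter_records(data):
        out += struct.pack(endian + "IIII", ts_sec, ts_nsec // 1000,
                           len(packet), orig_len)
        out += packet
    return bytes(out)


def build_sample_nanosecond_pcap():
    """Constructed sample: little-endian nanosecond pcap, linktype 1 (Ethernet),
    two records carrying the same dummy 14-byte frame.  Not a real capture."""
    frame = bytes.fromhex("ffffffffffff" "000000000001" "0800")
    header = struct.pack("<IHHiIII", PCAP_MAGIC_NSEC, 2, 4, 0, 0, 65535, 1)
    rec1 = struct.pack("<IIII", 1264460000, 123_456_789, len(frame), len(frame)) + frame
    rec2 = struct.pack("<IIII", 1264460000, 999_999_999, len(frame), len(frame)) + frame
    return header + rec1 + rec2


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_nanosecond_pcap()
    endian, nanosecond = identify_pcap(blob)
    print("byte order: %s, timestamps: %s" % (
        "little-endian" if endian == "<" else "big-endian",
        "nanosecond (0xa1b23c4d)" if nanosecond else "microsecond (standard)"))
    print("records:", sum(1 for _ in iter_records(blob)))
```

Running it with a capture path prints the same verdict capinfos gives as "File type"; without arguments it inspects the constructed sample. Converting with to_microsecond_pcap and writing the result out is the fallback when a tool linked against a libpcap without nanosecond support refuses the original file.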
