Wireshark mailing list archives

Re: *.pcap file?


From: Guy Harris <guy () alum mit edu>
Date: Sat, 25 Aug 2012 23:22:21 -0700


On Aug 25, 2012, at 8:56 PM, hadi motamedi wrote:

> Please be informed that the outputs are as follows:

        ...

> # od -bc /tmp/mss0-pps.pcap | head
> 0000000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>          \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
> *

That is not even remotely close to being a pcap file.  I have *no* idea what programs other than tcpdump wrote to that file, but either

        1) you have a very buggy version of tcpdump on your machine;

        2) tcpdump is using a very buggy version of libpcap on your machine;

        3) some *other* program wrote to that file and damaged it beyond repair.

In any case, there is almost certainly nothing you can do to get packet data from that capture.  I would suggest that you delete the file, try another capture, and if the same problem occurs, file a bug with the CentOS developers.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
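
Added example, not part of the original message or of Wireshark/libpcap: a header check showing why the od output above rules out a pcap file, since a classic pcap file starts with a 24-byte header whose first four bytes are a magic number. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# Magic numbers as they appear in the first 4 bytes on disk.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "big", "microsecond"),
    b"\xd4\xc3\xb2\xa1": ("<", "little", "microsecond"),
    b"\xa1\xb2\x3c\x4d": (">", "big", "nanosecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "little", "nanosecond"),
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type
HEADER_LEN = 24                   # size of the classic pcap file header

def classify_capture(data: bytes) -> dict:
    """Classify a capture file from its leading bytes."""
    head = data[:HEADER_LEN]
    if len(head) < 4:
        return {"format": "truncated", "detail": f"only {len(head)} bytes"}
    magic = head[:4]
    if magic == PCAPNG_SHB:
        return {"format": "pcapng"}
    if magic in PCAP_MAGICS:
        if len(head) < HEADER_LEN:
            return {"format": "truncated", "detail": "pcap header cut short"}
        fmt, order, resolution = PCAP_MAGICS[magic]
        # version major/minor, thiszone, sigfigs, snaplen, link-layer type
        major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            fmt + "HHiIII", head[4:])
        return {"format": "pcap", "byte_order": order,
                "resolution": resolution, "version": (major, minor),
                "snaplen": snaplen, "linktype": linktype}
    if not any(head):
        # The case in this thread: od shows nothing but zero bytes.
        return {"format": "not-pcap", "detail": "header is all zero bytes"}
    return {"format": "not-pcap", "detail": "unknown magic " + magic.hex()}

def classify_file(path: str) -> dict:
    """Read only the header of the file at `path` and classify it."""
    with open(path, "rb") as fh:
        return classify_capture(fh.read(HEADER_LEN))

# Constructed samples: a zero-filled file like the one dumped above, and a
# well-formed little-endian header (version 2.4, snaplen 65535, Ethernet).
ZEROED = bytes(32)
VALID = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    print(classify_capture(ZEROED))
    print(classify_capture(VALID))
```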

