File type is neither a supported pcap nor pcapng format

asked 2024-06-27 08:14:33 +0000 by Harsh, updated 2024-06-27 08:41:50 +0000 by grahamb

Hello Experts,

I am hoping for some help here regarding the error I get when I try to pipe tcpdump output to Wireshark on my Mac. I am running the following command and getting this error.

ssh <username>@sw "tcpdump -s 0 -Un -w - -i et1" -batch | wireshark -k -i -

 (wireshark:35822) 01:03:45.418531 [GUI WARNING] -- Populating font family aliases took 147 ms. Replace uses of missing font family ".AppleSystemUIFont" with one that exists to avoid this cost.
 (wireshark:35822) 01:03:46.303276 [Capture MESSAGE] -- Capture Start ...
 (wireshark:35822) 01:03:46.850295 [Capture MESSAGE] -- Error message from child: "File type is neither a supported pcap nor pcapng format. (magic = 0x74203e0a)", "Please report this to the developers of the program writing to the pipe."
 (wireshark:35822) 01:03:50.123431 [Capture MESSAGE] -- Capture stopped.
 (wireshark:35822) 01:03:50.123547 [Capture WARNING] ui/capture.c:722 -- capture_input_closed():

I am running the latest version of Wireshark, 4.2.5.

Thanks for your help.


Comments

Not sure what that "-batch" parameter is for/doing?

Jaap (2024-06-27 10:50:06 +0000)

0x74203e0a = t > cr
Looks like extra characters.

root@ubuntu1:~# tcpdump -s 0 -Un -w - -i eth0 | hexdump
tcpdump: 0000000 c3d4 a1b2 0002 0004 0000 0000 0000 0000
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
0000010 0000 0004 0001 0000 4c88 667d 56fc 0003
0000020 00a6 0000 00a6 0000 de74 972b 6e2c 0c00

tcpdump suppress console output in script & write to file

root@ubuntu1:~# tcpdump -s 0 -Un -w - -i eth0 2> /dev/null | hexdump
0000000 c3d4 a1b2 0002 0004 0000 0000 0000 0000
0000010 0000 0004 0001 0000 4d8e 667d 48a4 0008
0000020 00a6 0000 00a6 0000 de74 972b 6e2c 0c00

Pipe the ssh output to hexdump (or similar hex output program) and look for the magic numbers:
Magic numbers for supported capture files for Wireshark

Chuckc (2024-06-27 11:35:58 +0000)
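An added helper, not part of the thread, that does the check Chuckc describes in code: it classifies the first four bytes of a piped stream against the pcap and pcapng magic numbers, renders them the way hexdump -C would, and turns a magic value quoted in a Wireshark error back into the bytes it could stand for in either byte order (Wireshark prints the value as an integer, so which order matches the stream depends on the host; both are shown). The sample header bytes are constructed from the hexdump output above.

```python
import struct
import sys

# Known capture-file magic numbers, as the raw bytes at offset 0 of the stream.
MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap, big-endian, microsecond timestamps",
    b"\xd4\xc3\xb2\xa1": "pcap, little-endian, microsecond timestamps",
    b"\xa1\xb2\x3c\x4d": "pcap, big-endian, nanosecond timestamps",
    b"\x4d\x3c\xb2\xa1": "pcap, little-endian, nanosecond timestamps",
    b"\x0a\x0d\x0d\x0a": "pcapng (Section Header Block)",
}

# Constructed sample: first 24 bytes of the little-endian pcap header that the
# hexdump in the comment shows (hexdump without -C prints 16-bit words, so the
# word "c3d4" is the byte pair d4 c3 on the wire). snaplen 262144, linktype 1.
PCAP_LE_HEADER = bytes.fromhex("d4c3b2a1" "02000400" "00000000" "00000000" "00000400" "01000000")


def printable(raw: bytes) -> str:
    """Render bytes the way hexdump -C does: '.' for anything non-printable."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def classify_stream(data: bytes) -> dict:
    """Look at the first four bytes of a capture stream and name the format."""
    head = data[:4]
    if len(head) < 4:
        return {"format": "empty or truncated stream", "hex": head.hex(), "ascii": printable(head)}
    fmt = MAGICS.get(head, "not a capture file: leading bytes are text or noise")
    return {"format": fmt, "hex": head.hex(), "ascii": printable(head)}


def decode_reported_magic(magic: int) -> dict:
    """Show the bytes a magic value from the Wireshark error could represent.
    The error prints a 32-bit integer; depending on how the host assembled it,
    the stream began with either the big-endian or the little-endian byte order."""
    return {
        "bytes_if_big_endian": printable(struct.pack(">I", magic)),
        "bytes_if_little_endian": printable(struct.pack("<I", magic)),
    }


if __name__ == "__main__":
    if not sys.stdin.isatty():
        # e.g.  ssh host "tcpdump -s 0 -Un -w - -i eth0 -c 1" | python3 magic.py
        print(classify_stream(sys.stdin.buffer.read(4)))
    else:
        print(classify_stream(PCAP_LE_HEADER))
        print(classify_stream(b"t >\n"))                # the bytes Chuckc decoded
        print(decode_reported_magic(0x74203E0A))        # value from the question's error
```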

Do you mean to run ssh with -o BatchMode=yes or similar? I am not aware of a version that takes a flag -batch.

johnthacker (2024-06-27 15:41:06 +0000)

For testing purposes you might want to limit tcpdump output to just one packet with the -c 1 option and direct the ssh output to the hexdump utility on the macOS system itself:

ssh <username>@sw "tcpdump -s 0 -Un -w - -i et1 -c 1" -batch | LC_ALL=C hexdump -C

Jim Young (2024-06-27 19:27:58 +0000)

1 Answer


answered 2024-06-27 19:04:32 +0000 by Jim Young, updated 2024-06-27 19:06:56 +0000

We see no stderr messages from the remote side of the ssh session, perhaps implying that the unknown -batch parameter is suppressing or redirecting stderr messages to stdout, making it harder to see what is wrong.

Confirm that tcpdump is in the $PATH of the shell spawned by ssh on your remote device and that the userid has permission to run tcpdump.

Compare the output of this failed tcpdump command (where we see a bash error message from the remote side):

% ssh ntppi.local. tcpdump -i wlan0 -s 0 -U -w - -c 1 | tshark -i -
Capturing on 'Standard input'
bash: tcpdump: command not found
tshark: End of file on pipe magic during open.
0 packets captured
%

With this successful command (where I used sudo tcpdump):

% ssh ntppi.local. sudo tcpdump -i wlan0 -s 0 -U -w - -c 1 | tshark -i - 
Capturing on 'Standard input'
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
1 packet captured
3 packets received by filter
0 packets dropped by kernel
    1    0.000000 fe80::123:b28b:5ec9:ec65 → fe80::8be:fe4a:b13d:3dd1 SSH 270    0xedb6 Good 0xedb6 8bd2bb92edad14befdec64f73603ab91 0 22 60544  100426379 Server: Encrypted packet (len=184)
1 packet captured

With this successful command:

% ssh ntppi.local. sudo tcpdump -i wlan0 -s 0 -U -w - -c 1 | Wireshark -k -i -
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
 ** (wireshark:86816) 14:41:01.187675 [MATE MESSAGE] -- initialize_mate: entering
1 packet captured
3 packets received by filter
0 packets dropped by kernel
 ** (wireshark:86816) 14:41:01.234288 [Capture MESSAGE] -- Capture Start ...
 ** (wireshark:86816) 14:41:01.336244 [Capture MESSAGE] -- Capture started
 ** (wireshark:86816) 14:41:01.336276 [Capture MESSAGE] -- File: "/var/folders/wk/rjxg8gjs2zl8j_0xgwnn1y9r0000gn/T/wireshark_Standard inputYHRVP2.pcapng"
 ** (wireshark:86816) 14:41:01.402738 [Capture MESSAGE] -- Capture stopped.

In these latter two examples tcpdump's stderr status messages do not stop tshark and wireshark from successfully reading from stdin.
