Hi, I have Wireshark 1.8.6 on an x86 platform. When I try to open a large .pcap file (>3 MB), it gives an "Unrecognized libpcap format" error. I am sending input to Wireshark via a pipe. Below is the CLI command:
The reason for using pipe input is that the pcap file is being generated at run time with real traffic on the node. Does Wireshark 1.8.6 not support large pcap files? Any help on this is appreciated. asked 21 Aug '13, 04:49 KumarM edited 22 Aug '13, 08:23 cmaynard ♦♦ |
4 Answers:
"tail -f" will start to read the whole file, display the last 10 lines of the file and then list any new lines appended to the file. So if your file does not contain 10 newlines yet in the binary data, "tail -f" will indeed send the file header to Wireshark. If it does already contain 10 newlines, the first lines will be skipped, and so will the file header. Workaround: use answered 21 Aug '13, 12:50 SYN-bit ♦♦ |
Pcap files have, at the beginning, a file header that indicates that the file is a pcap file and specifies, among other things, the link-layer header type for the packets in the file. (And pcap-ng files have, at the beginning, several data blocks that provide equally-necessary information.) Using the So it is impossible to use the Therefore, you must not use Instead, you would need to do something such as find or write a program that reads a file in its entirety and writes it to the standard output and, when it reaches the end of the file, waits for the file to get longer and, when it does, reads the new data and writes it out. I don't know whether any such programs exist; if not, you will have to write it. Alternatively, if whatever program is writing that pcap file can be made to write to a named pipe, you could create a named pipe, have it write to that pipe, and run Wireshark with the Or, if the program can write the pcap file to its standard output, you could run it, have it write to its standard output and pipe its output to answered 21 Aug '13, 13:12 Guy Harris ♦♦ |
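The "read the whole file, then wait for it to grow" program described in the answer above, written here as an added example (it is not code from the thread or from Wireshark). It also shows why a stream that skips the 24-byte global header is unrecognizable: the format is decided by the first four bytes. `classify_header`, `follow_from_start`, the `stop_when` hook and `demo` are hypothetical names, and the sample pcap bytes are constructed, not captured traffic.

```python
import io
import os
import struct
import tempfile
import time

# First four bytes decide the format: pcap magics (both byte orders, us/ns) or the pcapng SHB type.
PCAP_MAGICS = {0xa1b2c3d4, 0xd4c3b2a1, 0xa1b23c4d, 0x4d3cb2a1}
PCAPNG_SHB_TYPE = 0x0a0d0d0a

def classify_header(first_bytes):
    """Return 'pcap', 'pcapng' or 'unknown' for the first four bytes of a stream."""
    if len(first_bytes) < 4:
        return "unknown"
    magic = struct.unpack("<I", first_bytes[:4])[0]
    if magic in PCAP_MAGICS:
        return "pcap"
    return "pcapng" if magic == PCAPNG_SHB_TYPE else "unknown"

def follow_from_start(path, out, poll=0.2, stop_when=None):
    """Copy a growing file to `out` from byte 0 (never skipping the header, unlike
    `tail -f`), then keep appending; `stop_when(sent)` is a hypothetical test hook."""
    sent = 0
    with open(path, "rb") as src:
        while True:
            chunk = src.read(65536)
            if chunk:
                out.write(chunk)
                out.flush()
                sent += len(chunk)
            elif stop_when is not None and stop_when(sent):
                return sent
            else:
                time.sleep(poll)  # at EOF: wait for the writer to append more

# Constructed sample (not real traffic): 24-byte pcap global header with
# LINKTYPE_ETHERNET = 1, one 16-byte record header and a 4-byte dummy frame.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1377086400, 0, 4, 4) + b"\xde\xad\xbe\xef")

def demo():
    """(format seen from byte 0, format seen if the header was skipped, exact copy?)"""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_PCAP)
    out = io.BytesIO()
    follow_from_start(path, out, poll=0, stop_when=lambda n: n >= len(SAMPLE_PCAP))
    os.unlink(path)
    return (classify_header(SAMPLE_PCAP[:4]), classify_header(SAMPLE_PCAP[24:28]),
            out.getvalue() == SAMPLE_PCAP)
```

Run without `stop_when` and with `out=sys.stdout.buffer`, piped into `wireshark -k -i -`, it behaves like the follow-from-byte-0 reader the answer asks for.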
The problem is that you need to send the whole file to Wireshark, not just a section, I think. Hence Wireshark thinks the file is broken, as the header(s) are missing. answered 21 Aug '13, 08:22 Anders ♦ |
How is The default capture file format with 1.8 is pcapng, but Wireshark has problems reading that type of file from a pipe it seems, so assuming it's dumpcap doing the capturing, you could use the
If it's tcpdump, (or something else) doing the capturing, then you'll likely need to provide additional information. answered 21 Aug '13, 08:54 cmaynard ♦♦ edited 22 Aug '13, 08:11 |
Thanks for pointing that out, but I don't think that's the biggest problem. I believe that you still need to ensure that the file is written in pcap format and not in pcapng format. For example, on Windows I do this:
Cmd:
dumpcap.exe -P -i 4 -w pcap-pipe-file
cygwin:
tail -c +0 -f pcap-pipe-file | Wireshark.exe -k -i -
As I indicated in my answer, if I don't use -P, then this always fails.
True, but since the OP was having good results when the file was still small, I assumed that the file was already in pcap format :-)
(and thanks for the "-c +0", something learned for today :-))
but since the OP was having good results when the file was still small
Well, this too is an assumption since there was no explicit mention of it working with small files. Maybe only big files were tried?
thanks for the "-c +0"
You're welcome. Every once in a while the padawan teaches the master something. :)