Hello everyone, I'd captured 12 files in .pcap format. All are working fine except 2. I'm getting the following error: "The file "ttt.pcap" isn't a capture file in a format Wireshark understands." All the files were captured in the same scenario, under the same conditions and with the same command. The only apparent difference between the files that are working fine and the files that are not working is the size. The files that I could not open are of size 11.2 MB and 3.14 MB; the rest of the files are of size from 1.2 MB to 1.7 MB. Does the size really matter in opening the file, or is there something else which I could not figure out? A prompt response will be highly appreciated.
asked 11 Mar '14, 00:31 Javeeria Jalil
File 2 might be damaged in some way. Did you open it on the same system where the capture was done, or did you copy it off that system (FTP?)? Did you use Wireshark/tshark/dumpcap to write the file? What version?
If on a Unix-like system, what does
file path/to/bad/pcap
show?
@Anders sir, there are 2 files out of 12 which are not working. I simulated a scenario on VMware with virtual machines, making a VoIP call and capturing it. The captured .pcap file is then moved to another system with the Windows 7 operating system and Wireshark installed. I do not even use Wireshark to capture the file, but a Linux command to simply capture the packets and place them in a file of .pcap format. I'd done the same for every file (12 files in total). Out of 12, 10 are working perfectly; only 2 are not working, in fact they do not get opened.
What is the output of capinfos for the two 'damaged' files?
How did you move those files?
Sir, simply copying and pasting, using a portable flash drive. Is there some special way to move? By "move" I mean I then take the file to a system with Wireshark installed.
There are problems when the move of the file is done via FTP, depending on the transfer mode, which can damage the file. Moving the file via flash drive should not be a problem.
As Kurt suggested, can you run the 'capinfos' CLI command against the file? What is the result?
What do you mean by "copying and pasting"? When you copy the file from the machine on which you captured the file onto a flash drive plugged into that machine, are the two files (the one from which you copied, and the copy on the flash drive) the exact same size, in bytes?
What happens if you open those two files with tcpdump on the Linux machine where you captured them?
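An added example, not part of the original thread: a minimal Python check of the classic pcap layout that reports whether a file starts with a known capture magic number and whether every record fits inside the file, so an incomplete copy shows up as truncation. The sample bytes are constructed, and the names `check_pcap`, `SAMPLE` and the 262144-byte ceiling are assumptions of this sketch.

```python
import struct

# First four bytes on disk -> (description, struct byte-order prefix).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("pcap, microsecond timestamps", "<"),
    b"\xa1\xb2\xc3\xd4": ("pcap, microsecond timestamps", ">"),
    b"\x4d\x3c\xb2\xa1": ("pcap, nanosecond timestamps", "<"),
    b"\xa1\xb2\x3c\x4d": ("pcap, nanosecond timestamps", ">"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
MAX_PLAUSIBLE_LEN = 262144  # assumed sanity ceiling for one record

def check_pcap(data):
    """Return (status, number_of_complete_records) for raw capture bytes."""
    if data[:4] == PCAPNG_MAGIC:
        return ("pcapng (records not walked here)", 0)
    if data[:4] not in MAGICS:
        return ("unrecognized magic number", 0)
    if len(data) < 24:
        return ("truncated file header", 0)
    endian = MAGICS[data[:4]][1]
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    offset, count = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            return ("truncated record header", count)
        incl_len, orig_len = struct.unpack(endian + "II", data[offset + 8:offset + 16])
        if incl_len > orig_len or incl_len > max(snaplen, MAX_PLAUSIBLE_LEN):
            return ("implausible record length at offset %d" % offset, count)
        if offset + 16 + incl_len > len(data):
            return ("truncated packet data", count)
        offset += 16 + incl_len
        count += 1
    return ("ok", count)

# Constructed sample: a little-endian header plus two 4-byte records.
_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
_REC = struct.pack("<IIII", 1394497860, 0, 4, 4) + b"\x01\x02\x03\x04"
SAMPLE = _HDR + _REC + _REC

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(check_pcap(blob))
```

Run against both the original file on the capture machine and the copy on the flash drive; differing results point at the copy rather than the capture.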