Wireshark · Ethereal-dev: Re: [ethereal-dev] Sample captures and an idea

Ethereal-dev: Re: [ethereal-dev] Sample captures and an idea

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>

Date: Fri, 11 Feb 2000 20:46:59 -0800

> That's because the file appears to be damaged or corrupt after the
> eighth frame; after gunzipping it, if I try to run "tcpdump" on it, I
> get:
> 
> 	tcpdump: pcap_loop: bogus savefile header
> 
> so it's not as if it's just Ethereal that doesn't like it.

The file appears to have had one byte removed from it at an offset of
0x369; the libpcap header for the packet that would include that byte
implies that it's 89 bytes long, and the IP header's total length field
is 75, and it's an Ethernet packet so the MAC header is 14 bytes, and
75+14 = 89, but the byte in question is part of the beginning of the
next packet's libpcap header.

References:
- [ethereal-dev] Sample captures and an idea
  - From: andreas . sikkema
- Re: [ethereal-dev] Sample captures and an idea
  - From: Guy Harris

Prev by Date: Re: [ethereal-dev] Ethereal crash
Next by Date: Re: [ethereal-dev] An idea
Previous by thread: Re: [ethereal-dev] Sample captures and an idea
Next by thread: Re: [ethereal-dev] Sample captures and an idea
Index(es):
- Date
- Thread