Ethereal-users: Re: [Ethereal-users] Slow packet capture from file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 23 Oct 2001 23:59:00 -0700
On Tue, Oct 23, 2001 at 07:18:22PM -0700, Chris Robertson wrote:
> Ok, the process was to run a tcpdump and capture that to a file (ie tcpdump
> > /tmp/tcpdump.file) on one machine,

"tcpdump >/tmp/tcpdump.file" will produce a text file that cannot be
read by Ethereal.  If you want to produce, with tcpdump, a file that can
be read by Ethereal, do

	tcpdump -s 65535 -w /tmp/tcpdump.file

("-s 65535" makes sure that tcpdump doesn't just cut off the packets at
68 bytes or so).

> on a second machine run snoop -v -o /tmp/snoop.file.

I'm not sure what that'll produce, but if you want to produce, with
snoop, a file that can be read by Ethereal, do

	snoop -o /tmp/snoop.file

without the "-v" flag.  ("-s" isn't necessary, as snoop defaults to
saving all the data in packets.)

> Ftp the second file to the original machine, cat
> tcpdump.file > capture.tmp; cat snoop.file >> capture.tmp.

That will produce a file that's half tcpdump file, and half snoop file;
it won't be readable by tcpdump, or snoop, or Ethereal, or, I suspect,
any capture file on the planet.

It also doesn't even make sense if the two captures were happening at
the same time; if you want that, you'd want to do a time-sorted merge of
the files, with the "mergecap" program that comes with Ethereal. 
"mergecap" can read any capture file format that Ethereal can read, so
it can read both tcpdump and snoop capture files; the resulting file
will, by default, be in tcpdump format, which should work fine.

> Fire up Ethereal, start the capture from (ie ctrl-K) /tmp/capture.tmp.

That doesn't start the capture *from* "/tmp/capture.tmp".

Control-K pops up a dialog box you use to capture *from* a network
interface, writing *TO* a file.

I.e., if you typed control-K, put "/tmp/capture.tmp" into the "File:"
box, and clicked "OK", it'd *overwrite* "/tmp/capture.tmp", throwing
away whatever stuff was in there before.

I.e., as I suspected, you *weren't* reading from the capture file, you
were doing a live capture - the strace file indicates that the
"recvfrom()" calls were done on a file descriptor that was a PF_PACKET
socket, which is the type of socket used for captures.

So packets will show up at the rate that Ethereal sees them on whatever
network you were capturing; if 5 packets were arriving per second on
that network, that's what you'd see.

So, what you should've done is:

	run "tcpdump -s 65535 -w /tmp/tcpdump.file" on the first machine
	and "snoop -o /tmp/snoop.file" on the second machine;

	when you were done running tcpdump and snoop, copy both files
	onto some machine with Ethereal (including mergecap) on it, and
	run "mergecap -w merged.file tcpdump.file snoop.file";

	run "ethereal -r merged.file" when "mergecap" completed.
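The points above (a text dump is not a capture file, a default snaplen truncates packets, `cat` of two captures is unreadable, a time-sorted merge is what mergecap does) can be seen concretely with a small libpcap reader/writer. The following is an added example, not code from Guy Harris's message or from the Ethereal/mergecap project. It assumes both inputs are libpcap files with the same link type (real snoop output is a separate format that mergecap reads and this toy merge does not), and all sample data is constructed inline.

```python
import struct

# libpcap magic, as read little-endian: a LE-written file gives the first value,
# a BE-written file the byte-swapped second one.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
SNOOP_MAGIC = b"snoop\x00\x00\x00"
LINKTYPE_ETHERNET = 1


def identify_format(data):
    """Classify a would-be capture file: 'libpcap', 'snoop', 'text' or 'unknown'.
    'tcpdump > file' yields 'text', which Ethereal cannot read."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] in (PCAP_MAGIC_LE, PCAP_MAGIC_BE):
        return "libpcap"
    if data.startswith(SNOOP_MAGIC):
        return "snoop"
    sample = data[:512]
    if sample and all(b in b"\t\n\r" or 0x20 <= b < 0x7F for b in sample):
        return "text"
    return "unknown"


def write_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialize (ts_sec, ts_usec, payload) tuples as a little-endian libpcap file.
    Like tcpdump's -s, snaplen caps the bytes stored per packet; orig_len keeps the wire size."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, payload in packets:
        stored = payload[:snaplen]
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(stored), len(payload)) + stored)
    return b"".join(out)


def read_pcap(data):
    """Parse a libpcap file into (snaplen, linktype, [(ts_sec, ts_usec, incl_len, orig_len, payload)]).
    Raises ValueError on a bad magic or a record that runs past the end of the file."""
    if len(data) < 24:
        raise ValueError("file shorter than a libpcap header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("bad magic 0x%08x: not a libpcap file" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        payload = data[off + 16:off + 16 + incl_len]
        if len(payload) != incl_len:
            raise ValueError("record at offset %d claims %d bytes but the file ends first" % (off, incl_len))
        records.append((ts_sec, ts_usec, incl_len, orig_len, payload))
        off += 16 + incl_len
    return snaplen, linktype, records


def is_valid_pcap(data):
    """True if the whole file parses; a 'cat a b' file fails because b's header is read as records."""
    try:
        read_pcap(data)
        return True
    except ValueError:
        return False


def truncated_packets(data):
    """Count records whose stored bytes are fewer than the wire length (what a small snaplen does)."""
    return sum(1 for _, _, incl, orig, _ in read_pcap(data)[2] if incl < orig)


def merge_pcaps(*files):
    """Time-sorted merge of libpcap files, the operation mergecap performs.
    Toy assumption: all inputs share one link type; mergecap handles the general case."""
    snaplen, linktype, merged = 0, None, []
    for data in files:
        s, lt, recs = read_pcap(data)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("link types differ; this toy merge does not handle that")
        snaplen = max(snaplen, s)
        merged.extend(recs)
    merged.sort(key=lambda r: (r[0], r[1]))  # stable sort: equal timestamps keep input order
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)]
    out += [struct.pack("<IIII", s, us, incl, orig) + p for s, us, incl, orig, p in merged]
    return b"".join(out)


# Constructed sample data, not real traffic. Timestamps are epoch seconds in Oct 2001.
TCPDUMP_SIDE = write_pcap([(1003900000, 100, b"\xaa" * 120), (1003900002, 0, b"\xbb" * 90)])
SECOND_SIDE = write_pcap([(1003900001, 500, b"\xcc" * 70)])  # stands in for the snoop-side capture
TEXT_DUMP = b"23:59:00.123456 10.0.0.1.1234 > 10.0.0.2.80: S 1:1(0) win 5840\n"  # 'tcpdump > file'

if __name__ == "__main__":
    print(identify_format(TEXT_DUMP), identify_format(TCPDUMP_SIDE))       # text libpcap
    print(is_valid_pcap(TCPDUMP_SIDE + SECOND_SIDE))                         # False
    merged = merge_pcaps(TCPDUMP_SIDE, SECOND_SIDE)
    print([r[0] for r in read_pcap(merged)[2]])                              # sorted timestamps
    print(truncated_packets(write_pcap([(0, 0, b"x" * 120)], snaplen=68)))  # 1
```

Running it shows the concatenated file failing at the point where the second file's 24-byte header is consumed as packet records, while the merged file parses cleanly with packets in timestamp order; the last line shows a 120-byte packet stored under a 68-byte snaplen, which is the loss "-s 65535" avoids.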