Ethereal-users: RE: [Ethereal-users] Slow packet capture from file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Chris Robertson <Chris.Robertson@xxxxxxxxxxx>
Date: Wed, 24 Oct 2001 10:20:42 -0700
Ok, I feel a bit like a dummy... Let me give that a try and I'm guessing it
will do what I wanted it to in the first place.  Thanks for the help.

Chris

> -----Original Message-----
> From: Guy Harris [mailto:gharris@xxxxxxxxx]
> Sent: Tuesday, October 23, 2001 11:59 PM
> To: Chris Robertson
> Cc: ethereal-users@xxxxxxxxxxxx
> Subject: Re: [Ethereal-users] Slow packet capture from file
> 
> 
> On Tue, Oct 23, 2001 at 07:18:22PM -0700, Chris Robertson wrote:
> > Ok, the process was to run a tcpdump and capture that to a 
> file (ie tcpdump
> > > /tmp/tcpdump.file) on one machine,
> 
> "tcpdump >/tmp/tcpdump.file" will produce a text file that cannot be
> read by Ethereal.  If you want to produce, with tcpdump, a 
> file that can
> be read by Ethereal, do
> 
> 	tcpdump -s 65535 -w /tmp/tcpdump.file
> 
> ("-s 65535" makes sure that tcpdump doesn't just cut off the 
> packets at
> 68 bytes or so).
> 
> > on a second machine run snoop -v -o /tmp/snoop.file.
> 
> I'm not sure what that'll produce, but if you want to produce, with
> snoop, a file that can be read by Ethereal, do
> 
> 	snoop -o /tmp/snoop.file
> 
> without the "-v" flag.  ("-s" isn't necessary, as snoop defaults to
> saving all the data in packets.)
> 
> > Ftp the second file to the original machine, cat
> > tcpdump.file > capture.tmp; cat snoop.file >> capture.tmp.
> 
> That will produce a file that's half tcpdump file, and half 
> snoop file;
> it won't be readable by tcpdump, or snoop, or Ethereal, or, I suspect,
> any capture file on the planet.
> 
> It also doesn't even make sense if the two captures were happening at
> the same time; if you want that, you'd want to do a 
> time-sorted merge of
> the files, with the "mergecap" program that comes with Ethereal. 
> "mergecap" can read any capture file format that Ethereal can read, so
> it can read both tcpdump and snoop capture files; the resulting file
> will, by default, be in tcpdump format, which should work fine.
> 
> > Fire up Ethereal, start the capture from (ie ctrl-K) 
> /tmp/capture.tmp.
> 
> That doesn't start the capture *from* "/tmp/capture.tmp".
> 
> Control-K pops up a dialog box you use to capture *from* a network
> interface, writing *TO* a file.
> 
> I.e., if you typed control-K, put "/tmp/capture.tmp" into the "File:"
> box, and clicked "OK", it'd *overwrite* "/tmp/capture.tmp", throwing
> away whatever stuff was in there before.
> 
> I.e., as I suspected, you *weren't* reading from the capture file, you
> were doing a live capture - the strace file indicates that the
> "recvfrom()" calls were done on a file descriptor that was a PF_PACKET
> socket, which is the type of socket used for captures.
> 
> So packets will show up at the rate that Ethereal sees them 
> on whatever
> network you were capturing; if 5 packets were arriving per second on
> that network, that's what you'd see.
> 
> So, what you should've done is:
> 
> 	run "tcpdump -s 65535 -w /tmp/tcpdump.file" on the first machine
> 	and "snoop -o /tmp/snoop.file" on the second machine;
> 
> 	when you were done running tcpdump and snoop, copy both files
> 	onto some machine with Ethereal (including mergecap) on it, and
> 	run "mergecap -w merged.file tcpdump.file snoop.file";
> 
> 	run "ethereal -r merged.file" when "mergecap" completed.
>