Hi all.
Is there a difference between a file captured by the following command:
tcpdump -w file
and a dump captured through Ethereal?
I ask this question because I have detected some problems when analysing H323 communications.
When I make a dump with tcpdump on Linux and read it in Win32 Ethereal (with the H323 plugins), the result is not the same as for a file captured with Ethereal on Linux and read in Ethereal on Win32.
Any explanation for that?
Here are two files to illustrate my problem. I can't send you the network dump, but I made screenshots of the Ethereal output.
The captures weren't made on the same call, to avoid interaction between tcpdump and Ethereal, but the dissector must have done the same work if the files are the same.
call_ethereal.jpg is a screenshot of a dump made by Ethereal on Linux and analysed with Ethereal under Win32.
call_tcpdump.jpg is a screenshot of a dump made by the 'tcpdump -w file' command on Linux and analysed with Ethereal on Win32.
Why is the interpretation not the same in both?
Doesn't 'tcpdump -w file' capture the full packet length?
Can we have a problem due to network byte order?
Really, thanks for all the information you can provide to solve this case.
JB
Jacky Buyck
R&D Engineer - Intranet Security Services
Tel : +33 2 31 75 93 61
Fax : +33 2 31 75 06 31
France Telecom R&D - DMI/SIR
42 Rue des Coutures - BP 6243 - 14066 Caen Cedex 4 - France
Attachment: call_ethereal.jpg
Attachment: call_tcpdump.jpg
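An added example, not part of the message above and not code from tcpdump or Ethereal, that lets a reader check the two explanations the question raises. First, truncation: the pcap file header records the snaplen the capturing tool used, and every packet record carries both the captured length and the original length on the wire, so a capture cut short by the snaplen is visible without looking at the packet contents at all (older tcpdump releases defaulted to a snaplen of 68 bytes unless a larger value was passed with -s, which keeps the Ethernet/IP/TCP headers but cuts off most of an H.225 or H.245 message; Ethereal's own capture default was the full frame). Second, byte order: a pcap file is written in the capturing host's native byte order, and the magic number in its first four bytes tells the reader which one was used, so a file written on Linux reads correctly on Win32 in either case. The sample captures the script parses are constructed in memory with dummy frame contents; they are not real H.323 traffic.

```python
import struct

# libpcap magic numbers: microsecond-timestamp and nanosecond-timestamp variants.
PCAP_MAGIC_US = 0xA1B2C3D4
PCAP_MAGIC_NS = 0xA1B23C4D


def parse_pcap(data):
    """Parse an in-memory libpcap file.

    Detects the writer's byte order from the magic number, then returns the
    global header fields and one (caplen, origlen) pair per packet record.
    """
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a libpcap file: magic %s" % data[:4].hex())
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype.
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    packets = []
    off = 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_usec (or ts_nsec), captured length, wire length.
        _sec, _frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("packet record at offset %d runs past end of file" % (off - 16))
        packets.append((caplen, origlen))
        off += caplen
    return {
        "byte_order": "little" if endian == "<" else "big",
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
    }


def truncation_report(data):
    """Summarise whether the capture's snaplen cut any packets short."""
    info = parse_pcap(data)
    truncated = [(i, caplen, origlen)
                 for i, (caplen, origlen) in enumerate(info["packets"])
                 if caplen < origlen]
    return {
        "byte_order": info["byte_order"],
        "snaplen": info["snaplen"],
        "total": len(info["packets"]),
        "truncated": truncated,
    }


def build_pcap(frames, snaplen, endian="<"):
    """Write a pcap file the way a capture tool with the given snaplen would.

    Constructed for this example: each frame is stored cut to snaplen bytes,
    while the record header still carries the original wire length.
    """
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        caplen = min(len(frame), snaplen)
        out.append(struct.pack(endian + "IIII", 1000 + i, 0, caplen, len(frame)))
        out.append(frame[:caplen])
    return b"".join(out)


# Constructed dummy frames (not real H.323 traffic): a 60-byte frame, a 200-byte
# frame and a 1000-byte frame, roughly the sizes a call setup exchange produces.
_PATTERN = bytes(range(256)) * 4
SAMPLE_FRAMES = [_PATTERN[:60], _PATTERN[:200], _PATTERN[:1000]]

SAMPLE_TCPDUMP_68 = build_pcap(SAMPLE_FRAMES, 68)            # old tcpdump default snaplen
SAMPLE_FULL = build_pcap(SAMPLE_FRAMES, 65535)               # tcpdump -s 65535 / Ethereal default
SAMPLE_BIG_ENDIAN = build_pcap(SAMPLE_FRAMES, 65535, ">")    # same capture written on a big-endian host

if __name__ == "__main__":
    for name, blob in (("tcpdump snaplen 68", SAMPLE_TCPDUMP_68),
                       ("full snaplen", SAMPLE_FULL),
                       ("big-endian writer", SAMPLE_BIG_ENDIAN)):
        r = truncation_report(blob)
        print("%-20s byte order=%s snaplen=%d packets=%d truncated=%s"
              % (name, r["byte_order"], r["snaplen"], r["total"], r["truncated"]))
```

To run this against a real capture, read the file with open(path, "rb").read() and pass it to truncation_report: a snaplen of 68 or 96 with truncated records explains a dissector that stops partway through a message, whereas a big-endian magic number on its own does not, because the reader adapts to it.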