Ethereal-users: Re: [Ethereal-users] opening tcpdump files with ethereal.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 29 Oct 2003 13:47:41 -0800

On Oct 29, 2003, at 11:37 AM, Ariel Badillo wrote:

I'm performing tcpdumps on a UNIX workstation. I am
FTPing the files to my Windows 2k Pro workstation
running Ethereal 9.15

When I attempt to open the files it gives me the
following errors.
pcap: File has 873887656-byte packet, bigger than
maximum of 65535
The capture file appears to be damaged or corrupted.

Is there something I need to do in Ethereal to open
these files?

No.

There's something you need to do when FTPing the file - you need to make sure you use *binary* mode when transferring the files, otherwise they will be corrupted.

In the BSD FTP command (which is what most UNIXes, *AND* Windows, use as their command-line FTP tool), type the command "type binary" before transferring any files.

(Many modern UNIX FTP commands will attempt to find out the FTP server type and, if they succeed and that type is UNIX, default to binary mode - but, as not all text file formats are the same, UNIX FTP commands will *NOT* default to binary mode if the remote machine doesn't appear to be a UNIX machine.

In particular, UNIX text files end with LF, while Windows and a number of other systems have text files that end with CR-LF; this means that if you transfer a text file in binary mode, the remote machine might have a problem with it - *AND* that, if you transfer a binary file, such as the libpcap-format captures that tcpdump/WinDump and Ethereal generate, in *text* mode, the file will be treated as text and have the line endings changed, e.g. going from UNIX to Windows a byte with the hex value 0A will be changed to *two* bytes with the hex values 0D 0A, which will probably make the binary file completely unusable.)
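The corruption described in the message above can be reproduced and detected offline. The following is an added example, not part of the original message or of Ethereal's code: it builds a small constructed libpcap file, simulates a text-mode UNIX-to-Windows transfer, and walks the record headers the way a reader would. All function names and the sample capture are hypothetical, and the CR-LF check is a heuristic, not something Ethereal does.

```python
import struct

MAX_SNAPLEN = 65535  # the limit quoted in the Ethereal error message

def walk_pcap(data):
    """Walk classic libpcap records; return (packets_read, error_or_None)."""
    if len(data) < 24:
        return 0, "truncated file header"
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        return 0, "bad magic number"
    offset, count = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            return count, "truncated record header"
        # Record header: ts_sec, ts_usec, captured length, original length.
        caplen = struct.unpack_from(endian + "I", data, offset + 8)[0]
        if caplen > MAX_SNAPLEN:
            return count, f"{caplen}-byte packet, bigger than maximum of {MAX_SNAPLEN}"
        if offset + 16 + caplen > len(data):
            return count, "truncated packet data"
        offset += 16 + caplen
        count += 1
    return count, None

def looks_text_converted(data):
    """Heuristic: the file has 0A bytes and every one is preceded by 0D."""
    # A very small genuine capture could also satisfy this, so treat it as a hint.
    lf = data.count(b"\n")
    return lf > 0 and lf == data.count(b"\r\n")

def build_sample():
    """Constructed two-packet capture; the first payload contains one 0A byte."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [b"GET / HTTP/1.0\n" + b"\x00" * 45, b"\x01" * 300]
    body = b"".join(struct.pack("<IIII", 1067463000 + i, 0, len(p), len(p)) + p
                    for i, p in enumerate(pkts))
    return hdr + body

def ascii_mode_unix_to_windows(data):
    """Simulate the text-mode transfer: each 0A becomes the two bytes 0D 0A."""
    return data.replace(b"\n", b"\r\n")
```

A single inserted byte shifts every later record header by one position, so the length field of the second record is read from the wrong bytes and exceeds the 65535 limit.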