Ethereal-users: Re: [Ethereal-users] opening tcpdump files with ethereal.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 29 Oct 2003 13:47:41 -0800
On Oct 29, 2003, at 11:37 AM, Ariel Badillo wrote:

im performing tcpdumps on a unix workstation. i am
ftping the files to my windows 2k pro workstation
running ethereal 9.15

when i attempt to open the files it give me the
following errors.
pcap: File has 873887656-byte packet, bigger than
maximum of 65535
The capture file appears to be damaged or corrupted.

is there something i need to do in ethereal to open
these files?
No.

There's something you need to do when FTPing the file - you need to make sure you use *binary* mode when transferring the files, otherwise they will be corrupted.
In the BSD FTP command (which is what most UNIXes, *AND* Windows, use 
as their command-line FTP tool), type the command "type binary" before 
transferring any files.
(Many modern UNIX FTP commands will attempt to find out the FTP server 
type and, if they succeed and that type is UNIX, default to binary mode 
- but, as not all text file formats are the same, UNIX FTP commands 
will *NOT* default to binary mode if the remote machine doesn't appear 
to be a UNIX machine.
In particular, UNIX text files end with LF, while Windows and a number 
of other systems have text files that end with CR-LF; this means that 
if you transfer a text file in binary mode, the remote machine might 
have a problem with it - *AND* that, if you transfer a binary file, 
such as the libpcap-format captures that tcpdump/WinDump and Ethereal 
generate, in *text* mode, the file will be treated as text and have the 
line endings changed, e.g. going from UNIX to Windows a byte with the 
hex value 0A will be changed to *two* bytes with the hex values 0D 0A, 
which will probably make the binary file completely unusable.)