Guy,
Thanks for the quick response. This certainly sounds reasonable. I do
not know about whether or not this is a new feature in EtherPeek, but I
seem to recall using it before. From WildPackets' web site
(http://www.wildpackets.com/support/knowledge_base/etherpeek#30):
How do I create a tcpdump file that can be read into EtherPeek?
For most versions of Unix, you should be successful using the
following command:
tcpdump -i (interface name) -w filename.dmp
(interface name) should be substituted for the Ethernet adapter name
on your Unix system.
e.g. on a RedHat Linux system the command might be:
tcpdump -i eth0 -w filename.dmp
This implies that there is full support for tcpdump format in EtherPeek.
Could there be some discrepancies in the file written out by Ethereal
running on Windows with libpcap and tcpdump running on Unix?
Thanks,
Chris
Guy Harris <guy@xxxxxxxxxxxx>
12/29/2003 02:35 PM
To: Chris_Friedline@xxxxxxxxxxxxxxx
cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] Ethereal time format anomaly with libpcap file format
On Mon, Dec 29, 2003 at 02:22:11PM -0500, Chris_Friedline@xxxxxxxxxxxxxxx
wrote:
> Thoughts? Do I just need to convert everything to Sniffer before using
> EtherPeek or did I stumble upon something in Ethereal?
Time stamps in libpcap format are stored as seconds since January 1,
1970, 00:00:00 GMT, plus microseconds. DOS-based Sniffer files store
time stamps as local times.
I suspect that either
1) EtherPeek's code for handling libpcap-format captures is broken and
doesn't handle UNIX-style time stamps correctly
or
2) the time stamps are wrong on your server but the C library functions
Ethereal is using to process those time stamps are compensating for that
and as I have no reason to believe that the C library functions would
compensate for that, I suspect the answer is 1). The ability to read
libpcap-format captures in EtherPeek might be a new feature, so perhaps
there are some glitches in it (although Wildpackets' ProConvert has
handled them for a while).
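The libpcap time-stamp layout Guy describes, shown as an added example that is not part of this thread or of Ethereal/EtherPeek: a constructed in-memory pcap file is written and read back, honouring the byte-order magic (a capture written on a little-endian Windows host and one written on a big-endian Unix host differ only in that), and each record's ts_sec/ts_usec is rendered as UTC, which is the interpretation a reader must use before applying any local-time offset.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution libpcap, written in host byte order
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16

def build_pcap(records, little_endian=True):
    """Build a minimal libpcap file (constructed sample, not a real capture).
    records: list of (ts_sec, ts_usec, payload). thiszone is 0: time stamps are UTC."""
    e = "<" if little_endian else ">"
    out = struct.pack(e + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, data in records:
        out += struct.pack(e + "IIII", sec, usec, len(data), len(data)) + data
    return out

def parse_pcap(buf):
    """Return [(ts_sec, ts_usec, payload)], using the byte order the magic declares."""
    if buf[:4] == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 stored little-endian
        e = "<"
    elif buf[:4] == b"\xa1\xb2\xc3\xd4":    # stored big-endian
        e = ">"
    else:
        raise ValueError("not a microsecond-resolution libpcap file")
    off, pkts = GLOBAL_HEADER_LEN, []
    while off + RECORD_HEADER_LEN <= len(buf):
        sec, usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", buf, off)
        off += RECORD_HEADER_LEN
        if usec >= 1_000_000 or off + incl_len > len(buf):
            raise ValueError("corrupt record at offset %d" % (off - RECORD_HEADER_LEN))
        pkts.append((sec, usec, buf[off:off + incl_len]))
        off += incl_len
    return pkts

def format_ts(sec, usec):
    """ts_sec counts seconds since 1970-01-01 00:00:00 UTC; render it as UTC.
    A reader that treats this number as a local-clock value is off by the zone offset."""
    utc = datetime.fromtimestamp(sec, tz=timezone.utc)
    return utc.strftime("%Y-%m-%d %H:%M:%S") + ".%06d UTC" % usec

# Constructed record: 2003-12-29 19:22:11 UTC (14:22:11 EST), 14-byte Ethernet header.
SAMPLE = [(1072725731, 250000, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00")]
```

Both `build_pcap(SAMPLE)` and `build_pcap(SAMPLE, little_endian=False)` parse back to the same records, so a byte-order difference between the writing hosts cannot by itself shift a time stamp.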