Ethereal-users: Re: [Ethereal-users] pcap: File has 4294949296-byte packet, bigger than maximum

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Stef <stefmit@xxxxxxxxx>
Date: Thu, 16 Dec 2004 12:47:39 -0600
I keep thinking of ways to re-process that file, that may allow you to
narrow down the problem. So - what about:

- trying other libpcap-capable utilities (snort -v comes to mind)
or
- trying to "slice" it: http://www.tcpdump.org/related.html
or ... whatever else ...

I could also try to open it, myself, in one of the many commercial
utilities I have laying around, if the info is not confidential, then
(if successful) saving it in another format acceptable for ethereal
... just let me know if I could help this way ...

Stef


On Thu, 16 Dec 2004 13:04:37 -0500, Stephen Youndt
<syoundt@xxxxxxxxxxxxxxxxxxx> wrote:
> I just tried that and editcap gives me the same error.
> 
> Stef wrote:
> 
> >Have you tried editcap
> >(http://www.ethereal.com/docs/man-pages/editcap.1.html), "forcing"
> >various option for output, using the "-F", then trying to open the
> >resultant file? I have had a similar problem, but in the opposite
> >direction: file captured with tcpdump (under Linux, if that matters at
> >all), which I had to analyze, but would not open in OPNET, though it
> >would work just fine in tethereal. Ran it through editcap, with the
> >"-F libpcap" (!), and the output file was just fine in OPNET. Go
> >figure!
> >
> >HTH,
> >Stef
> >
> >
> >On Wed, 15 Dec 2004 16:36:39 -0500, Stephen Youndt
> ><syoundt@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> >
> >>Forgive me if this is documented somewhere, but I've been googling for a
> >>couple of days without finding anything applicable.
> >>
> >>I get the above mentioned message whenever I try to open a tcpdump
> >>capture file on SPARC Solaris hosted ethereal.  The files open without
> >>any problem in windows and linux, so it's not file corruption. In fact,
> >>the same files work with tcpdump on the SPARC box. A similar message (a
> >>different numeral) is displayed if I try to save a capture from within
> >>ethereal even though the capture seems to work.
> >>
> >>I can capture valid files with tethereal, but can't read them back with
> >>[t]ethereal on SPARC. They work fine on x86 systems, though, and within
> >>tcpdump on SPARC.
> >>
> >>I've tried a couple different versions of Ethereal and libpcap including
> >>direct downloads from SunFreeware, so my software build skills aren't
> >>the common variable.
> >>
> >>I suspect an alignment or endian problem, but I don't have enough
> >>experience with the source to even begin to debug it.
> >>
> >>Has anybody else seen this, and perhaps have a workaround or patch?
> >>
> >>Thanks in advance,
> >>Stephen
> >>
> >>
> >>_______________________________________________
> >>Ethereal-users mailing list
> >>Ethereal-users@xxxxxxxxxxxx
> >>http://www.ethereal.com/mailman/listinfo/ethereal-users
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >_______________________________________________
> >Ethereal-users mailing list
> >Ethereal-users@xxxxxxxxxxxx
> >http://www.ethereal.com/mailman/listinfo/ethereal-users
> >
> >
> >
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 
> 
> 
>