Scott & Holly wrote:
How can I get ethereal to save as a pcap file?
Is this a file you've captured with Ethereal? If so, by default,
Ethereal will save it as a pcap file, as Martin Visser noted.
when I save it on knoppix, it is an unknown file type.
"Unknown" in what sense?
If, from the command line, you run the "file" command on the file, it
should say something such as
saved_file: tcpdump capture file (big-endian) - version 2.4 (Ethernet,
capture length 65535)
if it's a pcap file. What does the "file" command say about it?
If you mean that the GUI doesn't recognize it, then that would depend on
what GUI you're using. KDE and, I think, GNOME both use not only the
suffix of a file (e.g., ".doc") but also use the file contents (using a
mechanism similar to what the "file" command uses) to determine the file
type, so it shouldn't matter what the suffix is.
Took it to windows and it ended up as a dat file.
"Ended up as a dat file" in what sense? In Windows, the file type is,
as I understand it, solely determined by the file suffix, so a file
would end up as a .dat file only if it were given a name ending with ".dat".
I have it set up in ethereal to save as a pcap file.
"Set up" in what sense? Ethereal defaults to saving a file in the
format as the input file; when capturing traffic, Ethereal writes to a
temporary file in pcap format, so it'll default to saving it as a pcap file.