Correcting this-
Tethereal works for capturing live traffic->display, and for capture->file-
But cannot read back the file it created nor the known-good file.
Failing with the same error:
incitatus:~ scosol$ tethereal -r ./test.pcap
1 0.000000 -> Ethernet [Malformed Packet]
tethereal: "./test.pcap" appears to be damaged or corrupt.
(pcap: File has 1137183624-byte packet, bigger than maximum of 65535)
Tcpdump again can read this file just fine.
-SS
--
Scott Solmonson
Akamai Technologies, Inc.
AIM: scosolspeedera
Voice: 408.718.6290
http://www.akamai.com/
On 1/13/06 12:10 PM, "Scott Solmonson" <scosol@xxxxxxxxxx> wrote:
> Greetings- I'm using a bare-source-built Ethereal v0.10.14 on OSX:
>
> Compiled with GTK+ 2.8.9, with GLib 2.8.5, with libpcap 0.8.3, with libz
> 1.2.3, with libpcre 6.4, without UCD-SNMP or Net-SNMP, without ADNS.
> Running with libpcap version 0.8.3 on Darwin 7.9.0.
>
> And I'm experiencing some very strange behavior- I have pcap files that
> tcpdump can read just fine (they're not invalid)-
> Yet Ethereal cannot read them.
>
> The same thing happens when I try to do a live capture from any interface-
>
> The error (and byte size) is always the same:
>
> "The capture file appears to be damaged or corrupt.
> (pcap: File has 1137181850-byte packet, bigger than maximum of 65535)"
>
> I have various versions of tcpdump and libpcap on here, and they all work
> fine for both live capture and from-file reads, additionally tethereal works
> flawlessly- so something screwy is going on with Ethereal here.
>
> I've viewed the ktrace of me running Ethereal, opening a known-good pcap
> file, clearing the error dialog box, then exiting normally.
> After opening the file and reading it, I see it looking for an IOR.txt and
> not finding it-
> Then accessing /etc/localtime...
> Hmmm one time some "valid" packets came through and their timestamps were
> all wrong...
>
> Anyway- any help would be appreciated- I have the full ktrace if anyone
> would like it.
>
> -SS
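
Added example, not part of the original thread or of Ethereal's code: both byte counts in the errors above (1137183624 and 1137181850) decode as Unix times on 13 January 2006, the pattern a pcap reader produces when it takes a record's `ts_sec` field for `incl_len`. The Python sketch below reproduces the message on a constructed capture by reading the record header at a deliberately wrong offset (`rec_offset=16` is an illustrative assumption, not a diagnosis of this bug) and shows the length check that catches it.

```python
import struct
from datetime import datetime, timezone

MAX_PACKET = 65535          # limit quoted in the error message in this thread
GLOBAL_HDR_LEN = 24         # size of the classic pcap global header


def build_pcap(ts_sec, payload):
    """Constructed sample: little-endian classic pcap holding one record."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, MAX_PACKET, 1)
    rhdr = struct.pack("<IIII", ts_sec, 0, len(payload), len(payload))
    return ghdr + rhdr + payload


def read_first_record(data, rec_offset=GLOBAL_HDR_LEN):
    """Return (ts_sec, incl_len) of the first record or raise ValueError."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(
        endian + "IIII", data, rec_offset)
    # Validate the attacker- or bug-controlled length before using it.
    if incl_len > MAX_PACKET:
        raise ValueError(
            f"File has {incl_len}-byte packet, "
            f"bigger than maximum of {MAX_PACKET}")
    return ts_sec, incl_len


def looks_like_timestamp(value, year=2006):
    """True if the value, read as Unix seconds, falls in the given year."""
    return datetime.fromtimestamp(value, tz=timezone.utc).year == year


if __name__ == "__main__":
    sample = build_pcap(1137183624, b"\x00" * 60)   # constructed capture
    print("aligned read:", read_first_record(sample))
    try:
        # Hypothetical layout mismatch: header read 8 bytes too early,
        # so the real ts_sec lands in the incl_len slot.
        read_first_record(sample, rec_offset=16)
    except ValueError as err:
        print("misaligned read:", err)
        print("length is a 2006 timestamp:", looks_like_timestamp(1137183624))
```
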