Ethereal-users: Re: [Ethereal-users] Very Strange Problem

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Scott Solmonson <scosol@xxxxxxxxxx>
Date: Fri, 13 Jan 2006 12:23:45 -0800
Correcting this-

Tethereal works for capturing live traffic->display, and for capture->file-
But can not read back the file it created nor the known-good file.

Failing with the same error:

incitatus:~ scosol$ tethereal -r ./test.pcap
  1   0.000000              ->              Ethernet [Malformed Packet]
tethereal: "./test.pcap" appears to be damaged or corrupt.
(pcap: File has 1137183624-byte packet, bigger than maximum of 65535)

Tcpdump again can read this file just fine.

-SS

-- 
Scott Solmonson
Akamai Technologies, Inc.
AIM: scosolspeedera
Voice: 408.718.6290

http://www.akamai.com/


On 1/13/06 12:10 PM, "Scott Solmonson" <scosol@xxxxxxxxxx> wrote:

> Greetings- I'm using a bare-source-built Ethereal v0.10.14 on OSX:
> 
> Compiled with GTK+ 2.8.9, with GLib 2.8.5, with libpcap 0.8.3, with libz
> 1.2.3, with libpcre 6.4, without UCD-SNMP or Net-SNMP, without ADNS.
> Running with libpcap version 0.8.3 on Darwin 7.9.0.
> 
> And I'm experiencing some very strange behavior- I have pcap files that
> tcpdump can read just fine (they're not invalid)-
> Yet Ethereal can not read them.
> 
> The same thing happens when I try to do a live capture from any interface-
> 
> The error (and byte size) is always the same:
> 
> "The capture file appears to be damaged or corrupt.
> (pcap: File has 1137181850-byte packet, bigger than maximum of 65535)"
> 
> I have various versions of tcpdump and libpcap on here, and they all work
> fine for both live capture and from-file reads, additionally tethereal works
> flawlessly- so something screwy is going on with Ethereal here.
> 
> I've viewed the ktrace of me running Ethereal, opening a known-good pcap
> file, clearing the error dialog box, then exiting normally.
> After opening the file and reading it, I see it looking for an IOR.txt and
> not finding it-
> Then accessing /etc/localtime...
> Hmmm one time some "valid" packets came through and their timestamps were
> all wrong...
> 
> Anyway- any help would be appreciated- I have the full ktrace if anyone
> would like it.
> 
> -SS