Wireshark-users: Re: [Wireshark-users] Can't open PCAP file via GUI

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 14 Feb 2007 17:30:02 -0800

On Feb 14, 2007, at 4:55 PM, Donald Musser wrote:

> When I performed the original tcpdump on my production server, I did use the -w option. I then used Konqueror to transfer the file to my local CentOS machine. So perhaps the file was mangled somehow, as you said?

How did you transfer it with Konqueror? Drag-and-drop? If so, then Konqueror *shouldn't* have mangled the file when transferring it (either it was done with an ordinary file copy, or kioslave I/O, and if either of those mangles the file, Something's Broken).


> I did note upon re-examining the file that it was empty. Perhaps this also is lending to the problem?

An empty file isn't a valid libpcap file; the minimum size is 24 bytes (that's the size of the libpcap per-file header).

Is the file empty on your production server?
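
The 24-byte minimum mentioned above can be checked on both the production server and the local copy before opening the file in Wireshark. The following is an added example, not part of the original message; the function names `check_pcap_header` and `check_pcap_file` and the sample header are constructed for illustration.

```python
import struct
import sys

PCAP_HEADER_LEN = 24      # size of the libpcap per-file header
MAGIC_USEC = 0xA1B2C3D4   # classic magic, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # variant magic, nanosecond timestamps


def check_pcap_header(data: bytes) -> dict:
    """Decode a libpcap per-file header; raise ValueError if it is not one."""
    if len(data) == 0:
        raise ValueError("file is empty: not a valid libpcap file")
    if len(data) < PCAP_HEADER_LEN:
        raise ValueError(
            f"only {len(data)} bytes; the per-file header alone is {PCAP_HEADER_LEN}")
    # The header is written in the capturing host's byte order, so try both.
    for name, prefix in (("little", "<"), ("big", ">")):
        magic, major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            prefix + "IHHiIII", data[:PCAP_HEADER_LEN])
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            return {
                "byte_order": name,
                "nanosecond": magic == MAGIC_NSEC,
                "version": (major, minor),
                "snaplen": snaplen,
                "linktype": linktype,
            }
    raise ValueError(f"bad magic {data[:4].hex()}: not a libpcap file")


def check_pcap_file(path: str) -> dict:
    """Read just the first 24 bytes of `path` and validate them."""
    with open(path, "rb") as f:
        return check_pcap_header(f.read(PCAP_HEADER_LEN))


# Constructed sample: header of a little-endian v2.4 Ethernet capture.
SAMPLE_HEADER = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        try:
            print(path, check_pcap_file(path))
        except ValueError as err:
            print(path, "INVALID:", err)
```

Running it against the file on each machine shows whether the capture was already empty or truncated at the source or was damaged in transfer.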