I installed openssh, libpcap and tcpdump using "pkgadd -d" and it
worked!! ... for 116 frames.
Then I had a "frame 117 too long" message, and wireshark stopped to
capture. I tried again, and the same happened after 131 frames. But i
think I know where the problem comes from:
I want to snoop ce4 and ce5 simultneously (there is a load balancing
on them, so I need both to understand what's happening) so I typed:
ssh username@IP "/usr/local/sbin/tcpdump -s 0 -i ce4 -w - port 5060 & /
usr/local/sbin/tcpdump -s 0 -i ce5 -w - port 5060" > /tmp/wireshark_pipe
Do you think that printing 2 processes simultaneously into a pipe
could be a reason for this error? Because when I capture on only one
interface, I don't have this problem. Can wireshark read and merge
from 2 pipes at once? I'm looking into this.
Anyway thank you very much for your help, I'm a big step further.
Greetings,
kaz
On 23.10.2008, at 20:11, Guy Harris wrote:
On Oct 23, 2008, at 7:44 AM, KaZ wrote:
This version of snoop can only save packets in a file (or display a
cleaned up version of the packets, so no libpcap format to stdout).
(Well, you could try writing to the "file" named "/dev/stdout".)
The file is in the libpcap format
No, it's not, it's in snoop format. Snoop format is documented in
RFCs 1761 and 3827; libpcap format is documented at
http://wiki.wireshark.org/Development/LibpcapFileFormat
and in the pcap-savefile man page I just checked into the libpcap main
and 1.0 branches (and there was much rejoicing :-)).
(I can open it with Wireshark).
Wireshark can read a *lot* of capture file formats, including libpcap
(its native format) and snoop; "I can open it with Wireshark" does not
imply "it's in libpcap format".
When the first packet arrives, wireshark displays "unrecognized
libpcap format".
That error message needs to be fixed to indicate that the problem is
that it's not libpcap format at all. Wireshark only supports reading
libpcap format from a pipe - the heuristics it uses to determine the
file type when reading regular capture files involve having the
handler for each file type read the file, starting from the beginning,
and that's done by seeking to the beginning of the file before each
handler; you can't seek on a pipe. (If we had an underlying buffered
I/O layer that supported seeking within a buffer *and* having a large-
enough buffer, it could be done; we don't currently have that.)
Any ideas what I could try? Do you know where I can find a
precompiled
tcpdump or tshark for solaris 10 / SPARC (maybe the problem is with
snoop)?
Yes, the problem is with snoop, and the problem is that it doesn't
write files in libpcap format and Wireshark doesn't support capture-
from-a-pipe for anything other than libpcap format.
tcpdump is available for Solaris 10 on x86 from
http://www.sunfreeware.com/programlistintel10.html
and for Solaris 10 on SPARC from
http://www.sunfreeware.com/programlistsparc10.html
Remember to run it with "-s 0" so that it writes out the *entire*
packet, not just the default first 64 or 96 bytes of the packet. On
the Mac, do
ssh username@remoteIP "tcpdump -s 0 -i cd4 -w - port 5060" >/tmp/
wireshark_pipe
and then capture from /tmp/wireshark_pipe.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users