Wireshark-users: Re: [Wireshark-users] remote capture with a pipe: "unrecognized libpcap format"

From: KaZ <k2a1z9@xxxxxxxxx>
Date: Fri, 24 Oct 2008 10:47:33 +0200
I installed openssh, libpcap and tcpdump using "pkgadd -d" and it worked!! ... for 116 frames.

Then I had a "frame 117 too long" message, and wireshark stopped capturing. I tried again, and the same happened after 131 frames. But I think I know where the problem comes from:

I want to snoop ce4 and ce5 simultaneously (there is a load balancing on them, so I need both to understand what's happening) so I typed:

ssh username@IP "/usr/local/sbin/tcpdump -s 0 -i ce4 -w - port 5060 & /usr/local/sbin/tcpdump -s 0 -i ce5 -w - port 5060" > /tmp/wireshark_pipe

Do you think that printing 2 processes simultaneously into a pipe could be a reason for this error? Because when I capture on only one interface, I don't have this problem. Can wireshark read and merge from 2 pipes at once? I'm looking into this.

Anyway thank you very much for your help, I'm a big step further.

Greetings,
kaz


On 23.10.2008, at 20:11, Guy Harris wrote:

> On Oct 23, 2008, at 7:44 AM, KaZ wrote:
>
>> This version of snoop can only save packets in a file (or display a
>> cleaned up version of the packets, so no libpcap format to stdout).
>
> (Well, you could try writing to the "file" named "/dev/stdout".)
>
>> The file is in the libpcap format
>
> No, it's not, it's in snoop format.  Snoop format is documented in
> RFCs 1761 and 3827; libpcap format is documented at
>
> 	http://wiki.wireshark.org/Development/LibpcapFileFormat
>
> and in the pcap-savefile man page I just checked into the libpcap main
> and 1.0 branches (and there was much rejoicing :-)).
>
>> (I can open it with Wireshark).
>
> Wireshark can read a *lot* of capture file formats, including libpcap
> (its native format) and snoop; "I can open it with Wireshark" does not
> imply "it's in libpcap format".
>
>> When the first packet arrives, wireshark displays "unrecognized
>> libpcap format".
>
> That error message needs to be fixed to indicate that the problem is
> that it's not libpcap format at all.  Wireshark only supports reading
> libpcap format from a pipe - the heuristics it uses to determine the
> file type when reading regular capture files involve having the
> handler for each file type read the file, starting from the beginning,
> and that's done by seeking to the beginning of the file before each
> handler; you can't seek on a pipe.  (If we had an underlying buffered
> I/O layer that supported seeking within a buffer *and* having a large-
> enough buffer, it could be done; we don't currently have that.)
>
>> Any ideas what I could try? Do you know where I can find a precompiled
>> tcpdump or tshark for solaris 10 / SPARC (maybe the problem is with
>> snoop)?
>
> Yes, the problem is with snoop, and the problem is that it doesn't
> write files in libpcap format and Wireshark doesn't support capture-
> from-a-pipe for anything other than libpcap format.
>
> tcpdump is available for Solaris 10 on x86 from
>
> 	http://www.sunfreeware.com/programlistintel10.html
>
> and for Solaris 10 on SPARC from
>
> 	http://www.sunfreeware.com/programlistsparc10.html
>
> Remember to run it with "-s 0" so that it writes out the *entire*
> packet, not just the default first 64 or 96 bytes of the packet.  On
> the Mac, do
>
> 	ssh username@remoteIP "tcpdump -s 0 -i cd4 -w - port 5060" >/tmp/wireshark_pipe
>
> and then capture from /tmp/wireshark_pipe.
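The "frame too long" symptom and the pipe restriction Guy describes can be reproduced with a small parser; this is an added example, not code from the thread, Wireshark or tcpdump. It reads a libpcap stream strictly front to back the way a pipe reader must, shows how a second writer's bytes landing in the same pipe (here the second tcpdump's global header arriving after the first one's records) produce exactly that error, and merges two complete streams at record boundaries instead; the SIP payloads and timestamps are constructed.

```python
import struct

MAGIC_LE, MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1  # classic libpcap magic numbers

def global_header(snaplen=65535, linktype=1):
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type (1 = Ethernet)
    return struct.pack("<IHHiIII", MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)

def record(payload, ts_sec, ts_usec=0):
    # per-packet header: ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload

def read_stream(data):
    """Parse a libpcap byte stream strictly front to back, as a pipe reader must.
    Returns (records, error); each record is (ts_sec, ts_usec, payload)."""
    if len(data) < 24:
        return [], "short global header"
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (MAGIC_LE, MAGIC_BE):
        return [], "unrecognized libpcap format"  # e.g. snoop output on the pipe
    e = "<" if magic == MAGIC_LE else ">"
    snaplen = struct.unpack(e + "IHHiIII", data[:24])[5]
    off, recs = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(e + "IIII", data[off:off + 16])
        if caplen > snaplen or caplen > origlen:
            return recs, "frame %d too long" % (len(recs) + 1)
        if off + 16 + caplen > len(data):
            break  # partial record: a pipe reader would wait for more bytes
        recs.append((ts_sec, ts_usec, data[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return recs, None

def merge_streams(*streams):
    """Merge complete streams at record boundaries (as mergecap does) instead of
    letting two writers interleave raw bytes in one pipe."""
    merged = []
    for s in streams:
        recs, err = read_stream(s)
        if err:
            raise ValueError(err)
        merged.extend(recs)
    merged.sort(key=lambda r: (r[0], r[1]))
    return global_header() + b"".join(record(p, ts, us) for ts, us, p in merged)

# Constructed sample: one packet per interface, timestamps from Oct 2008.
CE4 = global_header() + record(b"INVITE sip:a@example SIP/2.0", 1224838053, 10)
CE5 = global_header() + record(b"SIP/2.0 100 Trying", 1224838053, 20)
```

Feeding CE4 + CE5 to read_stream makes the reader interpret the second global header and the following timestamp as record headers, so a 2008 epoch value becomes a capture length far above snaplen and the parse stops with "frame 3 too long"; merge_streams(CE4, CE5) yields a single stream that parses cleanly.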
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users