Wireshark-users: Re: [Wireshark-users] Pcap file isn't a capture file in a format TShark understa

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 26 Jan 2010 16:21:31 -0800
On Jan 25, 2010, at 10:19 AM, kahou lei wrote:

> The captured file is generated by our company software. Basically it is captured by our networking equipment and then it will be saved via our company software (by writing libpcap format and the binary to the file). It has been working fine.

Actually, it's not writing standard libpcap format, it's writing "nanosecond precision" libpcap format.  See below.

> [thot@REGRES-EL3 tshark]$ capinfos udp.pcap
> File name: udp.pcap
> File type: Wireshark - nanosecond libpcap

OK, that's not a standard libpcap file, so it's not surprising that tcpdump didn't like it.  Currently, libpcap doesn't support those files, so no libpcap-based tool will be able to read them.

However, if you used a magic number of 0xa1b23c4d, *Shark 0.99.7 does include code to read those files, so it's surprising that tchui1-rhel3 can't read them, given that the tshark you tested there:

> [thot@tchui1-rhel3 tshark]$ ./tshark -v
> TShark 0.99.7

is 0.99.7.

However, I note that you did "./tshark" there, but just ran "tshark" on the machine that could read the files:

> [thot@REGRES-EL3 thot]$ tshark -v
> TShark 0.99.7


What happens on tchui1-rhel3 if you run the command "tshark -v" - *not* "./tshark -v", just "tshark -v" - from a directory other than the Wireshark source directory?
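The distinction Guy draws above rests entirely on the first four bytes of the file: classic libpcap uses the magic number 0xa1b2c3d4 and stores microseconds in the fractional timestamp field, while the "nanosecond libpcap" variant uses 0xa1b23c4d (the low two bytes swapped) and stores nanoseconds in the same field. The following is an added example, not code from the thread, from Wireshark or from libpcap: it builds two constructed sample files in memory, classifies them the way capinfos' "File type" line does, shows why a reader that only knows the classic magic rejects the nanosecond file, and shows that the same on-disk fractional value means a 1000x different time in the two formats. All function names (`pcap_variant`, `classic_reader_accepts`, `iter_records`, `build_pcap`, `describe`, `is_pcap`) and the sample data are this example's own.

```python
"""Classify pcap files by magic number and decode timestamps accordingly.

Added example, not part of the mailing-list post, Wireshark or libpcap.
"""
import struct

MAGIC_MICRO = 0xA1B2C3D4  # classic libpcap, microsecond timestamps
MAGIC_NANO = 0xA1B23C4D   # "nanosecond libpcap", the variant in the thread

PCAP_GLOBAL_HDR_LEN = 24
PCAP_RECORD_HDR_LEN = 16


def pcap_variant(data):
    """Classify a pcap file by its magic number.

    Returns (byte_order, ts_units_per_second, description), where
    byte_order is ">" (big-endian) or "<" (little-endian) in struct
    notation and ts_units_per_second is 10**6 or 10**9.  Raises
    ValueError for anything else.
    """
    if len(data) < PCAP_GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    for order in (">", "<"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic == MAGIC_MICRO:
            return order, 10**6, "libpcap"
        if magic == MAGIC_NANO:
            return order, 10**9, "nanosecond libpcap"
    raise ValueError("not a pcap file (magic bytes %s)" % data[:4].hex())


def is_pcap(data):
    """True if pcap_variant() recognises the file."""
    try:
        pcap_variant(data)
        return True
    except ValueError:
        return False


def classic_reader_accepts(data):
    """Model a reader that knows only 0xa1b2c3d4 (in either byte order),
    which is why such a reader rejects the nanosecond variant."""
    if len(data) < 4:
        return False
    magics = (struct.unpack(">I", data[:4])[0], struct.unpack("<I", data[:4])[0])
    return MAGIC_MICRO in magics


def iter_records(data):
    """Yield (timestamp_ns, packet_bytes) for each record.

    The fractional field is scaled by the divisor the magic number
    implies, so an identical on-disk value means 1000x different
    times in the two formats.  Integer nanoseconds avoid float rounding.
    """
    order, units, _ = pcap_variant(data)
    scale = 10**9 // units
    off = PCAP_GLOBAL_HDR_LEN
    while off + PCAP_RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[off:off + PCAP_RECORD_HDR_LEN])
        if ts_frac >= units:
            raise ValueError("fractional timestamp %d out of range" % ts_frac)
        off += PCAP_RECORD_HDR_LEN
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec * 10**9 + ts_frac * scale, pkt
    if off != len(data):
        raise ValueError("trailing bytes after last record")


def build_pcap(magic, order, records, linktype=1):
    """Construct a pcap file: version 2.4 global header plus records.

    records is a list of (ts_sec, ts_frac, payload); linktype 1 is Ethernet.
    """
    out = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_frac, payload in records:
        out += struct.pack(order + "IIII", ts_sec, ts_frac, len(payload), len(payload))
        out += payload
    return out


def describe(data):
    """A capinfos-style one-line description of the file type."""
    order, units, desc = pcap_variant(data)
    return "%s, %s-endian, %d timestamp units per second" % (
        desc, "big" if order == ">" else "little", units)


# Constructed sample data: the same record (fractional field 500000)
# written in both variants.  Classic: 0.5 s.  Nanosecond: 0.0005 s.
SAMPLE_PAYLOAD = b"\x00" * 14  # placeholder Ethernet header bytes, constructed
MICRO_FILE = build_pcap(MAGIC_MICRO, "<", [(1264, 500000, SAMPLE_PAYLOAD)])
NANO_FILE = build_pcap(MAGIC_NANO, "<", [(1264, 500000, SAMPLE_PAYLOAD)])

if __name__ == "__main__":
    for name, data in (("micro", MICRO_FILE), ("nano", NANO_FILE)):
        print(name, "->", describe(data),
              "| classic-only reader accepts:", classic_reader_accepts(data))
        for ts_ns, pkt in iter_records(data):
            print("   record ts = %d ns, %d bytes" % (ts_ns, len(pkt)))
```

Run it as a script and the nanosecond file is reported as "nanosecond libpcap" while `classic_reader_accepts` returns False for it, which is the situation described above for tcpdump. The point worth keeping in mind when writing your own capture files is that choosing the 0xa1b23c4d magic is a format change, not merely a precision hint: every consumer must know the magic and scale the fractional field accordingly, and a consumer that does not will refuse the file outright.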