On 4/27/05, Leonard Isham <leonard.isham@xxxxxxxxx> wrote:
> On 4/27/05, Matt Morgan <minxmertzmomo@xxxxxxxxx> wrote:
> > I have a debian server with no gui. I need to analyze some tcp traffic
> > there, so I ran tethereal and sent the output to a file in libpcap
> > format. Here are the first few lines of the output:
> >
> > 435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > [SYN] Seq=2566198018 Ack=0 Win=5840 Len=0 MSS=1460 TSV=438910965
> > TSER=0 WS=0
> > 435.950570 192.168.4.11 -> jasmine.brooklynmuseum.org TCP 3001 > 59474
> > [SYN, ACK] Seq=3354128481 Ack=2566198019 Win=2047 Len=0 MSS=1024
> > 435.950640 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > [ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=0
> > 435.951200 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > [PSH, ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=5
> > 435.951280 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > [FIN, PSH, ACK] Seq=2566198024 Ack=3354128482 Win=5840 Len=2
> >
> > I am no ethereal expert, but I thought that I should then be able to
> > take this file and open it in ethereal (the gui version) on my
> > workstation so I could analyze it. However, when I try, I get the
> > error
> >
> > 'The file "eth_output_3001" isn't a capture file in a format Ethereal
> > understands.'
> >
> > What am I doing wrong?
> >
>
> 1. Are they the same version? I have seen some older versions (used
> by another person) create files that can't be read by newer versions.
> (not sure if it was the older version or an error on the part of the
> person that sent me the files)
>
> I'm going to guess that it became corrupted when transferring. Did you
> use ftp and not set binary before transferring?

Thanks, that's helpful. I didn't ftp it--actually I emailed it to myself
and I was able to see that it came through OK. But your first guess
seems to be right.
On debian, 'tethereal -v' gets me

tethereal 0.9.4, with GLib 1.2.10, with libpcap 0.6

and on FC3 I get

tethereal 0.10.10
Compiled with GLib 2.4.8, with libpcap 0.8.3

In fact, when I compare captures on the two systems, I can tell they look
a little different. So I'm trying to figure out how to get FC3's version
to read an older version of libpcap, but none of the options
(rh6_1libpcap, suse6_3libpcap, modlibpcap, nokialibpcap) seem to work. I
guess I'll install ethereal manually on the debian server so I can get a
newer version.

Thanks!
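A check worth running before chasing version mismatches when a reader reports "isn't a capture file in a format Ethereal understands": look at the file's first bytes to see whether it is a libpcap capture (the binary format `tethereal -w` writes), a pcapng file, or a redirected one-line-per-packet text summary like the lines quoted above. This is an added example, not code from the thread; the magic-number table and the pcap header sample are constructed, and the text sample reuses the first summary line quoted in the thread.

```python
import struct

# libpcap global-header magic values (first 4 bytes of the file), mapped to
# (byte order for struct, timestamp resolution). Constructed table, not from the thread.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microseconds"),  # 0xa1b2c3d4 little-endian
    b"\xa1\xb2\xc3\xd4": (">", "microseconds"),  # 0xa1b2c3d4 big-endian
    b"\x4d\x3c\xb2\xa1": ("<", "nanoseconds"),   # 0xa1b23c4d little-endian
    b"\xa1\xb2\x3c\x4d": (">", "nanoseconds"),   # 0xa1b23c4d big-endian
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type


def identify_capture(data: bytes) -> dict:
    """Classify the leading bytes of a file as pcap, pcapng, text or unknown."""
    head = data[:24]  # the libpcap global header is exactly 24 bytes
    if len(head) < 4:
        return {"kind": "unknown", "reason": "file shorter than a magic number"}
    if head[:4] == PCAPNG_MAGIC:
        return {"kind": "pcapng"}
    if head[:4] in PCAP_MAGICS:
        order, resolution = PCAP_MAGICS[head[:4]]
        if len(head) < 24:
            return {"kind": "pcap", "reason": "truncated global header"}
        # Fields: version_major, version_minor, thiszone, sigfigs, snaplen, network
        major, minor, _tz, _sig, snaplen, linktype = struct.unpack(order + "HHiIII", head[4:])
        return {"kind": "pcap", "version": f"{major}.{minor}",
                "resolution": resolution, "snaplen": snaplen, "linktype": linktype}
    # All printable ASCII (plus line breaks/tabs) means a redirected text summary,
    # e.g. tethereal's per-packet output, which no capture reader will open.
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return {"kind": "unknown"}
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return {"kind": "text", "reason": "looks like packet summary text, not a capture"}
    return {"kind": "unknown"}


def identify_file(path: str) -> dict:
    """Read only the header bytes from disk and classify them."""
    with open(path, "rb") as f:
        return identify_capture(f.read(24))


# Constructed samples: a minimal little-endian pcap 2.4 header (snaplen 65535,
# link type 1 = Ethernet) and the first summary line quoted in the thread.
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
SAMPLE_TEXT = b"435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001\n"

if __name__ == "__main__":
    for label, sample in (("pcap header", SAMPLE_PCAP), ("text summary", SAMPLE_TEXT)):
        print(label, "->", identify_capture(sample))
```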