On 4/28/05, Matt Morgan <minxmertzmomo@xxxxxxxxx> wrote:
> On 4/27/05, Leonard Isham <leonard.isham@xxxxxxxxx> wrote:
> > On 4/27/05, Matt Morgan <minxmertzmomo@xxxxxxxxx> wrote:
> > > I have a debian server with no gui. I need to analyze some tcp traffic
> > > there, so I ran tethereal and sent the output to a file in libpcap
> > > format. Here are the first few lines of the output:
> > >
> > > 435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > [SYN] Seq=2566198018 Ack=0 Win=5840 Len=0 MSS=1460 TSV=438910965
> > > TSER=0 WS=0
> > > 435.950570 192.168.4.11 -> jasmine.brooklynmuseum.org TCP 3001 > 59474
> > > [SYN, ACK] Seq=3354128481 Ack=2566198019 Win=2047 Len=0 MSS=1024
> > > 435.950640 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > [ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=0
> > > 435.951200 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > [PSH, ACK] Seq=2566198019 Ack=3354128482 Win=5840 Len=5
> > > 435.951280 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001
> > > [FIN, PSH, ACK] Seq=2566198024 Ack=3354128482 Win=5840 Len=2
> > >
> > > I am no ethereal expert, but I thought that I should then be able to
> > > take this file and open it in ethereal (the gui version) on my
> > > workstation so I could analyze it. However, when I try, I get the
> > > error
> > >
> > > 'The file "eth_output_3001" isn't a capture file in a format Ethereal
> > > understands.'
> > >
> > > What am I doing wrong?
> > >
> >
> > 1. Are they the same version? I have seen some older versions (used
> > by another person) create files that can't be read by newer versions.
> > (not sure if it was the older version or an error on the part of the
> > person that sent me the files)
> >
> > I'm going to guess that it became corrupted when transferring. Did you
> > use ftp and not set binary before transferring?
>
> Thanks, that's helpful. I didn't ftp it--actually I emailed it to
> myself and I was able to see that it came through OK. But your first
> guess seems to be right. On debian, 'tethereal -v' gets me
>
> tethereal 0.9.4, with GLib 1.2.10, with libpcap 0.6
>
> and on FC3 I get
>
> tethereal 0.10.10 Compiled with GLib 2.4.8, with libpcap 0.8.3
>
> In fact, when I compare captures on the two systems, I can tell they
> look a little different. So I'm trying to figure out how to get FC3's
> version to read an older version of libpcap, but none of the options
> (rh6_1libpcap, suse6_3libpcap, modlibpcap, nokialibpcap) seem to work.
> I guess I'll install ethereal manually on the debian server so I can
> get a newer version.

I spoke too soon. I couldn't open these output files in an older
version of ethereal either. How am I supposed to be creating output
files? I'm just using

tethereal [options] > outputfilename

Is that wrong?
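The lines quoted at the top of the thread are tethereal's one-line-per-packet screen dissection, and that text is exactly what a bare `>` redirect stores; a capture written by tethereal's `-w` option is a binary libpcap file that starts with a four-byte magic number. The following checker is an added example for this thread, not code from the mail or from the Ethereal project: it reads the first bytes of a file, reports whether it is libpcap, pcapng, plain text or neither, and for libpcap walks the record headers to spot truncation. The two sample inputs (a text line taken from the thread and a one-frame pcap built in memory) are constructed for the demonstration.

```python
"""Identify whether a file really is a libpcap capture (added example)."""
import struct
import sys
from typing import Dict

# Magic numbers found at offset 0 of libpcap files, mapped to the struct
# byte-order prefix and the timestamp resolution they imply.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"   # pcapng section header block type
GLOBAL_HEADER_LEN = 24               # magic + version + tz + sigfigs + snaplen + linktype
RECORD_HEADER_LEN = 16               # ts_sec + ts_frac + incl_len + orig_len


def identify_capture(data: bytes) -> Dict[str, object]:
    """Classify the start of a file and, for libpcap, sanity-check its records."""
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        return {"format": "pcapng"}
    if magic not in PCAP_MAGICS:
        # Redirected tethereal screen output is printable text, so say so
        # explicitly instead of a generic "unknown".
        head = data[:64]
        is_text = bool(head) and all(32 <= b < 127 or b in b"\t\r\n" for b in head)
        return {"format": "text" if is_text else "unknown"}

    endian, ts_unit = PCAP_MAGICS[magic]
    if len(data) < GLOBAL_HEADER_LEN:
        return {"format": "pcap", "packets": 0, "truncated": True}
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])

    # Walk the per-packet record headers; a length that runs past the end of
    # the file or exceeds the snaplen indicates truncation or corruption.
    offset, packets, truncated = GLOBAL_HEADER_LEN, 0, False
    while offset + RECORD_HEADER_LEN <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        if incl_len > snaplen or offset + RECORD_HEADER_LEN + incl_len > len(data):
            truncated = True
            break
        offset += RECORD_HEADER_LEN + incl_len
        packets += 1
    if offset != len(data):
        truncated = True
    return {
        "format": "pcap",
        "endian": "little" if endian == "<" else "big",
        "timestamp_unit": ts_unit,
        "version": f"{major}.{minor}",
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
        "truncated": truncated,
    }


# Constructed sample 1: the first screen-output line quoted in the thread.
TEXT_OUTPUT = (
    b"435.917846 jasmine.brooklynmuseum.org -> 192.168.4.11 TCP 59474 > 3001 "
    b"[SYN] Seq=2566198018 Ack=0 Win=5840 Len=0 MSS=1460 TSV=438910965 TSER=0 WS=0\n"
)


def build_sample_pcap() -> bytes:
    """Constructed sample 2: a little-endian libpcap file holding one 14-byte Ethernet frame."""
    global_header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"  # dst, src, EtherType IPv4
    record = struct.pack("<IIII", 1114700000, 0, len(frame), len(frame)) + frame
    return global_header + record


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(identify_capture(fh.read()))
    else:
        print("text sample:", identify_capture(TEXT_OUTPUT))
        print("pcap sample:", identify_capture(build_sample_pcap()))
```

Run it with a file argument to classify a real file; with no argument it classifies the two built-in samples, reporting the thread's output as `text` and the constructed file as a version 2.4 little-endian pcap with one packet and no truncation. The version and link-type fields are also what you would compare when two tethereal builds are suspected of writing different files.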