Hi,

Using Wireshark (version 1.8.4) on Windows 7, I captured a couple of hundred packets in a pcap file (using pcap and not pcapng format). Then I used the editcap command line utility as below to retain only the 184th packet:

    editcap -r in.pcap out.pcap 184

I copied these two pcap files onto a Fedora Linux machine.

    $ file in.pcap
    small.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
    $ file out.pcap
    out.pcap: data

As seen above, Linux does not recognize the file type of the output file generated by editcap. Now I used editcap on Linux with the same command line as above and again checked the file type of the newly generated out.pcap:

    $ file out.pcap
    out.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

Is this a bug in Windows-based editcap?

Thanks,
Mahendra

asked 14 Dec '12, 00:24 Mahendra
edited 14 Dec '12, 20:30 Guy Harris ♦♦
One Answer:
editcap 1.8.4 writes pcap-ng by default, so if your Fedora magic file (the database used by file) does not support pcap-ng, it will simply show "data". What is your Fedora version? Please try to write a pcap file with editcap and then copy that to Fedora.
If that does not solve the problem, please post the output of the following command for both files on Linux:

Regards

answered 14 Dec '12, 06:33 Kurt Knochner ♦
edited 14 Dec '12, 06:36

Thanks Kurt. The editcap command line you gave above worked for me. (14 Dec '12, 10:07) Mahendra
I have a Unix drive mapped on my Windows PC using a Samba server, so I just used Windows Explorer for this copy-paste.
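The answer above turns on what file(1) actually does: it compares the first bytes of the file against its magic database, so a pcapng file is reported as "data" on a system whose database predates that format, even though the file is perfectly valid. The following is an added example (not part of the original thread, and not Wireshark or editcap code) that performs the same header check directly in Python for both formats and both byte orders, so the classification no longer depends on the local magic database. The sample headers are constructed in the script rather than read from real captures, and the function and helper names are my own.

```python
"""Recognise pcap vs pcapng capture files from their magic bytes.

Added example, not from the original thread: file(1) only knows what its magic
database lists, so a pcapng file produced by editcap shows up as "data" on a
system whose database predates pcapng. Checking the header bytes directly
gives a format answer that does not depend on that database.
"""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4         # classic libpcap header, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D         # libpcap variant with nanosecond timestamps
PCAPNG_SHB_TYPE = 0x0A0D0D0A       # pcapng Section Header Block type (same in either byte order)
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D

# Small subset of LINKTYPE_* values; anything else is reported numerically.
LINKTYPE_NAMES = {1: "Ethernet", 101: "Raw IP", 113: "Linux cooked", 127: "802.11 radiotap"}

ENDIANS = (("<", "little-endian"), (">", "big-endian"))


def identify_capture(data: bytes) -> str:
    """Return a file(1)-style description of the header in `data`, or "data" if unrecognised."""
    if len(data) < 4:
        return "data"

    # pcapng: the SHB type field is a palindrome, so it reads the same in both byte orders.
    # The byte-order magic at offset 8 tells us which order the rest of the file uses.
    if struct.unpack("<I", data[:4])[0] == PCAPNG_SHB_TYPE:
        if len(data) < 16:
            return "data"
        for fmt, name in ENDIANS:
            bom, major, minor = struct.unpack(fmt + "IHH", data[8:16])
            if bom == PCAPNG_BYTE_ORDER_MAGIC:
                return f"pcapng capture file ({name}) - version {major}.{minor}"
        return "data"

    # classic pcap: 24-byte global header, the magic value decides the byte order
    for fmt, name in ENDIANS:
        magic = struct.unpack(fmt + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            if len(data) < 24:
                return "data"
            major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(fmt + "HHiIII", data[4:24])
            link = LINKTYPE_NAMES.get(linktype, f"linktype {linktype}")
            ts = ", nanosecond timestamps" if magic == PCAP_MAGIC_NS else ""
            return f"tcpdump capture file ({name}) - version {major}.{minor} ({link}, capture length {snaplen}{ts})"

    return "data"


def identify_file(path: str) -> str:
    """Read just the header of a real file on disk and classify it."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(32))


# --- constructed sample headers (not real captures) -------------------------

def pcap_header(fmt: str = "<", snaplen: int = 65535, linktype: int = 1) -> bytes:
    """Global header as libpcap writes it: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack(fmt + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype)


def pcapng_shb(fmt: str = "<") -> bytes:
    """Minimal pcapng Section Header Block: version 1.0, no options, section length -1 (unknown)."""
    body = struct.pack(fmt + "IHHq", PCAPNG_BYTE_ORDER_MAGIC, 1, 0, -1)
    total = 4 + 4 + len(body) + 4            # type + length + body + trailing length = 28
    return struct.pack(fmt + "II", PCAPNG_SHB_TYPE, total) + body + struct.pack(fmt + "I", total)


if __name__ == "__main__":
    samples = {
        "in.pcap (pcap, little-endian)": pcap_header(),
        "out.pcap as a pcapng default would write it": pcapng_shb(),
        "pcap written on a big-endian host": pcap_header(">"),
        "not a capture at all": b"PK\x03\x04" + b"\x00" * 28,
    }
    for label, header in samples.items():
        print(f"{label}: {identify_capture(header)}")
```

Run it as a script to see the four constructed headers classified, or call identify_file() on a real capture. The pcap branch reproduces the wording file(1) printed for in.pcap above, and the pcapng branch reports the format where an old magic database would only say "data"; the byte-order check matters because a capture written on a big-endian host carries the same magic with the bytes reversed.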