I have a raw tcpdump text file like
Where Wireshark responds to opening the file with: "The file "xxxxx" isn't a capture file in a format Wireshark understands."
Do you have a converter? or something that will assist me?
asked 01 Mar '13, 11:06
edited 20 Jun '14, 17:23
Guy Harris ♦♦
Sure, as your tcpdump output is just text-based. Wireshark needs a binary format called pcap or pcap-ng.
No, but you can write the tcpdump output in pcap format.
Then open that file with Wireshark.
answered 01 Mar '13, 11:26
Kurt Knochner ♦
Please have a look at the answers to this similar question...
answered 01 Mar '13, 11:25
As the output of tcpdump was its text-mode output, the only information available in the file is the information tcpdump printed; even if it were possible to convert that file to a pcap file, the pcap file would not contain any more information than is available in the printout - the TCP payload of the two packets you showed, for example, is permanently lost and you will not ever be able to get it back.
If you need that information in order to solve a problem, you're out of luck. At best, you can try to get another trace, if whatever problem you're trying to diagnose can be made to happen again, and this time have them use tcpdump with the
Apple have a pretty good technical note on how to take network traces; it discusses this from the point of view of an OS X user, and mentions some OS X-only tools, but it also mentions tcpdump in the "Getting Started With tcpdump" section, and that section applies to other UN*Xes, once you replace "If you're running on a system prior to OS X 10.6" with "If you're using tcpdump 0.x or 1.0.x" and "on OS X 10.6 and later" with "with tcpdump 1.1.0 and later", and replace the stuff talking about the
answered 01 Mar '13, 15:36
Guy Harris ♦♦
Use -vvv to create a pcap file which Wireshark can open.
tcpdump -i eth0 -s 0 -vvv -w ./dump.pcap
answered 24 Jun '14, 17:32
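An added example, not code from any of the answers above, showing the pcap container the answers describe: it writes a constructed Ethernet/IPv4/TCP frame into a pcap file, parses it back, and extracts the TCP payload that survives only in the binary capture and not in tcpdump's text output. The MAC and IP addresses, ports, timestamp and payload are constructed sample values, and checksums are left as zero.

```python
import io
import struct

PCAP_MAGIC = 0xa1b2c3d4       # microsecond-timestamp pcap, written little-endian here
LINKTYPE_ETHERNET = 1

def build_tcp_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (sample data; checksums left as zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst, src, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535) -> bytes:
    """records: iterable of (ts_sec, ts_usec, frame). Returns the bytes of a pcap file."""
    out = io.BytesIO()
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in records:
        # record header: ts_sec, ts_usec, captured length, original length
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()

def read_pcap(data: bytes):
    """Parse pcap bytes into a list of (ts_sec, ts_usec, frame); rejects non-pcap input."""
    if len(data) < 24:
        raise ValueError("not a pcap file: too short")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xd4c3b2a1:             # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a pcap file: bad magic")   # e.g. tcpdump text output
    records, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        records.append((ts_sec, ts_usec, data[pos:pos + incl_len]))
        pos += incl_len
    return records

def tcp_payload(frame: bytes) -> bytes:
    """Return the TCP payload of an Ethernet/IPv4/TCP frame (the bytes text output drops)."""
    ihl = (frame[14] & 0x0f) * 4            # IPv4 header length from the IHL field
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4   # TCP data offset in 32-bit words
    return frame[tcp_off + data_off:]
```

Writing `write_pcap(...)` to a file with a `.pcap` extension gives Wireshark something it can open, which is what `tcpdump -w` produces directly.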