This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tcpdump text output to pcap

1

I have a raw tcpdump text file like

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:22:24.464282 IP 1.4.0.2.50425 > 1.4.1.75.8009: P 3284624349:3284624961(612) ack 4160875603 win 602 <nop,nop,timestamp 1267965975 3686849135>
17:22:24.464353 IP 1.4.0.2.50425 > 1.4.1.75.8009: P 612:1401(789) ack 1 win 602 <nop,nop,timestamp 1267965975 3686849135>

Where Wireshark responds to opening the file with "The file "xxxxx" isn't a capture file in a format wireshark understands."

Do you have a converter? or something that will assist me?

asked 01 Mar '13, 11:06


BeastyISNT
accept rate: 0%

edited 20 Jun '14, 17:23


Guy Harris ♦♦

I also tried

editcap -F libpcap ws_gsk_web001_v3 output.pcap
editcap: Can't open ws_gsk_web001_v3: The file isn't a capture file in a known format

I also tried -T unknown, -T unknown-nettl, -T ether, -T eht0

Your thoughts? And thank you for your time and effort.

(01 Mar '13, 11:10) BeastyISNT

4 Answers:

2

Where Wireshark responds to opening the file with "The file "xxxxx" isn't a capture file in a format wireshark understands."

Sure, as your tcpdump output is just text-based. Wireshark needs a binary format called pcap or pcap-ng.

Do you have a converter? or something that will assist me?

No, but you can write the tcpdump output in pcap format.

tcpdump -ni eth0 -s0 -w /var/tmp/capture.pcap

Then open that file with Wireshark.

Regards
Kurt

answered 01 Mar '13, 11:26


Kurt Knochner ♦
accept rate: 15%

Would love to re-run the tcpdump; however the data is provided by a hosted tier. I do not have access to run the process. Will check into http://code.google.com/p/pcapr/wiki/Xtractr as stated in the first comment.

(01 Mar '13, 11:34) BeastyISNT

xtractr won't help, as it needs a pcap file, which you don't get from the hosted tier.

(01 Mar '13, 12:12) Kurt Knochner ♦

or something that will assist me?

BTW: assist in what? Troubleshooting or converting?

(01 Mar '13, 12:30) Kurt Knochner ♦

0

Please have a look at the answers to this similar question...

answered 01 Mar '13, 11:25


SYN-bit ♦♦
accept rate: 20%

0

As the output of tcpdump was its text-mode output, the only information available in the file is the information tcpdump printed; even if it were possible to convert that file to a pcap file, the pcap file would not contain any more information than is available in the printout - the TCP payload of the two packets you showed, for example, is permanently lost and you will not ever be able to get it back.

If you need that information in order to solve a problem, you're out of luck. At best, you can try to get another trace, if whatever problem you're trying to diagnose can be made to happen again, and this time have them use tcpdump with the -w option, so that it writes out a pcap file. They should also use -s 0 in the tcpdump command, so that they get the full packet data.

Apple have a pretty good technical note on how to take network traces; it discusses this from the point of view of an OS X user, and mentions some OS X-only tools, but it also mentions tcpdump in the "Getting Started With tcpdump" section, and that section applies to other UN*Xes, once you replace "If you're running on a system prior to OS X 10.6" with "If you're using tcpdump 0.x or 1.0.x" and "on OS X 10.6 and later" with "with tcpdump 1.1.0 and later", and replace the stuff talking about the -i option with whatever is appropriate for your OS and machine. That note mentions both -w and -s 0, as they are very important for getting traces to be sent to somebody else to analyze.

answered 01 Mar '13, 15:36


Guy Harris ♦♦
accept rate: 19%

Thanks Everyone who responded it was very helpful! Not sure how I mark this as answered.

(23 Jun '14, 05:58) bz6djs

You can't in this question, as it's not your own question. If you think your own question has been answered, click on the check mark.

(23 Jun '14, 06:16) Kurt Knochner ♦

-1

Use -vvv to create a pcap file which Wireshark can open.

tcpdump -i eth0 -s 0 -vvv -w ./dump.pcap

answered 24 Jun '14, 17:32


TiME2014
accept rate: 0%

-v isn't used when you're using -w; -w is the flag to tell tcpdump to write a pcap file, which tcpdump and Wireshark (and some other tools) can read.

I.e.

tcpdump -i eth0 -s 0 -w ./dump.pcap

is sufficient.

(24 Jun '14, 18:13) Guy Harris ♦♦