This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I'm running this command to display traffic in the remote host :

ssh [email protected]_adress 'tshark -f "port !22" -w -' | wireshark -k -i -

with some hosts it works fine but with some other hosts it returns this error :

unrecognized libpcap format

Could you help me please?

Thank you.

asked 06 Jan '14, 06:49

Manou's gravatar image

Manou
1112
accept rate: 0%


It is likely that not all hosts are running the same version of Wireshark. For those hosts returning the unrecognized libpcap format error, my guess is that tshark is writing pcap-ng output by default, but there are known problems with Wireshark attempting to read pcap-ng data from a pipe.

To force tshark to write pcap output instead of pcap-ng output, try passing the -F pcap option to tshark.

permanent link

answered 06 Jan '14, 08:44

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

Hello,

Thank you for your reply. When passing -F pcap option I have this output:

tshark: "pcap" isn't a valid capture file type tshark: The available capture file types for the "-F" flag are: 5views - InfoVista 5View capture btsnoop - Symbian OS btsnoop commview - TamoSoft CommView dct2000 - Catapult DCT2000 trace (.out format) erf - Endace ERF capture eyesdn - EyeSDN USB S0/E1 ISDN trace format k12text - K12 text file lanalyzer - Novell LANalyzer libpcap - Wireshark/tcpdump/... - libpcap modlibpcap - Modified tcpdump - libpcap netmon1 - Microsoft NetMon 1.x netmon2 - Microsoft NetMon 2.x nettl - HP-UX nettl trace ngsniffer - NA Sniffer (DOS) ngwsniffer_1_1 - NA Sniffer (Windows) 1.1 ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x niobserver - Network Instruments Observer nokialibpcap - Nokia tcpdump - libpcap nseclibpcap - Wireshark - nanosecond libpcap nstrace10 - NetScaler Trace (Version 1.0) nstrace20 - NetScaler Trace (Version 2.0) pcapng - Wireshark - pcapng rf5 - Tektronix K12xx 32-bit .rf5 format rh6_1libpcap - RedHat 6.1 tcpdump - libpcap snoop - Sun snoop suse6_3libpcap - SuSE 6.3 tcpdump - libpcap visual - Visual Networks traffic capture

(07 Jan '14, 01:35) Manou

Looks like your version of tshark (which is?) uses the flag libpcap.

(07 Jan '14, 02:09) grahamb ♦

I just noticed that tshark versions are different: In my local machine I have TShark 1.6.7 and in the remote host I have TShark 1.8.10 so it could be the cause of this problem.

(07 Jan '14, 02:36) Manou

Just ensure that the tshark instance that is generating the traffic has the appropriate -F flag (libpcap | pcap). That will produce output that Wireshark can consume.

(07 Jan '14, 02:47) grahamb ♦

Don't use tshark to capture, use dumpcap. Check the wiki for other suggestions, use the sharkfin maybe?

permanent link

answered 07 Jan '14, 06:52

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Hello,

Thank you Jaap for your answer. The problem has been solved by using this command :

ssh [email protected] tcpdump -U -s0 -w - 'not port 22' | wireshark -k -i -

So I just used tcpdump instead of tshark and it resolve the problem.

Thank You

(09 Jan '14, 01:59) Manou

Apart from the correct observation, for a host of other reasons, that tcpdump is a better tool for pure capture tasks, it works because tcpdump always generates pcap output, hence no need for the appropriate flag.

Until tcpdump starts to output pcapng (I have no idea if this is likely to happen).

(09 Jan '14, 02:26) grahamb ♦

Until tcpdump starts to output pcapng (I have no idea if this is likely to happen).

If you're a Mac (or Hackintosh :-)) user, it already happened, if you're running a recent enough OS, although it's not the default (unless you're capturing from the "any" device or from a pktap device).

Support for writing pcapng files will probably happen in the main libpcap code base at some point, and tcpdump will support it (with a -P flag, for Mac OS X, err, OS X, err, macOS compatibility; it won't do so by default, for compatibility with everything else).

(08 Jul '16, 18:29) Guy Harris ♦♦

Are all hosts listed in your "known_hosts" file? If not, there will be a fingerprint check which disrupts the libpcap format. Can you log in with ssh manually into each of the failing hosts to make sure they are listed in your "known_hosts" file?

permanent link

answered 06 Jan '14, 12:54

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Hello,

Thank you for your reply.

All hosts are listed in my "known_hosts" file and I can easily connect with ssh to all hosts. This problem is only with wireshark.

(07 Jan '14, 01:37) Manou

I think that issue was because of libpcap version. The libpcap version for tshark and wireshark were different. That is why you were getting 'unrecognized libpcap format'. It works with tcpdump, because they both uses same libpcap version.

permanent link

answered 08 Jul '16, 16:23

ashuaeron's gravatar image

ashuaeron
61
accept rate: 0%

Nope. Wireshark doesn't use libpcap to read or write capture files, it uses its own code. Chris Maynard's answer is the correct answer; we really need to fix the error message in the short term (and, if possible, support reading both pcap and pcapng data from the pipe in the long term).

(08 Jul '16, 18:31) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×25

question asked: 06 Jan '14, 06:49

question was seen: 29,974 times

last updated: 08 Jul '16, 18:38

p​o​w​e​r​e​d by O​S​Q​A