Hello, I'm running this command to display traffic in the remote host : with some hosts it works fine but with some other hosts it returns this error : Could you help me please? Thank you. asked 06 Jan '14, 06:49  Manou |
4 Answers:
It is likely that not all hosts are running the same version of Wireshark. For those hosts returning the unrecognized libpcap format error, my guess is that To force answered 06 Jan '14, 08:44  cmaynard ♦♦ |
Don't use tshark to capture, use dumpcap. Check the wiki for other suggestions, use the sharkfin maybe? answered 07 Jan '14, 06:52  Jaap ♦ Hello, Thank you Jaap for your answer. The problem has been solved by using this command : So I just used tcpdump instead of tshark and it resolve the problem. Thank You (09 Jan '14, 01:59) Manou Apart from the correct observation, for a host of other reasons, that tcpdump is a better tool for pure capture tasks, it works because tcpdump always generates pcap output, hence no need for the appropriate flag. Until tcpdump starts to output pcapng (I have no idea if this is likely to happen). (09 Jan '14, 02:26) grahamb ♦
If you're a Mac (or Hackintosh :-)) user, it already happened, if you're running a recent enough OS, although it's not the default (unless you're capturing from the "any" device or from a pktap device). Support for writing pcapng files will probably happen in the main libpcap code base at some point, and tcpdump will support it (with a (08 Jul '16, 18:29) Guy Harris ♦♦ |
Are all hosts listed in your "known_hosts" file? If not, there will be a fingerprint check which disrupts the libpcap format. Can you log in with ssh manually into each of the failing hosts to make sure they are listed in your "known_hosts" file? answered 06 Jan '14, 12:54  SYN-bit ♦♦ Hello, Thank you for your reply. All hosts are listed in my "known_hosts" file and I can easily connect with ssh to all hosts. This problem is only with wireshark. (07 Jan '14, 01:37) Manou |
I think that issue was because of libpcap version. The libpcap version for tshark and wireshark were different. That is why you were getting 'unrecognized libpcap format'. It works with tcpdump, because they both uses same libpcap version. answered 08 Jul '16, 16:23  ashuaeron Nope. Wireshark doesn't use libpcap to read or write capture files, it uses its own code. Chris Maynard's answer is the correct answer; we really need to fix the error message in the short term (and, if possible, support reading both pcap and pcapng data from the pipe in the long term). (08 Jul '16, 18:31) Guy Harris ♦♦ |
Hello,
Thank you for your reply. When passing -F pcap option I have this output:
tshark: "pcap" isn't a valid capture file type tshark: The available capture file types for the "-F" flag are: 5views - InfoVista 5View capture btsnoop - Symbian OS btsnoop commview - TamoSoft CommView dct2000 - Catapult DCT2000 trace (.out format) erf - Endace ERF capture eyesdn - EyeSDN USB S0/E1 ISDN trace format k12text - K12 text file lanalyzer - Novell LANalyzer libpcap - Wireshark/tcpdump/... - libpcap modlibpcap - Modified tcpdump - libpcap netmon1 - Microsoft NetMon 1.x netmon2 - Microsoft NetMon 2.x nettl - HP-UX nettl trace ngsniffer - NA Sniffer (DOS) ngwsniffer_1_1 - NA Sniffer (Windows) 1.1 ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x niobserver - Network Instruments Observer nokialibpcap - Nokia tcpdump - libpcap nseclibpcap - Wireshark - nanosecond libpcap nstrace10 - NetScaler Trace (Version 1.0) nstrace20 - NetScaler Trace (Version 2.0) pcapng - Wireshark - pcapng rf5 - Tektronix K12xx 32-bit .rf5 format rh6_1libpcap - RedHat 6.1 tcpdump - libpcap snoop - Sun snoop suse6_3libpcap - SuSE 6.3 tcpdump - libpcap visual - Visual Networks traffic captureLooks like your version of tshark (which is?) uses the flag
libpcap.I just noticed that tshark versions are different: In my local machine I have TShark 1.6.7 and in the remote host I have TShark 1.8.10 so it could be the cause of this problem.
Just ensure that the tshark instance that is generating the traffic has the appropriate -F flag (
libpcap|pcap). That will produce output that Wireshark can consume.