I have tried both versions of Wireshark (1.2.15 and 1.4.4). I have installed the 32 bit version on a Windows XP PC running service pack3 and the 64 bit version on a Windows 7 PC (running Windows 7 Enterprise with service pack 1). I have a snoop capture file from a SUN 35220 machine running Solaris 10. If I open the capture file on the XP machine using Wireshark it opens correctly and displays the data correctly (it is primarily SCTP/M3ua). If I open the same capture file on the Windows 7 machine the wireshark loads 4 packets and puts up a message box with the following message: The capture file appears to be damaged or corrupt. (snoop: File has 1174405120-byte packet, bigger than maximum of 65535) asked 31 Mar '11, 07:40 britdave edited 31 Mar '11, 15:01 SYN-bit ♦♦ |
2 Answers:
First of all, please check whether the snoop file on the XP system is exactly the same as on the Win7 box (you can do a MD5 checksum). The most common source of these errors is when the file is transferred by FTP in ASCII mode. If the files are the same, please make sure you use the same version of Wireshark on both systems, there might be a problem in one of the Wireshark versions (either already solved or recently introduced). If there is still a difference between the two systems, please check your preferences whether there is a difference there. Ideally you would delete all preferences on both systems to start with all default settings. If the problem still exists on Win7 (or now exist on both systems), please open a bug report on https://bugs.wireshark.org and attach the tracefile so that the problem can be investigated. answered 31 Mar '11, 07:53 SYN-bit ♦♦ |
You might use pcapfix which trys to repair the corrupted packets to make your file readable with wireshark again. But I think the cause of your issue will stay the same... any bug or transfer problem. Maybe the output of the tool and kind of corruption will help you identifying a possible reason for the problem. answered 05 May '12, 14:21 creeq |
Thanks for the quick response. I thought I had checked everything. I have a new FTP program and used it to transfer the files to the Windows 7 machine. I deleted the files and used the command line FTP on the Windows 7 pc with the bin switch set.I can now open the file in wireshark. Again, thanks for the timely response.
I have run into this error message consistently when trying to view capture files recorded on a linux system with tcpdump. In this specific case the linux box is a VM within OpenVZ.
I had taken these steps to confirm the file wasn't corrupt: -verified it was entirely readable using tcpdump on 3 different systems: the original linux machine, another physical linux machine, and my mac os 10.7 -re-transferred using usb stick, and verified file sizes
I have observed the same bug when using wireshark on all 3 machines: windows, mac os 10.7, and on ubuntu. Sorry, didn't grab the versions of wireshark on all 3, but I believe they were all very recent (post 1.6)
Bug? Thanks, Shawn
Shawn, your problem is probably a completely different problem, as you transferred your file between UN*X boxes and didn't transfer it with FTP. I'd suggest filing a bug, giving the exact error message (including the size numbers), and attaching the capture file.
I'd like to second SYN-bit's answer. I encountered the same error as the OP, in my case after transferring a packet capture from a Check Point firewall to a TFTP server. Apparently the default TFTP mode on the firewall is ASCII, but when I manually changed it to binary, I was then able to view the capture in Wireshark.