I have tried both versions of Wireshark (1.2.15 and 1.4.4). I have installed the 32-bit version on a Windows XP PC running Service Pack 3 and the 64-bit version on a Windows 7 PC (running Windows 7 Enterprise with Service Pack 1). I have a snoop capture file from a SUN 35220 machine running Solaris 10. If I open the capture file on the XP machine using Wireshark, it opens correctly and displays the data correctly (it is primarily SCTP/M3UA). If I open the same capture file on the Windows 7 machine, Wireshark loads 4 packets and puts up a message box with the following message: The capture file appears to be damaged or corrupt. (snoop: File has 1174405120-byte packet, bigger than maximum of 65535)
asked 31 Mar '11, 07:40
edited 31 Mar '11, 15:01
First of all, please check whether the snoop file on the XP system is exactly the same as on the Win7 box (you can do an MD5 checksum). The most common source of these errors is when the file is transferred by FTP in ASCII mode.
If the files are the same, please make sure you use the same version of Wireshark on both systems; there might be a problem in one of the Wireshark versions (either already solved or recently introduced).
If there is still a difference between the two systems, please check your preferences whether there is a difference there. Ideally you would delete all preferences on both systems to start with all default settings.
If the problem still exists on Win7 (or now exists on both systems), please open a bug report on https://bugs.wireshark.org and attach the tracefile so that the problem can be investigated.
answered 31 Mar '11, 07:53
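The two checks suggested in the answer above (comparing MD5 checksums and suspecting an ASCII-mode FTP transfer) can be scripted. The following is an added example, not part of the original answer: it walks snoop records assuming the RFC 1761 layout and runs on a constructed three-record capture whose third packet is 70 bytes, so that a single LF-to-CRLF conversion reproduces the same length value as the error message in the question. All function names are hypothetical.

```python
import hashlib
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"
MAX_PACKET = 65535                  # limit quoted in the Wireshark error message
REC_HDR = struct.Struct(">IIIIII")  # orig_len, incl_len, rec_len, drops, sec, usec

def md5_hex(data):
    """Checksum to compare between the two machines."""
    return hashlib.md5(data).hexdigest()

def check_snoop(data):
    """Walk the records (RFC 1761 layout); return (good_records, problem or None)."""
    if data[:8] != SNOOP_MAGIC:
        return 0, "bad magic at offset 0"
    offset, good = 16, 0            # 8-byte magic + 4-byte version + 4-byte link type
    while offset < len(data):
        if offset + REC_HDR.size > len(data):
            return good, f"truncated record header at offset {offset}"
        _, incl_len, rec_len, _, _, _ = REC_HDR.unpack_from(data, offset)
        if incl_len > MAX_PACKET:
            return good, f"{incl_len}-byte packet at offset {offset}"
        if rec_len < REC_HDR.size + incl_len or offset + rec_len > len(data):
            return good, f"bad record length {rec_len} at offset {offset}"
        offset += rec_len
        good += 1
    return good, None

def make_record(payload):
    """Build one record: 24-byte header, payload, zero padding to 4 bytes."""
    pad = -len(payload) % 4
    rec_len = REC_HDR.size + len(payload) + pad
    return REC_HDR.pack(len(payload), len(payload), rec_len, 0, 0, 0) + payload + bytes(pad)

def make_sample():
    """Constructed capture: three records, the second holding one 0x0a byte."""
    header = SNOOP_MAGIC + struct.pack(">II", 2, 4)   # version 2, link type 4 (Ethernet)
    payloads = [b"\x01" * 60, b"\x02" * 30 + b"\n" + b"\x02" * 39, b"\x03" * 70]
    return header + b"".join(make_record(p) for p in payloads)

def ascii_mode_copy(data):
    """What a Unix-to-Windows ASCII-mode transfer does: LF becomes CRLF."""
    return data.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    original = make_sample()
    damaged = ascii_mode_copy(original)
    for name, blob in (("original", original), ("damaged", damaged)):
        print(name, md5_hex(blob), len(blob), check_snoop(blob))
```

To check a real capture, pass `check_snoop` the bytes of the file read in binary mode on each machine and compare the `md5_hex` values.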
You might use pcapfix, which tries to repair the corrupted packets to make your file readable with Wireshark again. But I think the cause of your issue will stay the same... any bug or transfer problem. Maybe the output of the tool and kind of corruption will help you identify a possible reason for the problem.
answered 05 May '12, 14:21