This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark is not able to display the capture-packet for VPN interface

0

Hi, when I capture the packet on the VPN interface, it is capturing the packet, but I have to use the -w .pcap command and then I need to use Wireshark to see the packet.

Output when I run tshark -i vpn_interfacename:

Running as user "root" and group "root". This could be dangerous.
Capturing on tun0
0.000000 -> UNKNOWN WTAP_ENCAP = 7
0.000763 -> UNKNOWN WTAP_ENCAP = 7
1.003662 -> UNKNOWN WTAP_ENCAP = 7
1.004461 -> UNKNOWN WTAP_ENCAP = 7

... I looked into the source code ../epan/dissectors/... but I could not get any proper solution.

Please help me out.

Thanks, Deepak

asked 09 Jun '14, 03:54


deepak660d
accept rate: 0%

edited 09 Jun '14, 04:30


grahamb ♦

What is your:

  • OS and OS version
  • tshark version (tshark -v)
  • Wireshark version (wireshark -v)
(09 Jun '14, 10:22) Kurt Knochner ♦

Hi,

tshark -v

TShark 1.4.3 Compiled (32-bit) with GLib 2.12.3, with libpcap 0.9.4, without libz, with POSIX capabilities (Linux), with libpcre (version unknown), without SMI, without c-ares, without ADNS, without Lua, without Python, without GnuTLS, with Gcrypt 1.4.4, without Kerberos, without GeoIP. Running on Linux 2.6.32.10, with libpcap version 0.9.4. Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-46).

wireshark -v

-bash: wireshark: command not found

(09 Jun '14, 21:21) deepak660d

Hi, before this problem this error was coming: tshark: arptype 65534 not supported by libpcap - falling back to cooked socket. So I just made some changes inside the function map_arphdr_to_dlt for ARPHRD_NONE (65534) and gave the linktype as DLT_RAW.

But after this it's not able to display on the console.

Thanks.

(09 Jun '14, 21:29) deepak660d

2 Answers:

0

TShark 1.4.3 Compiled
and then i need to use wireshark to see the packet .
-bash: wireshark: command not found

Apparently you are capturing on one system and you are doing the analysis with Wireshark on another system, right?

So, I guess, the tshark version on that system is unable to interpret the encapsulation type (as it shows a UNKNOWN WTAP_ENCAP error), but the Wireshark version you are using to do the analysis does support it.

Solution for you: Either upgrade the tshark version on that system, or if that is not possible, do what you already did: Capture on the system with tshark -w or tcpdump and do the analysis on another system.

Regards
Kurt

answered 10 Jun '14, 03:36


Kurt Knochner ♦
accept rate: 15%

edited 10 Jun '14, 03:37

Yup, I am using Wireshark for further analysis, and the Wireshark version is 1.6.7 (in Windows).

Thanks

(10 Jun '14, 10:05) deepak660d

I have the source code for Wireshark 1.4.3 and I am building tshark for my own Linux system only. I just checked with Wireshark 1.4.3 (in Windows); it displays the captured packets properly. So the problem I am getting is for tshark only, not Wireshark of the same version, which is part of Wireshark with some configuration. So could you please check what things I am missing in my source code?

Thanks, Deepak

(10 Jun '14, 10:23) deepak660d

0

Your version of TShark either has a bug or was somehow incorrectly built; normal Wireshark/TShark 1.4.3 can handle LINKTYPE_RAW/DLT_RAW captures (LINKTYPE_RAW maps to WTAP_ENCAP_RAW_IP, which has a value of 7).

I don't know why it was incorrectly built; you will have to figure that out yourself, or try running a pre-built version of Wireshark/TShark for your Linux system.

answered 10 Jun '14, 11:05


Guy Harris ♦♦
accept rate: 19%

As I have given the info, the previous problem was "arptype 65534 not supported by libpcap - falling back to cooked socket", so I just made some changes inside the function map_arphdr_to_dlt for ARPHRD_NONE (65534) and gave the linktype as DLT_RAW; it's capturing the file. So libpcap is now OK. But why is tshark saying unknown wtap_encap? It means I am missing something.

(10 Jun '14, 21:06) deepak660d

Hi, when I am running on the "any" interface:

tshark -i any

Running as user "root" and group "root". This could be dangerous.
Capturing on Pseudo-device that captures on all interfaces
tshark: Promiscuous mode not supported on the "any" device.

0.000000 -> UNKNOWN WTAP_ENCAP = 25

0.000022 -> UNKNOWN WTAP_ENCAP = 25

0.000030 -> UNKNOWN WTAP_ENCAP = 25

0.000037 -> UNKNOWN WTAP_ENCAP = 25

(11 Jun '14, 06:42) deepak660d

@deepak660d

Your "answer" have been converted to comments as that's how this site works. Please read the FAQ for more information.

(11 Jun '14, 06:57) grahamb ♦

But why is tshark saying unknown wtap_encap? It means I am missing something.

You're missing a version of Wireshark in which the dissector for "raw IP" captures registers itself. That is not the case with the standard versions of Wireshark that we provide, so whoever built the version of Wireshark you're doing has made a mistake of some sort.

And, apparently, you're also missing a version of Wireshark in which the dissector for Linux cooked captures registers itself; that's why you're getting "UNKNOWN WTAP_ENCAP = 25".

Please try NOT building your own version of Wireshark, and try just running a pre-built version.

(No, this is not a TShark vs. Wireshark issue; they use the same code to dissect packets, and if you've built Wireshark as well as TShark, both of them will have the same problem on your Linux box.)

(11 Jun '14, 09:44) Guy Harris ♦♦
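The two error codes in this thread, WTAP_ENCAP 7 (raw IP, what a DLT_RAW capture on the tun interface becomes) and WTAP_ENCAP 25 (Linux cooked, what the "any" device produces), each correspond to a pcap link-layer type that a correctly built dissector table resolves to a registered dissector. As an added example (not code from this thread or from the Wireshark project), the Python below reads the pcap file written with tshark -w, reports its link-layer type, maps it to those wiretap codes, and applies the same first-step logic the two dissectors use: the leading nibble of a raw-IP frame selects IPv4 or IPv6, and the 16-byte cooked header carries the ARPHRD type and protocol. The pcap bytes and packets are constructed inline, so it runs offline; the ARPHRD value 65534 in the cooked sample is the ARPHRD_NONE from the poster's error message.

```python
"""Inspect a classic pcap file's link-layer type and decode the first layer of
raw-IP and Linux cooked frames. Added example, not Wireshark's own code."""
import struct

# pcap file LINKTYPE_* values (stable in files, unlike some platform DLT_ values)
LINKTYPE_RAW = 101        # raw IP: the packet starts directly with the IP header
LINKTYPE_LINUX_SLL = 113  # Linux "cooked" capture, used by the "any" pseudo-device

# Wireshark's wiretap encapsulation codes named in the thread's errors.
LINKTYPE_TO_WTAP = {
    LINKTYPE_RAW: (7, "WTAP_ENCAP_RAW_IP"),
    LINKTYPE_LINUX_SLL: (25, "WTAP_ENCAP_SLL"),
}

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"


def build_pcap(linktype: int, packets: list) -> bytes:
    """Build a little-endian classic pcap in memory (constructed test input)."""
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt  # ts_sec, ts_usec, incl_len, orig_len
    return out


def parse_pcap(data: bytes):
    """Return (linktype, [packet bytes, ...]) from an in-memory pcap file."""
    magic = data[:4]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        packets.append(data[off:off + incl_len])
        off += incl_len
    return linktype, packets


def wtap_encap_for(linktype: int):
    """Map a file link type to (WTAP_ENCAP value, name); None if not covered here."""
    return LINKTYPE_TO_WTAP.get(linktype)


def ip_version_of_raw(packet: bytes) -> int:
    """For LINKTYPE_RAW frames the high nibble of byte 0 is the IP version,
    which is the test a raw-IP dissector applies to pick IPv4 vs IPv6."""
    return packet[0] >> 4


def parse_sll_header(packet: bytes):
    """Linux cooked header (16 bytes, big-endian): packet type, ARPHRD type,
    link-layer address length, 8-byte address, protocol (EtherType for IP)."""
    pkt_type, arphrd, addr_len, addr, proto = struct.unpack("!HHH8sH", packet[:16])
    return {"pkt_type": pkt_type, "arphrd": arphrd, "addr_len": addr_len,
            "proto": proto, "payload": packet[16:]}


# Constructed sample frames: a minimal 20-byte IPv4 header (version nibble 4),
# once as a raw-IP frame and once behind a cooked header with ARPHRD_NONE.
IPV4_HDR = bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)
RAW_PCAP = build_pcap(LINKTYPE_RAW, [IPV4_HDR])
SLL_FRAME = struct.pack("!HHH8sH", 0, 65534, 0, bytes(8), 0x0800) + IPV4_HDR
SLL_PCAP = build_pcap(LINKTYPE_LINUX_SLL, [SLL_FRAME])


def describe(data: bytes) -> str:
    """One-line summary a practitioner can run against a real -w file."""
    linktype, pkts = parse_pcap(data)
    enc = wtap_encap_for(linktype)
    enc_txt = f"WTAP_ENCAP {enc[0]} ({enc[1]})" if enc else "not mapped here"
    if linktype == LINKTYPE_RAW and pkts:
        first = f"first frame IPv{ip_version_of_raw(pkts[0])}"
    elif linktype == LINKTYPE_LINUX_SLL and pkts:
        h = parse_sll_header(pkts[0])
        first = f"first frame arphrd={h['arphrd']} proto=0x{h['proto']:04x}"
    else:
        first = "no frames"
    return f"linktype {linktype} -> {enc_txt}; {len(pkts)} packet(s); {first}"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else RAW_PCAP
    print(describe(data))
    print(describe(SLL_PCAP))
```

Run it with the path to the file produced by tshark -w to see which encapsulation the capture actually carries; if it reports linktype 101 or 113, the capture itself is fine and the "UNKNOWN WTAP_ENCAP" message points at the dissector registration in the locally built tshark, as the answer above says.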