This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

pcapng file from Raspberry Pi not readable on Ubuntu machine

Hi all

I've the following scenario: I've Raspberry Pi (arm architecture) running Kali Linux where I launch tshark in order to capture net packets using followin command: tshark -i eth0 -F pcapng -w capture.pcap -a duration:600 Once done, I've capure.pcap file containing all the packets readable from raspberry.

Well, if I move capture.pcap on Ubuntu 13.10 x64 , both Wireshark and tshark told me that capture.pcap is not recognized.

Same issue on viceversa.

Any idea?

thx

tshark wireshark

asked 18 Jun '14, 14:37

blaskino
16●1●1●4
accept rate: 0%

edited 18 Jun '14, 16:14

Guy Harris ♦♦
17.4k●3●35●196

Well, if I move capture.pcap on Ubuntu 13.10 x64

How do you move the file?

What is the output of the following commands

file capture.pcap
capinfos capture.pcap

(18 Jun '14, 15:33) Kurt Knochner ♦

Hi Kurt, first of all thx for the answer. I move the capture.pcap file via ftp.
The output of file capture.pcap is:
capture.cap: pcap-ng capture file - version 1.0

and the output of capinfos capture.pcap is:
File name: capture.cap File type: Wireshark/... - pcapng File encapsulation: Ethernet Packet size limit: file hdr: (not set) Number of packets: 4215 File size: 792 kB Data size: 651 kB Capture duration: 61 seconds Start time: Wed Jun 18 21:53:35 2014 End time: Wed Jun 18 21:54:36 2014 Data byte rate: 10 kBps Data bit rate: 85 kbps Average packet size: 154,52 bytes Average packet rate: 69 packets/sec SHA1: a49d26d9cc4449eb71387372cc526e270eafc513 RIPEMD160: 11f4a65bb100b8137c24198a664a22ebf4ed3ccc MD5: 7a0e43b3fae414638ca1da1be6e1f25f Strict time order: True

Thanks again!

(18 Jun '14, 15:44) blaskino

One Answer:

So that's the output of capinfos capture.pcap on the Raspberry Pi?

When you FTPed the capture file, did the FTP program indicate whether it was transferred in ASCII mode (which will NOT work - the copy will not be an exact copy and will not be readable) or in binary mode (which should work)?

What does od -bc capture.pcap | head print on the Ubuntu system?

answered 18 Jun '14, 16:13

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%

Hi Guy, yes, capinfos' output is on Raspberry Pi.

The output of od -bc capture.pcap | head
on the ubuntu system is:
0000000 012 015 015 012 144 000 000 000 115 074 053 032 001 000 000 000 \n \r \r \n d \0 \0 \0 M < + 032 001 \0 \0 \0 0000020 377 377 377 377 377 377 377 377 003 000 014 000 114 151 156 165 377 377 377 377 377 377 377 377 003 \0 \f \0 L i n u 0000040 170 040 063 056 061 063 056 060 004 000 057 000 104 165 155 160 x 3 . 1 3 . 0 004 \0 / \0 D u m p 0000060 143 141 160 040 061 056 061 060 056 062 040 050 123 126 116 040 c a p 1 . 1 0 . 2 ( S V N 0000100 122 145 166 040 065 061 071 063 064 040 146 162 157 155 040 057 R e v 5 1 9 3 4 f r o m /

Thanx, now I check the transfer mode on ftp. I'll try also to get the file using a pendrive.

(18 Jun '14, 23:05) blaskino

Solved! It's a matter of file trasfer as you said. Setting up ftp to binary mode both on client and server solved the issue.

Thanks again to Guy and Kurt

(19 Jun '14, 00:57) blaskino

@blaskino

I've moved around the comments and "answers" to create an actual answer.

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(19 Jun '14, 11:14) grahamb ♦