I have several pcap files that I merge together using mergecap on Linux: "mergecap -w output.pcap file1 file2 ...". Once the file is merged, I transfer it from the Linux box to a Windows machine using SecureFX, and when I try to open it, it says "The file X.pcap isn't a capture file in format Wireshark understands." asked 08 Jul '15, 08:50 mrjoli021
If I run the same command in Windows CLI using the exact same files the merge works. For the Linux box I am using CentOS 6.5.
Is your SecureFX tool transferring the file in binary mode (as it should) and not text mode? There is no reason for a pcap file created by mergecap on Linux to not open on Windows, unless it is corrupted during the transfer. A way to verify this would be to compute its MD5 or SHA1 on Linux and then on Windows after transfer and confirm they match.
Yes, it is doing binary; I had already checked that. Same files and same command. One ran on the Windows CLI and I am able to open it in Windows Wireshark; the other ran on CentOS 6.5, and when I transfer the file over it doesn't work. Maybe mergecap damages the files. The command I am using is "mergecap -w file.pcap file1 file2 ..."; the only difference is that on Windows I need to specify mergecap.exe. This is consistent: I run pcaps every day from multiple systems, and every day I can't open the file, but again, the same thing in Windows and I am able to open it.
MD5sum passed before and after transfer.
What version of mergecap do you have on each platform? Post the output of "tshark -v" or "mergecap -V" from each machine here.
Perhaps the "pcap" file on the CentOS is actually a pcapng format, and the Windows version of Wireshark is so old it can't read it?
Windows Wireshark Version 1.8.6
CentOS: TShark 1.8.10 (SVN Rev Unknown from unknown)
I am saving the file as output.pcap should I save it as something else?
Darn, lost my comment...
mergecap (and Wireshark, and tshark) don't care about the file name extension really - they don't use it for deciding things.
Force mergecap to generate an old-style cap file by doing this:
I get this error when running it on CentOS: mergecap: The available capture file types for the "-F" flag are:
OK, so the name was different back then... try "libpcap", i.e.:
By using the suggested method "mergecap -F libpcap -w output.pcap infile1 infile2" I am not getting that error anymore. I am now getting a different error:
"The capture file appears to be damaged or corrupt. (pcap file has 14436269812-byte packet, bigger than maximum of 65535)"
Well that is really weird. You're getting that error on the Windows Wireshark 1.8.6, after copying the file over from CentOS Wireshark 1.8.10?
14436269812 is bigger than a 32-bit unsigned integer - which is what the packet length field is - so how could it even come up with such a big number to print it in the error message?
Well... your options are (1) upgrade the Windows Wireshark to something more modern and not end-of-life, like 1.12.6. Or at least to something newer than 1.8.6. See if that fixes it. Or (2) post a sample merged capture file that's supposedly corrupted, to somewhere we can get at it.
What is the size, in bytes, of the file on the Linux machine, and what is the size, in bytes, of the copy of that file on the Windows machine?
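As an added example (not code from the thread or from the Wireshark project), the following Python script performs the two checks the answers above ask for by hand: it tells a classic pcap apart from a pcapng file by its magic bytes (the difference that "mergecap -F libpcap" removes), and it walks the record headers of a classic pcap to find the first record whose length field is larger than the snaplen or than the 65535-byte limit quoted in the error message. The three sample files are constructed inline: a good two-packet capture, a copy mangled the way a text-mode transfer would mangle it (every LF turned into CRLF), and a copy whose second length field was overwritten. All names are the example's own; the libpcap and pcapng header layouts are the published ones.

```python
import struct

# Magic numbers of the capture formats mergecap can write.
PCAP_MAGIC_US = 0xA1B2C3D4        # classic libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D        # classic libpcap, nanosecond timestamps
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type; same bytes in either byte order
WIRESHARK_18_MAX = 65535          # the "maximum of 65535" quoted in the error message above


def detect_format(data):
    """Classify a capture by its first four bytes: ('pcap', '<' or '>'), ('pcapng', None) or ('unknown', None)."""
    if len(data) < 4:
        return ("unknown", None)
    if data[:4] == PCAPNG_SHB:
        return ("pcapng", None)
    for endian in ("<", ">"):
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            return ("pcap", endian)
    return ("unknown", None)


def check_pcap(data):
    """Walk every record of a classic pcap file and report the first structural problem found."""
    fmt, endian = detect_format(data)
    result = {"format": fmt, "packets": 0, "error": None}
    if fmt != "pcap":
        # Only classic pcap is walked here; anything else is just reported.
        result["error"] = "not a classic pcap file (%s)" % fmt
        return result
    if len(data) < 24:
        result["error"] = "truncated global header (%d bytes)" % len(data)
        return result
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes).
    _magic, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    result.update(version=(vmaj, vmin), snaplen=snaplen, linktype=linktype)
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            result["error"] = "truncated record header at offset %d" % off
            return result
        # Record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on the wire).
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > WIRESHARK_18_MAX:
            result["error"] = ("record %d at offset %d: pcap file has %d-byte packet, bigger than maximum of %d"
                               % (result["packets"] + 1, off, incl_len, min(snaplen, WIRESHARK_18_MAX)))
            return result
        if off + 16 + incl_len > len(data):
            result["error"] = "record %d at offset %d runs past the end of the file" % (result["packets"] + 1, off)
            return result
        off += 16 + incl_len
        result["packets"] += 1
    return result


def build_pcap(payloads, snaplen=65535, endian="<"):
    """Constructed test input: a classic pcap (link type 1, Ethernet) holding the given payloads."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, 1)
    for i, payload in enumerate(payloads):
        out += struct.pack(endian + "IIII", 1436000000 + i, 0, len(payload), len(payload)) + payload
    return out


def build_pcapng_shb():
    """Constructed test input: a minimal pcapng Section Header Block and nothing else."""
    body = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)  # byte-order magic, version 1.0, section length unknown
    length = 4 + 4 + len(body) + 4                    # block type + total length + body + trailing total length
    return PCAPNG_SHB + struct.pack("<I", length) + body + struct.pack("<I", length)


# Constructed samples: a good capture, the same bytes after a text-mode transfer (LF -> CRLF),
# and the same bytes with the second record's incl_len field overwritten.
GOOD = build_pcap([b"GET / HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n"])
TEXT_MODE = GOOD.replace(b"\n", b"\r\n")
SECOND_HDR = 24 + 16 + len(b"GET / HTTP/1.0\r\n\r\n")
BAD_LENGTH = bytearray(GOOD)
BAD_LENGTH[SECOND_HDR + 8:SECOND_HDR + 12] = struct.pack("<I", 0x80000000)
BAD_LENGTH = bytes(BAD_LENGTH)

if __name__ == "__main__":
    samples = (("good", GOOD), ("text-mode", TEXT_MODE), ("bad-length", BAD_LENGTH), ("pcapng", build_pcapng_shb()))
    for name, blob in samples:
        print(name, check_pcap(blob))
```

Run against a real file with `check_pcap(open("output.pcap", "rb").read())` on both machines: if the hashes match but the Windows copy fails, the record walk shows the offset of the first bad length field, which is what the "post a sample file" request is after. The text-mode sample shows why the binary-mode question matters: the magic and global header survive the LF-to-CRLF rewrite, so the file still looks like a pcap, but the first payload containing a newline grows by a byte and the next record header is read from the wrong offset, producing exactly the kind of absurd length the error message reports.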