This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have several pcap files that I merge together using mergecap on Linux. "mergecap -w output.pcap file1 file2 ...."

once the file is merged I then transfer it from the Linux box to a Windows machine using SecureFX and when I try to open it it says "The file X.pcap isn't a capture file in format Wireshark understands."

asked 08 Jul '15, 08:50

mrjoli021's gravatar image

mrjoli021
6224
accept rate: 0%

If I run the same command in Windows CLI using the exact same files the merge works. For the Linux box I am using CentOS 6.5.

(08 Jul '15, 08:55) mrjoli021
1

Is your SecureFX tool transferring the file in binary mode (as it should) and not text mode? There is no reason for a pcap file created by mergecap on Linux to not open on Windows, unless it is corrupted during the transfer. A way to verify this would be to compute its MD5 or SHA1 on Linux and then on Windows after transfer and confirm they match.

(08 Jul '15, 09:12) Pascal Quantin

Yes it is doing Binary I had already checked that. Same files and same command. One ran on windows CLI and I am able to open it on Windows wireshark. the other ran on CentOs 6.5 and when I transfer the file over it doesnt work. Maybe mergecap damages the files. The command I am using is "mergecap -w file.pcap file1 file2 ....." the only difference is that on windows i need to specify mergecap.exe. This is consistent I run pcaps everyday from multiple systems and everyday I cant open the file, but again same thing in windows and i am able to open it.

MD5sum passed before and after transfer.

(08 Jul '15, 13:25) mrjoli021

What version of mergecap do you have on each platform? Post the output of "tshark -v" or "mergecap -V" from each machine here.

Perhaps the "pcap" file on the CentOS is actually a pcapng format, and the Windows version of Wireshark is so old it can't read it?

(08 Jul '15, 13:55) Hadriel

Windows Wireshark Version 1.8.6

CentOS: TShark 1.8.10 (SVN Rev Unknown from unknown)

I am saving the file as output.pcap should I save it as something else?

(08 Jul '15, 14:23) mrjoli021

darn lost my comment...

mergecap (and Wireshark, and tshark) don't care about the file name extension really - they don't use it for deciding things.

Force mergecap to generate a old-style cap file by going this:

mergecap -F pcap -w output.pcap infile1 infile2
(08 Jul '15, 15:09) Hadriel

I get this error on when running in on CentOS: mergecap: The available capture file types for the "-F" flag are:

5views - InfoVista 5View capture
btsnoop - Symbian OS btsnoop
commview - TamoSoft CommView
dct2000 - Catapult DCT2000 trace (.out format)
erf - Endace ERF capture
eyesdn - EyeSDN USB S0/E1 ISDN trace format
k12text - K12 text file
lanalyzer - Novell LANalyzer
libpcap - Wireshark/tcpdump/... - libpcap
modlibpcap - Modified tcpdump - libpcap
netmon1 - Microsoft NetMon 1.x
netmon2 - Microsoft NetMon 2.x
nettl - HP-UX nettl trace
ngsniffer - NA Sniffer (DOS)
ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
niobserver - Network Instruments Observer
nokialibpcap - Nokia tcpdump - libpcap 
nseclibpcap - Wireshark - nanosecond libpcap
nstrace10 - NetScaler Trace (Version 1.0)
nstrace20 - NetScaler Trace (Version 2.0)
pcapng - Wireshark - pcapng
rf5 - Tektronix K12xx 32-bit .rf5 format
rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
snoop - Sun snoop
suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
visual - Visual Networks traffic capture
(08 Jul '15, 15:30) mrjoli021

OK, so the name was different back then... try "libpcap", i.e.:

mergecap -F libpcap -w output.pcap infile1 infile2
(08 Jul '15, 15:47) Hadriel

By using the suggested method "mergecap -F libpcap -w output.pcap infile1 infile2" I not getting that error anymore. I am not getting a different error:

"The capture file appears to be damaged or corrupt. (pcap file has 14436269812-byte packet, bigger than maximum of 65535)"

(08 Jul '15, 17:00) mrjoli021

Well that is really weird. You're getting that error on the Windows Wireshark 1.8.6, after copying the file over from CentOS Wireshark 1.8.10? 14436269812 is bigger than a 32-bit unsigned integer - which is what the packet length field is - so how could it even come up with such a big number to print it in the error message?

Well... your options are (1) upgrade the Windows Wireshark to something more modern and not end-of-life, like 1.12.6. Or at least to something newer than 1.8.6. See if that fixes it. Or (2) post a sample merged capture file that's supposedly corrupted, to somewhere we can get at it.

(08 Jul '15, 18:31) Hadriel

What is the size, in bytes, of the file on the Linux machine, and what is the size, in bytes, of the copy of that file on the Windows machine?

(08 Jul '15, 20:22) Guy Harris ♦♦
showing 5 of 11 show 6 more comments
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×154

question asked: 08 Jul '15, 08:50

question was seen: 2,066 times

last updated: 08 Jul '15, 20:22

p​o​w​e​r​e​d by O​S​Q​A