This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark reading some tcpdump files but not others.

0

I have a Linux box running a cron job of tcpdump constantly with: tcpdump -i eth0 -nnv > blahblahlog.log and I am trying to look at the last few days to research a problem I was seeing. When I change the extension of the capture of today (still ongoing) I just get a little message that it was cut off in the middle of a capture, which I know since I did it. However if I try to open one of the previous days' captures I get "The file "blahblahlog.pcap" isn't a capture file in a format Wireshark understands." I saw in looking here and on StackOverflow that I should use the -w flag, but what I'm confused by is if that is the case why is it able to open the incomplete capture from today and not these other ones?

asked 28 Oct '15, 14:04

WetStoneTech
accept rate: 0%


One Answer:

1

Hi,

the > does not work here. You must use "-i eth0 -nnv -w blahblahlog.log" instead of your example.

Next, you should also add "-s 0" to your command line if you want the complete contents of the packets to be stored and not just the first 60 (?) bytes.

But it is also not clear to me how it is possible that the "today's" capture can be opened.

Regards

Pavel

answered 28 Oct '15, 14:53

sindy
accept rate: 24%

edited 28 Oct '15, 14:54

I've just tried it - as expected, "> filename" saves the text output of tcpdump into "filename", so I don't get how you could open the result with Wireshark. Did Wireshark first complain about the file being cut in the middle of a packet and then show some packets that made sense, or did it show the complaint and that was all?

To double check, you may simply "cat" or "less" the "today's" file; if it is human-readable, it is not a pcap or pcapng file. But it may be so short that Wireshark's heuristics falsely detect it as one of the other formats which Wireshark supports.

(28 Oct '15, 15:17) sindy
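As an added example (not from the thread or from tcpdump/Wireshark), the check sindy describes, done from the shell: a function that looks at a file's first bytes and reports whether it is a pcap file as written by "tcpdump -w" (standard pcap/pcapng magic values), or readable text as produced by "tcpdump -nnv > file". The two sample files are constructed here; the paths and the function name are assumptions.

```shell
#!/bin/sh
# Classify a file the way "cat"/"less" would let you: binary pcap/pcapng
# (what -w writes) versus plain text (what "> file" writes).
capture_kind() {
    f="$1"
    [ -f "$f" ] || { echo "missing"; return 1; }
    # First four bytes as lowercase hex, e.g. "d4c3b2a1".
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo "pcap" ;;        # microsecond pcap, either byte order
        4d3cb2a1|a1b23c4d) echo "pcap-ns" ;;     # nanosecond pcap variant
        0a0d0d0a)          echo "pcapng" ;;      # pcapng Section Header Block
        "")                echo "empty" ;;
        *)
            # Not a capture header: decide whether it is readable text,
            # such as tcpdump's default -v output, or some other binary.
            if head -c 512 "$f" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
                echo "unknown-binary"
            else
                echo "text"
            fi ;;
    esac
}

# Constructed samples (assumed paths): a pcap global header as tcpdump -w
# writes it on a little-endian host, and one line of tcpdump -nnv text output.
demo_dir=$(mktemp -d)
printf '\324\303\262\241\002\000\004\000' > "$demo_dir/withw.pcap"
printf '14:04:00.000000 IP (tos 0x0, ttl 64) 10.0.0.1.1234 > 10.0.0.2.80: Flags [S]\n' \
    > "$demo_dir/redirected.log"

for f in "$demo_dir/withw.pcap" "$demo_dir/redirected.log"; do
    echo "$f: $(capture_kind "$f")"
done
```

Run it against the cron job's real log files to see which ones hold an actual capture; "text" means the file was produced by redirecting tcpdump's output rather than by -w.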

I've already added the -w to my command string and I'll go back and add the -s for tomorrow's log and going forward, thanks for the suggestions.

As for the "today's" file it actually stopped opening in Wireshark now and is giving me the same format error as the other ones. With the way some of my equipment has been operating lately I'm chalking the fact that it worked up to the computer gods at this point.

(29 Oct '15, 05:37) WetStoneTech