Re: [Wireshark-users] file format question

On Aug 22, 2011, at 1:08 PM, János Löbb wrote:

> root@doppio:~# tcpdump -c1000 net xxx.yy.zz.0/24 > /tmp/tcpdump.pcap

That should be "> /tmp/tcpdump.txt"...

...because tcpdump's default output format is a textual dissection of the packets.

> The file "/Volumes/Home/janos/tcpdump.pcap" isn't a capture file in a format Wireshark understands.

Yup. Wireshark can't read tcpdump's (or Wireshark's/TShark's) textual dissection(s) of packets as a capture.

> So the question is how should I do the tcpdump on Ubuntu to be able to open it in Wireshark on my Mac ?

With the "-w" flag, to get it to write out the raw packet data in pcap format, rather than writing out the dissected packets as text:

        tcpdump -c1000 -w /tmp/tcpdump.pcap net xxx.yy.zz.0/24
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe

• This message: [ Message body ]
• Next message: Michael Tuexen: "Re: [Wireshark-users] file format question"
• Previous message: Bill Meier: "Re: [Wireshark-users] file format question"
• In reply to: János Löbb: "[Wireshark-users] file format question"
• Next in thread: Stephen Fisher: "Re: [Wireshark-users] file format question"
• Reply: Stephen Fisher: "Re: [Wireshark-users] file format question"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]