Re: redhat - openbsd tcpdump
On 2015-06-16, Frank Brodbeck frank.brodb...@to.com wrote:
> Hi Patric,
>
> On Tue, Jun 16, 2015 at 10:51:54AM -0500, patric conant wrote:
>> What's file say when you run it against it?
>
> foo.pcap: tcpdump capture file (little-endian) - version 2.4 (Linux cooked, capture length 96)
>
> I now know that I can convert the file via wireshark but if someone knows a faster method I would be happy to hear about it.

It might be faster to add support for cooked to tcpdump(8), then you wouldn't need to convert it, look at print-sll.c from tcpdump.org's tcpdump code...

The most likely reason to have this type of file is from doing a capture with -i any on Linux, if you can use a specific interface name instead you should get standard ethernet headers rather than these special ones..
Re: redhat - openbsd tcpdump
Hi Patric,

On Tue, Jun 16, 2015 at 10:51:54AM -0500, patric conant wrote:
> What's file say when you run it against it?

foo.pcap: tcpdump capture file (little-endian) - version 2.4 (Linux cooked, capture length 96)

I now know that I can convert the file via wireshark but if someone knows a faster method I would be happy to hear about it.

Frank.
--
Frank Brodbeck
Techn. Consultant TOsupport
Tel.: +49 711 88770-172
E-Mail: frank.brodb...@to.com
Thinking Objects GmbH
Lilienthalstraße 2/1
70825 Korntal/Stuttgart
http://www.to.com
Managing Directors: Markus Klingspor, Rudolf Zimmermann, Michael Föck
Registered office and commercial register: Stuttgart, HRB 19769
Re: redhat - openbsd tcpdump
What's file say when you run it against it?

On Tue, Jun 16, 2015 at 4:25 AM, Frank Brodbeck frank.brodb...@to.com wrote:
> Hi,
>
> is it possible to convert a pcap done with tcpdump under redhat to a format I can read with tcpdump(8)? At least I think the following error:
>
> tcpdump: unknown data link type 0x71
>
> is due to a format incompatibility.
>
> Frank.
> --
Re: redhat - openbsd tcpdump
On Tue, Jun 16, 2015 at 11:25:46AM +0200, Frank Brodbeck wrote:
> Hi,
>
> is it possible to convert a pcap done with tcpdump under redhat to a format I can read with tcpdump(8)? At least I think the following error:
>
> tcpdump: unknown data link type 0x71
>
> is due to a format incompatibility.
>
> Frank.
> --

OpenBSD's tcpdump(8) does not support DLT_LINUX_SLL or Linux cooked capture encapsulation format. The tcpdump.org documentation about it is here:

http://www.tcpdump.org/linktypes.html
http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

If possible, try using -y EN10MB on Linux instead. There is also support for this format in Wireshark, which is in the ports tree, if recapturing isn't possible.

https://wiki.wireshark.org/SLL

-Bryan.
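The conversion Frank did in Wireshark, and the "faster method" asked for in the first post, as an added Python example that is not code from this thread, from OpenBSD or from tcpdump.org: it rewrites a classic pcap file whose link type is 113 (LINKTYPE_LINUX_SLL, the 0x71 in the error) to LINKTYPE_ETHERNET by replacing each 16-byte cooked header with a synthesized 14-byte Ethernet header. The one-packet sample capture, the all-zero destination MAC (SLL records only the sender's address) and the restriction to ARPHRD_ETHER frames with a plain EtherType are assumptions made here.

```python
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113      # 0x71, the "unknown data link type" OpenBSD tcpdump reports
SLL_HDR_LEN, ETH_HDR_LEN, ARPHRD_ETHER = 16, 14, 1
PLACEHOLDER_DST = bytes(6)    # assumption: SLL keeps no destination MAC, so use all zeros

def sll_to_ethernet(pkt):
    """Replace the 16-byte Linux cooked header with a 14-byte Ethernet header."""
    if len(pkt) < SLL_HDR_LEN:
        raise ValueError("truncated SLL header")
    # All SLL fields are big-endian: packet type, ARPHRD_ type, address length,
    # 8-byte address (zero padded), protocol type.
    _ptype, hatype, halen, addr, proto = struct.unpack("!HHH8sH", pkt[:SLL_HDR_LEN])
    if hatype != ARPHRD_ETHER or halen != 6:
        raise ValueError(f"no Ethernet address in SLL header (ARPHRD type {hatype})")
    if proto < 0x0600:  # 802.3 length / LLC / Novell encodings, not an EtherType
        raise ValueError(f"protocol type {proto:#06x} is not a plain EtherType")
    # addr[:6] is the sender's MAC; proto is the EtherType for ARPHRD_ETHER frames
    return PLACEHOLDER_DST + addr[:6] + struct.pack("!H", proto) + pkt[SLL_HDR_LEN:]

def convert_pcap(raw):
    """Rewrite a classic pcap file (bytes) from LINKTYPE_LINUX_SLL to LINKTYPE_ETHERNET."""
    end = "<" if raw[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # 0xa1b2c3d4 magic, either byte order
    hdr = list(struct.unpack(end + "IHHiIII", raw[:24]))   # magic, ver, tz, sigfigs, snaplen, dlt
    if hdr[6] != LINKTYPE_LINUX_SLL:
        raise ValueError(f"expected link type {LINKTYPE_LINUX_SLL}, got {hdr[6]}")
    hdr[6] = LINKTYPE_ETHERNET
    out = [struct.pack(end + "IHHiIII", *hdr)]
    off = 24
    while off + 16 <= len(raw):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", raw[off:off + 16])
        frame = sll_to_ethernet(raw[off + 16:off + 16 + incl_len])
        shrink = SLL_HDR_LEN - ETH_HDR_LEN              # each packet gets 2 bytes shorter
        out.append(struct.pack(end + "IIII", ts_sec, ts_usec, len(frame), orig_len - shrink))
        out.append(frame)
        off += 16 + incl_len
    return b"".join(out)

def sample_sll_pcap():
    """Constructed one-packet capture, like `tcpdump -i any` would write: an ARP request."""
    arp = bytes.fromhex("0001080006040001" "0242ac110002" "ac110002" "000000000000" "ac110001")
    sll = struct.pack("!HHH8sH", 0, ARPHRD_ETHER, 6, bytes.fromhex("0242ac110002"), 0x0806)
    pkt = sll + arp
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, LINKTYPE_LINUX_SLL)
    return glob + struct.pack("<IIII", 1434450000, 0, len(pkt), len(pkt)) + pkt
```

Run it on a real file with `open("out.pcap", "wb").write(convert_pcap(open("foo.pcap", "rb").read()))`; pcapng and nanosecond-resolution pcap files are not handled.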