Hello, I'm using 3 versions of Ntop (4.0.3, svn-4735, svn-4742) and my libcap version is 1.1.1.

I have the same problem reported in this topic when I try to open with tcpdump or wireshark the files saved with ntop (suspicious and 'other'):

"reading from file ntop-other-pkts.vlan.pcap, link-type EN10MB (Ethernet)
-11:-46:-20.262 [|ether]
tcpdump: pcap_loop: bogus savefile header"

This problem happens in all the 3 versions. I have also tried to open the files after shutting down ntop properly, but I have the same error in all the 3 versions.

All the other features of ntop are working very well, but I can't debug this error since nothing related is written to the syslog. I think it could be related to the size of these pcap files, that should be lower than a max value. But it happens also with files < 1000K.

Anyone who has some suggestions?

On Tue, 08 Mar 2011 00:45:09 -0800, M. V. wrote:

Hi,

In order to boost capturing performance, I installed PF-Ring for libpcap on Debian-6.0 using the link below. I got the latest version of pf-ring from svn, and recompiled my intel-card's driver to support pf_ring. I didn't get any error or problem during the process.

http://www.ntop.org/blog/?p=125

Now, when I use tcpdump which is compiled with libpcap-pf_ring to capture traffic, it captures with no error or warning and it seems that my capturing performance got better (based on capture-file size), but the problem is:

When I open the captured file with wireshark or tcpdump itself, I get a weird error about bad packet size.

wireshark error:
----------------------
The capture file appears to be damaged or corrupt.
(pcap: File has 3014350264-byte packet, bigger than maximum of 65535)

tcpdump error:
--------------------
tcpdump: pcap_loop: bogus savefile header

I don't know what the problem is, so I wanted to ask if anyone has experienced this before or has any idea about it.

Thank you.

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
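
A check for the error quoted in this thread, as an added example that is not part of the original messages or of ntop or libpcap: it walks a capture file and reports the first record whose header fails the size checks a reader applies. It assumes the classic pcap layout (24-byte global header, 16-byte record headers, not pcapng) and the 65535-byte limit from the Wireshark message; `check_pcap` and `build_sample` are names chosen here, and the sample bytes are constructed.

```python
import struct

# Classic pcap magic values as seen when the first 4 bytes are read little-endian,
# mapped to the byte order of the rest of the file (usec and nsec variants).
MAGICS = {
    0xA1B2C3D4: "<", 0xD4C3B2A1: ">",
    0xA1B23C4D: "<", 0x4D3CB2A1: ">",
}
MAX_CAPLEN = 65535  # limit quoted in the Wireshark error in this thread


def check_pcap(data):
    """Walk a classic pcap byte string; return (good_records, problem or None)."""
    if len(data) < 24:
        return 0, "file shorter than the 24-byte global header"
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in MAGICS:
        return 0, "unknown magic 0x%08x (not classic pcap)" % magic
    order = MAGICS[magic]
    offset, count = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            return count, "truncated record header at offset %d" % offset
        # Record header: ts_sec, ts_frac, captured length, original length.
        _sec, _frac, caplen, _origlen = struct.unpack(order + "IIII", data[offset:offset + 16])
        if caplen > MAX_CAPLEN:
            return count, "record %d at offset %d: caplen %d exceeds %d" % (
                count + 1, offset, caplen, MAX_CAPLEN)
        if offset + 16 + caplen > len(data):
            return count, "record %d at offset %d: packet data truncated" % (count + 1, offset)
        offset += 16 + caplen
        count += 1
    return count, None


def build_sample():
    """Constructed input: two valid 4-byte records, then a record header
    carrying the caplen value from the Wireshark error message."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack("<IIII", 1299573909, 0, 4, 4) + b"\x00" * 4
    bad = struct.pack("<IIII", 1299573909, 0, 3014350264, 60)
    return hdr + rec + rec + bad


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(check_pcap(data))
```

Run with a capture file path as the only argument; the reported offset shows how many records were readable before the first bad header.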
