i just want to specify that in my case i am not using 'pf_ring'
thank you in advance for your support.
Enrico.
On 07/25/2011 11:44 AM, Enrico Papi wrote:
Hello,
i'm using 3 versions of Ntop (4.0.3, svn-4735, svn-4742) and my libcap
version is 1.1.1
I have the same problem reported in this topic when i try to open with
tcpdump or wireshark the files saved with ntop (suspicious and 'other')
"reading from file ntop-other-pkts.vlan.pcap, link-type EN10MB (Ethernet)
-11:-46:-20.262 [|ether]
tcpdump: pcap_loop: bogus savefile header
"
this problem happens in all the 3 versions.
i have tried also to open the files after shutting down properly ntop but
i have the same error in all the 3 versions.
all the other features of ntop are working very well but i can't debug
this error since i nothing related is written on the syslog.
i think it could be related to the size of these pcap files, that should
be lower than a max value. but it happens also with files < 1000K
anyone who have some suggestions?
On Tue, 08 Mar 2011 00:45:09 -0800, M. V. wrote:
hi,
in order to boost capturing performance, i installed PF-Ring for libpcap
on Debian-6.0 using the link below. i got latest version of pf-ring from
svn, and recompiled my intel-card's driver to support pf_ring. i didn't
get any error or problem during the process.
http://www.ntop.org/blog/?p=125
now, when i use tcpdump which is compiled with libpcap-pf_ring to
capture traffic, it captures with no error or warning and it seems that
my capturing performance got better (based on capture-file size), but
the problem is:
when i open captured file with wireshark or tcpdump itself, i got a
weird error about bad packets size.
wireshark error:
----------------------
The capture file appears to be damaged or corrupt. (pcap: File has
3014350264-byte packet, bigger than maximum of 65535)
tcpdump error:
--------------------
tcpdump: pcap_loop: bogus savefile header
i don't know what is the problem, so i wanted to ask if anyone has
experienced this before or has any idea about it.
thank you.
<html><head><style type="text/css"><!-- DIV {margin:0px;}
--></style></head><body><div style="font-family:times new
roman,new york,times,serif;font-size:12pt"><div><div>hi,<br>
<br>
in order to boost capturing performance, i installed PF-Ring for libpcap
on Debian-6.0 using the link below. i got latest version of pf-ring from
svn, and recompiled my intel-card's driver to support pf_ring. i didn't
get any error or problem during the process.<br><br> <a
href="http://www.ntop.org/blog/?p=125";>http://www.ntop.org/blog/?p=125</
a><br><br>
now, when i use tcpdump which is compiled with libpcap-pf_ring to
capture traffic, it captures with no error or warning and it seems that
my capturing performance got better (based on capture-file size), but
the problem is:<br>
<br>
when i open captured file with wireshark or tcpdump itself, i got a
weird error about bad packets size.<br> <br>
wireshark error:<br>
----------------------<br>
The capture file appears to be damaged or corrupt.<br> (pcap: File has
3014350264-byte packet, bigger than maximum of 65535)<br> <br>
tcpdump error:<br>
--------------------<br>
tcpdump: pcap_loop: bogus savefile header<br> <br>
i don't know what is the problem, so i wanted to ask if anyone has
experienced this before or has any idea about it.<br> <br>
thank you.<br></div>
</div>
</div><br>
</body></html>_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
