Can you try saving a file with wireshark (or whatever) and using ntop to open? And ntop to save the file and wireshark to open?
I think a similar problem was reported maybe 6 months ago? Try searching threads and see what pops up.

----- Original Message -----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Fri Jul 31 07:29:02 2009
Subject: [Ntop] bogus savefile header in pcap dumps

Hi,

When trying to read in a pcap dump, I am getting this error in my logs during startup:

Jul 31 08:16:40 ntop ntop[1616]: THREADMGMT[t3033672592]: NPS(/usr/local/var/ntop/tmp.eth2.pcap): pcapDispatch thread running [p1616]
Jul 31 08:16:40 ntop ntop[1616]: **ERROR** Reading packets on device 0 (/usr/local/var/ntop/tmp.eth2.pcap): 'bogus savefile header'
Jul 31 08:16:40 ntop ntop[1616]: THREADMGMT[t3033672592]: NPS(/usr/local/var/ntop/tmp.eth2.pcap): pcapDispatch thread terminated [p1616]

Ntop starts, but there is no data despite the pcap being close to 400MB.

Googling, it seems like this might be caused by a bad captured packet or perhaps the version of libpcap not logging in a standard format? But I didn't know if someone else had seen the error. It didn't seem like there were other command line options I should be using when capturing or reading in the pcap dump.

I was logging with this command:

/usr/local/bin/ntop -u ntop -o -m 192.168.1.0/24,216.237.100.128/25 -i eth2 -l /tmp

And reading with this:

/usr/local/bin/ntop -u ntop -o -L -m 192.168.1.0/24,xxx.xxx.xxx.xxx/25 -f /usr/local/var/ntop/tmp.eth2.pcap -w 0 -W 443 -t 5 -d

The machine is CentOS 5.3, 32 bit
libpcap-0.9.4-14.el5
ntop v.3.3.10 [i686-redhat-linux-gnu]

Thanks,
James

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
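Added example (not part of the thread, and not ntop or libpcap code): a Python check of a classic pcap file's global header and per-record headers that reports the offset of the first damaged record, which is the kind of fault the poster's "bad captured packet" guess describes. The 65535-byte plausibility limit, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Classic pcap magic as it appears on disk, mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
MAX_CAPLEN = 65535  # assumption: largest captured length treated as plausible


def check_pcap(data):
    """Return (offset, problem) findings for a classic pcap byte string."""
    if len(data) < 24:
        return [(0, "shorter than the 24-byte global header")]
    order = MAGICS.get(data[:4])
    if order is None:
        return [(0, "unknown magic " + data[:4].hex())]
    major, minor, _zone, _sigfigs, _snaplen, _linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    findings = []
    if (major, minor) != (2, 4):
        findings.append((4, "unexpected version %d.%d" % (major, minor)))
    offset, index = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            findings.append((offset, "truncated record header"))
            break
        _sec, _usec, caplen, _orig = struct.unpack(order + "IIII", data[offset:offset + 16])
        if caplen > MAX_CAPLEN:
            # Lengths after a corrupt record cannot be trusted, so stop here.
            findings.append((offset, "record %d: implausible caplen %d" % (index, caplen)))
            break
        if offset + 16 + caplen > len(data):
            findings.append((offset, "record %d: payload truncated" % index))
            break
        offset += 16 + caplen
        index += 1
    return findings


def build_sample(records, snaplen=65535):
    """Constructed test input: little-endian header plus (claimed_caplen, payload) records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for claimed, payload in records:
        out += struct.pack("<IIII", 0, 0, claimed, claimed) + payload
    return out


if __name__ == "__main__":
    damaged = build_sample([(4, b"\x00" * 4), (0x10000000, b"\x00" * 8)])
    for offset, problem in check_pcap(damaged):
        print("offset %d: %s" % (offset, problem))
```

To run it against a real capture, pass the file's bytes, for example `check_pcap(open(path, "rb").read())`; an empty list means the headers walked cleanly to end of file.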
