Re: [Wireshark-users] 2 gig limit on mergecap
After trying this:

    for i in {files 2 through n}
    do
        (dd bs=20 count=1; cat) <$i >>the_first_file
    done

it created the file, but tcpdump gave this error while trying to just read it:

    tcpdump: : Value too large for defined data type

It also gave that error with any program that had to read it (snort, bro, etc.). Suppose I'll just stick with running them individually until this functionality is implemented. Thanks for the help.

daniel

On 11/22/06, Guy Harris <[EMAIL PROTECTED]> wrote:
> Daniel Goolsby wrote:
> > not sure, they're binary files.
>
> In the specific type of merging you're doing, which is just concatenation, if the capture files are all libpcap files, you could, for files 2 through N, strip off the 20-byte file header from the file and append it to the first file. That could be done with the aid of dd and cat, for example:
>
>     for i in {files 2 through n}
>     do
>         (dd bs=20 count=1; cat) <$i >>the_first_file
>     done
>
> in the Bourne shell or a compatible shell (Korn, Bourne-again, etc.).
>
> However, whether you'd be able to read the resulting file, either with tcpdump or *shark, is another matter, as per my other mail.

--
--daniel

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
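The concatenation idea in the thread is sound, but two details of the posted dd/cat loop bite: a libpcap global header is 24 bytes (magic 4, version 2+2, thiszone 4, sigfigs 4, snaplen 4, linktype 4), not 20, so the loop leaves the 4-byte linktype field in the middle of the packet stream; and dd writes its output to stdout, which inside the subshell is the_first_file, so the header bytes are appended as well (the loop would need `dd bs=24 count=1 of=/dev/null`). The "Value too large for defined data type" error is a separate matter: it is strerror(EOVERFLOW), which a reader built without large-file support (32-bit off_t) gets from open()/stat() on a file of 2 GB or more, whatever the file contains. The script below is an added example, not code from the thread or from the Wireshark project: it merges pcap files the way the loop intended, checks that every input agrees with the first on byte order, timestamp resolution and linktype (a plain concatenation cannot represent a mix), raises the output snaplen to the largest seen, and streams records so the merge itself has no size limit. The sample captures it runs on are constructed in memory; the packet bytes are filler, not real traffic.

```python
"""Merge libpcap capture files by appending packet records under one header."""
import io
import struct
from typing import BinaryIO, Iterator, List, NamedTuple, Tuple

# Magic number as read little-endian from the first 4 bytes. Its value tells
# us the byte order of every other field (and the timestamp resolution).
PCAP_MAGIC = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian file, nanosecond timestamps
}
GLOBAL_HEADER_LEN = 24  # magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
RECORD_HEADER_LEN = 16  # ts_sec(4) ts_frac(4) incl_len(4) orig_len(4)


class PcapHeader(NamedTuple):
    endian: str
    magic: int
    version: Tuple[int, int]
    thiszone: int
    sigfigs: int
    snaplen: int
    linktype: int

    def pack(self) -> bytes:
        """Serialise back to the 24-byte on-disk form."""
        return struct.pack("<I", self.magic) + struct.pack(
            self.endian + "HHiIII", self.version[0], self.version[1],
            self.thiszone, self.sigfigs, self.snaplen, self.linktype)


def parse_global_header(hdr: bytes) -> PcapHeader:
    """Decode a 24-byte global header; reject anything that is not libpcap."""
    if len(hdr) != GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header (%d bytes)" % len(hdr))
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    endian = PCAP_MAGIC[magic]
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:])
    return PcapHeader(endian, magic, (major, minor), thiszone, sigfigs, snaplen, linktype)


def iter_records(fp: BinaryIO, endian: str) -> Iterator[bytes]:
    """Yield each packet record (16-byte record header plus captured bytes) verbatim."""
    while True:
        rec_hdr = fp.read(RECORD_HEADER_LEN)
        if not rec_hdr:
            return
        if len(rec_hdr) != RECORD_HEADER_LEN:
            raise ValueError("truncated packet record header")
        incl_len = struct.unpack(endian + "IIII", rec_hdr)[2]
        data = fp.read(incl_len)
        if len(data) != incl_len:
            raise ValueError("truncated packet data (wanted %d, got %d)" % (incl_len, len(data)))
        yield rec_hdr + data


def merge_pcaps(inputs: List[BinaryIO], out: BinaryIO) -> Tuple[int, int]:
    """Write one global header, then every record of every input, to out.

    Returns (packets_written, snaplen_written). Inputs whose magic or linktype
    differ from the first file are refused rather than silently mixed.
    """
    headers = [parse_global_header(fp.read(GLOBAL_HEADER_LEN)) for fp in inputs]
    first = headers[0]
    snaplen = first.snaplen
    for n, h in enumerate(headers[1:], start=2):
        if h.magic != first.magic:
            raise ValueError("file %d: magic 0x%08x differs from first file's 0x%08x" % (n, h.magic, first.magic))
        if h.linktype != first.linktype:
            raise ValueError("file %d: linktype %d differs from first file's %d" % (n, h.linktype, first.linktype))
        snaplen = max(snaplen, h.snaplen)
    out.write(first._replace(snaplen=snaplen).pack())
    count = 0
    for fp in inputs:
        for rec in iter_records(fp, first.endian):
            out.write(rec)
            count += 1
    return count, snaplen


def merge_bytes(files: List[bytes]) -> bytes:
    """In-memory convenience wrapper around merge_pcaps."""
    out = io.BytesIO()
    merge_pcaps([io.BytesIO(f) for f in files], out)
    return out.getvalue()


def count_packets(data: bytes) -> int:
    """Walk a pcap file in memory and count its records (also validates framing)."""
    hdr = parse_global_header(data[:GLOBAL_HEADER_LEN])
    return sum(1 for _ in iter_records(io.BytesIO(data[GLOBAL_HEADER_LEN:]), hdr.endian))


def build_pcap(packets: List[bytes], linktype: int = 1, snaplen: int = 65535,
               endian: str = "<", t0: int = 1164153600) -> bytes:
    """Construct a pcap file in memory: sample data for this demo, not a real capture."""
    magic = 0xA1B2C3D4 if endian == "<" else 0xD4C3B2A1
    hdr = PcapHeader(endian, magic, (2, 4), 0, 0, snaplen, linktype).pack()
    body = b"".join(struct.pack(endian + "IIII", t0 + i, 0, len(p), len(p)) + p
                    for i, p in enumerate(packets))
    return hdr + body


if __name__ == "__main__":
    # Constructed inputs standing in for two hourly files: same linktype
    # (1 = Ethernet), different snaplen, filler bytes instead of real frames.
    hour1 = build_pcap([b"\x00" * 60, b"\x01" * 60], snaplen=96)
    hour2 = build_pcap([b"\x02" * 100], snaplen=65535)
    merged = merge_bytes([hour1, hour2])
    print("%d packets, %d bytes" % (count_packets(merged), len(merged)))
    try:
        merge_bytes([hour1, build_pcap([b"\x03" * 40], linktype=105)])  # 105 = IEEE 802.11
    except ValueError as exc:
        print("refused:", exc)
```

To merge real files, open them with `open(path, "rb")` and pass the list to merge_pcaps with the output opened `"wb"`; records are copied unchanged, so timestamps stay in each file's original order, which is the same behaviour the dd/cat approach would have had.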
Re: [Wireshark-users] Mac OS X Help
I have found that I can reconnect to my wireless access point after I start the trace, and all works as expected (until the next trace, at which time you see the problem again).

The only other workaround I have found is to run the capture from the command line, and then use wireshark to decode the capture file for you. For example...

    sudo tcpdump -i en1 -s0 -w qq.cap dst port 80
    wireshark qq.cap

On Nov 23, 2006, at 1:00 PM, Robert Craig wrote:
> I have just installed wireshark on my intel duo MacBook using
> DarwinPorts.
> It starts up fine (as root) but as soon as I click "List available
> capture interfaces..." my wireless disconnects and refuses to
> reconnect whilst wireshark is open.
> Although it works fine for the wired network.
>
> Any suggestions?
>
> Thanks in advance
Re: [Wireshark-users] Mac OS X Help
Again me being slow, yes tcpdump -D recreates the problem. I forgot I wasn't running as root.

On 23/11/06, Robert Craig <[EMAIL PROTECTED]> wrote:
> Sorry, get what you mean now, been a long day.
>
> "tcpdump -D" does nothing, just returns the prompt with no output or errors???
> "tcpdump" outputs "tcpdump: no suitable device found"
>
> On 23/11/06, Guy Harris <[EMAIL PROTECTED]> wrote:
> > Robert Craig wrote:
> > > In response to Steve I have used tcpdump -i en1 and it worked fine. The
> > > connection did not drop.
> >
> > Did you try "tcpdump -D" or "tcpdump" without a "-i" flag?
Re: [Wireshark-users] Mac OS X Help
Sorry, get what you mean now, been a long day.

"tcpdump -D" does nothing, just returns the prompt with no output or errors???
"tcpdump" outputs "tcpdump: no suitable device found"

On 23/11/06, Guy Harris <[EMAIL PROTECTED]> wrote:
> Robert Craig wrote:
> > In response to Steve I have used tcpdump -i en1 and it worked fine. The
> > connection did not drop.
>
> Did you try "tcpdump -D" or "tcpdump" without a "-i" flag?
Re: [Wireshark-users] Mac OS X Help
Robert Craig wrote:
> In response to Steve I have used tcpdump -i en1 and it worked fine. The
> connection did not drop.

Did you try "tcpdump -D" or "tcpdump" without a "-i" flag?
Re: [Wireshark-users] Mac OS X Help
Thank you for your help.

In response to Steve I have used tcpdump -i en1 and it worked fine. The connection did not drop.

As for wireshark, as soon as I hit capture options the connection drops even if I just type in en1.

After further testing I have found that the connection drops, but if I start the capture and leave it running I can then reconnect to the wireless network and it will start capturing the packets.

Thanks again for the help

On 23/11/06, Guy Harris <[EMAIL PROTECTED]> wrote:
> Robert Craig wrote:
> > I have just installed wireshark on my intel duo MacBook using DarwinPorts.
> > It starts up fine (as root) but as soon as I click "List available
> > capture interfaces..." my wireless disconnects and refuses to reconnect
> > whilst wireshark is open.
> > Although it works fine for the wired network.
> >
> > Any suggestions?
>
> Try not using "List available capture interfaces" - capture on en0 for wired captures and en1 for wireless captures. Also, don't use the drop-down list to select an interface in the capture options window - just type en0 or en1. That might help.
>
> This is a known problem - or, rather, a consequence of several known problems. Some can be fixed in libpcap (I'll look at that), some in Wireshark (I'll look at that - but those would also need the libpcap fix, meaning Apple would have to pick that fix up for the system libpcap or you'd have to somehow get a version of Wireshark built with a fixed version), and some in the driver for the wireless adapter (somebody in the group at Apple that does AirPort adapter software would have to look at that).
Re: [Wireshark-users] Mac OS X Help
Robert Craig wrote:
> I have just installed wireshark on my intel duo MacBook using DarwinPorts.
> It starts up fine (as root) but as soon as I click "List available
> capture interfaces..." my wireless disconnects and refuses to reconnect
> whilst wireshark is open.
> Although it works fine for the wired network.
>
> Any suggestions?

Try not using "List available capture interfaces" - capture on en0 for wired captures and en1 for wireless captures. Also, don't use the drop-down list to select an interface in the capture options window - just type en0 or en1. That might help.

This is a known problem - or, rather, a consequence of several known problems. Some can be fixed in libpcap (I'll look at that), some in Wireshark (I'll look at that - but those would also need the libpcap fix, meaning Apple would have to pick that fix up for the system libpcap or you'd have to somehow get a version of Wireshark built with a fixed version), and some in the driver for the wireless adapter (somebody in the group at Apple that does AirPort adapter software would have to look at that).
Re: [Wireshark-users] Mac OS X Help
On Thu, Nov 23, 2006 at 07:00:56PM +0000, Robert Craig wrote:
> I have just installed wireshark on my intel duo MacBook using
> DarwinPorts. It starts up fine (as root) but as soon as I click "List
> available capture interfaces..." my wireless disconnects and refuses
> to reconnect whilst wireshark is open. Although it works fine for the
> wired network.

There is a known issue with OS X on the Intel platform where this happens. We don't believe it is an issue with Wireshark because people can usually duplicate the issue with tcpdump (that comes with the operating system).

Could you try tcpdump and see if the same problem happens?

Steve
[Wireshark-users] Mac OS X Help
I have just installed wireshark on my intel duo MacBook using DarwinPorts. It starts up fine (as root) but as soon as I click "List available capture interfaces..." my wireless disconnects and refuses to reconnect whilst wireshark is open. Although it works fine for the wired network.

Any suggestions?

Thanks in advance
Re: [Wireshark-users] wireshark-0.99.4pre1 and toolbar icon size on windows platform
Hi,

Oh great, now we've two of them. Let's see if we can establish on one of them, shall we?

Thanx,
Jaap

On Thu, 23 Nov 2006, Xiaoguang Liu wrote:
> I found out wireshark read the one below instead of "C:\Program
> Files\Wireshark\share\themes\Default\"
>
> C:\Program Files\Wireshark\etc\gtk-2.0\gtkrc
>
> You may check it out with filemon from sysinternals.com
>
> On 11/23/06, Xiaoguang Liu <[EMAIL PROTECTED]> wrote:
> > I ran into exactly the same issue too.
> >
> > On 10/23/06, Mike Oliveras <[EMAIL PROTECTED]> wrote:
> > > OK... Thanks for trying it on your machine. I will try it out on an
> > > other machine and try and see what's up with the one I was using.
> > >
> > > Thanks,
> > >
> > > Mike
> > >
> > > On 10/22/06, Ulf Lamping <[EMAIL PROTECTED]> wrote:
> > > > Mike Oliveras wrote:
> > > > > That's the only gtkrc file that I am aware of. Based on the response
> > > > > from Jaap when this question came up a while ago, he gave the path to
> > > > > the file as "C:\Program Files\Wireshark\share\themes\Default\gtk-2.0\gtkrc". This
> > > > > was given in http://www.wireshark.org/lists/wireshark-users/200606/msg00021.html.
> > > > >
> > > > > This did work for me in the previous release.
> > > > >
> > > > You got the right file.
> > > >
> > > > I've tried to change it on my machine with the pre1 and it works just as
> > > > expected (showing large icons now).
> > > >
> > > > I don't know what's wrong with your machine/installation ?!?
> > > >
> > > > Regards, ULFL
Re: [Wireshark-users] 2 gig limit on mergecap
Your suspicions are correct:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/choosing_between_ntfs_fat_and_fat32.mspx?mfr=true

The file size limit for FAT32 appears to be 4GB. That said, I can't imagine trying to use a modern Hard Drive with large partitions and writing large files under FAT32 - it's just not a robust file system and is too easily corrupted.

--Jim

---
I always thought 4 gb was the limit for FAT32.

On Thu, 23 Nov 2006 01:09:40 +0000, "William Saw" <[EMAIL PROTECTED]> said:
> Hi Daniel,
> If you are running on a Windows FAT32 disk partition, that is the
> limitation.
> Try NTFS.
> Regards,
> SL Saw
>
> >From: Jeff Morriss <[EMAIL PROTECTED]>
> >Reply-To: Community support list for Wireshark
> >To: Community support list for Wireshark
> >Subject: Re: [Wireshark-users] 2 gig limit on mergecap
> >Date: Thu, 23 Nov 2006 08:51:11 +0800
> >
> >Daniel Goolsby wrote:
> > > I sifted through some of the archives but couldn't find anything whether
> > > this was going to be fixed. I started capturing all port 80 traffic..
> > > every hour i send that tcpdump to another machine, so at the end of the
> > > day i wanted to merge all the traffic together in one nasty port 80
> > > tcpdump file.
> > >
> > > regardless, mergecap stops at 2g. I made sure and compiled merge on a
> > > Sparc Sun box, i also recompiled zlib to make sure it was at least
> > > compiled on a 64bit machine- no telling if it had any real effect.
> > >
> > > regardless, it still stops after the 2 gig limit has been reached on the
> > > new dump file i'm trying to create. Are there any other tools that can
> > > merge tcpdump files that anyone knows of that doesn't have this limit?
> > >
> > > I could probably 'tcpreplay' the individual files on an interface that
> > > isn't being used, and tcpdump that one, but that's the only workaround
> > > i've thought up so far.
> > >
> > > Any suggestions/comments?
> >
> >One other thought is: what will you do with a capture file > 2 Gb big?
> >Are you aware that Wireshark needs a lot of memory to open large capture
> >files:
> >
> >http://wiki.wireshark.org/KnownBugs/OutOfMemory
> >
> >?

--
Hans Nilsson
[EMAIL PROTECTED]
[Wireshark-users] VoIP Calls from Command line
Hi,

Is it possible to get the Statistics -> VoIP Calls report from the command line using Tshark? What I am really looking for is to run Tshark continuously and have the VoIP calls report get written to a file.

raj
Re: [Wireshark-users] wireshark-0.99.4pre1 and toolbar icon size on windows platform
I found out wireshark read the one below instead of "C:\Program Files\Wireshark\share\themes\Default\"

C:\Program Files\Wireshark\etc\gtk-2.0\gtkrc

You may check it out with filemon from sysinternals.com

On 11/23/06, Xiaoguang Liu <[EMAIL PROTECTED]> wrote:
> I ran into exactly the same issue too.
>
> On 10/23/06, Mike Oliveras <[EMAIL PROTECTED]> wrote:
> > OK... Thanks for trying it on your machine. I will try it out on an
> > other machine and try and see what's up with the one I was using.
> >
> > Thanks,
> >
> > Mike
> >
> > On 10/22/06, Ulf Lamping <[EMAIL PROTECTED]> wrote:
> > > Mike Oliveras wrote:
> > > > That's the only gtkrc file that I am aware of. Based on the response
> > > > from Jaap when this question came up a while ago, he gave the path to
> > > > the file as "C:\Program Files\Wireshark\share\themes\Default\gtk-2.0\gtkrc". This
> > > > was given in http://www.wireshark.org/lists/wireshark-users/200606/msg00021.html.
> > > >
> > > > This did work for me in the previous release.
> > > >
> > > You got the right file.
> > >
> > > I've tried to change it on my machine with the pre1 and it works just as
> > > expected (showing large icons now).
> > >
> > > I don't know what's wrong with your machine/installation ?!?
> > >
> > > Regards, ULFL
Re: [Wireshark-users] wireshark-0.99.4pre1 and toolbar icon size on windows platform
I ran into exactly the same issue too.

On 10/23/06, Mike Oliveras <[EMAIL PROTECTED]> wrote:
> OK... Thanks for trying it on your machine. I will try it out on an
> other machine and try and see what's up with the one I was using.
>
> Thanks,
>
> Mike
>
> On 10/22/06, Ulf Lamping <[EMAIL PROTECTED]> wrote:
> > Mike Oliveras wrote:
> > > That's the only gtkrc file that I am aware of. Based on the response
> > > from Jaap when this question came up a while ago, he gave the path to
> > > the file as "C:\Program Files\Wireshark\share\themes\Default\gtk-2.0\gtkrc". This
> > > was given in http://www.wireshark.org/lists/wireshark-users/200606/msg00021.html.
> > >
> > > This did work for me in the previous release.
> > >
> > You got the right file.
> >
> > I've tried to change it on my machine with the pre1 and it works just as
> > expected (showing large icons now).
> >
> > I don't know what's wrong with your machine/installation ?!?
> >
> > Regards, ULFL