Posted on November 6, 2019 6:29 pm | Asked by Martin

Hello,
I was wondering if it is possible to open a tcpdump capture file in Wireshark; renaming the file to a ‘pcap’ extension didn’t work – “The file isn’t a capture file in a format Wireshark understands.” Opening the file in Notepad++ does not really provide me with a deep look into all the layers. The idea was to capture the packets when they leave the VTI interface [Type2] to verify encapsulation is properly done.

tcpdump -i et20 > /mnt/flash/udp.capture
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on et1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C2768 packets captured
2782 packets received by filter

Please advise.

Thanks,

Martin

Answered on November 6, 2019 8:42 pm

Hi Martin.

You can use the -w option. Example:

- Run tcpdump capturing the packets:

#bash tcpdump -i any -w /mnt/flash/test.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
^C29 packets captured
30 packets received by filter
0 packets dropped by kernel

- Check that the file has been created:

#bash ls -lah /mnt/flash/test.pcap
-rwxrwx--- 1 root eosadmin 4.7K Nov 6 20:37 /mnt/flash/test.pcap

- Read the file using tcpdump (this will be readable using Wireshark as well):

#bash tcpdump -r /mnt/flash/test.pcap
reading from file /mnt/flash/test.pcap, link-type LINUX_SLL (Linux cooked)
20:37:21.774495 Out 28:99:44:33:cc:cc (oui Arista Networks) ethertype IPv4 (0x0800), length 216: sw.local.com.ssh > 11.11.4.11.53859: Flags [P.], seq 2977326259:2977326407, ack 1034730473, win 314, options [nop,nop,TS val 157816777 ecr 1533260089], length 148

Hope this helps.
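Added example, not part of the question or the answer above: the reason the redirected file would not open is that `tcpdump -i ... > file` saves tcpdump's human-readable text, while `-w` writes the binary pcap format that Wireshark recognises by its leading magic number. The script below checks a file the way that magic-number test does, then walks the pcap global header and packet records and decodes the Ethernet header of each frame (the "deep look into the layers" the question asks for). The two frames, the timestamps and the MAC addresses are constructed sample data (the `28:99:44:33:cc:cc` address is borrowed from the answer's output); all function names are my own.

```python
"""Classify a capture file by magic number and walk a classic pcap's records."""
import struct
from typing import List, Tuple

# Link-layer header types, named as tcpdump prints them on its "link-type" line
LINKTYPES = {1: "EN10MB (Ethernet)", 113: "LINUX_SLL (Linux cooked)"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # classic pcap, nanosecond timestamps
PCAPNG_BLOCK = 0x0A0D0D0A    # pcapng Section Header Block type (same bytes either endianness)

# Constructed sample of what "tcpdump -i et20 > file" leaves behind: plain text, no magic
TEXT_CAPTURE = b"tcpdump: verbose output suppressed, use -v or -vv for full protocol decode\n"


def capture_format(data: bytes) -> str:
    """Return 'pcap', 'pcap-nanosecond', 'pcapng' or 'not-a-capture' from the first 4 bytes."""
    if len(data) < 4:
        return "not-a-capture"
    first = data[:4]
    if first == PCAPNG_BLOCK.to_bytes(4, "little"):
        return "pcapng"
    for endian in ("<", ">"):          # a pcap may be written by either byte order
        magic = struct.unpack(endian + "I", first)[0]
        if magic == PCAP_MAGIC_US:
            return "pcap"
        if magic == PCAP_MAGIC_NS:
            return "pcap-nanosecond"
    return "not-a-capture"


def parse_pcap(data: bytes) -> Tuple[str, List[Tuple[float, bytes]]]:
    """Return (link-type name, [(timestamp, frame bytes), ...]) for a classic pcap."""
    fmt = capture_format(data)
    if fmt not in ("pcap", "pcap-nanosecond"):
        raise ValueError(f"not a classic pcap file: {fmt}")
    # The magic read little-endian tells us which byte order the writer used.
    little = struct.unpack("<I", data[:4])[0] in (PCAP_MAGIC_US, PCAP_MAGIC_NS)
    endian = "<" if little else ">"
    ts_divisor = 1_000_000_000 if fmt == "pcap-nanosecond" else 1_000_000
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    _magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records: List[Tuple[float, bytes]] = []
    offset = 24
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, captured length, original length (16 bytes)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError("truncated or corrupt packet record")
        records.append((ts_sec + ts_frac / ts_divisor, data[offset:offset + incl_len]))
        offset += incl_len
    return LINKTYPES.get(linktype, f"unknown ({linktype})"), records


def ethernet_summary(frame: bytes) -> Tuple[str, str, str]:
    """Decode the 14-byte Ethernet header into (dst MAC, src MAC, ethertype name)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]   # network byte order
    return dst, src, ETHERTYPES.get(ethertype, f"0x{ethertype:04x}")


def build_sample_pcap(endian: str = "<") -> bytes:
    """Constructed two-frame Ethernet capture, laid out as tcpdump -w would write it."""
    arista = bytes.fromhex("28994433cccc")
    frames = [
        # ARP request-shaped frame: broadcast dst, 28 zero bytes standing in for the ARP body
        (1573072641, 774495, bytes.fromhex("ffffffffffff") + arista + b"\x08\x06" + b"\x00" * 28),
        # IPv4-shaped frame: version/IHL byte 0x45 followed by zeroed header bytes
        (1573072642, 10, arista + bytes.fromhex("001122334455") + b"\x08\x00" + b"\x45" + b"\x00" * 19),
    ]
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 262144, 1)
    for sec, usec, frame in frames:
        out += struct.pack(endian + "IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for label, blob in (("text redirect", TEXT_CAPTURE), ("tcpdump -w", build_sample_pcap())):
        print(f"{label}: {capture_format(blob)}")
    link, recs = parse_pcap(build_sample_pcap())
    print(f"link-type {link}, {len(recs)} packets")
    for ts, frame in recs:
        print(f"{ts:.6f} {ethernet_summary(frame)} length {len(frame)}")
```

The same magic-number check applied to a real file is `python3 -c 'import sys; print(open(sys.argv[1],"rb").read(4).hex())' capture` and comparing against `d4c3b2a1` (little-endian pcap) or `0a0d0d0a` (pcapng); a file that starts with ASCII text such as `tcpdump:` or a timestamp is the text output and needs to be recaptured with `-w`.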
