Re: tcpdump and wireshark

[Dmitry <mitroko () gmail com>]

Hm, did´nt help.

Dmitry.

On 9/16/08, Arien Vijn <arien.vijn () ams-ix net> wrote:
> On 15 sep 2008, at 23:05, Dmitry wrote:
>
> > Hello.
> > I'm interesting in info extraction from pcap dumps.
> > Recently I did some test dump of downloaded picture with tcpdump and
> > wrote
> > it to file 'dump.pcap'.
> >
> > Test zero:
> > I have started capture on 192.168.0.1 host and did http request of
> > image to
> > 192.168.0.2
> > Nothing else dropped to dump except arp requests etc.
> >
> > Test one:
> > I've opened dump with wireshark.
> > Found stream, filtered it out and saved raw data to file 'dump.hex'
> > Deleted HTTP request till \xff byte before JFIF header and got image.
> >
> > Test two:
> > I've processed dump thru tcpdump in command-line manner
> > $> tcpdump -nn -r dump.pcap src host 192.168.0.2 and src port 80 and
> > dst
> > host 192.168.0.1 and dst port 50713 -w dump.hex
> > Deleted HTTP request till \xff byte before JFIF header and got wrong
> > image.
> >
> > So, there I've got in trouble. What I'm doing wrong with tcpdump?
>
> Snap length I guess. Tcpdump's default is 68 bytes. Try the parameter:
> "-s 0" to capture the whole packet.
>
> I believe that tshark captures the entire packet by default.
>
> -- Arien
>
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.