tcpdump mailing list archives
tcpdump + pf_ring capture: bogus savefile header
From: "M. V." <bored_to_death85 () yahoo com>
Date: Tue, 8 Mar 2011 01:15:42 -0800 (PST)
Hi,

In order to boost capturing performance, I installed PF-Ring for libpcap on Debian-6.0 using the link below. I got the latest version of pf-ring from svn, and recompiled my intel-card's driver to support pf_ring. I didn't get any error or problem during the process.

http://www.ntop.org/blog/?p=125

Now, when I use tcpdump which is compiled with libpcap-pf_ring to capture traffic, it captures with no error or warning and it seems that my capturing performance got better (based on capture-file size), but the problem is: when I open the captured file with wireshark or tcpdump itself, I get a weird error about bad packet size.

wireshark error:
----------------------
The capture file appears to be damaged or corrupt.
(pcap: File has 3014350264-byte packet, bigger than maximum of 65535)

tcpdump error:
--------------------
tcpdump: pcap_loop: bogus savefile header

I don't know what the problem is. I googled the problem but didn't find anything useful. I also posted this on the ntop mailing-list, but so far nothing. So I wanted to ask you guys if anyone has experienced this before or has any idea about it.

Thank you.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
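An added example, not part of the original post and not tcpdump or libpcap code: a small Python walker that steps through the per-packet record headers of a classic pcap savefile and reports the file offset of the first record whose captured length is implausible, which is the condition both error messages above complain about. The names `find_bad_record` and `_sample` are hypothetical, the file is assumed to be classic pcap (not pcapng), and the 65535 limit is the one quoted in the Wireshark message.

```python
import struct

MAGICS = {  # magic bytes as stored on disk -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}
MAX_PACKET = 65535  # limit quoted in the Wireshark error above


def find_bad_record(data, max_packet=MAX_PACKET):
    """Walk a classic pcap savefile held in `data` (bytes).

    Returns (good_records, None) if every record header is sane, otherwise
    (good_records, (file_offset, incl_len, reason)) for the first bad one.
    """
    if len(data) < 24 or data[:4] not in MAGICS:
        return 0, (0, None, "not a classic pcap file header")
    order = MAGICS[data[:4]]
    offset, good = 24, 0  # the global file header is 24 bytes
    while offset < len(data):
        if len(data) - offset < 16:  # each record header is 16 bytes
            return good, (offset, None, "truncated record header")
        _sec, _frac, incl_len, _orig = struct.unpack_from(order + "IIII", data, offset)
        if incl_len > max_packet:
            return good, (offset, incl_len, "captured length exceeds maximum")
        if offset + 16 + incl_len > len(data):
            return good, (offset, incl_len, "record runs past end of file")
        offset += 16 + incl_len
        good += 1
    return good, None


def _sample(lengths):
    """Constructed little-endian savefile: one record per entry in `lengths`,
    each carrying 4 payload bytes regardless of the length it claims."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n in lengths:
        out += struct.pack("<IIII", 1299575742, 0, n, n) + b"\x00" * 4
    return out


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:  # reads the whole capture into memory
        print(find_bad_record(fh.read()))
```

The number of good records before the first bad one shows whether the file is wrong from the very first packet or only goes bad partway through the capture.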