
ulogd2-pcap - tcpdump unknown file format


Florian Pelgrim

Oct 29, 2016, 7:10:04 AM
Hi,

I'm logging dropped packets with ulogd2 into a pcap file so that tcpdump
should be able to read it.
At some point tcpdump is not anymore able to read the file and quits
with "unknown file format".

The file command instead is printing a correct header:
/var/log/ulog/ulogd.pcap: tcpdump capture file (little-endian) - version 2.4 (raw IP, capture length 65536)

Also, I can still have the file open and see packets being logged, but
when I try to open a new tcpdump in another shell I get the error.
When I delete the file and start a new one, everything is working
again.

Is anyone else facing this error?
Any ideas on where to start debugging what is causing the error?

Package details:
tcpdump: 4.6.2-5+deb8u1
ulogd2: 2.0.4-2+deb8u1
ulogd2-pcap: 2.0.4-2+deb8u1
iptables: 1.4.21-2+b1
Kernel: 3.16.0-4-amd64

Cheers
Flo


Florian Pelgrim

Oct 29, 2016, 12:40:04 PM
Problem found! :)

If you wait long enough, tail will not include the file header and
tcpdump will just die.

tail -F -n +1 $my_pcap | tcpdump -nr -
And you are happy again.
Don't even think about not including -n... Depending on how many log
entries you have it will be sloooooooow.

Cheers
Flo

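As an added illustration of both posts in this thread (example code written for this page, not ulogd2's or tcpdump's own code): a small Python reader for the classic pcap layout that ulogd2's pcap plugin writes and tcpdump -r reads. It builds a sample capture in memory with assumed values (little-endian header, version 2.4, snaplen 65536, linktype 101 for raw IP, two constructed 20-byte IPv4 headers, and a trailing half-written record that mimics a file ulogd is still appending to). Parsing from offset 0 succeeds and leaves the partial record pending, which is why the poster could keep one tcpdump attached while the file grew; a stream that begins past the 24-byte global header, which is what tail without -n +1 delivers, has no magic number at its start and is rejected with the same "unknown file format" verdict tcpdump gives. The raw-IP linktype value and the packet contents are assumptions, not taken from the thread.

```python
import struct
import sys

# Classic pcap layout: a 24-byte global header, then per packet a 16-byte
# record header followed by the captured bytes.
GLOBAL_HEADER_FMT = "IHHiIII"   # magic, ver major, ver minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_FMT = "IIII"      # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101              # raw IP, no link-layer header (assumed value for the sample)


def parse_global_header(data: bytes) -> dict:
    """Validate the global header at offset 0 and return its fields.

    Raises ValueError("unknown file format") when the magic number is not the
    first thing in the stream, which is what a reader sees when it is handed a
    file from somewhere past the header (tail without -n +1).
    """
    if len(data) < 24:
        raise ValueError("unknown file format")
    (as_le,) = struct.unpack("<I", data[:4])
    if as_le == PCAP_MAGIC:
        order = "<"             # d4 c3 b2 a1 on disk: little-endian writer
    elif as_le == 0xD4C3B2A1:
        order = ">"             # a1 b2 c3 d4 on disk: big-endian writer
    else:
        raise ValueError("unknown file format")
    _, vmaj, vmin, _zone, _sig, snaplen, linktype = struct.unpack(order + GLOBAL_HEADER_FMT, data[:24])
    return {"order": order, "endian": "little" if order == "<" else "big",
            "version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}


def complete_records(data: bytes) -> list:
    """Return (ts_sec, ts_usec, packet_bytes) for every fully present record.

    A trailing partial record is normal in a file that is still being appended
    to, so it is left pending rather than reported as corruption.
    """
    hdr = parse_global_header(data)
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(hdr["order"] + RECORD_HEADER_FMT, data[off:off + 16])
        if incl_len > hdr["snaplen"]:
            raise ValueError("record longer than snaplen: stream is corrupt or misaligned")
        if off + 16 + incl_len > len(data):
            break               # record header present, packet bytes not yet written
        records.append((ts_sec, ts_usec, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return records


def check_capture(data: bytes) -> str:
    """One-line verdict in the spirit of file(1), or the tcpdump-style error text."""
    try:
        hdr = parse_global_header(data)
        n = len(complete_records(data))
    except ValueError as exc:
        return str(exc)
    return "tcpdump capture file (%s-endian) - version %d.%d (linktype %d, capture length %d), %d complete records" % (
        hdr["endian"], hdr["version"][0], hdr["version"][1], hdr["linktype"], hdr["snaplen"], n)


def build_sample_capture(order: str = "<") -> bytes:
    """Construct a small capture in memory (sample data, not a real ulogd file)."""
    header = struct.pack(order + GLOBAL_HEADER_FMT, PCAP_MAGIC, 2, 4, 0, 0, 65536, LINKTYPE_RAW)
    # Two minimal IPv4 headers (20 bytes, protocol UDP, zero checksum): constructed placeholders.
    pkt1 = bytes.fromhex("45000014000100004011" "0000" "c0a80001" "c0a80002")
    pkt2 = bytes.fromhex("45000014000200004011" "0000" "c0a80002" "c0a80001")
    out = header
    for i, pkt in enumerate((pkt1, pkt2)):
        out += struct.pack(order + RECORD_HEADER_FMT, 1477724404 + i, 0, len(pkt), len(pkt)) + pkt
    # A third record whose header is on disk but whose packet bytes are only half written.
    out += struct.pack(order + RECORD_HEADER_FMT, 1477724406, 0, len(pkt1), len(pkt1)) + pkt1[:8]
    return out


if __name__ == "__main__":
    # Pass a real pcap path to inspect it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    print(check_capture(data))
    print("same stream minus its header:", check_capture(data[24:]))
```

Run it against the ulogd output file to confirm the header is intact and count complete records; the second line of output reproduces the failure mode from the first post by feeding the reader everything after the global header.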