Properly using tcpdump with Wireshark to avoid stanag4607 errors
For a long time, I could do a packet capture on a Linux machine by redirecting the output of tcpdump to a file, and Ethereal would open it up no problem. Somewhere along the way, Wireshark started choking on these files. Every now and then I still forget and try to do something like this:
tcpdump -nn -vv -S -X -s0 -i eth0 port 53 > /tmp/dns.cap
That writes the packets as human-readable text, so the resulting file has no pcap header. Wireshark then tries its heuristic file-format detectors, misidentifies the text as a STANAG 4607 file, and refuses to open it with an error along the lines of:
The capture file appears to be damaged or corrupt. (stanag4607: File has 976238138d-byte packet, bigger than maximum of 262144)
If you find yourself looking at this error, make sure to use the -w flag to tcpdump instead of redirecting stdout:
tcpdump -nn -vv -S -X -s0 -i eth0 port 53 -w /tmp/dns.cap
This generates a binary pcap file that Wireshark happily opens. With -w, the -vv, -S and -X options only affect tcpdump's own text output and do not change what is written to the file.
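A quick way to tell the two kinds of file apart before opening Wireshark is to look at the first four bytes: a real capture starts with the pcap or pcapng magic, while redirected tcpdump output starts with an ASCII timestamp. The script below is an added example, not from the original post; it uses only od(1) and tr(1) and builds its own sample files.

```shell
#!/bin/sh
# Classify a capture file by its magic bytes. A text dump produced by
# redirecting tcpdump's stdout has no pcap magic, which is what sends
# Wireshark down the wrong heuristic (e.g. stanag4607).

capture_kind() {
    # First four bytes as lowercase hex with no separators.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo "pcap (microsecond timestamps)" ;;
        4d3cb2a1|a1b23c4d) echo "pcap (nanosecond timestamps)" ;;
        0a0d0d0a)          echo "pcapng" ;;
        # tcpdump text output begins with a timestamp, i.e. an ASCII digit (0x30-0x39).
        3[0-9]*)           echo "text: looks like redirected tcpdump output, re-capture with -w" ;;
        *)                 echo "unknown: not a pcap or pcapng file" ;;
    esac
}

# Demo on constructed sample files (not real captures).
tmp=$(mktemp -d)
# Start of a little-endian pcap header: magic d4 c3 b2 a1, version 2.4.
printf '\324\303\262\241\002\000\004\000' > "$tmp/good.cap"
# What a redirected "tcpdump -nn ... port 53 > file" dump looks like.
printf '12:00:00.000000 IP 10.0.0.1.53 > 10.0.0.2.40000: 1234 1/0/0\n' > "$tmp/bad.cap"
for f in "$tmp/good.cap" "$tmp/bad.cap"; do
    printf '%s: %s\n' "$f" "$(capture_kind "$f")"
done
rm -rf "$tmp"
```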