$this = (new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog


Properly using tcpdump with Wireshark to avoid stanag4607 errors

Posted November 09, 2015 by shaun

For a long time, I could do a packet capture on a Linux machine by redirecting the output of tcpdump to a file, and Ethereal would open it up no problem. Somewhere along the way, Wireshark started choking on these files. Every now and then I still forget and try to do something like this:

tcpdump -nn -vv -S -X -s0 -i eth0 port 53 > /tmp/dns.cap

That captures a bunch of packets in human-readable form, but Wireshark refuses to open the file. It gives an error along the lines of:

The capture file appears to be damaged or corrupt.
(stanag4607: File has 976238138d-byte packet, bigger than maximum of 262144)

If you find yourself looking at this error, make sure to use the -w flag to tcpdump instead of redirecting stdout:

tcpdump -nn -vv -S -X -s0 -i eth0 port 53 -w /tmp/dns.cap

This generates a binary pcap file that Wireshark happily opens up.



Recent articles

📰 SFSQuery, a PHP class to query the StopForumSpam API and DNSBL

📰 Resolving portmaster error "pkg-static: automake-1.16.1 conflicts with automake-wrapper-20131203"

📰 Resolving LibreNMS error "RuntimeException: The only supported ciphers are AES-128-CBC and AES-256-CBC with the correct key lengths"

📰 1.1.1.1: Fast, but not so accurate (yet)

📰 autodiscover.xml as an Indicator of Attack

📰 Blocking Facebook's Tracking and Surveillance: A Comprehensive Approach

📰 Let's Encrypt Readies for Certificate Transparency with Embedded SCTs

📰 Evaluating DNSBL Effectiveness with Postfix Logs

📰 Resolving subversion error E145001: Node has unexpectedly changed kind

📰 Installing PHP 7.2 with pthreads on CentOS 6

📰 LocalStorage kills another site, or: Working around Zap2it's new interface

📰 A new DNS geolocation service from PowerDNS

▲ Back to top | Permalink to this page