
Mailing List Archive: NTop: Users

bogus savefile header in pcap dumps

 

 



james at chasecomputers

Jul 31, 2009, 5:29 AM

Post #1 of 2 (813 views)
bogus savefile header in pcap dumps

Hi,

When trying to read in a pcap dump, I am getting this error in my logs
during startup:

Jul 31 08:16:40 ntop ntop[1616]: THREADMGMT[t3033672592]: NPS(/usr/local/var/ntop/tmp.eth2.pcap): pcapDispatch thread running [p1616]
Jul 31 08:16:40 ntop ntop[1616]: **ERROR** Reading packets on device 0 (/usr/local/var/ntop/tmp.eth2.pcap): 'bogus savefile header'
Jul 31 08:16:40 ntop ntop[1616]: THREADMGMT[t3033672592]: NPS(/usr/local/var/ntop/tmp.eth2.pcap): pcapDispatch thread terminated [p1616]

Ntop starts, but there is no data despite the pcap being close to 400MB.
Googling, it seems like this might be caused by a bad captured packet or
perhaps the version of libpcap not logging in a standard format? But I
didn't know if someone else had seen the error. It didn't seem like
there were other command line options I should be using when capturing
or reading in the pcap dump.

I was logging with this command:

/usr/local/bin/ntop -u ntop -o -m 192.168.1.0/24,216.237.100.128/25 -i eth2 -l /tmp

And reading with this:

/usr/local/bin/ntop -u ntop -o -L -m 192.168.1.0/24,xxx.xxx.xxx.xxx/25 -f /usr/local/var/ntop/tmp.eth2.pcap -w 0 -W 443 -t 5 -d

The machine is CentOS 5.3, 32 bit
libpcap-0.9.4-14.el5
ntop v.3.3.10 [i686-redhat-linux-gnu]

Thanks,
James
_______________________________________________
Ntop mailing list
Ntop [at] unipi
http://listgateway.unipi.it/mailman/listinfo/ntop


Ggatten at waddell

Jul 31, 2009, 6:23 AM

Post #2 of 2 (742 views)
Re: bogus savefile header in pcap dumps [In reply to]

Can you try saving a file with Wireshark (or whatever) and using ntop to open it? And using ntop to save the file and Wireshark to open it?

I think a similar problem was reported maybe 6 months ago? Try searching threads and see what pops up.


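The two causes guessed at in the first post (a damaged packet record, or a file that is not in the standard format) can both be checked directly on the capture file. The following is an added example, not part of the thread and not ntop or libpcap code: a Python walker for the classic pcap layout that reports the first record whose header looks wrong. The 65535-byte ceiling, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct
import sys

# Classic pcap magic as seen when the first 4 bytes are read little-endian.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
          0xA1B23C4D: "<", 0x4D3CB2A1: ">"}   # nanosecond timestamps
MAX_CAPLEN = 65535  # assumption: sanity ceiling for one record's captured length

def check_pcap(data):
    """Walk a classic pcap byte string; return (ok, records_read, offset, reason)."""
    if len(data) < 24:
        return (False, 0, 0, "shorter than the 24-byte global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        return (False, 0, 0, f"unknown magic 0x{magic:08x}")
    e = MAGICS[magic]  # byte order the writer used
    major, minor = struct.unpack(e + "HH", data[4:8])
    if (major, minor) != (2, 4):
        return (False, 0, 4, f"unexpected format version {major}.{minor}")
    offset, count = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            return (False, count, offset, "truncated record header")
        _sec, _frac, caplen, origlen = struct.unpack(e + "IIII", data[offset:offset + 16])
        if caplen > MAX_CAPLEN or caplen > origlen:
            return (False, count, offset, f"implausible caplen {caplen} (wire length {origlen})")
        if offset + 16 + caplen > len(data):
            return (False, count, offset, "packet data runs past end of file")
        offset += 16 + caplen
        count += 1
    return (True, count, offset, "ok")

def record(payload, caplen=None):
    """Build one constructed record; caplen overrides the true length to simulate damage."""
    n = len(payload) if caplen is None else caplen
    return struct.pack("<IIII", 1249028200, 0, n, len(payload)) + payload

# Constructed sample data, not taken from the poster's capture.
HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
GOOD = HEADER + record(b"\x00" * 60) + record(b"\x00" * 42)
BAD = GOOD + record(b"\x00" * 60, caplen=0x41414141)

if __name__ == "__main__":
    # Reads the whole file into memory; with no argument, checks the damaged sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD
    print(check_pcap(blob))
```

The reported offset is where the first suspect record header starts, so the records before it can be cut out into a new file and replayed separately.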