[Ntop] bogus savefile header in pcap dumps

Gary Gatten Ggatten at waddell.com
Fri Jul 31 15:23:45 CEST 2009


Can you try saving a file with Wireshark (or whatever) and using ntop to open it? And using ntop to save the file and Wireshark to open it?

I think a similar problem was reported maybe 6 months ago? Try searching the threads and see what pops up.

----- Original Message -----
From: ntop-bounces at unipi.it <ntop-bounces at unipi.it>
To: ntop at unipi.it <ntop at unipi.it>
Sent: Fri Jul 31 07:29:02 2009
Subject: [Ntop] bogus savefile header in pcap dumps

Hi,

When trying to read in a pcap dump, I am getting this error in my logs 
during startup:

Jul 31 08:16:40 ntop ntop[1616]:   THREADMGMT[t3033672592]: NPS(/usr/local/var/ntop/tmp.eth2.pcap): pcapDispatch thread running [p1616]
Jul 31 08:16:40 ntop ntop[1616]:   **ERROR** Reading packets on device 0 (/usr/local/var/ntop/tmp.eth2.pcap): 'bogus savefile header'
Jul 31 08:16:40 ntop ntop[1616]:   THREADMGMT[t3033672592]: NPS(/usr/local/var/ntop/tmp.eth2.pcap): pcapDispatch thread terminated [p1616]

Ntop starts, but there is no data despite the pcap being close to 400MB. 
Googling, it seems like this might be caused by a bad captured packet or 
perhaps the version of libpcap not logging in a standard format? But I 
didn't know if someone else had seen the error. It didn't seem like 
there were other command line options I should be using when capturing 
or reading in the pcap dump.

I was logging with this command:

/usr/local/bin/ntop -u ntop -o -m 192.168.1.0/24,216.237.100.128/25 -i eth2 -l /tmp

And reading with this:

/usr/local/bin/ntop -u ntop -o -L -m 192.168.1.0/24,xxx.xxx.xxx.xxx/25 -f /usr/local/var/ntop/tmp.eth2.pcap -w 0 -W 443 -t 5 -d

The machine is CentOS 5.3, 32 bit
libpcap-0.9.4-14.el5
ntop v.3.3.10 [i686-redhat-linux-gnu]

Thanks,
James
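A check that follows from the question above, as an added example that is not part of the original thread and is not ntop or libpcap code: it validates the 24-byte global header and each 16-byte record header of a classic pcap file and reports the offset of the first record that does not parse. The 65535-byte bound and the function names are assumptions, and the sample capture is constructed.

```python
import struct

# Magic values of the classic pcap savefile format, as seen when read little-endian.
MAGICS = {
    0xA1B2C3D4: "<",  # written by a little-endian host, microsecond timestamps
    0xD4C3B2A1: ">",  # written by a big-endian host, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian host, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian host, nanosecond timestamps
}
MAX_CAPLEN = 65535  # assumption: sanity bound for a single captured length


def check_savefile(data: bytes):
    """Return (ok, message, good_records) for the bytes of a classic pcap file."""
    if len(data) < 24:
        return False, "file shorter than the 24-byte global header", 0
    (magic,) = struct.unpack_from("<I", data, 0)
    order = MAGICS.get(magic)
    if order is None:
        return False, f"unknown magic 0x{magic:08x}", 0
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack_from(
        order + "HHiIII", data, 4)
    offset, count = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            return False, f"truncated record header at offset {offset}", count
        _sec, _frac, caplen, origlen = struct.unpack_from(order + "IIII", data, offset)
        # A captured length should never exceed the bound or the on-wire length.
        if caplen > MAX_CAPLEN or caplen > origlen:
            return False, f"implausible caplen {caplen} at offset {offset}", count
        if len(data) - offset - 16 < caplen:
            return False, f"truncated packet data at offset {offset}", count
        offset += 16 + caplen
        count += 1
    return True, f"v{major}.{minor} snaplen={snaplen} linktype={linktype}", count


def sample_capture(bad_second_record=False):
    """Constructed two-packet capture; optionally corrupt the second record header."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkt = b"\x00" * 60
    rec1 = struct.pack("<IIII", 1249020000, 0, 60, 60) + pkt
    caplen = 0x7F000000 if bad_second_record else 60
    rec2 = struct.pack("<IIII", 1249020001, 0, caplen, 60) + pkt
    return hdr + rec1 + rec2
```

For a real dump, pass the file's bytes to `check_savefile`; the reported offset shows where in the file to start looking with a hex viewer.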