Skip to content
This repository


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

"ValueError: Invalid tcpdump header" for a generated pcap #21

prongs opened this Issue · 10 comments

4 participants

Rajat Khandelwal andrewf Guy Harris Utkarsh Sengar
Rajat Khandelwal

My pcap file is generated via a command like:

cmd = """tshark -r "%s" -R "frame.time_relative >= %f" -w "%s" """ % (pcap_name, first_dns_query_time, normalized_pcap_name)

And that normalized pcap is given input to pcap2har. I get this error:

Traceback (most recent call last):
  File "", line 65, in <module>
    dispatcher = pcap.EasyParsePcap(filename=inputfile)
  File "/path/to/pcap2har/pcap2har/", line 80, in EasyParsePcap
    ParsePcap(dispatcher, filename=filename, reader=reader)
  File "/path/to/pcap2har/pcap2har/", line 27, in ParsePcap
    pcap = ModifiedReader(f)
  File "/path/to/pcap2har/pcap2har/", line 105, in __init__
    raise ValueError, 'invalid tcpdump header'
ValueError: invalid tcpdump header

Without knowing more, I can only guess that your pcap has an invalid tcpdump header ;). Can you open the file in Wireshark to see if it gives any errors, and/or send me the pcap so I can try to reproduce the issue? The first couple hundred bytes ought to do it, since it's just the file header it's complaining about.

Also, is this a consistent error or something that only happens sometimes?

Rajat Khandelwal

Wireshark(version 1.8) can open the file just fine. You can download the pcap from here. The original pcap from which it was produced is here. I submitted the issue to stackoverflow also.

As for consistency, I checked for two pcaps(generated in the same way), I get the same error.

Guy Harris

Wireshark (version 1.8) writes pcap-ng files, not pcap files, by default. The "pcap" in question is a pcap-ng file, not a pcap file, and any tool that has its own hand-written code to read pcap files, rather than using libpcap to do so, and that has no code to read pcap-ng files, will fail to read pcap-ng files. (libpcap 1.0 and later can read a probably fairly large subset of pcap-ng files; the files have to have all interfaces have the same link-layer header type and snapshot length, and you only see packet blocks, due to limitations of the current pcap API. Unfortunately, there's no version of WinPcap that's based on libpcap 1.0 or later, so that doesn't work on Windows.)

Rajat Khandelwal

Can I instruct tshark to write pcap instead of pcapng? Or can I maybe convert pcapng file to pcap file?

Guy Harris

Can I instruct tshark to write pcap instead of pcapng?

Yes, with "-F pcap". See the answer to your StackOverflow question.

Or can I maybe convert pcapng file to pcap file?

Yes, with editcap (again, with "-F pcap") or with tcpdump if you have libpcap 1.0 or later (have it read the pcap-ng file and write a new file, which will be a pcap file).

Rajat Khandelwal

I found editpcap. Thanks


Thanks, guyharris.

Utkarsh Sengar

I understand this is an old thread but I am getting the same error. I tried adding "-F pcap" but I get this error:

pi@raspberrypi ~ $ sudo tshark -F pcap -i mon0 subtype probereq -w /tmp/rpi-cap.pcap
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
tshark: "pcap" isn't a valid capture file type
tshark: The available capture file types for the "-F" flag are:
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview - TamoSoft CommView
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    libpcap - Wireshark/tcpdump/... - libpcap
    modlibpcap - Modified tcpdump - libpcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - NA Sniffer (DOS)
    ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
    ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
    niobserver - Network Instruments Observer
    nokialibpcap - Nokia tcpdump - libpcap
    nseclibpcap - Wireshark - nanosecond libpcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    pcapng - Wireshark - pcapng
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
    snoop - Sun snoop
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
    visual - Visual Networks traffic capture

pi@raspberrypi ~ $ tshark -v
TShark 1.8.2

Copyright 1998-2012 Gerald Combs <> and contributors.
This is free software; see the source for copying conditions. There is NO

Compiled (32-bit) with GLib 2.32.4, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without
Python, with GnuTLS 2.12.20, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP.

Running on Linux 3.6.11+, with locale en_GB.UTF-8, with libpcap version 1.3.0,
with libz 1.2.7.

Built using gcc 4.6.3.

Any suggestions?

Guy Harris

Sorry, it should be -F libpcap instead, as per the error message from tshark. Yeah, it's confusing that pcap format is called "libpcap format", but that's the way tshark currently works.

Utkarsh Sengar

Thanks. I tried libpcap too. But when I loaded the file in wireshark -> Statistics -> Summary, it says its Wireshark, pcapng and not libpcap.

  1. I tried converting it using editpcap, didn't help.
  2. Conversion using this website worked:

Anyway, I was trying to programmatically access a pcap file using python and process it. But the route of: tshark -> libpcap -> python seems like an overkill and complicated.

I setteled with using scapy which directly intercepts the packets 1 and eliminated tshark from the picture.

Thanks for your help!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.