Can I apply a filter to a trace file when using Windump

kkekke Member Posts: 8 ■□□□□□□□□□
Hi friends,

I captured some packets and write them to a file with windump, the command is as follows
windump -i2 -w -s 1500 -w xxx.pcap

But when I tried to apply a filter(windump -r xxx.pcap ip[9] = 6) to the trace file, windump only reponded with "reading from file xxx.pcap, link-type EN10MB (Ethernet)", I have no idea what's wrong here? I can only apply a filter whiling capturing?

I've confirmed that there are tcp packets in the trace file and if I open it with Wireshark and apply a display filter "tcp" or "ip[9] == 6", it works perfectly.

Thanks in advance:)


  • JDMurrayJDMurray Admin Posts: 12,876 Admin
    I just tried to duplicate your command lines and found a redundant '-w' in your capture command that causes a syntax error. After taking that out it works fine for me to both create the pcap file and to display its contents using WinDump and that filter expression. I'm wondering if your standard output is being implicitly redirected somehow. Try explicitly redirecting the WinDump output to a file and check is the output is stored: windump -r xxx.pcap ip[9] = 6 > xxx.txt
  • kkekke Member Posts: 8 ■□□□□□□□□□
    @JDMurray, thank you for your reply, I made a typo in my first post, I have tried to redirect the windump output to a text file as follows,
    windump -r xxx.pcap ip[9] = 6 > xxx.txt
    but got the same echo "reading from file xxx.pcap, link-type EN10MB (Ethernet)" icon_sad.gif
  • chaser7783chaser7783 Member Posts: 154
    kke, just did the same in tcpdump, I also get "reading from file xxx.pcap, link-type EN10MB (Ethernet)" which is normal, but look in the file xxx.txt.icon_wink.gif Nothing other than that should be written to the terminal b/c you have redirected all output to xxx.txt.
  • JDMurrayJDMurray Admin Posts: 12,876 Admin
    I wonder if it's a permission problem. You're not trying to write/read the pcap file from your System32 folder, are you? Open the command window using "Run as administrator" and try reading the pcap file using windump again.
  • kkekke Member Posts: 8 ■□□□□□□□□□
    chaser7783 Thanks, haha, sure I have checked the xxx.txt but it's empty unfortunatelyicon_sad.gif
    @JDMurray, I work under Windows XP and my account is in the administrator user group so I really have no idea what's wrong.
  • kkekke Member Posts: 8 ■□□□□□□□□□
    Hi chaser7783 and JDMurray, in order to ascertain whether the problem is caused by environment discrepancy or not, I have uploaded the xxx.pcap file to , please have a look:)
  • chaser7783chaser7783 Member Posts: 154
    Ok I believe I see the issue, The captured traffic is PPP over ethernet which is encapsulated in the Ethernet header, so a byte offset of 9 alone wont work. You have to state it being PPPoe, much like you would vlan traffic. so the correct syntax would be: windump -nr xxx.pcap ' pppoes and ip[9] = 06' > xxx.txt

    Sample payload:

    0000 00 d0 b7 1b 8d 3e 3c 97 0e 5c cb 45 88 64 11 00
    0010 4e 01 00 36 00 21 45 00 00 34 77 fb 40 00 80 06
    0020 ab b8 0a c6 01 06 4a 7d 80 c7 d7 94 00 50 56 e2
    0030 23 01 00 00 00 00 80 02 20 00 26 4c 00 00 02 04
    0040 05 a0 01 03 03 08 01 01 04 02
  • JDMurrayJDMurray Admin Posts: 12,876 Admin
  • kkekke Member Posts: 8 ■□□□□□□□□□
    Thank you guys, it works now:)
Sign In or Register to comment.