Well, isn't *that* special. Turns out the system declared time structure is 64-bit and the on-disk capture files use 32-bit. Once I corrected for that, the router is now writing error files that tcpdump is very happy with. I assume wireshark will be too.
So now, if your gateway is sending packets that contain errors and would be dropped and are therefore showing up in the pkterrors.txt file, you can grab a capture file containing those erroneous packets from, for example, https://gw.ampr.org/private/errors/1.2.3.4.pcap (Of course, replace 1.2.3.4 with your own gateway address.)
The only thing missing is that pcap files have no way to contain an indication of what the error was that caused that particular packet to be rejected. You'll just have to correlate them with the errors reported in the pkterrors.txt file for your gateway.
Keep in mind that the pkterrors.txt file and the accumulated pcap files are deleted and start fresh every day at midnight Pacific time (GMT-7 or -8).
This is fun! - Brian
On Mon, May 08, 2017 at 12:46:02PM -0700, Tom Hayward wrote:
Would you consider changing the format to pcap or pcapng? This would allow viewing the packets in Wireshark. The format isn't much more complicated than the format you've chosen:
https://wiki.wireshark.org/Development/LibpcapFileFormat
Tom KD7LXL
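The 32-bit-versus-64-bit timestamp point Brian describes, as an added example that is not code from Brian, Tom or the AMPR gateway: a minimal libpcap-format writer and a strict reader in Python, where the writer's `ts_fmt="qq"` option reproduces the bug of dumping a 64-bit `struct timeval` verbatim. The sample IPv4 header, addresses and timestamp are constructed placeholders.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4   # microsecond pcap, written little-endian below
LINKTYPE_IPV4 = 228       # DLT_IPV4: each record is a bare IPv4 datagram

def global_header(snaplen=65535, linktype=LINKTYPE_IPV4):
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, network
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def record(pkt, ts, ts_fmt="II"):
    # Correct pcap record header: ts_sec and ts_usec are 32-bit in the file,
    # whatever the size of the writing system's struct timeval. Passing
    # ts_fmt="qq" reproduces the 64-bit-timeval bug: a 24-byte header that
    # readers expecting 16 bytes misparse.
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<" + ts_fmt + "II", sec, usec, len(pkt), len(pkt)) + pkt

def parse_pcap(data):
    magic, _maj, _min, _tz, _sig, snaplen, _lt = struct.unpack_from("<IHHiIII", data)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off, pkts = 24, []
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header")
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, off)
        if usec >= 1_000_000 or incl > snaplen or incl > orig:
            raise ValueError("implausible record header at offset %d" % off)
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated packet data")
        pkts.append((sec + usec / 1_000_000, data[off:off + incl]))
        off += incl
    return pkts

def demo():
    # Constructed sample: a 20-byte IPv4 header with a zero checksum, the
    # sort of datagram a gateway would reject. Addresses are placeholders.
    pkt = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                      bytes([44, 0, 0, 1]), bytes([44, 0, 0, 2]))
    ts = 1494272762.5          # constructed timestamp, 2017-05-08 UTC
    parsed = parse_pcap(global_header() + record(pkt, ts))
    try:
        parse_pcap(global_header() + record(pkt, ts, "qq"))
        rejected = False
    except ValueError:
        rejected = True
    return parsed, rejected
```

Running `demo()` returns the one correctly parsed packet and `True` for the 64-bit-timestamp file being rejected, which is the same outcome tcpdump or Wireshark would report as a malformed capture.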